On November 5, 2015, the Federal Communications Commission Enforcement Bureau announced a $595,000 settlement agreement with Cox Communications, Inc. to resolve an investigation into whether the company failed to properly protect its customers’ personal information when electronic data systems were breached in August 2014. According to the FCC, Cox exposed the personal information of numerous customers and failed to report the breaches through the Commission’s established breach-reporting portal.
This is the third FCC data security settlement this year. In July, the FCC settled an investigation into TerraCom Inc. and YourTel America Inc. for $3.5 million for failing to safeguard customers’ personal information, and in April reached a $25 million settlement with AT&T Services Inc. to resolve similar claims.
Details of the Breach:
The Enforcement Bureau’s investigation discovered that Cox’s data systems were breached in August 2014 by a member of the hacker group “Lizard Squad.” To access sensitive customer information, the hacker allegedly pretended to be a Cox tech employee (a practice commonly referred to as “pretexting”) and successfully convinced a company customer service representative and a Cox contractor to enter their account IDs and passwords into a fake website that was controlled by the hacker. According the FCC, Cox’s data systems lacked technical safeguards, such as multi-factor authentication, for the employees that were compromised.
With the Cox employees’ credentials, the hacker purportedly had access to Cox customers’ personal data, including sensitive personal information such as name, home address, email address, phone number, partial Social Security Number, partial driver’s license number, as well as Customer Proprietary Network Information (“CPNI”) of the company’s telephone customers. In addition to sharing the compromised account credentials with another alleged member of the Lizard Squad, the hacker posted customers’ personal information on social media sites and changed some customers’ account passwords.
Alleged Violations of the Communications Act and the FCC’s Rules:
According to the FCC, the disclosure of the data violated the Communications Act, as amended by the Telecommunications Act of 1996, which requires network operators to protect customer information. Relying on 47 U.S.C. § 551, the FCC stated in its Order that “Congress and the Commission have made clear that cable operators such as Cox must ‘take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator.’” The Order goes on to state that “telecommunications carriers such as Cox must take ‘every reasonable precaution’ to protect their customers’ data.”
The FCC also determined that Cox failed to take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI, and failed to provide timely notification to law enforcement of the CPNI breach.
According to the Consent Decree, the Enforcement Bureau will directly monitor Cox’s efforts for the next seven years. In addition to the civil penalty, Cox is required to:
- Designate a senior corporate manager who is a certified privacy professional;
- Conduct privacy risk assessments;
- Implement a written information security program;
- Maintain reasonable oversight of third party vendors, including implementing multi-factor authentication;
- Implement a more robust data breach response plan;
- Provide privacy and security awareness training to employees and third-party vendors;
- Notify all affected consumers of the breach and provide them with free credit monitoring; and
- File regular compliance reports with the FCC.