The Federal Communications Commission (FCC) announced on April 8 that it had adopted a consent decree between its Enforcement Bureau and AT&T Services, Inc. (AT&T), including a civil penalty of $25 million and a requirement to adopt a comprehensive compliance plan, among other actions. The consent decree alleges that AT&T “failed to protect the confidentiality” of approximately 280,000 customers’ “sensitive personal information” and “account-related customer proprietary network information,” or “CPNI,” and questions whether AT&T made the necessary notifications to law enforcement in a timely manner as required by the Commission’s rules.
It is the FCC’s second enforcement action against one or more telecommunications carriers with regard to data security, following last year’s action against TerraCom and YourTel America. As in that enforcement action, the Commission justifies its exercise of enforcement authority on Sections 222 and 201 of the Communications Act. Those sections restrict common carriers’ use and disclosure of CPNI and declare as unlawful any “charge, practice, classification, or regulation” for and in connection with interstate communication service by wire or radio that is unjust or unreasonable, respectively. The FCC’s fine of $25 million far exceeds the $10 million penalty assessed in the TerraCom/YourTel case.
The enforcement action was brought against AT&T due to a series of incidents that occurred at international call centers in Mexico, Columbia, and the Philippines. Specifically, the incidents involved vendor employees accessing customer accounts inappropriately to harvest data used (at that time) to request cellular handset unlock codes online.
The data elements used to obtain the unlock codes online – a practice that is no longer allowed under the consent decree – were the account holder’s name plus the last four digits of the account holder’s social security number. However, in order to obtain those data elements, the rogue employees accessed the same account page as the customers’ CPNI. The consent decree states that AT&T “found no evidence that the . . . employees used or disclosed CPNI in connection with the data breach.” Nonetheless, section 222 generally prohibits a carrier from permitting access to individually identifiable CPNI except in connection with its provision of “the telecommunications service from which such information is derived, or . . . services necessary to, or used in, the provision of such telecommunications service… ” Thus, after investigating the initial incidents, AT&T notified law enforcement of the inappropriate account access on May 20, 2014 after determining that CPNI and other sensitive data had been accessed in excess of authorization. (AT&T also also notified at least the California Attorney General of the incident.) In subsequent incidents at other call centers, full social security numbers and certain CPNI may have been visible to the rogue employees, but again no evidence was found that this information was acquired or used (other than for the harvesting of the last four digits of social security numbers).
Although the Commission states in its order adopting the consent decree that failure to “reasonably secure” CPNI “constitutes an unjust and unreasonable practice” under Section 201(b) of the Communications Act, it provides little explanation of how AT&T’s practices were not reasonable. In the TerraCom/YourTel case, the Commission explicitly specified that the companies “failed to employ even the most basic and readily available technologies and security features for protecting consumers’ PI” as well as “created an unreasonable risk of unauthorized access[,]” and provided a detailed explanation of these alleged shortcomings. In this case, the Commission merely asserts that it expects telecommunications carriers “to take ‘every reasonable precaution’ to protect their customers’ data” and cites to the previous enforcement to support the proposition that “Section 201(b) applies to carriers’ practices for protecting customers’ PII and CPNI.” This raises the question of whether the Commission views any violation of Section 222 as a per se unjust and unreasonable practice. At the same time, the previous enforcement was in the form of a “notice of apparent liability for forfeiture” while the AT&T case is a consent decree, which may explain the lack of detail in the Commission’s discussion.
Under the consent decree, AT&T agrees to designate a Compliance Officer to oversee the development, implementation, and administration of a compliance plan also required by the Commission. The compliance plan is required to include a risk assessment designed to identify risks of unauthorized use, access, or disclosure of personal information or CPNI by certain employees and vendor employees. It also requires the creation of an information security program reasonably designed to protect CPNI and personal information from unauthorized use, access, or disclosure by the same set of employees, which must satisfy several criteria specified by the Commission. The compliance plan also requires AT&T to distribute a compliance manual to certain covered employees and vendor employees, as well as establish and implement a compliance training program specific to personal information and CPNI. Specifically with regard to the incidents at the Philippines and Columbia call centers, AT&T is also obligated to notify affected customers within 60 days and offer to provide them with one year of complimentary credit monitoring services. (The company already provided notice to those affected by the first breach at the Mexico call center.) Most notably, AT&T agrees to pay a civil penalty of $25 million.