The Federal Communications Commission (FCC) announced today that AT&T Services, Inc., will pay $25 million to resolve an investigation into whether the company violated Sections 201(b) and 222 of the Communications Act relating to consumer privacy at AT&T call centers in Mexico, Colombia, and the Philippines. According to the FCC’s order and consent decree, call center employees gained unauthorized access to customer names, full or partial Social Security numbers, and account-related information (known as “customer proprietary network information” or “CPNI”), and shared it with third parties who trafficked in stolen mobile phones or secondary market phones so that they could unlock the phones.
FCC Chairman Tom Wheeler said that the FCC, “[a]s the nation’s expert agency on communications networks, … cannot – and will not – stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands” of Americans. Nearly 280,000 customer accounts were reportedly affected.
This is the FCC’s second (and largest) enforcement action relating to data security, and the agency’s fifth major enforcement action in the last year relating to privacy and data security. As part of the settlement, in addition to paying a $25 million civil penalty, AT&T agreed to enhance its privacy and security practices, by (among other things) performing a risk assessment, adopting a written information security program, developing a compliance manual for employees and vendors, implementing a training program, and filing periodic compliance reports with the FCC.
This settlement is a reminder of the broad set of actors who are using their authority to police data breaches. Although the most prominent enforcers are the Federal Trade Commission (FTC) and a few select attorneys general (Kamala Harris in California and Eric Schneiderman in New York, for example), others are getting in the game. In fact, the Chief of the FCC’s Enforcement Bureau was previously Special Assistant Attorney General of California and a senior advisor to California A.G. Harris, suggesting that the FCC will continue to aggressively enforce privacy and data security violations. This settlement is also a reminder that U.S. data breach laws can extend outside U.S. borders to wherever a company handles information. Robust written procedures, including good hiring practices and training, and a sound data security program and breach response plan are necessary to assure that your customer and employee data is appropriately protected, wherever you process and store it.