A recent enforcement action by the U.S. Federal Communications Commission offers important lessons to all entities that use cloud services, whether or not they are subject to FCC regulation.
The specific case involved AT&T, which utilized a third-party provider to generate and host personalized video content for its customers. As part of the relationship, and in order to receive the vendor's services, AT&T shared customer information with the third party.
AT&T's agreements with the vendor required its customer data to be deleted, destroyed or returned either upon expiration or termination of the agreement or when the data was no longer necessary to fulfill contractual obligations. The vendor was also subject to AT&T's Supplier Information Security Requirements, which included encryption, access control and network oversight requirements.
Through its supplier monitoring processes, AT&T specifically asks suppliers whether all AT&T records in their possession have been or will be destroyed in accordance with applicable contracts. Moreover, AT&T performed multiple reviews and assessments of the vendor, which stated it was destroying data as required under the agreements. Looks like AT&T was doing everything right.
However, in January 2023, the vendor suffered a data breach that exposed information related to over 8 million AT&T customers. As required under FCC rules, AT&T reported the breach, and the commission opened an investigation.
According to AT&T, the customer information exposed in the breach should have been destroyed or deleted by the vendor in 2017 or 2018. But from the FCC's perspective — and this is a key point — the responsibility fell on AT&T.
AT&T settled, agreeing to pay USD13 million and to improve its vetting and oversight of vendors.
The FCC emphasized that it viewed this as a cloud computing case. In its order, the FCC began by citing a study finding that over 80 percent of data breaches in 2023 involved data stored in the cloud. That same study found cloud misconfigurations and vendor systems were two of the three primary causes of personal data breaches.
The FCC said data stored in the cloud may become "an easy target" when companies "unintentionally misuse the cloud, such as allowing excessively permissive cloud access, having unrestricted ports, and use unsecured backups."
The FCC also cited warnings from the federal government that "misconfiguration of cloud resources remains the most prevalent cloud vulnerability" that could be "exploited to access cloud data and services."
Moreover, the FCC made it clear that AT&T, even though it had done a lot right in its data services agreements, still bore responsibility for the loss. "Companies that choose to share their customers' data with vendors must act as responsible stewards and hold their vendors responsible for protecting that data," it said.
Specifically, the settlement requires AT&T to improve its privacy and data security practices by engaging in due diligence when selecting vendors, requiring vendors to employ safeguards for customer information, limiting vendor access to and storage of customer information, conducting enhanced vendor oversight, and conducting annual compliance audits, among other things.
On vendor oversight, the consent decree requires AT&T to perform regular assessments, reviews and other oversight of vendor compliance with information security standards. While the order allows AT&T to determine the level of assessment review or other oversight for each vendor, it also specifies AT&T must assess a minimum of 20% of its vendors each year.
AT&T must take steps to enhance its data inventory processes to track customer data contained in its networks, systems, and assets transferred or otherwise made available to a vendor. The company must appoint a compliance officer and must establish and implement a compliance training program regarding compliance with the Privacy and Security Requirements and the requirements of the FCC's consent decree.
The FCC noted implementing the terms in the consent decree will require AT&T to make significant investments in, and prioritize, the safeguarding of customers' information shared with third parties and "will likely require expenditures far greater than the civil penalty" of USD13 million.
The lessons of the case go well beyond AT&T and the FCC. While the Communications Act has a specific provision making carriers responsible for the acts of their agents and contractors, the U.S. Federal Trade Commission and other regulators have long held that data controllers are responsible for carefully selecting and overseeing their third-party service providers.
Bottom line: Data security requirements for cloud providers and other vendors cannot rely solely on contract language and vendor assurances. Trust, but verify seems to be the FCC's message.
Jim Dempsey is a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Program on Geopolitics, Technology and Governance.
