The events that led to the FCC imposing the largest-ever fine for data privacy violations on AT&T read a bit like a James Patterson novel.
For more than six months in late 2013 and early 2014, three employees of a Mexican call center with systems maintained and operated by AT&T, and subject to the company’s data security practices, used their login credentials to access customer accounts and grab names and the last four digits of Social Security numbers so that online requests for cellular handset unlock codes could be submitted.
They sold this information, which the FCC categorizes as Customer Proprietary Network Information (CPNI), to a member of the Mexican underworld known as El Pelón. The Bald Guy.
In the end, the personal information of 51,422 different customers was used to place 290,803 handset unlock requests.
All of this was uncovered via an internal AT&T investigation that began with the administration of a polygraph examination of an employee. Further, the investigation led AT&T to discover and report in March of this year that similar practices had been going on in call centers operated in the Philippines and Colombia, affecting another 211,000 customers.
Luckily, unlike a Patterson novel, the end result wasn’t a grisly crime scene, but rather a consent agreement with the FCC, which requires AT&T to pay a $25 million civil penalty, hire a compliance officer who “shall be privacy certified by an industry certifying organization,” create a compliance plan that will be submitted to the FCC within 90 days and then file compliance reports after six, 12, 24 and 36 months.
All told, responsibilities in the consent decree last for a total of seven years.
The fine, and consent agreement in general, sent ripples through the privacy industry.
“The FCC has been warning communications companies for months that it was going to be more active in protecting consumer privacy and security, and this certainly shows the Commission’s capacity for follow-through,” said Christin McMeley, CIPP/US, chair of the privacy and security practice at Davis Wright Tremaine and former VP and CPO at Charter Communications.
Of course, the FCC had already indicated it meant business, with recent actions against Dialing Services, Sprint, Verizon and TerraCom and YourTel America, totaling more than $25 million in fines since October of 2014, but while “they all had headline-making settlement amounts or proposed fines … this was by far the largest penalty,” said Mark Brennan, a partner at Hogan Lovells who focuses on FCC matters.
Further, said Brennan, “with the ink barely dry on this settlement, the agency already seems to be looking for the next target, with representatives encouraging companies to use the settlement as ‘guidance’ to help protect against future data breaches.”
On top of its active enforcement stance, last month, the FCC, in a dramatic policy decision, reclassified the provision of online services as common carrier activity subject to the Communications Act. This subjects an entire new swath of the online industry to the robust privacy protections of Section 222, which governs CPNI. In addition, signaling its enhanced interest in the topic, the agency joined GPEN, a global network of privacy enforcement agencies, and appointed Travis Leblanc, formerly of the California Attorney General’s privacy office, its head of enforcement.
So, what should other telecom firms—and now broadband providers—take away from this incident?
Firstly, while most of the previous enforcement actions in this recent batch have involved Do-Not-Call list violations, or failing to notify customers of privacy rights, this action is squarely in the sort of data security area where the Federal Trade Commission normally operates when it sanctions organizations for failing to use “reasonable” security practices.
This “sends a clear signal that any telecommunications company will be held fully responsible for a breach of care or duty pertaining to the security of subscriber information, whether on American soil or abroad, or by a service provider or vendor,” said S. Jennell Trigg, CIPP/US, chair of Lerman Senter’s intellectual property and new technology practice group and a member of the FCC’s Federal Advisory Committee on Diversity for Communications in the Digital Age.
“This enforcement action is a warning shot across the bow that the FCC will not tolerate lax data security practices,” she said, “and failure to conduct proper due diligence before engagement of a call center, as well as on a continuous basis throughout the engagement, that could detect such unauthorized use of subscriber PII could very well be an unjust and unreasonable practice under Section 201 of the Communications Act.”
Indeed, said William Baker, partner at the Potomac Law Group, “this action against AT&T demonstrates that the FCC takes seriously its statutory responsibilities under Section 222 … Unlike the FTC, which must use Section 5 [of the FTC Act] to address data security and thus must find a deceptive statement or unfair practice, the FCC has direct statutory authority in Section 222, which requires carriers to protect the confidentiality of customer proprietary network information. It is interesting that the FCC also cited Section 201, but Section 222 establishes the primary obligations.”
However, Trigg isn’t the only one to focus on the “reasonable” language in 201.
“It will be interesting to see how far the FCC goes to enforce ‘reasonable’ privacy and security practices in the provision of telephone services, as well as in the provision of Internet services,” said McMeley.
In fact, noted fellow Davis Wright Tremaine partner Peter Karanjila, “there’s a strong parallel in approach [between the FTC and the FCC], and also in the lack of legal certainty among industry members about what either agency—especially in an after-the-fact enforcement action—will deem to be an ‘unreasonable’ or ‘unfair’ data security practice or policy.”
However, “unlike the FTC,” noted McMeley, “the FCC has rules that require timely reporting of both CPNI breaches and failures of telecommunications companies’ CPNI opt-out processes, as well as a requirement for such companies to certify their compliance with such rules on an annual basis. And as we saw from the AT&T case, the CPNI does not have to be used or disclosed, but unauthorized access alone triggers reporting requirements. This can give the FCC a ready-made roadmap for enforcement actions.”
So, what should telecoms, and now broadband companies, do to prepare for this new reality?
“If they have not started doing so already,” said Hogan Lovells’ Brennan, “companies under the FCC’s purview – and organizations that do business with those companies – should take a fresh look at their data privacy and security practices to ensure that they are keeping pace with the agency’s rapidly evolving expectations.”
“This includes,” said Trigg by way of agreement, “review of all employee and management responsibilities and who has authority to access certain information in subscriber accounts. How is that authority confirmed and verified? Does the call center have technical capabilities to conduct an audit trail to determine which employees have accessed subscriber accounts and when? Is there a system in place to determine when a subscriber’s account and sensitive PII has been accessed without the subscriber’s express consent? The question will be whether such audit trail capabilities and other technical safeguards are now deemed reasonable given the nature of breach that was experienced at AT&T.”
“I also suggest,” Trigg continued, “a review of, and revisions if necessary, the call center’s data handling representations and warranties, and indemnification provision if there is a contract.”
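The audit-trail and unauthorized-access questions Trigg raises above become concrete once they are expressed as a detection rule over the access log. The following Python is an added example, not code from the article or from AT&T: it assumes a constructed per-read audit log and a constructed set of customer-contact records, and flags agents who read the SSN last-four field on accounts they had no recorded customer interaction with, which is the pattern of bulk harvesting rather than servicing a call.

```python
from collections import defaultdict

# Constructed audit rows (illustrative, not real AT&T data):
# (timestamp, agent_id, account_id, set of account fields read).
ACCESS_LOG = [
    ("2014-01-06T09:02", "agent17", "acct1001", {"name", "plan"}),
    ("2014-01-06T09:05", "agent17", "acct1002", {"name", "ssn4"}),
    ("2014-01-06T09:06", "agent17", "acct1003", {"name", "ssn4"}),
    ("2014-01-06T09:07", "agent17", "acct1004", {"name", "ssn4"}),
    ("2014-01-06T09:08", "agent17", "acct1005", {"name", "ssn4"}),
    ("2014-01-06T10:15", "agent42", "acct2001", {"name", "ssn4"}),
    ("2014-01-06T11:40", "agent42", "acct2002", {"name"}),
]

# Constructed contact records: (agent_id, account_id) pairs for interactions
# the agent actually handled that day (inbound call, chat, ticket).
CONTACTS = {
    ("agent17", "acct1001"),
    ("agent42", "acct2001"),
    ("agent42", "acct2002"),
}

# Fields whose read should always be tied to a customer contact.
SENSITIVE = {"ssn4"}


def uncontacted_sensitive_reads(access_log, contacts, sensitive=SENSITIVE):
    """Map agent -> sorted accounts where the agent read a sensitive field
    without any recorded customer contact for that account."""
    hits = defaultdict(set)
    for _ts, agent, account, fields in access_log:
        if fields & sensitive and (agent, account) not in contacts:
            hits[agent].add(account)
    return {agent: sorted(accts) for agent, accts in hits.items()}


def flag_agents(access_log, contacts, threshold=3):
    """Agents whose count of uncontacted sensitive reads reaches the
    threshold; a single stray read is noise, a run of them is a signal."""
    reads = uncontacted_sensitive_reads(access_log, contacts)
    return {a: accts for a, accts in reads.items() if len(accts) >= threshold}


if __name__ == "__main__":
    for agent, accounts in flag_agents(ACCESS_LOG, CONTACTS).items():
        print(f"{agent}: {len(accounts)} uncontacted SSN reads -> {accounts}")
```

The threshold and the contact-matching source are the tunable parts; the point is that the audit trail must record who read which field on which account, or there is nothing to match against.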
Further, the inclusion of language requiring AT&T to have a certified privacy professional heading up its compliance effort “recognizes the importance of training and experience in the required compliance position,” said Potomac’s Baker. Until now, the FTC’s consent orders in this area have required review of corporate practices by a person “with a minimum of three years of experience in the field of privacy and data protection,” but have not yet called for certified privacy professionals.
It’s clear, said McMeley, that companies need to have “a designated person who is accountable for ensuring the proper implementation, management and training” for a data privacy and security program. “Compliance should be an ongoing activity, not a certification exercise that takes place once a year.”
This emphasizes “the value of dedicated, experienced data privacy and security advisors,” said Brennan, “and the need to engage in enterprise-wide compliance efforts in this space.”
If there’s one thing that every commenter agreed on, it was that the FCC will certainly be announcing more consent agreements in the near future. No one wants to be the next company sending a check to Johnny Drake in the Telecommunications Consumers Division at the FCC.
If that’s not a name straight out of a James Patterson novel …