Greetings from Brussels!
This week there was a breaking story in the U.S. that I believe has global interest, and one that might set a new precedent for telecom carriers in the privacy space. The U.S. Federal Communications Commission (FCC) announced it has reached a settlement with AT&T to the tune of $25 million for a series of consumer data privacy violations following an investigation. In summary, close to 280,000 customers’ data records were illegally accessed and stolen by employees working at AT&T call centers in Mexico, Colombia and the Philippines. The customer data was used to request unlock codes for AT&T handsets. To further compound the violation, the data was then provided to unauthorized “third parties” dealing in stolen and “secondary market” handsets.
This is an extraordinary story and of particular interest to me, as many years ago I worked for a global service provider in the outsourcing of “Contact Centers” to Fortune 500 companies. What one needs to bear in mind is the sheer volumes of data that these types of operations store and process on a daily basis, simply phenomenal amounts of personal (B2C) as well as business (B2B) data. Moreover, it is commonplace to outsource such activities and related services to specialized providers. In doing so, a great deal of data protection and security is passed—and possibly compromised—through the supply chain to third-party service providers; it raises interesting questions as to levels of responsibility, as well as liability with regard to data flows through supply chains, and whether adequate safeguards and privacy compliance measures exist with service partners and vendors across the spectrum of industries.
This issue reaches well beyond “internal compliance policy”; many questions need to be asked with regard to data traceability, as well as the levels of protection from the source and “entry points” to potential “exit points” through to the end of the chain.
Referring back to the case in question, the FCC stated in its press release: “AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities …”
AT&T commented that they have already updated their policies, including cutting ties with vendors as needed. Here's the full statement.
On a final note, next week I will be in London for our annual IAPP Data Protection Intensive, where we have some great sessions, panels and speakers. I’m looking forward to a week of learning and meeting with our privacy community.