Less than a month ago, I wrote about lessons to be drawn from the U.S. Federal Communications Commission's enforcement action against AT&T related to the company's oversight of a third-party provider of cloud services. Now comes a new FCC settlement with another major carrier, T-Mobile.

The full significance of the latest case can be found in the commission's statement accompanying the settlement, where the FCC said the long list of cybersecurity practices T-Mobile committed to in settling the matter "will serve as a model for the mobile telecommunications industry."

I'll get to those commitments in just a minute, after some context.

The FCC proceeding against T-Mobile related to four incidents in 2021, 2022 and 2023 that compromised customer data. As the source of its authority over service provider cybersecurity, the commission cited both Section 222 of the Communications Act, which states every telecommunications carrier "has a duty to protect the confidentiality of proprietary information of, and relating to, . . . customers," and Section 201(b), which states "[a]ll charges, practices, classifications, and regulations for and in connection with [interstate or foreign] communication service [by wire or radio], shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful." 

The commission has previously interpreted Section 201(b) to apply to carriers' practices for protecting customer data against unauthorized access, use or disclosure.

Under the settlement, T-Mobile will pay a civil penalty of USD15.75 million. Moreover, it committed to spending an additional USD15.75 million over the next two years to strengthen its cybersecurity program.

Because the commission believes the settlement is a model for the industry, it's worth summarizing in some detail. Specifically, the settlement order required T-Mobile to improve its privacy, data security and cybersecurity practices by, among other things:

  • Corporate governance. Designating a chief information security officer who will report regularly to the board of directors on cybersecurity matters.
  • Information security program. Maintaining a comprehensive information security program that is "[r]easonably designed to protect the confidentiality, integrity, and availability" of customer information.
  • Training. Providing covered individuals with annual cybersecurity training.
  • Segmentation and zero-trust architecture. Maintaining, "to the extent technically feasible," a "hybrid zero trust framework" and segmenting its network in a way "[r]easonably designed to provide that only authorized communication channels are opened between segments," with additional detail on documenting and conducting risk assessments on which ports are opened between segments, and on steps to separate production and non-production environments and to protect non-production environments.
  • Network access controls. Regularly conducting vulnerability scans.
  • Account and password management. Implementing phishing-resistant multifactor authentication to secure its networks and systems ("except where such use is technically or otherwise infeasible, or unreasonably burdensome or disruptive"); maintaining policies, procedures and controls reasonably designed to manage access to, and use of, accounts with access to covered information; taking reasonable measures to prevent administrative-level passwords from being stored in plaintext and, within two years, maintaining reasonable measures to encrypt or securely store administrative-level passwords; and maintaining operating procedures reasonably designed to change or disable default system credentials for internal systems.
  • Logging and monitoring.
  • Data retention, minimization and deletion. Limiting the collection of consumer information to what is reasonably necessary for a legitimate business or legal purpose, maintaining policies that provide for the destruction, anonymization or removal of consumer information that is no longer necessary, and maintaining data reduction processes aimed at reasonably minimizing T-Mobile's long-term storage of covered information.
  • Third party oversight.
  • Critical asset inventory. Identifying critical assets on T-Mobile's network and taking reasonable steps to disable and/or remove assets that are no longer necessary for a legitimate business or operational purpose.
  • Patch and security update management.
  • Vulnerability management.
  • Risk assessments. Maintaining and regularly reviewing and revising a risk assessment program reasonably designed to identify, assess, prioritize and manage material cybersecurity risks to the T-Mobile Network, using methods and criteria for assessing material cybersecurity risks that are consistent with a risk assessment method provided by a nationally recognized information security body.
  • Consumer data inventory.
  • Forensic reports. Obtaining, and furnishing to the Enforcement Bureau, upon formal written request, a forensic report analyzing any future incident that affects 10,000 or more consumers.
  • Independent third party assessments. Obtaining independent third-party assessments of its information security practices.

The order, which remains in effect for three years, notes that implementing these practices "will require significant — and long overdue — investments. To do so at T-Mobile's scale will likely require expenditures an order of magnitude greater than the civil penalty here." The commission said it will hold T-Mobile accountable for making these mandatory changes.

Interestingly, the order defines "reasonable," "reasonably" and "reasonableness," long-standing key terms in cybersecurity, to mean "a level of care or effort that is commensurate with industry norms or, as applicable, a Risk Assessment, both in terms of quality and scope of effort, as well as the timing of performance."

While the FCC said the commitments imposed on T-Mobile will serve as a model for the industry, the settlement order also states that what constitutes a reasonable practice is highly fact-dependent and the information security program T-Mobile must implement must contain safeguards "[r]easonably appropriate" to the size and complexity of T-Mobile's operations, the nature and scope of T-Mobile's activities, and the sensitivity of covered information within the T-Mobile network.

With this enforcement action, coming after the September 2024 settlement with AT&T and a July 2024 settlement with Verizon's wholly owned subsidiary TracFone, the commission has now achieved what it could not, or chose not to, accomplish by rulemaking: it has imposed cybersecurity regulatory requirements on all three of the nation's largest mobile carriers.

Jim Dempsey is the managing director for the IAPP Cybersecurity Law Center.