
The FCC issues cybersecurity model for the mobile telecommunications industry


Contributors:

Jim Dempsey

Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center

IAPP

Less than a month ago, I wrote about lessons to be drawn from the U.S. Federal Communications Commission's enforcement action against AT&T related to the company's oversight of a third-party provider of cloud services. Now comes a new FCC settlement with another major carrier, T-Mobile.

The full significance of the latest case can be found in the commission's statement accompanying the settlement, where the FCC said the long list of cybersecurity practices T-Mobile committed to in settling the matter "will serve as a model for the mobile telecommunications industry."  

I'll get to those commitments in just a minute, after some context.

The FCC proceeding against T-Mobile related to four incidents in 2021, 2022 and 2023 that compromised customer data. As the source of its authority over service provider cybersecurity, the commission cited both Section 222 of the Communications Act, which states every telecommunications carrier "has a duty to protect the confidentiality of proprietary information of, and relating to, . . . customers," and Section 201(b), which states "[a]ll charges, practices, classifications, and regulations for and in connection with [interstate or foreign] communication service [by wire or radio], shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful." 

The commission has previously interpreted Section 201(b) to apply to carriers' practices for protecting customer data against unauthorized access, use or disclosure.

Under the settlement, T-Mobile will pay a civil penalty of USD15.75 million. Moreover, it committed to spending an additional USD15.75 million over the next two years to strengthen its cybersecurity program.

Because the commission believes the settlement is a model for the industry, it's worth summarizing in some detail. Specifically, the settlement order required T-Mobile to improve its privacy, data security and cybersecurity practices by, among other things:
