On April 8, 2015, the Federal Communications Commission’s (“FCC” or “Commission”) Enforcement Bureau (“Bureau”) announced that it imposed a $25 million civil penalty on AT&T for failure to protect the Customer Proprietary Network Information (“CPNI”) of almost 280,000 customers from several data breaches occurring at third party call centers in Columbia, Mexico, and the Philippines under contract with the Company. AT&T’s civil penalty was accompanied by a Consent Decree in which the Bureau agreed to conclude its investigation into the Company in exchange for AT&T’s agreement to develop and implement a CPNI compliance plan to protect customers against similar data breaches in the future.
What is unique about the AT&T Consent Decree is its focus on data security – specifically AT&T’s failure to implement adequate data protections for its customers’ confidential information. In contrast, up to now, most Bureau actions concerned CPNI compliance, and did not purely involve data security issues.
The rules and regulations governing CPNI protection are contained in Sections 201(b) and 222(c) of the Communications Act of 1934 (the “Act”), and Sections 64.2010(a) and 64.2010(b) of the Commission’s Rules.
First, Section 222(c)(1) of the Act provides that a carrier is only permitted to disclose, access, or use CPNI to provide telecommunications services as necessary, or otherwise authorized by the customer or required by law. Second, Section 64.2010(a) of the Commission’s Rules requires “carriers to take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” Third, Section 64.2010(b) requires a carrier to notify designated law enforcement authorities (i.e., U.S. Secret Service, FBI, and FCC) of a CPNI breach “as soon as practicable, in no event later than seven (7) business days.”
Finally, Section 201(b) of the Act states that “all charges, practices, classifications, and regulations for an in connection with [interstate or foreign] communication service [by wire or radio], shall be just an reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful.” The Commission found in the October 2014 Notice of Apparent Liability for Forfeiture against Terracom, Inc. and YourTel America, Inc. that Section 201(b) prohibited “unjust and unreasonable” data security practices among carriers.
The Bureau noted in the AT&T Consent Decree that the purpose of its investigation of AT&T was to determine whether AT&T had violated any of these CPNI rules and regulations – not data security rules and regulations – as a result of its failure to protect its customers’ CPNI from the Mexico Call Center breach, as well as the potential breaches at call centers in Colombia and the Philippines.
Breach at the Mexico Call Center:
The Bureau’s investigation into AT&T resulted from an internal data breach that occurred between November 2013 and April 2014 at a third party’s call center in Mexico. AT&T self-reported this breach to the Commission via the FCC’s online CPNI breach reporting portal in September 2014 based on an internal investigation into the breach that commenced in April 2014.
In this report, AT&T disclosed that between November 2013 and April 2014, three employees at the Mexico call center impermissibly accessed 68,701 customers’ accounts to obtain “unlock codes”, which appeared on the same account page as the CPNI. AT&T also reported that the information obtained from this breach resulted in the personal information of 51,422 AT&T customers being used to place 290,803 handset unlock requests through the Company’s online customer unlock request portal. Furthermore, AT&T disclosed that at least two employees believed to have engaged in the breach confessed that they sold the CPNI to a third party known to them only as “El Pelon” or “The Bald One.” AT&T subsequently terminated its use of the Mexico Call Center in September 2014.
Breaches in Colombia and the Philippines:
In March 2015, AT&T disclosed to the Bureau that the Company was investigating additional potential data breaches at call centers in Colombia and the Philippines. AT&T reported that it believed that employees at those call centers had accessed customer accounts in order to obtain unlock codes for AT&T mobile phones. AT&T informed the Bureau that based on its investigation, thus far it had identified that roughly 211,000 customer accounts were accessed as a result of the breach, and warned that its continuing investigation could reveal additional instances of such activities. However, AT&T also reported that, as a result of its discovery of the breach, it had changed its unlock policy such that it no longer required employees to access CPNI before providing an unlock code, and was in the process of developing a new monitoring process to identify suspicious account access by call center employees.
AT&T’s Consent Decree:
In addition to imposing a $25 million civil penalty, to be paid within 30 days, the Consent Decree requires AT&T to:
- appoint a Senior Compliance Officer;
- develop and implement a CPNI Compliance Plan;
- develop and implement a CPNI Compliance Manual/ Training Program;
- report non-compliance with the Consent Decree’s terms and conditions to the Bureau within 15 days of its occurrence; and
- file compliance reports with the Commission at 6, 12, 24, and 36 months after the effective date of the Consent Decree.
AT&T further agreed to continue its investigation into the breaches at the call centers in Colombia and the Philippines, and to provide affected customers with written notification that their CPNI had been accessed as a result of the breach.
Basis of the Investigation/ Consent Decree
In concluding its investigation by the Consent Decree, the Bureau did not specifically conclude that the AT&T violated any of the CPNI regulations through its failure to protect its customers’ CPNI from the data breaches. Instead, through the Consent Decree, AT&T agreed not to contest “that its actions that were subject of the Investigation violated Section 222(c) of the Act, and Sections 64.2010(a) and 64.2011(b) of the Commission’s Rules.”
However, unlike the TerraCom NAL, the Bureau failed to demonstrate how Section 201(b)’s prohibition on “unjust and unreasonable” data security practices applied to AT&T’s shortcomings although the section’s applicability is briefly mentioned in the Consent Decree. Furthermore, the Bureau also did not mention in the AT&T Consent Decree whether Section 222(a), which imposes a duty on carriers to protect customer’s confidential information, applied to AT&T as it did to TerraCom, Inc. and YourTel America, Inc. in the TerraCom NAL.
This distinction is notable because while the Bureau found in the TerraCom NAL that the carriers involved violated specific data security regulations (i.e., Sections 201(b) and 222(a)), and fined the carriers involved $10 million, the AT&T Consent Decree was not the result of an investigation into such violations, but, nevertheless, a $25 million civil penalty was imposed upon AT&T on the grounds that it failed to protect its customers’ CPNI from data breaches. It is possible that the reason for the greater magnitude of AT&T’s civil penalty was not based on alleged violations of any specific data security regulations, but the fact that its breach involved more than twice the amount of customers involved in the TerraCom/ YourTel breach.
The Bureau’s action against AT&T clearly demonstrates that the FCC will “not stand idly by when a carrier’s lax data security practices expose personal information.” Instead, the Commission will not hesitate to impose hefty civil penalties and burdensome ongoing compliance obligations – especially when a large number of customers are involved. Thus, despite the unique nature of the grounds governing the AT&T Consent Decree, other carriers should take heed of the Bureau’s actions by reviewing and, if possible, strengthening both its data security and CPNI protection policies and procedures.
Should you have any questions regarding the contents of this Advisory, or require guidance regarding your company’s CPNI regulations, please do not hesitate to contact Linda McReynolds, Certified Information Privacy Professional/U.S. (CIPP/US), at (703) 714-1318, or firstname.lastname@example.org.