The FCC Just Upped the Ante for Communications Providers and the FTC with a $25 Million Fine, a Detailed Information Security Program, and a “Privacy Certified” Compliance Manager
The FCC has been warning communications companies for months that protecting consumer privacy and information security is a top priority, and the recent announcement of a $25 million settlement with AT&T over its alleged failures to adequately protect consumer information are a good indication of the agency’s intent to follow through on its threat with record-setting penalties. The agreement is reminiscent of recent FTC consent orders that require companies to maintain a written information security program, designate a person within the company to oversee the program, and provide employee training on the program. Unlike the FTC, however, the FCC has the ability to levy significant civil penalties for “customer proprietary network information” or “CPNI” violations, which it has done in this instance, along with imposing detailed requirements for AT&T’s information security program going forward, including requiring the company to designate a “privacy certified” compliance officer or managers. With this settlement, the FCC has set new stakes for what it will demand in “reasonable” information security practices. Here’s a look at what this may mean for other companies under the FCC’s expanding jurisdiction and the potential political implications.
Background
This FCC investigation and the resulting Order and Consent Decree relate to alleged consumer privacy violations at AT&T’s internal and outsourced call centers in Mexico, Colombia and the Philippines. The FCC alleged that AT&T’s data security measures for these internal systems failed to prevent or timely detect this large and ongoing breach. According to the Consent Decree, a number of employees at these call centers used their login credentials to access the names and partial Social Security numbers of about 280,000 customers. Although the call center employees could see subscribers’ full nine-digit Social Security numbers, AT&T did not find any evidence that the full Social Security numbers were used, but AT&T subsequently masked the full Social Security numbers. The call center workers then sold the names and last four-digits of the Social Security numbers to third parties who are believed to have used this information to place unlock requests for mobile phones through AT&T’s online portal.
The Consent Decree indicates that AT&T found no evidence that these employees actually used or disclosed any CPNI in connection with this data breach, but CPNI was “accessed” because the unlock codes appeared on the same account page as the customers’ CPNI. The FCC began investigating in May 2014 after AT&T submitted a breach notice to the FCC’s CPNI breach portal and to the California Attorney General. AT&T commenced its investigation of the breach on April 3, 2014 and was aware from the outset that these account systems contained CPNI but did not submit a CPNI breach notification to the FCC until more than forty-five days later. The FCC’s rules require telecommunications carriers to report via the FCC’s CPNI breach Portal any “breach” of its customers’ CPNI “as soon as practicable, in no event later than seven (7) business days, after reasonable determination of the breach ....” See 47 CFR § 64.2011(b). Section 64.2011(e) defines a “breach” as occurring whenever “a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI” (emphasis added). Unauthorized access alone, even without subsequent use or disclosure, is enough to be considered a breach under the FCC’s CPNI rules.
The Consent Decree also disclosed that AT&T employees had discovered suspicious activity in December 2012 and again in January 2013, namely that two different employees in the same outsourced Mexican call center may have provided customer information to unauthorized persons. AT&T did not classify either occurrence as a CPNI breach at the time because it concluded that those earlier incidents did not entail the use or disclosure of CPNI. However, during its April 2014 breach investigation, AT&T re-examined these earlier incidents and belatedly reported them to the FCC in September 2014. AT&T’s investigation at the Colombia and Philippines call centers is still ongoing and could reveal that additional accounts were compromised.
The Terms of the Consent Decree
While $25 million in civil penalties makes headlines, the Consent Decree contains several other terms that, while similar to recent requirements from FTC data security enforcement actions, have their own nuances.
Written Information Security Program
As part of the settlement, the FCC required AT&T to conduct a risk assessment and then implement and maintain a written information security program designed to address the risks identified. Under the Consent Decree, the information security program must include:
- Administrative, technical, and physical safeguards;
- Third-party service provider oversight;
- Access management, to ensure that only those authorized individuals with a legitimate business need have access to CPNI and Personal Information;
- Processes to detect and respond to suspicious or anomalous account activity; and
- A comprehensive breach response plan;
- Ongoing monitoring and assessments to ensure the effectiveness of the program;
- Compliance manuals and training to be provided to employees and service providers (where permitted by contract).
Privacy Certified Compliance Officer
In addition to the information security program, AT&T must designate a senior corporate manager to serve as the program’s compliance officer, who will be accountable for developing, implementing and administering the requirements of the Consent Decree, including the ongoing information security program. The FTC has consistently required the designation of an employee or employees to coordinate and be responsible for the security program, but the FCC has gone a step further and required that, in addition to possessing general knowledge of communications laws, the compliance officer must have specific knowledge of information security principles and practices, and he or she (or managers reporting to him or her) must be “privacy certified by an industry certifying organization.”
Increased Oversight of Third-Party Service Providers
Not only does the Consent Decree require up-front due diligence and care in selecting vendors, but it also requires clear communications to AT&T’s service providers regarding information security expectations through contractual provisions and by sharing AT&T’s required compliance manual. In addition, the Consent Decree requires AT&T to request (and sometime require) its service providers to take the AT&T information security program training. All of this must be accompanied by continuous monitoring and enforcement of service providers.
Implications of the Consent Decree
The FCC’s Expanded Scope
With this settlement, as well as a recent enforcement action described below, the FCC appears to be intent on sending a strong message to the industry about its expectations in the privacy and data security area—even though its actions go far beyond any rules that are currently on the books. After all, the Commission still has an open rulemaking where it asked for comment on the appropriate security standards for CPNI. And, until this past October, the FCC never claimed authority to penalize service providers for data breaches that did not involve the use or disclosure of CPNI, which is authorized under section 222(c) of the Communications Act. CPNI is defined as individually identifiable bill information, telephone call detail, and information relating to “the quantity, technical configuration, type, destination, location and amount of use” of a telecommunications service that the provider possesses by virtue of the carrier-customer relationship. In fact, the FCC has never proposed or adopted rules governing private customer information other than CPNI.
But in the last six months, and without rules, the FCC has expanded the scope of its consumer protection activities and interpreted Section 222 as giving the agency authority over all “proprietary” customer information under subsection 222(a) of the Act. In a still-unresolved “notice of apparent liability for forfeiture” issued in October 2014, the FCC proposed to impose a $10 million forfeiture on two affiliated “Lifeline” telephone service providers, TerraCom and YourTel America, for an alleged failure to employ reasonable data security practices with respect to non-CPNI applicant information. (At the same time, the FCC asserted that other companies are now on notice of the Commission’s broader view of its authority under Section 222.) Then, as described further below, this February the FCC asserted this new-found authority over broadband internet access providers (see below and here); and now, tucked into the “definitions” recital of the new Consent Decree, is the following statement:
"Personal Information" means either of the following: (1) an individual’s first name
or first initial and last name in combination with any one or more of the following
data elements, when either the name or the data elements are not encrypted: (A)
Social Security number; (B) driver's license number or other government-issued
identification card number; or (C) account number, credit or debit card number, in
combination with any required security code, access code, or password that would
permit access to an individual’s financial account; or (2) a user name or email
address, in combination with a password or security question and answer that would
permit access to an online account.
In so doing, the FCC not only introduces a new definition of “personal information” over which it asserts authority (beyond CPNI), but it also borrows from several state data breach notification statutes that exempt similarly encrypted data from their scope. While the FCC has previously stated that it “does not specifically require carriers to encrypt their customers’ CPNI,” this new definition of “personal information” indicates that encryption may now be a requirement. While this definition may set a new “reasonableness” standard for “personal information,” it leaves uncertainty as to what additional data the Commission believes should be encrypted and in what circumstances – questions that could and should be resolved in its pending rulemaking.
Interestingly, while in this new Consent Decree the FCC claims authority over providers’ handling of non-CPNI “proprietary” and “personal” information under both sections 201 and 222 of the Communications Act, AT&T does not indicate agreement with these claims or admit liability (as the Enforcement Bureau has often insisted in recent settlements) for violation of these statutory provisions. Instead, it “does not contest” only that its actions violated the CPNI provisions of subsection 222(c) of the Act and the FCC’s CPNI rules.
Strict liability?
The FCC’s actions not only assert new authority—and arguably usurp the FTC’s heretofore primary authority—to police data breaches; they also seem to tilt toward adoption of a “strict liability” standard with respect to such breaches. In both the TerraCom/YourTel forfeiture proposal and the new Consent Decree here with AT&T, the FCC has cited the providers for the occurrence of a data breach, without a finding of actual harm to affected consumers. This appears contrary to the long-standing view of the FTC and many state laws that the mere occurrence of a data breach does not necessarily indicate a violation of law.
The FCC’s Expanded Jurisdiction
In the FCC’s recent Open Internet Order, the agency not only reclassified broadband Internet access service as a Title II/common carrier service, but also expressly declined to forbear from applying the privacy requirements of Section 222 of the Act. As a result, broadband providers are, absent a stay or a reversal in the courts, now—like wireline and wireless telephone carriers—subject to the FCC’s expanding assertion of jurisdiction over privacy and data security. While the FCC has promised workshops and more rulemaking in this area, it remains to be seen how far it will go in defining what it determines to be “reasonable” privacy and security practices and policies. It will also bear watching to see whether the FCC will attempt to expand its regulatory jurisdiction beyond broadband Internet access providers to include edge-providers, as recently speculated by Commissioner O’Rielly.
The FCC’s Expanded Role in Consumer Protection and Data Security Enforcement
It is very evident that the FCC sees itself on par with the FTC in this area, using its authority under Section 201(b) of the Communications Act to police “unjust and unreasonable” practices in the same manner the FTC uses its Section 5 authority to police “unfair and deceptive” practices. What remains unclear is how the FCC will complement or compete with the FTC’s enforcement activities, and whether entities will be subject to one or the other, or both. A recent federal court decision found that the FTC common carrier exemption applies only when the common carrier is actually engaged in common carrier activity, but it is unclear whether protecting consumer privacy and information security is a common carrier activity. If Federal breach legislation passes, perhaps it will clarify the two agencies’ roles.