The FCC has been warning communications companies for months that protecting consumer privacy and information security is a top priority, and the recent announcement of a $25 million settlement with AT&T over its alleged failures to adequately protect consumer information are a good indication of the agency’s intent to follow through on its threat with record-setting penalties.
The agreement is reminiscent of recent FTC consent orders that require companies to maintain a written information security program, designate a person within the company to oversee the program, and provide employee training on the program. Unlike the FTC, however, the FCC has the ability to levy significant civil penalties for “customer proprietary network information” or “CPNI” violations, which it has done in this instance, along with imposing detailed requirements for AT&T’s information security program going forward, including requiring the company to designate a “privacy certified” compliance officer or managers.
With this settlement, the FCC has set new stakes for what it will demand in “reasonable” information security practices. Here’s a look at what this may mean for other companies under the FCC’s expanding jurisdiction and the potential political implications.
Continue reading here.