FCC Fines Prompt AT&T to “Zealously Guard” Customers’ Personal Information

On April 8, 2015, the Federal Communications Commission (“FCC”) announced its largest ever data security settlement requiring AT&T to pay $25 million to resolve an investigation into data security breaches at its call centers in the Philippines, Mexico, and Colombia. AT&T’s privacy violations involved the unauthorized disclosure of the names, full or partial Social Security Numbers, and other protected customer proprietary network information (“CPNI”) of nearly 280,000 U.S. customers.

The initial focus of the FCC’s investigation was a 168-day breach beginning in November 2013 at AT&T’s call center in Mexico, where thousands of customer accounts were accessed and sold without authorization. The buyers, who were likely trafficking in stolen cell phones, submitted nearly 291,000 handset unlock requests to AT&T’s Mexico call center. Similar breaches occurred in Colombia and the Philippines, where a combined total of approximately 211,000 customer accounts were accessed without authorization.

In response, the FCC found that AT&T had violated Sections 222 and 201(b) of the Communications Act (the “Act”) by failing to protect customer data and to timely report the breaches. Section 222 of the Act requires companies like AT&T to take every reasonable precaution to protect customer data, including CPNI, and to take reasonable measures to discover and report attempts to access CPNI, including notifying law enforcement “as soon as practicable, in no event later than seven (7) business days, after reasonable determination of the breach.” Section 201(b) of the Act prohibits unjust and unreasonable practices.

AT&T notified law enforcement of the Mexico call center breach on May 20, 2014, over a month after it began its internal investigation and several months after the breach itself. In an effort to mitigate the breach, AT&T notified the affected customers and the California Attorney General, terminated its relationship with the Mexico call center, mandated the uniform use of partial Social Security Numbers in all call centers, and developed new customer account monitoring and phone access/unlock policies.

The FCC settlement also mandates the implementation of a permanent, strict compliance plan that requires AT&T to:

  1. designate a senior compliance manager who is a certified privacy professional;
  2. complete a privacy risk assessment reasonably designed to identify internal risks of unauthorized access, use, or disclosure of personal information and CPNI;
  3. implement an information security program reasonably designed to protect CPNI and personal information from unauthorized access, use, or disclosure;
  4. prepare a compliance manual to be distributed to all covered employees and vendors; and
  5. regularly train employees on its privacy policies and applicable privacy legal authorities.

AT&T is required to report any noncompliance to the FCC and must file regular compliance reports for the next three years.

The FCC has taken the position that phone companies are expected to “zealously guard” their customers’ personal information and that the FCC “will exercise its full authority against companies that fail to safeguard the personal information of their customers.” This position tracks the trend of active enforcement actions arising from consumer data security breaches over the past year. To that end, companies in possession of CPNI and other protected customer information should heed the consent decree and “look to [it] as guidance” for protecting customer information and avoiding liability under Sections 222 and 201(b) of the Act.

We expect that other telephone companies and carriers will continue to develop and implement heightened security measures in response to this settlement, and that the FCC will investigate those companies that are not in compliance.

Image courtesy of Flickr by Michael Weinberg

Speedy Internet May Cost You More Than Money

On March 30, 2015, AT&T began offering its “GigaPower” service in Cupertino, California. The service is currently offered in a handful of cities across the United States (Austin, Dallas, Fort Worth, Kansas City, Raleigh-Durham, and Winston-Salem), with ten other metro areas planned. GigaPower is promoted as Internet service with “[b]lazing-fast speeds up to 1Gbps,” allowing the user to download twenty-five songs in one second, an HD television show in three seconds, and an HD movie in thirty-six seconds.

The price tag for this super-speed is either $139.00/month, or $110.00/month plus allowing AT&T to monitor your Internet browsing. Thus, AT&T’s customers must choose whether to allow such monitoring or, in effect, pay $29.00 per month for their privacy. AT&T’s “Internet Preferences” analytics program monitors the customer’s web activity and uses that information to target the customer with personalized advertisements, for which AT&T can then charge advertisers. According to an AT&T spokesperson, opting out of the Internet Preferences program ensures that the customer does not receive targeted ads, but AT&T’s privacy policy still allows it to collect information on its customers’ web activity for certain purposes. AT&T has stated that these ads allow it to keep its prices from rising, and that because all of the data is maintained in-house, it will not sell its customers’ information. AT&T claims that the “vast majority” of its customers have opted to participate in the Internet Preferences program.

This comes on the heels of the recent battle over net neutrality, which resulted in the Federal Communications Commission’s February 26, 2015 adoption of “Open Internet” rules. These rules seek to “protect and maintain open, uninhibited access to legal online content without broadband Internet access providers being allowed to block, impair, or establish fast/slow lanes to lawful content.” Given that the federal government has determined that service providers cannot charge web users or websites for entry onto an Internet superhighway “fast” lane, it is unlikely that AT&T will be the only Internet service provider to start charging its customers to maintain their privacy.

Our Privacy & Data Security Group will continue to monitor the implications of AT&T’s recent offering in this regard.

Image courtesy of Flickr by Mike Mozart