FCC fines AT&T $25M: Agency’s largest cyber enforcement
By Sue Reisinger, From Corporate Counsel
Besides paying a record $25 million penalty, AT&T Services Inc. must hire a senior compliance officer, conduct a privacy risk assessment and undertake several other reforms after it settled a cyberbreach case involving personal data of nearly 280,000 customers.
The settlement was detailed in a consent decree between the company and the Federal Communications Commission (FCC) last week. The agency called it the “largest privacy and data security enforcement action to date.”
The breaches occurred at three separate call centers in Mexico, Colombia and the Philippines, according to the consent document. And they involved the unauthorized disclosure of customers’ names, full or partial Social Security numbers and unauthorized access to protected account-related data, the FCC said.
James Talbot, an AT&T in-house attorney based in Washington, D.C., informed the FCC in January that the company had terminated its use of the Mexico call center on Sept. 28, 2014. Talbot could not be reached for comment Monday.
But AT&T spokesman Michael Balmoris released this statement to CorpCounsel.com: “Protecting customer privacy is critical to us. We hold ourselves and our vendors to a high standard. Unfortunately, a few of our vendors did not meet that standard, and we are terminating vendor sites as appropriate.”
Balmoris continued, “We’ve changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information.”
The FCC was especially critical of AT&T’s security measures in the Mexico call center. “In this case, those measures failed to prevent or timely detect a large and ongoing data breach” that lasted 168 days, the agency said.
“As the nation’s expert agency on communications networks, the commission cannot—and will not—stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom Wheeler in a statement last week. “As [this] action demonstrates, the commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”
The FCC said the data was used by unauthorized third parties to unlock mobile phones that were stolen or sold in a secondary market. In Mexico, the third party was identified only as “El Pelon,” Spanish slang for “the bald guy.”
The three-year consent decree calls for AT&T to report any future noncompliance or data breaches within 15 days after their discovery.
Among other deal terms, AT&T agreed to:
Hire a privacy-certified compliance officer within 30 days.
Implement a compliance plan within 90 days.
Conduct a risk assessment within 90 days to evaluate existing policies and safeguards that control the risk of unauthorized access and disclosures.
Create an information security program designed to protect personal information.
Implement an ongoing monitoring program to identify and respond to new or emerging risks.
Develop and distribute a compliance manual within 120 days.
Conduct a full compliance review by certified professionals within 150 days.
Establish a compliance training program for employees and require vendors to train their employees in compliance as well.
Notify certain affected customers of the breach and provide free credit-monitoring services.