Demonstrating an increasing trend of actively pursuing non-traditional violations of its Customer Proprietary Network Information (“CPNI”) and data privacy rules, the FCC reached a settlement last week with Cox Communications, Inc. (“Cox”) in the agency’s first-ever cable privacy enforcement action.[1] The settlement resolved the FCC’s investigation into whether Cox failed to properly protect the confidentiality of its customers’ CPNI, proprietary information (“PI”), and personally identifiable information (“PII”), as well as whether Cox failed to promptly notify law enforcement authorities of security breaches involving CPNI, as required by FCC rules.[2]
The FCC investigation focused on a pretexting ploy that resulted in a breach of Cox’s electronic data systems in August 2014.[3] By pretending to be an employee from Cox’s information technology department, a third party was able to convince Cox employees to enter account ID and password information that allowed the third-party pretexter to gain access to Cox’s data systems.[4] Once in the systems, the third-party pretexter was able to obtain information about Cox’s current and former customers, including their names, home addresses, email addresses, phone numbers, partial Social Security numbers, partial driver’s license numbers, and other account-related data.[5] The third-party hacker then posted a portion of the personal information of at least eight of the affected customers on social media sites, changed the passwords of at least 28 of the affected customers, and shared customer personal information with another alleged hacker.[6]
For its failure to protect customer data and to disclose the breach within the applicable seven (7) business day period, Cox will pay a civil penalty of $595,000 and must develop and implement a compliance plan to protect customer data in the future.[7] Specifically, Cox must improve its privacy and data security practices by designating three corporate officers to assist with the oversight of, implementation of, and compliance with the FCC-mandated compliance plan, which includes, but is not limited to: (i) conducting privacy risk assessments; (ii) implementing a written information security program; (iii) maintaining reasonable oversight of third-party vendors, including implementing multi-factor authentication; (iv) implementing a more robust data breach response plan; and (v) providing privacy and security awareness training to employees and third-party vendors.[8] Cox will also be required to identify all affected consumers, notify them of the breach, provide them with free credit monitoring, and file regular compliance reports with the FCC.[9]
The FCC’s tough stance with Cox evidences a pattern of increasingly strict penalties for cable operators and telecommunications providers that fail to properly protect customer information in violation of the Communications Act of 1934, as amended. Perhaps this year’s most memorable FCC privacy enforcement action occurred in April 2015, when the FCC entered into a $25 million consent decree with AT&T Services, Inc. (“AT&T”) in connection with data breaches at AT&T call centers in Mexico, Colombia, and the Philippines.[10] In that case, at least two AT&T employees engaged in the unauthorized access of customer data and sold the information obtained from the breaches to a third party.[11] The unauthorized access and disclosure resulted in the personal information of 51,422 AT&T customers being used to place 290,803 handset unlock requests through AT&T’s online customer unlock request portal.[12] As with the Cox investigation, the FCC determined that AT&T had not promptly notified law enforcement authorities of the security breaches involving its customers’ sensitive personal and account-related information. Like Cox, AT&T was required to develop and implement a compliance plan to improve its privacy and data security practices by appointing a senior compliance manager who was privacy certified, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and applicable privacy law.
Likewise, in July 2015, the FCC entered into a consent decree with TerraCom, Inc. and YourTel America, Inc. after those companies failed to protect the confidentiality of PI they received from customers who applied to receive Lifeline phone services.[13] The companies’ vendor stored the PI of more than 300,000 customers in clear, readable text on servers that were accessible over the Internet, and the data was neither password protected nor encrypted.[14] It was only after learning that a news reporter had discovered the breach and was preparing to publish an article that TerraCom and YourTel notified the FCC of the breach.[15] To settle the matter, TerraCom and YourTel were found jointly and severally liable and required to pay a civil penalty of $3.5 million.[16] In addition, they were required to develop and implement a compliance plan with conditions almost identical to those imposed on Cox.[17]
The FCC takes consumer privacy seriously. Whether a data/privacy breach occurs due to the unauthorized access of sensitive customer information, failure to encrypt that information, or because of social engineering ploys visited on unwitting employees, cable operators and telecommunications providers that fail to properly protect their customers’ sensitive personal information run the risk of an FCC enforcement investigation, stiff monetary penalties, and the imposition of onerous operational conditions. Dorsey has the knowledge and experience to help cable operators and telecommunications providers create, implement, improve, and maintain data and privacy policies that will keep them off the FCC’s radar and in the business of doing business.
1. In the Matter of Cox Communications, Inc., DA 15-1241, Order (rel. Nov. 5, 2015) (“Cox Order”).
3. Id. Pretexting occurs when a perpetrator adopts the identity of a legitimate person or entity with the goal of obtaining confidential and personal information belonging to the targeted individual. See Federal Bureau of Investigation, “Owner, Employee, and Contractor of Private Investigative Firm Sentenced in Connection with Pretexting” (Dec. 14, 2012), https://www.fbi.gov/sanfrancisco/press-releases/2012/owner-employee-and-contractor-of-private-investigative-firm-sentenced-in-connection-with-pretexting.
4. See generally Cox Order.
9. Id. The three officers required by the consent decree include: (1) a senior corporate manager with the requisite corporate and organizational authority to serve as a Compliance Officer and discharge the duties set forth in the consent decree; (2) a Chief Privacy Officer, who must be privacy certified and who must keep current on privacy laws and issues through appropriate continuing privacy education courses; and (3) a Chief Information Security Officer, who will be responsible for developing, implementing, and administering the compliance plan, including the Information Security Program required by the consent decree.
10. In the Matter of AT&T Services, Inc., DA 15-399, Order (rel. Apr. 8, 2015).
13. In the Matter of TerraCom, Inc., and YourTel America, Inc., DA 15-776, Order (rel. July 9, 2015).
17. Note that the Consent Decree also resolved the FCC’s investigation into whether YourTel violated the Commission’s rules by failing to timely de-enroll ineligible subscribers from its Lifeline service after the Universal Service Administrative Company instructed it to do so.