The Federal Communications Commission asserted its information privacy authority Wednesday by reaching a settlement with AT&T—over data breaches at a trio of call centers—that includes a $25 million fine.
“It's big,” J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), told SCMagazine.com Wednesday of the fine, which the FCC says is its largest ever for an information security or privacy concern. “$25 million is not insignificant,” Hughes said, noting that the sum could possibly be the largest of its kind not just at the FCC but in the U.S.
With the whopper of a fine and a bevy of requirements that AT&T must meet as part of the settlement, the FCC is sending out a clear message to companies that it is serious about enforcement of privacy issues. “Consumers trust that their phone company will zealously guard access to sensitive personal information in customer records,” Travis LeBlanc, chief of the FCC's Enforcement Bureau, said in a press release. “Today's agreement shows the Commission's unwavering commitment to protect consumers' privacy by ensuring that phone companies properly secure customer data, promptly notify customers when their personal data has been breached, and put in place robust internal processes to prevent against future breaches.”
Breaches at AT&T call centers in Colombia, the Philippines and Mexico in 2013 and 2014 disclosed the names and full or partial Social Security numbers of 280,000 AT&T customers and led to unauthorized access to protected account information.
Call center workers used that information to obtain codes to unlock handsets of AT&T phones and also shared it with others outside the company in a stolen cell phone-trafficking scheme.
After the FCC began investigating a 168-day breach at call centers in Mexico, AT&T alerted the commission to breaches in its facilities in the other two countries.
The bold enforcement action is “an indication of the FCC's arrival as a cop on the block” when it comes to privacy, said Hughes, with the commission claiming its regulatory authority in an area where the Federal Trade Commission (FTC) has been on the beat for quite some time.
The FCC's actions will not dilute the FTC's efforts or authority in data privacy and security matters. But they do underscore the commission's commitment to playing a larger role and giving teeth to enforcement actions, something the FCC has been gearing up for with the hiring of LeBlanc, whom Hughes termed “a real groundbreaking privacy enforcer,” from the California Attorney General's consumer privacy division, as well as a recent $10 million fine levied against TerraCom and Yourtel and its rulings on net neutrality.
“In making the net neutrality decisions, the FCC took common carriers out of the FTC authority and put them into FCC regulatory authority,” said Hughes. “We see a very active FCC with a clear goal.”
The settlement with AT&T was significant, too, he added, because “it actually acknowledged that you need human beings,” certified privacy professionals, within companies to execute the operational requirements typically imposed on organizations to comply with enforcement actions.