The Federal Communications Commission (FCC) announced yesterday that it has entered into a settlement with AT&T Services, Inc. as a result of the FCC’s investigation of a series of data breaches during 2013 and 2014 at AT&T call centers in Mexico, Colombia, and the Philippines. As part of the settlement, AT&T must pay a $25 million civil money penalty — the largest penalty ever imposed by the FCC for data privacy and security concerns — provide data breach notification to affected customers, and offer those customers credit monitoring services.
The data breaches involved over 40 employees who stole sensitive personal information from almost 300,000 AT&T customer accounts and sold that information to third parties who later committed fraud with the information.
The FCC viewed the company’s failure to properly secure the customer account information as an unjust and unreasonable practice in violation of Section 201 of the Federal Communications Act of 1934 and as a violation of the carrier’s obligations under Section 222 of that Act. The Consent Order in this case is available here.
This action follows an earlier FCC settlement in October 2014 with two other telecommunications companies, TerraCom, Inc. and YourTel America, Inc., over failures by those companies to properly secure customers’ personal information, which led to a combined fine of $10 million. Taken together, these cases affirm that the FCC intends to increase its focus on data privacy and security issues and that there will be additional privacy and security compliance pressures for businesses in the telecommunications sector.
For more information on Data Enforcement, contact your Cybersecurity and Data Privacy Counsel at Smith, Gambrell & Russell.