AT&T Agrees to $13M Settlement Following Vendor’s Data Breach; FCC Emphasizes Data Security and Vendor Management Obligations for All Voice Providers
The Federal Communications Commission (FCC, Commission) today announced a $13 million settlement with AT&T (Company) to resolve an investigation into the company’s supply chain integrity and data protection practices. This settlement serves as a crucial reminder that all telecommunications providers, regardless of size, are responsible for safeguarding customer data shared with vendors. The Consent Decree is available for review here.
Applicable Law
The Communications Act of 1934, as amended (Act), and the FCC’s rules require carriers to protect consumers’ personal information from unauthorized access, use, or disclosure. The Act also makes carriers liable for the acts and omissions of their agents acting within the scope of their employment, so a carrier remains responsible for what its vendors and contractors do with the customer data it shares with them.
Carriers are expected to meet the requirements of the Act and the Commission’s rules, including taking “every reasonable precaution” to protect customers’ proprietary or personal information. This includes implementing reasonable practices for cloud security, data retention and disposal, and vendor oversight.
Settlement’s Background
The breach occurred in 2023 when threat actors accessed the cloud environment of one of AT&T’s vendors and ultimately exfiltrated AT&T customer information that the Company had previously shared with that vendor. The incident revealed a critical oversight: under the vendor’s agreements with AT&T, the vendor should have destroyed or returned this sensitive data years earlier, but it had not.
The FCC found that AT&T failed to ensure its vendor adequately protected that customer information; instead, it remained in the vendor’s cloud environment for many years after it should have been deleted or returned to AT&T and was ultimately exposed in the 2023 breach.
Details of the Settlement
AT&T has agreed to pay a civil penalty of $13,000,000 and commit to strengthening its data governance practices to protect consumers’ sensitive data against future vendor data breaches. The settlement includes several key commitments:
- Broad Customer Information Protections: AT&T will protect Customer Proprietary Network Information (CPNI) and other sensitive personal information, limiting vendor access to that data and requiring its disposal when no longer needed.
- Comprehensive Information Security Program: AT&T will implement a program designed to protect the security, confidentiality, and integrity of customers’ information.
- Multifaceted Vendor Controls and Oversight: The company will enhance due diligence in vendor selection, require vendors to employ safeguards for customer information, limit vendor access to and storage of customer data, and conduct enhanced vendor oversight.
- Data Inventory Program: AT&T will improve its data inventory processes to track what customer data has been shared with which vendors, so that it can identify and act on affected data quickly if a vendor is compromised.
- Data Retention and Disposal: Vendors will be required to adhere to retention and disposal obligations for customer information, limiting the amount of customer data that remains exposed in vendor environments.
- Annual Compliance Audits: AT&T will conduct yearly audits to evaluate compliance with the Consent Decree, including information security and vendor information security requirements.
Implications for Smaller Providers
While this settlement involved a major carrier, the FCC’s message is clear: all providers, including smaller Voice Service Providers (VSPs), are responsible for protecting customer data shared with vendors. The Communications Act of 1934 makes carriers responsible for the acts of their agents and contractors.
Best Practices for Mitigating Data Security Risks
- Conduct regular audits of vendor data handling practices
- Implement and enforce clear data retention and disposal policies for data shared with vendors, and verify that vendors actually return or destroy the data when the retention period ends rather than relying on the contract term alone
- Provide ongoing training and reminders to vendors about data security obligations
- Adhere to principles of data minimization and purpose limitation
- Implement robust vendor oversight mechanisms
- Develop and maintain a comprehensive Information Security Program
Conclusion
This settlement serves as a wake-up call for all telecommunications providers to prioritize data security and vendor management. By implementing strong data governance practices and maintaining vigilant oversight of vendors, companies can better protect their customers’ sensitive information and mitigate the risk of costly data breaches.
NEED HELP WITH DATA PRIVACY AND SECURITY LAW COMPLIANCE?
The CommLaw Group Can Help!
If your company has questions about its data privacy and security obligations under state and federal laws and FCC rules or would like specific guidance on implementing the data security and vendor management best practices listed above, please contact us:
Linda McReynolds – Tel: 703-714-1318 / E-mail: lgm@commlawgroup.com
Diana James – Tel: 703-663-6757 / E-mail: daj@commlawgroup.com