T-Mobile Settles with FCC for $15,750,000 Over CPNI Breaches and Commits to Spending Another $15,750,000 on Cybersecurity
T-Mobile US, Inc. has entered into a Consent Decree with the Federal Communications Commission’s (FCC) Enforcement Bureau to resolve investigations into multiple data breaches and privacy violations that occurred between 2021 and 2023. These incidents affected millions of current, former, and prospective T-Mobile customers, as well as customers of mobile virtual network operators (MVNOs) using T-Mobile’s network infrastructure.
Key Alleged Violations
The FCC’s investigation focused on several alleged violations by T-Mobile:
- Failure to protect customer proprietary information (PI)
- Unauthorized use, disclosure, or access to customer proprietary network information (CPNI)
- Inadequate measures to prevent unauthorized access to CPNI
- Unjust and unreasonable information security practices
- Misrepresentations to customers regarding information security practices
The FCC alleged that this conduct breached T-Mobile’s statutory duties under the Communications Act of 1934, as amended (notably Section 222, which governs customer proprietary information and CPNI, and Section 201(b), which requires just and reasonable practices), and the FCC’s CPNI rules, which together require telecommunications carriers to protect customer information and to maintain just and reasonable information security practices.
Settlement Terms
To resolve the investigations, T-Mobile has agreed to the following terms:
- Financial Penalties:
  - $15,750,000 civil penalty
  - An additional $15,750,000 to be invested over the next two years in strengthening T-Mobile’s cybersecurity program, on top of the penalty
- Compliance Plan: T-Mobile must develop and implement a plan to protect consumers against future data breaches.
- Cybersecurity Improvements: T-Mobile is required to enhance its privacy, data security, and cybersecurity practices through several measures:
  - Corporate Governance: T-Mobile’s Chief Information Security Officer must report regularly to the Board of Directors on the company’s cybersecurity posture and the business risks posed by cybersecurity
  - Zero-Trust Architecture: Moving toward a modern “zero trust” architecture and segmenting its networks
  - Identity and Access Management: Broadly adopting multifactor authentication (MFA), including phishing-resistant MFA
  - Data Management: Adopting data minimization, data inventory, and data disposal processes
  - Critical Asset Inventory: Identifying and tracking critical network assets
  - Third-Party Assessments: Commissioning independent assessments of its information security practices
Implications and Future Accountability
The FCC notes that implementing these required changes will likely cost substantially more than the civil penalty itself, and the Commission intends to hold T-Mobile accountable for carrying them out so that the company meets its statutory and regulatory obligations.
This Consent Decree aligns with a broader government strategy to shift the consequences of poor cybersecurity away from consumers and onto service providers. The FCC’s action serves as a clear signal to the telecommunications industry about the importance of robust data protection and cybersecurity practices.
Conclusion
The T-Mobile Consent Decree underscores the FCC’s commitment to enforcing privacy and data security regulations in the telecommunications sector. Clients are encouraged to review their own practices in light of this development and consider proactive measures to enhance their cybersecurity and data protection protocols.
NEED HELP WITH DATA PRIVACY AND SECURITY LAW COMPLIANCE?
The CommLaw Group Can Help!
If your company has questions about its data privacy and security obligations under state and federal laws and FCC rules, or would like specific guidance on implementing the data security and privacy measures described above, please contact:
Diana James – Tel: 703-663-6757 / E-mail: daj@commlawgroup.com