TracFone Reaches $16 Million Settlement with FCC Over CPNI Breaches; FCC Highlights Importance of API Security
On Monday, the Federal Communications Commission (FCC, Commission) announced a significant settlement with TracFone Wireless, resolving investigations into the carrier’s data protection and cybersecurity practices. This development carries important implications for telecommunications providers and emphasizes the growing importance of API security. The settlement, formally called a Consent Decree, is available here.
Key Settlement Details:
- TracFone will pay a $16 million civil penalty.
- The settlement addresses three data breaches occurring between January 2021 and January 2023.
- These breaches involved the exploitation of application programming interfaces (APIs), resulting in unauthorized access to customer proprietary information (PI), including certain customer proprietary network information (CPNI) and personally identifiable information (PII), as well as unauthorized port-outs.
Regulatory Context:
The FCC’s action underscores violations of Sections 201 and 222 of the Communications Act and FCC rules, which require carriers to:
- Reasonably protect customers’ proprietary information
- Obtain customer approval before using, disclosing, or permitting access to individually identifiable CPNI
- Take “every reasonable precaution” to safeguard customers’ proprietary or personal information
- Take reasonable measures to discover, report, and protect against attempts to access CPNI without authorization
Consent Decree Provisions:
In addition to a $16 million civil penalty, TracFone must implement:
- A comprehensive information security program with novel provisions to reduce API vulnerabilities, aligned with widely accepted standards such as those from NIST and OWASP.
- Enhanced Subscriber Identity Module (SIM) change and port-out protections.
- Annual assessments of its information security program, including assessments by independent third parties.
- Privacy and security awareness training for employees and relevant third parties.
API Security
Today’s software applications present a user-friendly interface that masks an intricate web of interconnected components. These components communicate through APIs, which serve as a common language for different parts of the software to interact.
When a user accesses a website, numerous API requests are working behind the scenes, coordinating various elements to deliver a seamless experience. While this modular approach enhances software flexibility and functionality, it also significantly expands the potential vulnerabilities that malicious actors could exploit.
Without robust protection measures, each API endpoint becomes a potential entry point for attackers who may attempt to execute unauthorized actions or access private information, including sensitive consumer data.
The widespread use of APIs, combined with their potential access to valuable consumer information, makes them an attractive target for cybercriminals. As a result, organizations must prioritize API security and implement stringent protective measures to safeguard their systems and user data.
In light of these risks, it is crucial for businesses to subject their API infrastructure to heightened security scrutiny and adopt best practices in API protection.
Implications for the Industry:
This settlement highlights the FCC’s increased focus on data protection and cybersecurity in the telecommunications sector. The emphasis on API security is particularly noteworthy, as APIs have become ubiquitous in modern network architectures and represent a common attack vector.
The FCC’s action follows the Commission’s issuance of nearly $200 million in fines against the nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that sensitive information against unauthorized disclosure.
In 2023, FCC Chairwoman Rosenworcel established the Privacy and Data Protection Task Force, an FCC staff working group that coordinates the agency’s rulemaking, enforcement, and public awareness work on privacy and data protection, including data breaches (such as those involving telecommunications providers) and vulnerabilities in regulated communications providers’ privacy and cybersecurity practices.
Conclusion:
The TracFone settlement serves as a stark reminder of the critical importance of robust data protection and cybersecurity measures in the telecommunications industry. Companies should review and strengthen their API security practices to mitigate risks and ensure compliance with regulatory expectations.
We recommend that clients conduct a thorough review of their current API security measures and consider implementing enhanced protections in line with the best practices outlined above. Our firm stands ready to assist in navigating these complex regulatory and technical challenges.
NEED HELP WITH PRIVACY LAW COMPLIANCE?
The CommLaw Group Can Help!
If your company has questions about its data privacy obligations under state and federal laws and FCC rules or would like to reassess its data collection and processing practices in compliance with state regulation, please contact us:
Linda McReynolds – Tel: 703-714-1318 / E-mail: lgm@commlawgroup.com
Diana James – Tel: 703-663-6757 / E-mail: daj@commlawgroup.com