The Federal Communications Commission (FCC) has reached a $25 million settlement with AT&T Services, Inc. that will resolve an investigation into consumer privacy violations at AT&T’s call centers in Mexico, Colombia, and the Philippines. The AT&T data breach involved the unauthorized disclosure of almost 280,000 U.S. customers’ names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI).
The Enforcement Bureau at the FCC began its investigation in May of 2014 at an AT&T call center in Mexico. The investigation by the Bureau revealed that from November 2013 to April 2014, AT&T call center contractors in Mexico, Colombia, and the Philippines collected personal information of subscribers without any authorization. During this period, three call center employees were paid by third parties to obtain customer information – specifically, names and at least the last four digits of customers’ Social Security numbers.
The call center employees then sold the data to unauthorized third parties who used the data to submit nearly 300,000 requests for handset unlock codes for AT&T mobile phones through AT&T’s online customer unlock request portal. These unauthorized third parties were allegedly trafficking in stolen cell phones or secondary market phones and used the codes to unlock the stolen phones. The three call center employees accessed more than 68,000 accounts without customer authorization.
AT&T, as a result of the settlement with the FCC, must now pay a $25 million civil penalty. AT&T will also be required to notify all of its customers whose accounts were accessed without authorization. Additionally, AT&T will be required to pay for credit monitoring services for all consumers affected by the breaches in Colombia and the Philippines.
According to the FCC, AT&T is now required to appoint a senior compliance manager in order to improve its privacy and data security practices. AT&T will be tasked with conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities. AT&T will also be required to file regular compliance reports with the FCC.
The FCC has made it very clear through this settlement that it expects telecommunications carriers to take “every reasonable precaution” to protect their customers’ data. The FCC’s April 8, 2015, press release quoted FCC Chairman Tom Wheeler as saying:
As the nation’s expert agency on communications networks, the Commission cannot — and will not —stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud.
As this action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers. That is good news. This $25 million settlement is the FCC’s largest privacy and data security enforcement action to date. In the past year, the FCC has taken five major enforcement actions valued at more than $50 million in order to protect consumer privacy and data security. The failure to reasonably secure customers’ personal information violates a carrier’s duty under Section 222 of the Communications Act, and also constitutes an unjust and unreasonable practice in violation of both state and federal laws.
If you need more information on this matter, contact Alison Hawthorne, a lawyer in our Consumer Fraud/Commercial Litigation Section, at 800-898-2034 or by email at Alison.Hawthorne@beasleyallen.com.
Sources: Law360 and FCC’s April 8, 2015 Press Release
Contact us today for a free legal consultation with an experienced attorney.
Fields marked *may be required for submission.
If you would like to subscribe to the Jere Beasley Report digital edition, simply visit our Subscriptions page and provide the necessary information or call us at 800-898-2034.
Attorney Advertising - Prior results do not guarantee a similar outcome.