Out-Law News 2 min. read

AT&T to pay record $25m data breach fine to US regulators


US mobile network AT&T has been fined $25 million by the country's Federal Communications Commission (FCC) following a data breach that affected almost 280,000 of its customers.

Under the terms of the settlement, the firm will also have to notify all customers affected by the breach and pay for credit monitoring services for those whose data has been put at risk. It will also have to appoint a senior compliance manager, who will report regularly to the FCC, to oversee its privacy and data security policies.

The action taken against AT&T is the FCC's "largest privacy and data security enforcement action to date", the regulator said. It comes after employees at call centres used by the firm in Mexico, Colombia and the Philippines accessed customer records without authorisation, and passed some of the information on to "unauthorised third parties who appear to have been trafficking in stolen cell phones", according to the FCC's enforcement report.

"As the nation's expert agency on communications networks, the Commission cannot – and will not – stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," said FCC chairman Tom Wheeler. "As today's action demonstrates, the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers."

Under the US Communications Act, network carriers have a legal duty to "reasonably secure" customers' personal information. According to the FCC's enforcement report, AT&T's breach was also an "unjust and unreasonable practice" under a separate section of the Act and breached regulatory rules requiring carriers to "take reasonable measures to discover, report and protect against attempts to access" account-related data without authorisation.

In May 2014, the FCC began investigating a 168-day data breach that took place at a call centre used by AT&T in Mexico. It found that three call centre employees were paid by third parties to obtain customer names and the last four digits of their social security numbers, which could then be used to submit online requests for codes to 'unlock' mobile handsets tied to the network. Between November 2013 and April 2014, the employees accessed more than 68,000 accounts to obtain information used to submit 290,803 unlock requests, according to the FCC.

During the course of this investigation, AT&T informed the FCC of further data breaches at call centres in Colombia and the Philippines. An additional 211,000 customer accounts were accessed for data needed to obtain unlock codes by around 40 employees at these two call centres, according to the FCC's report.

AT&T said in a statement that it was "terminating vendor sites as appropriate" following the FCC's investigation.

The FCC has issued fines worth over $50 million combined against firms for consumer privacy and data security breaches over the past year, the regulator said. These include a $7.5m settlement with Sprint in May 2014 to resolve an investigation into the company's failure to honour consumers' 'do not call' and 'do not text' requests, and a $7.4m settlement with Verizon to address the company's unlawful marketing to two million customers without their consent or notification of their privacy rights.
