$13 MILLION SETTLEMENT: FCC Resolves Investigation Into AT&T Data Breach With Consent Decree
Friday, September 20, 2024

On September 17, 2024, the Federal Communications Commission (“FCC”) announced a $13 million settlement with AT&T, resolving an investigation by the FCC’s Enforcement Bureau into whether AT&T failed to adequately protect customer information during a data breach involving one of its vendors.

Background

AT&T hired a third-party vendor to create and host personalized videos for its customers, including billing and marketing content. The contract stated that the vendor had to return or destroy customer data when it was no longer needed. However, AT&T did not enforce this requirement and failed to ensure that the vendor handled customer information properly.

In January 2023, threat actors exfiltrated AT&T customer information from the vendor’s cloud database, bringing to light concerns about the company’s privacy and security practices. The FCC’s investigation examined whether AT&T failed to protect customer information and whether its practices around cybersecurity, privacy, and vendor management were reasonable in light of the breach.

Settlement and Consent Decree

As part of the settlement, AT&T has entered into a Consent Decree with the FCC. In addition to the $13 million civil penalty, the Consent Decree commits AT&T to bolstering its data governance practices, with a focus on supply chain integrity and improving its processes for handling sensitive data.

The aim is to ensure that AT&T, as well as its vendors, take the necessary precautions to safeguard customer information and prevent similar breaches in the future.

Key Reforms in AT&T’s Privacy and Data Security Practices

The Consent Decree’s expansive consumer privacy and data protection terms include requirements to:

  • Enhance tracking of customer data as part of a data inventory program;
  • Require vendors to adhere to retention and disposal obligations;
  • Implement multifaceted vendor controls and oversight;
  • Implement a comprehensive Information Security Program to include broad customer data protections; and
  • Conduct annual compliance audits.

These “Consumer Privacy Upgrades” are designed to address the vulnerabilities that led to the breach and will likely require AT&T to make considerable investments into its data security infrastructure. Implementation and compliance will be monitored by the FCC.

The FCC’s Broader Focus on Privacy and Data Protection

The settlement highlights the FCC’s commitment to holding carriers accountable for the actions of their vendors. Enforcement Bureau Chief Loyaan A. Egal echoed this sentiment, stating that the settlement sends a strong message “(T)hat the Enforcement Bureau will not hesitate to take action against service providers that choose to put their customers’ data in the cloud, share that data with their vendors, and then fail to be responsible custodians of that data.”

FCC Chairwoman Jessica Rosenworcel emphasized the role of carriers in protecting customer data, saying that “The Communications Act makes clear that carriers have a duty to protect the privacy and security of consumer data, and that responsibility takes on new meaning for digital age data breaches.”

In 2023, Chairwoman Rosenworcel had established the Privacy and Data Protection Task Force, a working group focused on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors, including vulnerabilities involving third-party vendors that service regulated communications providers.

Conclusion

The FCC’s settlement with AT&T marks a significant step in addressing the complex challenges of data security and vendor oversight in the telecommunications sector. This settlement sets an important precedent for other telecommunications companies to follow and highlights the need for enhanced security practices across the industry.

You can read the consent decree here: In the Matter of AT&T Services Inc.
