Burners and Backdoors: The FCC’s $16 Million Settlement with TracFone for Breaches of Customer-Facing APIs
Wednesday, July 31, 2024

Last week, the FCC’s Enforcement Bureau (“Enforcement Bureau”) entered into a consent decree (“Consent Decree”) with prepaid calling provider TracFone Wireless (“TracFone”), addressing TracFone’s failure to adequately safeguard customer proprietary network information (“CPNI”). In the Consent Decree, TracFone agreed to pay a $16,000,000 civil penalty along with a series of comprehensive directives to mitigate network vulnerabilities. 

Key Takeaways: The Consent Decree represents yet another enforcement action against a mobile carrier resulting from a data breach carried out by threat actors accessing CPNI. We see three key takeaways from the Consent Decree:

  • The Consent Decree signals that the FCC’s current focus on consumer privacy and data protection—areas not typically the focus of previous administrations—remains a high priority for the Enforcement Bureau. Mobile carriers (including their resellers and MVNOs) and telecommunications providers should be aware of the FCC’s CPNI rules and the potentially large fines that can accrue as a result of data breaches.
  • In particular, operators (and the third-party vendors who often monitor network security) should maintain heightened awareness around the security of their application programming interfaces (APIs) and any suspicious customer port-out requests. In light of the FCC’s new rules around customer port-outs, telecom providers should ensure their customer authentication processes are not vulnerable to attacks from threat actors.
  • Operators should continue to act expeditiously to address and remediate any cybersecurity incidents or data breaches. Here, it appears TracFone reported the incidents to the FCC and moved to remediate the breaches and reverse the unauthorized port-outs—yet was still subject to a significant forfeiture. Proactive efforts to address network vulnerabilities and ensure robust network security measures are likely to pay more dividends than good-faith efforts to remediate customer damage once a cybersecurity incident has occurred.

Background: Across three separate network breaches, third-party threat actors gained access to TracFone customer names, billing addresses, and CPNI (e.g., the features customers are subscribed to and the number of lines on an account). The actors obtained this information by exploiting vulnerabilities in TracFone’s customer-facing APIs. With it, they completed an undisclosed number of unauthorized “port-outs,” in which a threat actor requests that a wireless provider transfer a victim’s phone number to a new wireless account that the threat actor controls.

Alleged Rule Violations: The Communications Act of 1934, as amended, imposes a duty on telecommunications carriers to protect the confidentiality of the proprietary information of customers.[1] Likewise, FCC rules require carriers to take “reasonable measures” to discover and protect against attempts to gain unauthorized access to CPNI.[2] Further, the FCC makes clear that it expects carriers to take “every reasonable precaution” to protect customers’ proprietary or personal information.[3] Given this framework, the Bureau investigated the following alleged violations by TracFone:

  • Failing to meet its duty to protect the confidentiality of certain customer information;
  • Impermissibly using, disclosing, or permitting access to individually identifiable CPNI without customer approval;
  • Failing to take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI; and
  • Engaging in unjust and unreasonable information security practices in connection with the three breaches.

Settlement: The settlement with TracFone encompasses the following directives:

  • TracFone will pay a civil penalty of $16,000,000.
  • TracFone will develop and implement an extensive compliance plan to ensure that “appropriate processes and procedures” are incorporated into TracFone’s business practices to safeguard against future data breaches. This plan must include:
    • Designating a competent compliance officer familiar with the Consent Decree;
    • Implementing a security program that is reasonably designed to protect customer information collected, processed, stored, or accessed by TracFone web applications, including APIs;
    • Implementing Subscriber Identity Module (SIM) change and port-out protections;
    • Performing annual assessments of the security system; and
    • Providing privacy and security training to employees and certain third-parties.

*****

FOOTNOTES

[1] 47 U.S.C. § 222.

[2] 47 CFR § 64.2010.

[3] Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927, 6959, para. 64 n.198 (2007) (citing 47 U.S.C. § 222(a)).
