As more organizations across industry sectors store personal data with cloud storage vendors— including the three largest vendors in the world, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform—federal regulatory agencies are increasing their scrutiny of data control efforts and vetting the data privacy and security protocols of third-party vendors.

AT&T’s recent settlement with the Federal Communications Commission (FCC) serves as a cautionary tale.

What Is the Cloud?

In case your cloud knowledge is, well, nebulous, cloud data storage allows user organizations to store data on remote servers that are maintained by a third party and are located off site. Users then access the data via the internet. This enables seamless collaboration and accessibility by users in disparate locations, without the burden of physical infrastructure.

According to Precedence Research, the cloud computing market will continue to rise, with the global market predicted to surpass $1 trillion by 2028. A 2023 survey of hospital and health system leaders conducted by Global Healthcare Exchange (GBX) found “cloud-based solutions are quickly becoming a new standard within hospitals and health systems and impact nearly every domain, including supply chain, clinical, finance, and HR teams.” The survey revealed that nearly 70 percent of all hospitals and health systems are likely to adopt a cloud-based approach by 2026.

The benefits of cloud storage include scalability, cost efficiencies, increased user accessibility, and improved operational resiliency. Cloud technology can even lead to increased cybersecurity. Yet the GBX study still emphasizes the importance of selecting the “right cloud partner” to achieve the best outcome and stronger data security.

Cloud storage raises concerns regarding data privacy and security because it relies on third-party vendors to protect sensitive information. The third-party vendor, otherwise referred to as a data processor, is responsible for securing the data on their servers. While this is a key benefit for most organizations, it is also a key reason that organizations must use due diligence in selecting and continuously monitoring cloud data storage vendors. Failure to do so risks possible serious liability and significant penalties or fines.

In the Matter of AT&T Services Inc.

The FCC’s September 2024 enforcement order against AT&T rings a warning bell for organizations utilizing cloud services for data storage. As recounted in the order. AT&T utilized a third-party vendor to generate and host personalized video content for its customers. As part of the relationship, and to receive the vendor’s services, AT&T shared customer information with the vendor; sharing this information with the vendor was not an issue since customers had agreed to such sharing beforehand.

Pursuant to AT&T’s agreements with the vendor, however, the vendor was contractually required to delete, destroy, or return the customer data either upon expiration or termination of the agreement or when the data was no longer necessary to fulfill contractual obligations. The vendor was also subject to AT&T’s Supplier Information Security Requirements, which included encryption, access control, and network oversight requirements.

Through its supplier monitoring processes, AT&T specifically elicits affirmation that its records in the vendor’s possession have been or will be destroyed in accordance with applicable contracts, and the vendor’s affirmation is required. AT&T apparently performed multiple reviews and assessments, confirming that the vendor would destroy data as required.

Subsequently, a vendor data breach occurred, exposing over eight million AT&T customers’ sensitive personal information. AT&T reported the breach to the FCC, which then investigated. The FCC determined that the customer information exfiltrated in the breach should have been destroyed or deleted by the vendor. The kicker: despite AT&T’s diligent efforts and oversight, the liability fell on AT&T, who was fined at a number exceeding the number of affected customers: $13 million. The FCC determined the following in its Order against AT&T:

• the data was stored in the cloud;
• according to an article in the Harvard Business Review, more than 80 percent of data breaches in 2023 involved data stored in the cloud, and cloud misconfigurations and vendor systems were two of the three primary causes of personal data breaches in 2023;
• data stored in the cloud is likely “an easy target” when companies “unintentionally misuse the cloud such as allowing excessively permissive cloud access, having unrestricted ports and use unsecured backups;” and
• the federal government has warned that “misconfiguration of cloud resources remains the most prevalent cloud vulnerability,” one that is rife for exploitation.

The AT&T Settlement

As noted in the FCC’s September 17 settlement order, the ultimate actors are the “companies that choose to share their customers’ data with vendors.” AT&T, as the ultimate controller of the data, bears responsibility for the failures of its vendors, regardless of the vendor’s contractual obligation. The settlement requires AT&T to:

• engage in due diligence when selecting vendors and ensure, at a minimum, that vendors have safeguards in place for customer information;
• conduct audits that evaluate compliance with the consent decree, including assessing the vendor’s compliance with information security standards of applicable laws and regulatory requirements;
• ensure that vendor access to and storage of customer information be limited, with enhanced oversight by AT&T;
• “assess” its vendors each year with respect to the adequacy and security of customer information storage;
• enhance a data inventory process to track customer data within AT&T’s networks, systems, and assets transferred to or otherwise made available to a vendor; and
• undertake compliance training within the organization pursuant to an established program.

Adding AI to the Equation

The scrutiny demonstrated by the AT&T settlement is not going away. Due to the security concerns inherent in cloud computing, the FCC and Federal Trade Commission (FTC) have paid strong attention to this space. The FCC continues to prioritize data protection, including by establishing its Privacy and Data Protection Task Force. In 2024, the FTC issued orders to five companies—including Amazon, Microsoft, and OpenAI—to provide information regarding investments and partnerships with generative AI companies and major cloud service providers.

Data storage used in connection with the implementation of AI systems is generally classified into three types: “cloud” storage, on-premises storage, and edge device storage. AI infrastructure, traditionally located on-premises, has evolved toward cloud and edge technologies. Each storage type has pros and cons. For example, edge storage hosts data close to the source of its generation but comes with inherent accessibility limitations. 

As organizations continue to integrate AI-based technologies and solutions into their work processes and HR systems, the demand for cloud storage has and will continue to grow. According to the 2024 PwC Cloud and AI Business Survey, 63 percent of “Top Performers,” defined as companies that already score in the top range of those surveyed on both cloud and generative AI performance indexes, are increasing their tech budgets in 2024 in order to further leverage generative AI. 

Takeaways

In a prophetic moment, the FCC noted that the terms of the consent decree will require an investment of resources and capital that will exceed the civil penalty levied against AT&T. Thus, contractual language in vendor contracts, and vendors’ assurances of meeting their obligations with respect to data storage security, must be supported by the organization’s demonstrable due diligence. Organizations must also conduct ongoing assessments and monitoring of the vendor’s operations with respect to the safety and security of storage operations inclusive of cybersecurity architecture and protocols.

Organizations should expect increased enforcement activity in 2025, particularly from executive agencies and certain independent regulatory agencies in light of Executive Order 14110 of October 30, 2023, regarding the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Although the consent decree does not apply generally, companies employing cloud storage strategies should review the steps required of AT&T. These steps represent the yardstick that the FCC will likely apply in other instances of a data breach involving data vendors, including the use of cloud storage. Stay tuned.
 

Katherine Heaney, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s New York office, and Attorney Ann W. Parks, contributed to the preparation of this post.