On Sept. 17, the Federal Communications Commission (FCC) announced that it has reached a Consent Decree with AT&T Services Inc. to resolve an investigation into a data breach that occurred in January 2023. AT&T's vendor experienced a data breach that exposed the personally identifiable information (PII) of 8,931,656 AT&T Mobility customers, including customer proprietary network information (CPNI) elements like line counts, billing information, and rate plan details. As part of the Consent Decree, AT&T will pay a $13 million civil penalty and take various measures to strengthen its data governance practices.

The Consent Decree reminds telecommunications carriers of their obligations to protect customer data and to make sure their third-party vendors also protect customer data in their possession or control.

Consent Decree Terms

The Consent Decree requires AT&T to make significant changes to its data governance and security practices including:

• Compliance officer – designation of a compliance officer with expertise in privacy and security responsible for implementing the terms of the Consent Decree.
• Compliance plan – development and implementation of a comprehensive compliance plan and manual outlining processes for data protection, compliance training, and compliance with the CPNI rules.
• Information security program – establishment of a robust information security program and vendor information security program addressing administrative, technical, and physical safeguards for protecting customer data.
• Vendor oversight – strengthened vendor oversight through ongoing monitoring, assessments, and enforcement of data security obligations.
• Data inventory program – implementation of a data inventory program to track AT&T customer data shared with vendors including enforced data retention and disposal policies and annual compliance audits.

Key takeaways for telecommunications carriers

• Cloud security, customer information, and vendor management: The Consent Decree underscores the increasing cybersecurity risks. As the FCC notes in its order, researchers singled out the telecommunications sector as the top industry target for cloud attackers in 2023, with more than 80% of data breaches involving data stored in the cloud. 
• Ongoing data governance and protection: All telecommunications carriers need robust data governance practices, including data retention and disposal policies, data inventory management, and comprehensive information security programs. Not only must carriers have these measures in place, but carriers are also responsible for keeping their policies and practices up to date.
• Compliance and enforcement: The FCC has shown it will take enforcement actions in instances of compromised customer PII, holding telecommunications carriers accountable for inadequate data protection practices.

We will continue to monitor the FCC for similar enforcement actions. Please contact us if you would like more information or have questions regarding the impact of this order.