AT&T Will Pay $25 Million to Settle FCC Privacy Investigation | Practical Law

AT&T Will Pay $25 Million to Settle FCC Privacy Investigation | Practical Law

The FCC has announced that AT&T Services, Inc. will pay $25 million to settle its largest privacy and data security enforcement action to date. AT&T will also be required to notify its affected customers of the breach, provide credit monitoring services and improve its internal privacy and data security practices.

AT&T Will Pay $25 Million to Settle FCC Privacy Investigation

Practical Law Legal Update 6-608-4986 (Approx. 3 pages)

AT&T Will Pay $25 Million to Settle FCC Privacy Investigation

by Practical Law Intellectual Property & Technology
Published on 09 Apr 2015USA (National/Federal)
The FCC has announced that AT&T Services, Inc. will pay $25 million to settle its largest privacy and data security enforcement action to date. AT&T will also be required to notify its affected customers of the breach, provide credit monitoring services and improve its internal privacy and data security practices.
On April 8, 2015, the FCC issued a press release announcing that it has entered a $25 million settlement with AT&T Services, Inc. to resolve an investigation into consumer privacy violations at AT&T's call centers in Mexico, Colombia and the Philippines. In addition, the settlement requires AT&T to:
  • Notify affected customers and pay for credit monitoring services.
  • Improve its privacy and data security practices.
In May 2014, the FCC's Enforcement Bureau launched an investigation into a data breach at a AT&T call center in Mexico. During investigation, the Enforcement Bureau learned about additional data breaches at AT&T call centers in Colombia and the Philippines. The data breaches consisted of AT&T employees accessing and disclosing almost 280,000 US customers' names, full or partial Social Security numbers and accessing and providing protected account-related data to third parties. These third parties used the information to obtain unlock codes for AT&T mobile phones.
As part of its settlement, AT&T must:
  • Pay a $25 million civil penalty.
  • Notify all customers whose accounts were improperly accessed.
  • Pay for credit monitoring services for all customers affected by the breaches in Colombia and the Philippines.
In addition, the FCC is requiring AT&T to improve its privacy and data security practices by:
  • Appointing a senior compliance manager who is a certified privacy professional.
  • Conducting a privacy risk assessment.
  • Implementing an information security program.
  • Preparing an appropriate compliance manual.
  • Regularly training employees on the company's privacy policies and legal obligations.
The settlement also requires that AT&T file regular compliance reports with the FCC.
This settlement represents the FCC's largest privacy and data security enforcement action to date and further demonstrates the FCC's commitment to privacy and data security enforcement (see Legal Update, FCC to Fine Phone Carriers $10M for Failing to Safeguard Customer Data). The press release noted that, in the last year, the FCC has undertaken five major privacy and security enforcement actions valued at over $50 million.