The Federal Communications Commission today announced a $13 million settlement with AT&T to resolve an Enforcement Bureau investigation into the company's supply chain integrity and whether it failed to protect the information of AT&T customers in connection with a data breach of a vendor's cloud environment. AT&T used the vendor to generate and host personalized video content, including billing and marketing videos, for AT&T customers. Under AT&T's contracts, the vendor should have destroyed or returned AT&T customer information when no longer necessary to fulfill contractual obligations, which ended years before the breach occurred. AT&T failed to ensure the vendor: (1) adequately protected the customer information, and (2) returned or destroyed it as required by contract. In January 2023, threat actors exfiltrated AT&T customer information from the vendor's cloud environment. The investigation examined whether AT&T failed to protect customer information and engaged in unreasonable privacy, cybersecurity, and vendor management practices in connection with the breach. To resolve the investigation, AT&T entered into a Consent Decree that also commits to strengthening its data governance practices to increase its supply chain integrity and ensure appropriate processes and procedures are incorporated into AT&T's business practices in the handling of sensitive data to protect consumers against the harmful effects of similar vendor data breaches in the future.
The growing nexus between privacy, cybersecurity, and supply chain risks associated with cloud security and vendor security, coupled with vendor oversight vulnerabilities across industry, makes the terms of this Consent Decree especially timely and necessary. The Communications Act of 1934 and the Commission's rules require telecommunications companies to protect customers' personal information and take all necessary steps to safeguard customer data. These requirements include responsibility for cloud and vendor security, as well as an obligation to engage in reasonable practices as they relate to cloud security, data retention and disposal, and vendor oversight. Further, the Act makes clear that carriers are responsible for the acts of their agents and contractors. Companies that choose to share their customers' data with vendors must act as responsible stewards and hold their vendors responsible for protecting that data as required by the Communications Act.
The Consent Decree's expansive consumer privacy and data protection terms, or "Consumer Privacy Upgrades," include requirements to:
Enhance tracking of customer data as part of a data inventory program;
Require vendors to adhere to retention and disposal obligations;
Implement multifaceted vendor controls and oversight;
Implement a comprehensive Information Security Program to include broad customer data protections; and
Conduct annual compliance audits.
Implementing the terms of this Consent Decree will require AT&T to make significant investments in and prioritize the safeguarding of customers' information shared with third parties. Given AT&T's size, number of customers, and extensive use of vendors, this will likely require expenditures far greater than the civil penalty herein. The Commission will hold AT&T accountable for making these mandatory changes to its data protection practices as required to comply with this Consent Decree and the Communications Act going forward.
FCC