UPDATE The FCC is investigating T-Mobile’s data breach. Experts believe how the case unfolds is a sign of how the Democratic-controlled agency will govern telecom privacy. At the same time, the carrier was hit with two class action suits in federal court accusing the company of violating the California Consumer Privacy Act.
The carrier said last week some data of about 7.8 million customers and records of 40 million more from past or prospective customers were stolen in a cyber attack, Inside Towers reported. On Friday, T-Mobile said 5.3 million additional current accounts were hacked, according to a filing with the Securities and Exchange Commission. The company said those files did not contain Social Security numbers or ID information.
Public Knowledge SVP Harold Feld told Bloomberg the agency’s probe, “is going to be a very interesting test” of how the administration treats these kinds of data breaches and privacy concerns. “We’ll see how thorough the investigation is and to what extent they decide what penalties and remedial actions are necessary.”
The agency said it couldn’t comment.
How the FCC Handled These Cases Before
Agency observers expect the FCC to probe the episode under Section 222 of the Communications Act. That requires carriers to take specific steps to ensure that customer proprietary network information is properly protected from unauthorized disclosure. But that may not be a perfect fit because stolen data may not qualify as proprietary customer network information, according to Bloomberg Intelligence analyst Matthew Schettenhelm.
During the Obama administration, the Commission imposed substantial fines on carriers that failed to protect customer data, but was less active during the Trump years, notes Bloomberg.
Observers say the Commission likely will ask T-Mobile whether it followed FCC rules once it discovered the breach, including notifying authorities; whether it failed to take precautions leading up to the cyberattack, and whether it was meeting the latest industry standards. Those factors would help the agency determine whether to impose monetary penalties, require T-Mobile to come up with a compliance plan, or both.
Questions may arise over whether T-Mobile’s data is a broadband or phone service, analysts believe. Some say only the FCC has the authority to handle telephone service and the Federal Trade Commission could step in to review stolen broadband data, according to Schettenhelm and Tony Pepper, CEO and co-founder of cyber security software company Egress.
T-Mobile last week offered impacted customers two years of free identity protection service, provided “an extra step” to protect mobile accounts that would make it harder for that information to be stolen and will provide ways for customers to take further steps, Inside Towers reported.
The Lawsuits
T-Mobile violated the California Consumer Privacy Act and acted negligently by failing to protect consumer data, allege the plaintiffs in the case filed in U.S. District Court for the Western District of Washington. Kern County California resident Veera Daruwalla alleged she’s spent hours addressing privacy problems from the data breach, like reviewing financial and credit statements for evidence of unauthorized activity, Bloomberg reported.
T-Mobile violated the CCPA by failing to prevent consumers’ non encrypted personally identifiable information “from unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violations of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information,” attorneys representing Daruwalla and the proposed class wrote.
Stephanie Espanoza is the plaintiff in a separate class action suit. She accused T-Mobile of acting negligently by failing to provide adequate security. The Los Angeles resident also accused the company of violating the Washington State Consumer Protection Act by committing unfair acts such as providing poor data security, according to the account.
Reader Interactions