As reported on the Privacy & Information Security Law blog, the Enforcement Bureau of the Federal Communications Commission (“FCC”) entered into a Consent Decree with cable operator Cox Communications to settle allegations that the company failed to properly protect customer information when its electronic data systems were breached by a hacker in August 2014. The FCC alleged that Cox failed to protect the confidentiality of its customers’ proprietary network information (“CPNI”) and personally identifiable information, and failed to promptly notify law enforcement authorities of security breaches involving CPNI, in violation of the Communications Act of 1934 and the FCC’s rules.
The August 2014 breach occurred when a third party gained access to Cox’s systems through a social engineering “phishing” attack on company personnel that harvested employee credentials. According to the Consent Decree, the relevant systems allegedly lacked technical safeguards (e.g., multi-factor authentication) that would have prevented the compromised credentials alone from being used to access customer information. As a result, the attacker allegedly acquired sensitive personal information of Cox customers, including contact information, partial Social Security numbers, partial driver’s license numbers and telephone account-related data. The FCC indicated that the hacker later posted the personal information of at least eight affected customers on social media sites, changed the passwords of at least 28 affected customers and shared further customer personal information.
In the Consent Decree, the FCC stated that telecommunications carriers such as Cox are obligated under the Communications Act of 1934 to take “every reasonable precaution” to protect their customers’ data and must promptly notify law enforcement of CPNI breaches through the FCC’s reporting portal, no later than seven business days after reasonably determining that a breach has occurred. Based on these allegations, the FCC claimed Cox violated the Communications Act of 1934 and the FCC’s rules by: (1) failing to properly protect the confidentiality of customers’ personally identifiable information; (2) failing to take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI; (3) failing to provide timely notification to law enforcement of a CPNI breach; and (4) engaging in unjust and unreasonable practices by failing to employ reasonable data security practices to protect proprietary information and CPNI, to monitor online for customers’ breached data, and to notify all potentially affected customers of the breaches.
As part of the settlement, Cox agreed to pay a civil penalty of $595,000 and to develop and implement a compliance plan to help protect customer information against similar data breaches. The compliance plan requires Cox, for example, to improve its privacy and data security practices by: (1) designating a senior corporate manager who is a certified privacy professional; (2) conducting privacy risk assessments; (3) implementing a written information security program; (4) maintaining reasonable oversight of third party vendors; (5) implementing a more robust data breach response plan; and (6) filing regular compliance reports with the FCC. Pursuant to the Consent Decree, Cox also must identify all affected consumers, notify them of the breach and offer them free credit monitoring.