Opinion: Cox fine should force telecoms to get serious about data security

Cox Communications, the third largest cable company in the United States, will pay nearly $600,000 to settle the Federal Communications Commission’s investigation into a data security breach last year that exposed customer information.

The FCC’s announcement last week is the latest sign that the agency intends to play a substantial role in data security enforcement against the telecommunications providers and cable operators it regulates – and, just as important, may reflect an emerging trend in which telecommunications carriers and other companies are found to have a duty to employ reasonable data security practices to protect customer data.

It appears the FCC has been gearing up for this: two earlier FCC data security actions, for instance, paved the way for the Cox settlement.  

First, back in April, the FCC reached a consent decree – a settlement without an admission of liability – with AT&T following the compromise of personal information at AT&T call centers in Mexico, Colombia and the Philippines.  After vendor employees were found to have accessed customer accounts inappropriately to obtain certain customer data, AT&T agreed to pay a $25 million fine to resolve allegations that the company failed to protect the confidentiality of approximately 280,000 customers’ sensitive personal information and certain account-related information.

Then, in July, the FCC announced a $3.5 million settlement of a data security investigation involving telecommunications carriers TerraCom and YourTel America. After the two carriers’ outside vendor stored unencrypted consumer information on Internet-accessible servers in publicly accessible folders with no password protection, the FCC launched an investigation to determine whether the carriers had failed to protect personal information of over 300,000 consumers in violation of the Communications Act.

On the heels of AT&T and TerraCom/YourTel, the Cox case marks the first FCC data security enforcement action specifically brought against a cable operator.Given the potentially far-reaching business ramifications of the Cox case, it is noteworthy that the August 2014 Cox data breach that gave rise to the FCC’s investigation was rather unsophisticated, as cybercrimes go.  

A group of teenage hackers – calling itself the Lizard Squad – pulled off the breach using a well-known form of social engineering known as pretexting.  The hackers pretended to be from Cox’s IT department and convinced a Cox customer service representative and a Cox contractor to provide their log-in credentials.  Using those credentials, the hackers accessed customer information including names, home addresses, e-mail addresses, telephone numbers and account-related data.

Like other recent high-profile breaches, the Cox breach easily could have been thwarted had the company implemented basic security measures, such as encryption or two-factor authentication, to protect its sensitive databases.  Two-factor authentication would have bolstered database security – with minimal impact on convenience – by restricting database access to users who provided not one, but two forms of identification (e.g., a username/password as well as a unique, single-use passcode sent to the user’s mobile phone or e-mail for each attempted log-in).

In all three cases – TerraCom/YourTel, AT&T, and Cox – the consent decrees impose similar data security requirements that should spur the settling companies, and others hoping to stay off of the FCC’s hit list, to implement basic security measures.

For example, at the heart of each consent order is a requirement that the settling company designate a compliance officer to oversee implementation of a compliance plan.  What does such a plan require?

For one, Cox was required to conduct a comprehensive risk assessment – to identify risks to the security, confidentiality, and integrity of customer information that Cox collects. It must also evaluate safeguards in place to control identified risks and implement a comprehensive information security program, including annual audits of certain call center systems; internal threat monitoring; annual penetration testing of selected systems; and additional breach notifications systems. Lastly, it must maintain a compliance training program.  

The content of these consent decrees helps companies connect the regulatory dots so they can understand the agency’s developing expectations with respect to data security. As a result, these decrees should spur cable operators and telecommunications providers not only to reassess their cybersecurity posture, but to invest in basic cybersecurity improvements as necessary to avoid costly enforcement actions.  

Unfortunately, it is unclear exactly what is required of companies seeking to achieve compliance.  In the AT&T consent order, the FCC stated that telecommunications carriers must take “every reasonable precaution” to protect customer data, but it could take years for standards to coalesce around a concept of “reasonableness.”

In any event, the FCC’s recent investigations and consent decrees signal that the agency has added its voice to the growing chorus of federal agencies enforcing data security obligations.  While this could spur needed cybersecurity investment, it also could lead to costly and time-consuming turf wars down the road as federal agencies – particularly the FCC and Federal Trade Commission – tussle over which one has authority to regulate new technologies.

For now, the FCC appears to be following in the footsteps of the FTC, which has successfully carved out a role for itself in data security enforcement over the past few years. Private litigants have challenged the FTC’s legal authority to play such a role, but a recent appellate court ruling in Wyndham v. FTC upheld the FTC’s authority (under Section 5 of the FTC Act, which prohibits unfair acts or practices in or affecting commerce) to bring enforcement actions to remedy unreasonable data security practices that lead to breaches that cause consumer harm.

A similar challenge to the FCC’s data security enforcement authority may be telescoped by the dissenting comments of two FCC Commissioners expressed in October 2014 in connection with the TerraCom/YourTel case. The Commissioners argued – among other things – that the Communications Act does not create an affirmative legal obligation to protect personally identifiable information and that the Commission had never interpreted the Act to impose an enforceable duty on carriers to employ reasonable data practices.  

These arguments were never tested in court; they were mooted by this summer’s TerraCom/YourTel consent decree.  Indeed, it could be years before the courts rule on the scope of the FCC’s legal authority – if any – to enforce data security requirements.

While the scope of federal agency authority over privacy and data security remains ill-defined, the writing is on the wall: a failure to take reasonable steps to protect customers’ sensitive personal information could lead to FCC, FTC, Securities and Exchange Commission, and other federal agency investigations and enforcement actions, large penalties, and administrative agency oversight.  

Given the maddening state of cybersecurity, in which companies have in many instances failed to take even the most basic precautions to protect sensitive consumer data, perhaps it is about time.

Melanie Teplinsky teaches information privacy law at the American University Washington College of Law as an adjunct professor. She started her career in cybersecurity in 1991 as an analyst at the National Security Agency.