This article is about AT&T and the penalty it agreed for the breach which occurred in January 2023 involving the personal data of 9 million people. This particular data breach should not be confused with the AT&T breach made public in March 2024 involving the personal data of 73 million people or the AT&T breach made public in May 2024 involving the personal data “of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network”. The US Federal Communications Commission (FCC) decided the January 2023 breach merited AT&T handing over USD13mn in cash and making a bunch of promises and agreeing to audits which essentially mean AT&T will start doing things they should have been doing anyway. According to the FCC this represents a ‘privacy upgrade’…
In 2023, FCC Chairwoman Rosenworcel established the Privacy and Data Protection Task Force, an FCC staff working group focused on coordinating across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors, including data breaches… Thanks to the work of the Task Force and a renewed focus on consumer protections more broadly under Chairwoman Rosenworcel, the Commission secured similar “Consumer Privacy Upgrades” covering beneficial data protection, cybersecurity, and consumer privacy terms with the largest wireless carriers, including today’s AT&T settlement…
Readers will have to look at the detail of the FCC’s findings and decide for themselves if USD1.46 for every individual whose data was breached represents a fair deal for both AT&T and the public who are put at risk every time their personal data is obtained by criminals. AT&T will say they are not really to blame because a vendor who handled the data failed to satisfy the terms of their contract. This kind of argument seems to be taken seriously by the FCC, even though AT&T should have checked if their vendor performed as expected. If telcos are not held liable for the bad behavior of suppliers that manage data on their behalf then they could easily eliminate any responsibility for data protection by writing contracts that imply suppliers are responsible for everything.
Long-serving readers will remember that blaming other companies for data breaches is a common theme for AT&T. Some may even remember that the same rationalization was proferred in 2015, when AT&T and FCC reached a then-record settlement of USD25mn for a breach involving offshored call centers that affected 280,000 AT&T customers. The data involved in that breach was more sensitive, but what the FCC now describes as a ‘privacy upgrade’ looks more like treading water when observing the number of breaches that have occurred over time. Regulators in most countries tend to increase penalties when the same rules are repeatedly broken by the same business. AT&T has had two more serious data breaches since the one covered by this latest settlement, begging the question of whether penalties are being geared up to motivate necessary change.



