Alert: FCC Continues Aggressive Action on Data Breaches

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.jdsupra.com/legalnews/alert-fcc-continues-aggressive-action-o-52393/

As noted in previous alerts, the FCC has dramatically increased its
enforcement of data security practices and breaches resulting from what the
FCC considers to be inadequate security measures. Most recently, the FCC
entered into a $25 million settlement with AT&T Services, Inc. (AT&T)
resulting from the unauthorized access to personal customer information by
employees of foreign-based call centers under contract with AT&T. The FCC
again stressed that it expects telecommunications companies, which now
includes broadband internet access providers, to take "every reasonable
precaution" to protect their customers' data.

In this instance, call center employees based in Mexico, Columbia and the
Philippines, used log in credentials to gain unauthorized access to
customers' names and partial social security numbers. This information was
then sold to third parties to be used to unlock AT&T mobile phones that had
been stolen and sold on the secondary market. The systems used by the call
centers were governed by AT&T's data security measures, which "failed to
prevent or timely detect a large and ongoing" data breach. The FCC order
does not provide information on the types of security measures AT&T
utilized but notes that AT&T was implementing new monitoring procedures.

When obtaining the customer name and social security number information
needed to unlock phones, these employees also accessed, but no evidence
suggested that they used or disclosed, the specific type of customer
information called customer proprietary network information (CPNI), which
includes information such as telephone numbers called. In addition to
agreeing to a $25 million payment (no information was provided on how this
number was obtained), AT&T also agreed to a detailed compliance plan.

The FCC found that the employees' unauthorized access violated the
statutory privacy provisions contained in Section 222 of the Communications
Act, and also constituted an unjust and unreasonable practice under Section
201(b) of the Act. These two provisions will also be applied to providers
of broadband Internet access service once the FCC's new Net Neutrality
Order becomes effective.

Several interesting aspects of the FCC's self-described "Largest Data
Security Enforcement Action" should be noted by entities subject to the
FCC's jurisdiction. First, this breach involved company insiders with
access to the company network. Media coverage of recent data breaches,
however, has frequently focused on threats from the outside (e.g., from
nation state actors and Advanced Persistent Threat (APT) actors). Awareness
of insider threats has not been as prominent. This situation shows that
such threats from employees cannot be ignored.

A variety of actions can be carried out by entities to address these
insider threats, including but not limited to identity management, data
classification, and implementation of access controls. Identity management
involves both technology and processes that permit or deny an employee's
access to certain assets, as appropriate. It can include such things as
two-factor authentication and password management. Data classification
allows data to be tagged and access to the data to be limited by use of
access control technologies. The combination of these and other tools can
be used to minimize the ability of people with authorized access to the
network to engage in unauthorized access of information to which they do
not have rights. Companies should also consider ongoing vetting of
employees to make sure that they do not pose a threat after they have
passed the initial background checks.

The FCC's action also helps quantify potential risk exposure. Just based on
the $25 million settlement, the cost of the breach works out to
approximately $89 per record that was unlawfully accessed. Although this is
less than the commonly cited average data point of $200/record in
commercial data breach situations, this settlement amount does not include
the additional costs of customer notification, "clean up" of the breach,
and the ongoing monitoring costs. The settlement amount does, however,
provide an estimate of the types of exposure companies might be facing
based on the number of records they possess. (In a previous data breach
order, the FCC indicated that it would apply a base fine of $29,000 per
record based on existing agency forfeiture rules).

Ultimately, the FCC continues to focus its efforts on data security
situations. It notes that it has "taken five major enforcement actions" in
the past year. Of those, the first three were privacy related (involving
robocalls, violations of do-not-text requests, and unlawful marketing). The
latter two, including this one, both focus on cybersecurity. It appears
that the path forward by the FCC is clear—cybersecurity is definitely in
the agency's cross-hairs.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!