FCC Admonished T-Mobile for Data Breach—In Order Later Removed From Site, With No Replacement
T-Mobile failed to take reasonable measures to protect confidentiality of customer data and failed to exercise reasonable oversight during a 2015 data breach (see 1510020051), the FCC Enforcement Bureau said in a document that was removed shortly after it was released so that the commission could make changes to correct an unspecified procedural error. No replacement was added by our deadline and the agency had no further comment. It was unclear how the changes would impact the final item. An FCC official said the document, a bureau-level item, was pulled because it was found to violate confidentiality rules and it may never be released in another form unless as a fully redacted draft.

Those privacy-protection failures affected 15 million T-Mobile customers when a third party stole data collected by the carrier for credit checks, including customer names, Social Security numbers and addresses, the bureau said. In a Wednesday order, the bureau admonished T-Mobile “for willful and repeated violations” of Sections 222(a) and 201(b) of the Communications Act.

“Though T-Mobile made a business choice to rely on its vendor, Experian Information Solutions, Inc. (Experian) to keep this information safe and secure, T-Mobile nonetheless failed the responsibility it owed to its customers to protect their data,” the bureau said. “Providers are responsible for their supply chain and while they can outsource functions, they cannot transfer accountability. If T-Mobile had engaged in reasonable oversight, it would have found that Experian’s security practices were far from reasonable.” T-Mobile failed to do basic oversight even after a 2013 data breach of Experian, the bureau said.

The FCC couldn’t fine the carrier due to a one-year statute of limitations in the Communications Act, the bureau said. “Our determination not to impose a forfeiture in this case should not be construed as disregarding the seriousness of the violation or its impact on 15 million customers, and should not be construed to affect the authority of any other government agency to pursue an enforcement action against T-Mobile, or the rights of any T-Mobile customer to seek a remedy in the courts of law.” The company didn’t comment.