Editor’s Note: On Wednesday, the Federal Communications Commission announced a $25 million settlement with AT&T for data breaches including the releasing of thousands of customer records, including names, phone numbers and some Social Security numbers.
BroadbandBreakfast.com welcomes commentaries and opinions on this and other subjects from a multitude of viewpoints.
WASHINGTON, April 8, 2015 – The FCC’s settlement with AT&T sets another benchmark for data breach enforcement, with several important developments.
First, it demonstrates the continuing encroachment of the FCC into areas once thought to be the exclusive domain of the FTC. This is a classic data breach enforcement action that typically would have been prosecuted by the FTC until most recently.
Second, it “ups the ante” for such breaches, with a fine two and a half times the previous largest penalty imposed.
Third, it calls into question the integrity of call centers outside of the U.S. The fact that an initial breach was discovered in Mexico, followed by subsequent discoveries in Columbia and the Philippines, suggests AT&T may have a more serious systemic vulnerability rather than a one-off hack.
Forth, and most importantly, it once again calls the question of which agency has enforcement priority: the FCC or the FTC? Will the FTC accept a subsidiary role in enforcement maters where telcos are involved? One could surmise that the FTC could assert a claim against AT&T under Section 5. Given the increasingly frosty relationship between the FTC and FCC on enforcement of incidents triggering dual jurisdiction, its difficult to imagine that there was any significant coordination between the two agencies. This raises a number of potential issues, not the least of which might be potential double jeopardy.
Robert Cattanach is a partner at the international law firm Dorsey & Whitney. He has previously worked as a trial attorney for the United States Department of Justice and was also special counsel to the Secretary of the Navy. Today he practices in the areas of regulatory litigation, including cybersecurity, privacy and telecommunications, civil and criminal enforcement proceedings and international Regulatory Compliance.
Editor’s Note: BroadbandBreakfast.com accepts commentary from informed observers of the broadband scene. Please send pieces to firstname.lastname@example.org. The views reflected in Expert Opinion pieces do not necessarily reflect the views of BroadbandBreakfast.com and Breakfast Media LLC.