The Enforcement Bureau (“Bureau”) of the FCC issued an Admonishment Order against T-Mobile for willful and repeated violations of Sections 222(a) and 201(b) of the Communications Act by failing to take reasonable measures to protect the confidentiality of its customers’ data and by failing to exercise reasonable oversight. T-Mobile’s violations allowed 15 million of its customers to become victims of a data breach in 2015, where a third party gained unauthorized access to personal information collected by T-Mobile to conduct credit checks on customers. Although T-Mobile relied on its vendor, Experian Information Solutions, Inc., (“Experian”) to keep the information secure, the Bureau concludes that T-Mobile cannot transfer its accountability to its outsourced vendors and therefore failed to protect its customers’ data. The Bureau additionally notes that there were early warning signs to T-Mobile that Experian’s security practices were unreasonable and T-Mobile failed to engage in reasonable oversight of those security practices.
The Bureau is prohibited from fining T-Mobile for its violations by the one-year statute of limitations in the Communications Act, but holds T-Mobile responsible for the acts and omissions that led to the data breach and for the lack of reasonable oversight over Experian, thus warranting this Order. The Order does not affect any liability T-Mobile may have under other federal and state investigations and civil proceedings that might be underway in connection with the 2015 data breach.
Please contact us with any questions.