AT&T fined US$57 million for illegally disclosing customer location data

Kaamel Lab
On April 29, 2024, the Federal Communications Commission (FCC) issued a series of fines totaling over $200 million against AT&T, Verizon, Sprint, and T-Mobile. This article focuses on the fine case against AT&T.
On February 28, 2020, the FCC issued a Notice of Apparent Liability for Forfeiture and Admonishment (NAL) to AT&T. The notice stated that AT&T leaked customer proprietary network information (CPNI) to unauthorized third parties without customer consent, violating regulations that mandate reasonable measures to protect customer location information. The FCC proposed a fine of $57,265,625. After reviewing AT&T's response, the Commission rejected AT&T's reasons for canceling, withdrawing, or reducing the fine and ultimately decided to impose the full amount.

Case Background

1. Factual Background

AT&T Inc. is a wireless network service provider offering mobile voice and data services across the United States. Prior to March 2019, AT&T operated a location-based services (LBS) program, selling customer location information to "location information aggregators," who then resold it to third-party location service providers or intermediaries. In total, AT&T sold access to its customers’ location information to 88 third-party companies. The LBS program was primarily governed through contractual terms, under which AT&T had the power to oversee aggregators, who in turn had separate contracts with location service providers. The ultimate obligation to provide notice to customers and obtain consent fell on the location service providers, not the aggregators or AT&T. Despite AT&T’s claims of “a series of safeguards” under layers of contracts, AT&T did not verify customer consent before providing access to location information. Additionally, AT&T provided findings from only two of the five audits it conducted between 2016 and 2019. In those two audits, there were numerous issues with aggregators’ noncompliance with security requirements and AT&T’s own violations of user consent integrity and user consent record retention practices when providing customer location information.
The FCC investigated Securus, a company that provided location services to law enforcement agencies through the LBS program. As early as 2018, the New York Times had revealed that Securus allowed officials to obtain customers' location data without those customers' knowledge, a use that went well beyond the data use purposes in its contract with the aggregator. Securus also did not verify that the law enforcement officers using the service held valid legal authorization, so officers abused location information without such authorization. Another data security problem came to light through the confession of Hutcheson, a telecom fraudster who was an authorized user of the LBS software. He stated that he only needed to enter the phone number of the device he wanted to locate, tick a box and upload an arbitrary file (the checkbox read: "Check this box, I hereby certify that the attached file is an official file that allows the location of the requested phone number to be queried"), and the LBS platform would immediately return the requested location, regardless of whether the uploaded file was genuine or sufficient. This shows that AT&T had not set up a real and effective mechanism for obtaining user consent, and that an authorized party could circumvent the "opt-in consent" procedure. After the incident, AT&T terminated its cooperation with several location service providers, but it did not wind down the LBS program until 2019 and made no reasonable data protection improvements in the meantime.
On February 28, 2020, the FCC issued the AT&T NAL proposing that AT&T be fined $57.26 million for willful and repeated violations of Section 222 of the Communications Act and Section 64.2010 of the Commission's CPNI Order, having failed to take reasonable safeguards to prevent unauthorized access to customer location information. The FCC also admonished AT&T for disclosing customer location information to unauthorized third parties without obtaining customer consent. AT&T submitted a response to the NAL making the following points: first, customer location information is not CPNI and should not be subject to the Act and the CPNI rules, and even if the location information were CPNI, the company had not received official notice of this; second, AT&T was not aware of the data security incident described above and had taken reasonable remedial measures both before and after it; third, AT&T disputed the amount of the fine. After reviewing the response, the FCC rejected AT&T's arguments and imposed the fine of $57.26 million.

2. Legal Points

This case involves two data security risks:
  1. Failure to verify whether requests to use, disclose, and access CPNI were validly authorized.
  2. Failure to obtain customer consent (opt-in approval) when disclosing CPNI to third parties.
Combined with the case facts and NAL, this case mainly includes the following legal points:
  1. Does the customer location information disclosed by AT&T in the case constitute CPNI?
  2. Does the FCC need to provide AT&T with fair notice of a violation of its statutory CPNI protection obligations before enforcing the law?
  3. Can operators transfer CPNI protection obligations to third parties through delegation?
  4. Does AT&T need to obtain customer consent before disclosing CPNI to third parties?
  5. Has AT&T taken reasonable measures to protect the location information of the customers involved?

Legal Analysis

1. Location Information as Customer Proprietary Network Information (CPNI)

Section 222(c) of the Communications Act defines CPNI as “information relating to the quantity, technical configuration, type, destination, location and usage of telecommunications services subscribed by any customer of a telecommunications operator” that is “made available to the operator by the customer solely by virtue of the customer-operator relationship.” The FCC issued a CPNI order implementing Section 222, requiring operators to take reasonable steps to detect and prevent unauthorized attempts to obtain CPNI.
First, the FCC believes that AT&T's wireless network mobile service is a "telecommunications service" under Section 222(h). Mobile devices authenticate and connect to the operator's wireless network through the nearest signal tower. After the mobile device is authenticated and connected to the wireless network, it may be in a connected (sending/receiving data/voice) or idle state. In both states, the operator must collect the device's location information to enable customers to make and receive calls. Therefore, as long as AT&T enables customers' devices to make and receive calls, AT&T is providing telecommunications services to these customers.
Second, according to the definition of CPNI in Section 222(h) of the Act, as long as the customer location information is related to telecommunications services, it belongs to CPNI. There is no need to distinguish whether the customer was using communications services when the location information was collected, or the purpose for which the operator collected the location information.
Third, another part of the definition of CPNI emphasized in Article 222 is the "customer-operator bilateral relationship," and the data is "provided by the customer to the operator" rather than simply described as "obtained by the operator." AT&T argued in its response that the information involved in the case was obtained through special technology (LBS software) that is different from the information provided by customers when using communication services. But AT&T was unable to prove that it had entered into another information-providing agreement with its customers, or that there was no way for customers to use its mobile services without providing location information. Therefore, location information collected by AT&T should be considered customer-provided. Although the information of some users who have subscribed to services but never used them (such as tablet computer users) is also collected, the location information involved in AT&T's case is not only the information of such special users, and the fines proposed by the FCC are not targeted at such users alone.

2. The FCC Does Not Need to Notify AT&T Before Enforcing the Law

The FCC rejected AT&T's claim that it did not receive fair notice that the customer location information involved in the LBS program would be subject to the Communications Act. The D.C. Circuit Court has explained that the principle of fair notice is a due process requirement, and fair notice should be given before law enforcement only when the authority's interpretation is "far from the general public's understanding of the regulations." When the regulated party is reasonably believed to know or should know the requirements of the regulations, there is no need for law enforcement agencies to implement notification. In fact, in this case, AT&T is reasonably believed to know or should know the following:
First, the customer location information involved by AT&T is CPNI. The FCC explained in its declaratory ruling that the regulations do not exhaustively enumerate all types of CPNI data. The statute contains a rebuttable presumption that information that meets the definition of § 222(h)(1) is CPNI. Moreover, the Commission’s interpretation of the definition of CPNI is consistent with previous case law and does not discriminate against AT&T.
Second, AT&T could fully understand its obligations to protect CPNI from Section 64.2010 of the CPNI rules. The rule states that operators should take all possible measures to protect CPNI. Once CPNI is disclosed to a third party, relying solely on "contractual safeguards" is not enough to address the data risks; operators must also take further measures to prevent bad actors from obtaining CPNI through unauthorized requests.
Third, based on the above, AT&T should know that it will be punished if it fails to perform its obligations in accordance with Section 222 of the Act and Section 64.2010 of the Decree.

3. Prohibiting Operators from Transferring CPNI Protection Obligations to Third Parties through Delegation

Section 217 of the Communications Act provides that “the act, omission or default of any officer, agent or other person acting for or in the employment of any common carrier or user, acting within the scope of his or her employment, shall in every case be deemed to be also the act, omission or default of such operator or user.” This section clearly prohibits operators from entrusting the obligation to protect CPNI to third parties. In this case, it can be explained as follows:
  1. AT&T has an obligation to obtain customer "opt-in consent" when receiving an authorization request, and this obligation cannot be transferred by contract.
  2. AT&T has an obligation to take reasonable steps to prevent the disclosure of data to unauthorized parties. AT&T should audit the legality of authorizations and cannot be exempted from liability simply because it is not directly responsible for operating the process where unauthorized disclosure occurs. This obligation cannot be transferred through contract.
  3. AT&T has the special identity of an "operator" and is the original collector and actual discloser of data. Other non-operator third parties can only play a connecting or auxiliary role in data disclosure. Therefore, the operator's CPNI protection obligations are "permanent and continuous" and cannot be transferred through contracts.

4. AT&T Failed to Obtain Customer Consent Before Disclosing CPNI to Third Parties

Section 64.2003 (k) of the CPNI Act provides for "opt-in approval." Operators should issue appropriate notices to customers and obtain the customer's affirmative and explicit consent to use, disclose, or access the requested CPNI. Section 64.2003(l) provides another method of obtaining customer consent: opt-out approval. When the customer receives notice of the request and does not raise an objection within the specified waiting period, it is deemed to have consented to the use, disclosure, or access to CPNI. Regardless of the method adopted, operators are required to send notifications to users and obtain consent before disclosing CPNI. In order to prevent others from impersonating customers to give opt-in consent or circumventing the opt-in consent process through false official authorization, operators should take effective customer identity authentication measures, such as setting passwords and login notifications. In this case, AT&T’s opt-in consent process could be circumvented by uploading false official documents, and the FCC concluded that it did not truly and effectively fulfill its obligation to obtain customer consent.

5. AT&T Failed to Take Reasonable Measures to Protect CPNI

1. Operators Should Bear the Burden of Proof Under the CPNI Rules

The 2007 CPNI Order states that if an unauthorized disclosure occurs, the operator has the burden of proving that its measures to protect consumer data were reasonable. In this case, the data security incident occurred directly at Securus, but the ultimate burden of proof lies with AT&T. According to Sections 217 and 222(c)(1) of the Act, operators cannot be exempted from their obligations by delegating the obligation to protect customer CPNI to a third party; that is, AT&T cannot be exempted from liability simply because it is not directly responsible for operating the procedures where the unauthorized disclosure occurs. It should be noted that the burden of proof here only requires the provision of evidence and is not equivalent to the burden of persuasion.
AT&T attempted to justify its disclosure of information using the statutory disclosure exception ("as required by law") provided in Section 222(c)(1) of the Act. However, the prerequisite for applying the disclosure exception is that AT&T has verified that the authorization truly falls within the exception. As stated in the factual background section, Securus's authorization review before data disclosure was ineffective, and AT&T did not conduct a substantive review of the request and consent before transferring the data to Securus. Customer location data was therefore disclosed from AT&T to Securus and then on to unauthorized parties, so the customers' data underwent two unauthorized and unlawful disclosures. The statutory disclosure exception does not apply in this case.

2. The Safeguards AT&T Took Before the Securus Incident Were Not Reasonable

AT&T's purported CPNI protections rely almost entirely on its contracts with third parties. If the contractual measures are to be effective, AT&T should take measures to ensure compliance with the contract and should also be able to distinguish whether a CPNI request submitted by a third party is a request that has been validly agreed to by the customer and has been authorized. Apparently, AT&T failed to meet these requirements. After the incident, AT&T was unable to force Securus to cooperate with the investigation, which further illustrates the weak nature of the contracts between AT&T and its third parties, over which AT&T has little control.

3. The Safeguards AT&T Took After the Securus Incident Were Also Unreasonable

AT&T did not immediately shut down the LBS program completely after the incident, but continued to disclose CPNI to other third parties through this system despite its data security risks. It was not until it received another report of abuse of the LBS system that AT&T began to consider developing a new system. During this period, AT&T did not take any effective protection measures to remedy the core weaknesses of the system. In response to AT&T's defense, the FCC pointed out that the focus of this case is whether AT&T reasonably protected the location information of its customers, not how much benefit the LBS program brought to customers. The latter may be a consideration in enforcement, but in this case the benefits it brought were obviously less than the damage caused.

Compliance Analysis

The compliance entity mainly targeted in this case, AT&T, is an operator that provides mobile communication services. Its position in the dissemination of personal data differs from that of other companies: it is the original collector of the data. Section 222 of the Communications Act and the CPNI rules specifically deal with the obligations of the operator. Based on this case, enterprises that provide mobile communication services should pay attention to the following points when collecting customer proprietary network information such as location:
  1. Operators should obtain valid customer consent before disclosing CPNI. It is recommended that the enterprise's internal systems establish a mechanism for distinguishing and substantively reviewing different disclosure requests and the customer's consent to each disclosure, so as to avoid the situation in this case, where neither the legitimacy of the request nor the authenticity of the consent could be verified. In addition, it should be ensured that the party giving consent is the real data subject. Specifically, the enterprise should have an identity authentication mechanism, such as account passwords, remote login notifications, etc.
  2. The operator cannot contractually transfer the obligation to protect CPNI to a third party. Section 222 of the Communications Act focuses on the bilateral relationship between the customer and the operator. During the data disclosure process, the risk of data leakage increases with each disclosure. Third parties have their own independent data protection obligations, but these exist alongside, and do not discharge, the operator's own obligations.
  3. Operators should take all feasible and reasonable measures to effectively protect CPNI. Section 222 of the Communications Act sets out the minimum standards for "customer authentication," and Section 64.2010 of the CPNI rules raises the requirements for protection obligations. Enterprises should conduct risk monitoring and regular reviews and establish an incident response mechanism. When a data breach occurs, affected customers should be notified promptly. According to the FCC's explanation, companies are also required to take thorough remedial measures immediately when a data breach occurs.
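The consent-verification points above (section 4 and compliance points 1 and 3) can be made concrete with a small model of a location-disclosure gateway. The following Python is an added example written for this article; it is not code from the FCC order, AT&T, Securus or Kaamel. It contrasts the self-certified "tick a box and upload any file" authorization described in the factual background with a check against an opt-in consent record that the operator itself captured from an authenticated subscriber, bound to a specific requester and purpose, with an expiry and an audit trail. All subscriber numbers, requester names, purposes and the TTL are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    """An opt-in approval captured by the operator (constructed record shape)."""
    subscriber: str          # phone number the consent covers
    requester: str           # the specific third party the subscriber approved
    purpose: str             # the specific use the subscriber approved
    granted_at: datetime
    ttl: timedelta           # consent is re-confirmed after this period
    # True only if the subscriber authenticated to the operator (password,
    # login notification) when consent was captured; a third party attesting
    # "on the customer's behalf" never sets this
    verified_by_operator: bool


@dataclass(frozen=True)
class DisclosureRequest:
    requester: str
    subscriber: str
    purpose: str
    attested: bool = False               # the self-certification checkbox
    attachment: Optional[bytes] = None   # the arbitrary uploaded "official" file


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def self_attestation_policy(req: DisclosureRequest) -> Decision:
    """The weak scheme from the case: the requester's own tick-box plus any file."""
    if req.attested and req.attachment:
        return Decision(True, "requester self-certified authorization")
    return Decision(False, "no attestation supplied")


class ConsentStore:
    """Operator-side consent records plus an append-only audit trail."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []
        self.audit: List[Tuple[datetime, str, str, str, bool, str]] = []

    def record_consent(self, rec: ConsentRecord) -> None:
        self._records.append(rec)

    def find(self, req: DisclosureRequest) -> Optional[ConsentRecord]:
        # Matched on subscriber, requester AND purpose: approval given to one
        # provider for one use does not carry over to another.
        for rec in self._records:
            if (rec.subscriber, rec.requester, rec.purpose) == (
                    req.subscriber, req.requester, req.purpose):
                return rec
        return None


def verified_opt_in_policy(store: ConsentStore, req: DisclosureRequest,
                           now: datetime) -> Decision:
    """Release location only against a consent record the operator captured."""
    rec = store.find(req)
    if rec is None:
        return Decision(False, "no opt-in consent on file for this requester/purpose")
    if not rec.verified_by_operator:
        return Decision(False, "consent not captured from an authenticated subscriber")
    if now > rec.granted_at + rec.ttl:
        return Decision(False, "consent has expired")
    return Decision(True, "verified opt-in consent on file")


def disclose_location(store: ConsentStore, req: DisclosureRequest,
                      now: datetime, mode: str = "verified") -> Decision:
    """Gateway entry point: apply the chosen policy and log every decision."""
    if mode == "self-attestation":
        decision = self_attestation_policy(req)
    else:
        decision = verified_opt_in_policy(store, req, now)
    # Denied requests are logged too, so abuse attempts are reviewable later.
    store.audit.append((now, req.requester, req.subscriber, req.purpose,
                        decision.allowed, decision.reason))
    return decision


def demo() -> dict:
    """Run both policies over constructed requests and return the outcomes."""
    store = ConsentStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.record_consent(ConsentRecord("+15550100", "fleet-dispatch-co", "vehicle-dispatch",
                                       t0, timedelta(days=30), verified_by_operator=True))
    store.record_consent(ConsentRecord("+15550200", "fleet-dispatch-co", "vehicle-dispatch",
                                       t0, timedelta(days=30), verified_by_operator=False))
    # A requester with no relationship to the subscriber, ticking the box and
    # attaching an arbitrary file, as in the Hutcheson account.
    bogus = DisclosureRequest("unknown-requester", "+15550100", "locate",
                              attested=True, attachment=b"not really an order")
    approved = DisclosureRequest("fleet-dispatch-co", "+15550100", "vehicle-dispatch")
    wrong_purpose = DisclosureRequest("fleet-dispatch-co", "+15550100", "marketing")
    unverified = DisclosureRequest("fleet-dispatch-co", "+15550200", "vehicle-dispatch")
    return {
        "bogus_self_attested": disclose_location(store, bogus, t0, "self-attestation").allowed,
        "bogus_verified": disclose_location(store, bogus, t0).allowed,
        "approved": disclose_location(store, approved, t0 + timedelta(days=1)).allowed,
        "wrong_purpose": disclose_location(store, wrong_purpose, t0).allowed,
        "unverified_consent": disclose_location(store, unverified, t0).allowed,
        "expired": disclose_location(store, approved, t0 + timedelta(days=31)).allowed,
        "audit_entries": len(store.audit),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that the verified policy never looks at anything the requester supplies about authorization: the only evidence that counts is a record the operator created from its own authenticated interaction with the subscriber, scoped to one requester and one purpose and time-limited. That is what separates a consent mechanism the operator controls from one a third party can satisfy on its own, which is the distinction the FCC drew in this case.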

Kaamel's Response

Kaamel has always been at the forefront of privacy protection, and we believe in helping enterprises identify and address privacy compliance risks through a technology-driven approach.
The innovative Kaamel AI detection engine relies on mainstream laws and regulatory precedents to help enterprises quickly and comprehensively identify their own privacy compliance risks. Kaamel also provides enterprises with a full range of privacy compliance solutions, helping them more effectively respond to regulatory and user needs in their overseas business operations, reduce privacy risks and compliance risks, and build privacy trust in the international market.