Demonstrating its continued commitment to data security enforcement, the Federal Communications Commission (FCC) recently announced that Cox Communications Inc., the nation’s third-largest cable operator, agreed to pay $595,000 to resolve an investigation into whether the company failed to properly protect its customers’ personal information. The agreement ends the first data security enforcement action brought by the FCC against a cable operator.
Under the Communications Act, a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior consent of the subscriber and shall take steps necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator. Importantly, during its investigation, the FCC found Cox’s data security systems did not include readily available measures that might have prevented the use of the compromised credentials. Additionally, the company never reported the breach to the FCC’s data breach portal, as required by law.
According to Travis LeBlanc, Chief, Enforcement Bureau: “Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections…. This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media.”
In addition to requiring the company to identify (and notify) all affected individuals, the order and consent decree require it to provide free credit monitoring services for one year. Further, Cox must improve its privacy and data security practices by: (i) designating a senior corporate manager who is a certified privacy professional; (ii) conducting privacy risk assessments; (iii) implementing a written information security program; (iv) maintaining reasonable oversight of third-party vendors; (v) implementing a more robust data breach response plan; and (vi) providing privacy and security awareness training to employees and third-party vendors.
In the past year, the FCC has taken three enforcement actions for violations of the Communications Act and Commission rules related to protection of customer personal information, resulting in over $28 million in penalties.
This resolution, and the facts underlying the data incident, demonstrate not only the lengths to which hackers will go to obtain personal information, but also how easily the hacker was able to obtain IDs and passwords. As we have discussed, implementation of a written information security program, including prohibitions on sharing user access credentials (IDs and passwords) and employee training on data security, may very well have prevented this incident.