Demonstrating its continued commitment to data security enforcement, the Federal Communications Commission (FCC) recently announced that Cox Communications Inc., the nation's third-largest cable operator, has agreed to pay $595,000 to resolve an investigation into whether the company failed to properly protect its customers' personal information. The agreement ends the first data security enforcement action the FCC has brought against a cable operator.
The investigation by the FCC Enforcement Bureau determined that Cox's electronic data systems were breached in 2014 by a hacker who pretended to be from Cox's information technology department and convinced both a Cox customer service representative and a Cox contractor to enter their account IDs and passwords into a fake, or "phishing," website. The stolen credentials were then used to access customers' personally identifiable information, which included names, addresses, email addresses, secret questions and answers, PINs, and in some cases partial Social Security and driver's license numbers, as well as Customer Proprietary Network Information (CPNI) of the company's telephone customers.
Under the Communications Act, a cable operator shall not disclose personally identifiable information concerning any subscriber without the subscriber's prior consent, and shall take the steps necessary to prevent unauthorized access to such information by anyone other than the subscriber or the cable operator. Importantly, the FCC found during its investigation that Cox's data security systems did not include readily available measures that might have prevented the compromised credentials from being used; in other words, once the attacker held a valid ID and password, nothing further stood between him and the customer data. Additionally, the company never reported the breach to the FCC's data breach portal, as required by law.
According to Travis LeBlanc, Chief, Enforcement Bureau: "Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections.... This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media."
In addition to requiring Cox to identify and notify all affected individuals, the order and consent decree require the company to provide free credit monitoring services for one year. Further, Cox must improve its privacy and data security practices by: (i) designating a senior corporate manager who is a certified privacy professional; (ii) conducting privacy risk assessments; (iii) implementing a written information security program; (iv) maintaining reasonable oversight of third-party vendors; (v) implementing a more robust data breach response plan; and (vi) providing privacy and security awareness training to employees and third-party vendors.
In the past year, the FCC has taken three enforcement actions for violations of the Communications Act and Commission rules relating to the protection of customer personal information, resulting in over $28 million in penalties.
This resolution, and the facts underlying the incident, demonstrate not only the lengths to which attackers will go to obtain personal information, but also how easily this attacker obtained working IDs and passwords: a convincing pretext and a fake login page were enough. As we have discussed, a written information security program that includes training employees and contractors to recognize phishing, a prohibition on entering or sharing user access credentials (IDs and passwords) anywhere other than approved company systems, and controls that limit what a stolen password alone can unlock may very well have prevented this incident.