CFIUS Fines T-Mobile $60 Million Over Unauthorized Data Access and Breach Response

On August 14, 2024, the Committee on Foreign Investment in the United States (“CFIUS”) disclosed that it had assessed a $60 million penalty against T-Mobile US, Inc. (“T-Mobile”) in connection with unauthorized data access incidents following T-Mobile’s 2020 merger (the “Merger”) with Sprint Corporation (“Sprint”). CFIUS is a U.S. government interagency body with regulatory authority over certain investments by foreign persons in U.S. businesses that may pose risks to U.S. national security. Among the various regulatory clearances sought in connection with the Merger, T-Mobile and Sprint sought approval from CFIUS. CFIUS approved the Merger subject to a national security agreement (“NSA”) to be entered into by T-Mobile and the U.S. government. In recent years, approximately 30% of transactions cleared by CFIUS required some kind of national security agreement to bind the transaction parties to certain actions and undertakings designed to mitigate the perceived national security risks.

In announcing the penalty, CFIUS disclosed that “between August 2020 and June 2021, in violation of a material provision of the NSA, T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data and failed to report some incidents of unauthorized access promptly to CFIUS, delaying [CFIUS’s] efforts to investigate and mitigate any potential harm. CFIUS concluded that these violations resulted in harm to the national security equities of the United States.”

The penalty assessed by CFIUS against T-Mobile was (by far) the largest of any of the penalty actions that have been disclosed by CFIUS to date and the only penalty action where the target of the action was identified by name. The U.S. Treasury Department also just announced that it has unveiled a new CFIUS enforcement website to provide greater transparency regarding its enforcement actions and penalties.
