T-Mobile to Spend 31.5 Million Dollars to Settle Multiple FCC Investigations Related to Recent Data Breaches

On September 30, 2024, the Federal Communications Commission announced that T-Mobile has entered into an agreement to settle multiple data protection and cybersecurity investigations stemming from data breaches in 2021, 2022 and 2023. The breaches involved the personal information of millions of current, former and prospective T-Mobile customers and end-user customers of T-Mobile wireless network operators, and resulted from various threat vectors, including a 2021 cyberattack, a 2022 platform access incident, a 2023 sales application incident and a 2023 API incident. T-Mobile previously settled class action claims in federal district court related to the 2021 cyberattack. In addition to a $15.75 million penalty, T-Mobile also will be required to spend $15.75 million over the next two years to strengthen its cybersecurity program and implement a plan to protect consumers from similar future breaches.

The FCC’s order and resulting consent decree resolve the investigations into whether T-Mobile, in violation of Section 222 of the Communications Act of 1934: (1) failed to protect the confidentiality of customers’ personal information; (2) impermissibly used, disclosed or permitted access to individually identifiable customer proprietary network information (“CPNI”) without customer approval; (3) failed to take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI; (4) engaged in unjust and unreasonable information security practices; and (5) made misrepresentations to its customers regarding its information security practices.

Under the terms of the consent decree, T-Mobile will pay a civil penalty of $15.75 million and invest another $15.75 million in cybersecurity, privacy and data security. The investments cover corporate governance, implementation of a modern zero-trust architecture, identity and access management controls, data minimization and deletion measures, a critical asset inventory, and independent third-party assessments of its information security practices. According to the FCC, these measures are “long overdue” and are intended to “shift the consequences of poor cybersecurity away from the consumers who entrust their sensitive data with telecom service providers.”

The settlement’s commitments reflect the FCC’s expectations for cybersecurity standards, setting out a number of practices that “will serve as a model for the mobile telecommunications industry.”
