The Federal Communications Commission (FCC) has begun to make good on its intention to join other federal agencies, such as the Securities and Exchange Commission and the Federal Trade Commission, in enforcing cybersecurity safeguard requirements. On Nov. 5, it issued an Order assessing a civil penalty of $595,000 against Cox Communications, Inc., and requiring Cox to enter into a Consent Decree comprising remediation actions that will undoubtedly cost Cox far more than the fine itself. By this Order, the FCC serves notice that it is another cybersecurity cop on the beat.
The Commission, not to put too fine a point on its intentions, began the Order as follows:
Consumers of cable and satellite services are entitled to have their personal information protected. The Communications Act already imposes heightened obligations on cable and satellite operators to protect the personally identifiable information of their subscribers, and to take such actions as are necessary to prevent unauthorized access to this information. Inadequate security of subscribers’ personal information can result in real world consequences for those customers, who are put at risk of financial and digital identity theft.
The proceeding arose from a “spoofing” breach in August of 2014 and, as with many previous breaches, it involved a vendor. A bad actor pretended to be from Cox’s IT Department and “convinced a Cox contractor, and a Cox customer service representative, to enter their credentials into a fake website.” The hacker was thereby able to obtain subscribers’ names, home addresses, account-related data, partial Social Security Numbers, and partial driver’s license numbers. Personal information of at least eight subscribers was posted on social media sites. The hacker also changed the passwords of at least 28 subscribers and shared information of others with another hacker.
The Commission found violations in Cox’s failures to properly protect its customers’ proprietary information with appropriate technical safeguards, such as multi-factor authentication. Further, the FCC found that Cox “engaged in unjust and unreasonable” security practices, failed to monitor for intruders, and failed to notify the potentially affected customers in a timely manner. In addition to the civil penalty, the Consent Decree requires Cox to implement a written information security program, “maintain reasonable oversight of third party vendors,” “implement a more robust breach response plan,” and provide privacy and security awareness training to employees.
Clearly, the Commission found as a fact that Cox was lacking these basic cybersecurity safeguards, the very controls that the SEC and the Department of Health and Human Services have long enforced on their covered entities through audits and examinations. If there were any doubt, this Order makes clear that the FCC is serious about cybersecurity in the telecommunications industry and will enforce its requirements in that regard. Security programs and training can avoid a result such as the one that befell Cox.
If you have any questions regarding security and privacy compliance for telecommunications organizations, please contact Kenneth N. Rashbaum.