The Federal Communications Commission (FCC) recently fined Cox Communications, Inc. (Cox) $595,000 for failing to properly protect its customers’ personal information related to a 2014 data breach. In the November 5, 2015, FCC order, the FCC stressed the importance of protecting cable and satellite consumers’ personal information and the consequences of failing to protect such information. This may be a signal that the FCC is ready to be more vigilant against cable and satellite service providers for data breaches.
Cox’s electronic data systems were breached in August 2014 when a hacker pretended to be from Cox’s IT department and convinced a Cox customer service representative and a Cox contractor to provide their Cox IDs and passwords to a fake website controlled by the hacker. With these Cox IDs and passwords, the hacker then gained access to personal data of Cox’s current and former customers, including their names, home addresses, email addresses, phone numbers, partial social security numbers, and partial license numbers. The hacker then posted some of this personal information on social network sites, changed the passwords of some customers, and shared some customers’ personal information with another hacker.
As part of the settlement with the FCC, Cox agreed to improve its privacy and data security practices, including designating a senior corporate manager, who is a certified privacy professional, to:
- oversee compliance with the consent decree,
- conduct privacy risk assessments,
- implement a written information security program,
- maintain reasonable oversight of third-party vendors,
- implement a better data breach response plan, and
- provide privacy and security awareness training to employees and third-party vendors.
Over the last year, we have seen the Securities and Exchange Commission address cybersecurity, and the U.S. Court of Appeals for the 3rd Circuit hold that the Federal Trade Commission has the authority to regulate cybersecurity for American businesses and corporations. Together with the FCC’s fines against telecommunications providers, this FCC action is the latest example in a long line of government agencies having to regulate emerging issues concerning data security.