FCC Chairman Tom Wheeler's broadband privacy framework is in jeopardy from Republicans in Congress and the incoming FCC majority, but that didn't stop the FCC from using its authority to fire a warning shot at T-Mobile, and other carriers, about protecting their customers' personal information (PI).
While it did not propose a fine--but suggested that was only because it couldn't--the FCC's Enforcement Bureau "admonished" the carrier for "failing to take reasonable measures to protect the confidentiality of its customers' data."
It was actually Experian that T-Mobile contracted with to store the personal information of its customers. But about 15 million of those customers were affected by a 2015 hack in which a third party was able to access "names, Social Security numbers, addresses" and more.
"Though T-Mobile made a business choice to rely on its vendor, Experian Information Solutions, Inc. (Experian) to keep this information safe and secure," Enforcement Bureau Chief Travis LeBlanc wrote in the admonishment order, "T-Mobile nonetheless failed the responsibility it owed to its customers to protect their data. Providers are responsible for their supply chain and while they can outsource functions, they cannot transfer accountability."
The bureau suggested that if T-Mobile had exercised reasonable oversight, it would have found out that Experian's security practices were lacking, including that "Experian stored the data on computer servers with several critical vulnerabilities and also failed to take basic data protection measures to isolate T-Mobile’s customer data from that of other companies and from the Internet."
The FCC also pointed to an Experian data breach in 2013 it said should have put T-Mobile on notice. "T-Mobile failed to engage in basic oversight even after Experian’s servers had been breached and T-Mobile customer data compromised in 2013."
LeBlanc suggested that it was the expiration of the statute of limitations that prevented the FCC from imposing a fine. But the bureau said that the admonishment should be a lesson to others that if they outsource data processing and credit storage, they can't outsource the responsibility for what happens to the associated customer info.
"Carriers must protect their customers’ PI regardless of where they choose to maintain that data – whether on their own servers or on the servers of a third party," said the bureau.