FCC Provides Telcos with Cybersecurity Expectations
A new Federal Communications Commission settlement with T-Mobile, which has suffered multiple data breaches, requires the major carrier to upgrade its business practices.
The full implications of the recent case are outlined in the commission's statement that accompanied the settlement, where the FCC indicated that the extensive cybersecurity measures T-Mobile agreed to will "serve as a model for the mobile telecommunications industry."
The FCC's action against T-Mobile stemmed from four incidents between 2021 and 2023 that compromised customer data. The commission referenced its authority under both Section 222 of the Communications Act, which mandates that telecommunications carriers protect the confidentiality of customer proprietary information, and Section 201(b), which requires that all charges and practices related to communication services be just and reasonable. The FCC has previously interpreted Section 201(b) as applying to carriers' efforts to safeguard customer data from unauthorized access or disclosure.
Under the settlement, T-Mobile will pay a civil penalty of $15.75 million and has also committed to invest an additional $15.75 million over the next two years to enhance its cybersecurity program.
Given the commission's view that this settlement serves as a benchmark for the industry, here are some key requirements outlined in the settlement:
Corporate Governance: Appointing a chief information security officer to report regularly to the board on cybersecurity issues.
Information Security Program: Maintaining a comprehensive program designed to protect the confidentiality, integrity, and availability of customer data.
Training: Offering annual cybersecurity training for relevant personnel.
Segmentation and Zero-Trust Architecture: Implementing a hybrid zero-trust framework and segmenting networks to ensure only authorized communication channels are used.
Network Access Controls: Conducting regular vulnerability scans.
Account and Password Management: Implementing phishing-resistant multifactor authentication, ensuring access controls for accounts handling sensitive information, and securely managing administrative passwords.
Logging and Monitoring.
Data Retention and Minimization: Limiting consumer data collection to what's necessary, establishing policies for data destruction or anonymization, and minimizing long-term data storage.
Third-Party Oversight.
Critical Asset Inventory: Identifying and removing unnecessary assets on T-Mobile's network.
Patch and Security Update Management.
Vulnerability Management.
Risk Assessments: Regularly reviewing a risk assessment program to identify and manage material cybersecurity risks, using standards from recognized information security bodies.
Consumer Data Inventory.
Forensic Reports: Providing forensic reports for any incidents affecting over 10,000 consumers, upon formal request.
Independent Third-Party Assessments: Obtaining assessments of its information security practices from external entities.
The order, effective for three years, emphasizes that implementing these practices will require substantial and overdue investments, likely exceeding the civil penalty amount. The commission will hold T-Mobile accountable for these mandatory changes.
While the FCC stated that the commitments imposed on T-Mobile would serve as a model for the industry, it also noted that what constitutes reasonable practices can vary based on specific circumstances. The information security program T-Mobile must establish should include safeguards that are "reasonably appropriate" for the size, complexity, nature, and sensitivity of its operations and data.
The order defines terms like "reasonable" and "reasonably" to mean a level of care that aligns with industry norms or relevant risk assessments, considering both the quality and scope of effort and the timing of implementation. This interpretation of a term regularly used to describe a standard of care is useful across industries.