Cox Communications To Pay $595,000 To Settle FCC's First Privacy and Data Security Enforcement Action Against a Cable Operator

In the first privacy and data security enforcement action by the Federal Communications Commission (FCC or Commission) against a cable operator, the FCC Enforcement Bureau recently reached a US$595,000 settlement with Cox Communications, Inc. (Cox) to resolve the Bureau's investigation into whether Cox failed to properly protect its customers' personal information when it experienced a data breach in 2014.¹ "This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media," stated Enforcement Bureau Chief Travis LeBlanc. "We appreciate that Cox will now take robust steps to keep their customers' information safe online and off."² 

The Enforcement Bureau's investigation found that Cox's electronic data systems were breached by a hacker who pretended to be from Cox's information technology department, and convinced both a Cox customer service representative and a Cox contractor to divulge their Cox IDs and passwords.³ The hacker then gained unauthorized access to Cox's current and former cable customers' personally identifiable information, including names, addresses, email addresses, phone numbers, secret questions/answers, PINs, and partial Social Security and driver's license numbers, as well as the Customer Proprietary Network Information (CPNI) of Cox's telephone customers.⁴ The hacker posted some customers' information on social media websites, changed some customers' account passwords, and shared the compromised account credentials with another hacker.⁵

Section 631(c) of the Communications Act requires that a cable operator not disclose personally identifiable information concerning a subscriber without the prior written or electronic consent of the subscriber, and take actions to prevent unauthorized access to such information.⁶ In addition, Section 222(a) of the Act provides that "[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to . . . customers."⁷ Section 222(c) of the Act and Section 64.2010(a) of the FCC regulations require a telecommunications carrier to protect the confidentiality of customers' CPNI.⁸ Section 64.2011(b) of the Commission's regulations requires carriers to provide notification of a CPNI breach via the FCC's data breach portal "[a]s soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach."⁹ The Commission has interpreted Section 201(b) of the Act to require companies to employ "just and reasonable" data security practices to protect customers' proprietary information.¹⁰

The Enforcement Bureau commenced an investigation into whether Cox failed to: (a) properly protect the confidentiality of customers' personally identifiable information; (b) take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI; (c) provide timely notification of a CPNI breach to law enforcement; (d) employ reasonable data security practices to protect proprietary information and CPNI, and monitor for customers' breached data online; and (e) notify all potentially affected customers of the breach.¹¹ The Enforcement Bureau's investigation found that Cox's relevant data security systems did not include readily available measures for all of its employees or contractors that might have prevented the use of the compromised credentials, and that Cox did not report the breach to the FCC's data breach portal as required by law.¹²

To settle the matter, Cox agreed to pay a US$595,000 civil penalty, and to identify all affected customers, notify them of the breach, and provide them a year of free credit monitoring.¹³ In addition, Cox agreed to develop and implement a compliance plan. Among other compliance remedies, Cox agreed to:¹⁴

• designate a senior corporate manager as a Compliance Officer who will work with a privacy-certified Chief Privacy Officer and a Chief Information Security Officer to develop, implement, and administer the compliance plan;
• implement a compliance plan that requires Cox to, among other things
  • conduct privacy risk assessments,
  • develop a written information security program,
  • maintain policies and procedures for third-party vendor oversight, including multi-factor authentication,
  • implement a more robust data breach response plan, with annual test exercises and subject to third-party review,
  • review breach notification practices to ensure that, in the event of a breach, Cox shall, among other things, (a) act as required by federal or state law, or by law enforcement guidance, when notifying affected customers, (b) offer such customers free credit monitoring for at least one year, and (c) conduct targeted monitoring of known websites for breach activity;
• maintain a compliance manual;
• provide a copy of the consent decree to all existing and future employees covered by the decree; and
• provide privacy and security awareness training for employees and third-party vendors.

The Enforcement Bureau will monitor Cox's compliance with the consent decree for seven years.¹⁵