T-Mobile announced recently that it experienced a major cybersecurity breach, exposing personal information (including credit card numbers) for at least 53 million customers and former customers. Because T-Mobile is a Title II mobile phone provider, this automatically raises the question of whether T-Mobile violated the FCC’s Customer Proprietary Network Information (CPNI) rules. These rules govern, among other things, the obligation of telecommunications service providers to protect CPNI and how to respond to a data breach when one occurs. The FCC has confirmed it is conducting an investigation into the matter.
It’s been a long time since we’ve had to think about CPNI, largely because former FCC Chair Ajit Pai made it abundantly clear that he thought the FCC should not enforce privacy rules. Getting the FCC to crack down on even the most egregious violations – such as selling super accurate geolocation data to bounty hunters was like pulling teeth. But back in the Wheeler days, CPNI was a big deal, with Enforcement Bureau Chief Travis LeBlanc terrorizing incumbents by actually enforcing the law with real fines and stuff (and much to the outrage of Republican Commissioners Ajit Pai and Mike O’Reilly). Given that Jessica Rosenworcel is now running the Commission, and both she and Democratic Commissioner Geoffrey Starks are both strong on consumer protection generally and privacy protection in particular, it seems like a good time to fire up the long disused CPNI neurons with a review of how CPNI works and what might or might not happen in the T-Mo investigation.
Before diving in, I want to stress that getting hacked and suffering a data breach is not, in and of itself, proof of a rule violation or cause for any sort of fine or punishment. You can do everything right and still get hacked. But the CPNI rules impose obligations on carriers to take suitable precautions to protect CPNI, as well as obligations on what to do when a carrier discovers a breach. If the FCC finds that T-Mobile acted negligently in its data storage practices, or failed to follow appropriate procedures, it could face a substantial fine in addition to the FCC requiring it to come up with a plan to prevent this sort of hack going forward.
Assuming, of course, that the breach involved CPNI at all. One of the fights during the Wheeler FCC involved what I will call the “broad” view of CPNI v. the “narrow” view of CPNI. Needless to say, I am an advocate of the “broad” view, and think that’s a proper reading of the law. But I wouldn’t be providing an accurate primer if I didn’t also cover the “narrow” view advanced by the carriers and Pai and O’Reilly.
Because (as usual) actually understanding what is going on and its implications requires a lot of background, I’ve broken this up into 2 parts. Part I gives the basic history and background of CPNI, and why this provides the first test of how the Biden FCC will treat CPNI enforcement. Part II will look at application of the FCC’s rules to the T-Mobile breach and what issues are likely to emerge along the way.
More below . . .