T-Mobile announced recently that it experienced a major cybersecurity breach, exposing personal information (including credit card numbers) for at least 53 million customers and former customers. Because T-Mobile is a Title II mobile phone provider, this automatically raises the question of whether T-Mobile violated the FCC’s Customer Proprietary Network Information (CPNI) rules. These rules govern, among other things, the obligation of telecommunications service providers to protect CPNI and how to respond to a data breach when one occurs. The FCC has confirmed it is conducting an investigation into the matter.
It’s been a long time since we’ve had to think about CPNI, largely because former FCC Chair Ajit Pai made it abundantly clear that he thought the FCC should not enforce privacy rules. Getting the FCC to crack down on even the most egregious violations – such as selling super accurate geolocation data to bounty hunters was like pulling teeth. But back in the Wheeler days, CPNI was a big deal, with Enforcement Bureau Chief Travis LeBlanc terrorizing incumbents by actually enforcing the law with real fines and stuff (and much to the outrage of Republican Commissioners Ajit Pai and Mike O’Reilly). Given that Jessica Rosenworcel is now running the Commission, and both she and Democratic Commissioner Geoffrey Starks are both strong on consumer protection generally and privacy protection in particular, it seems like a good time to fire up the long disused CPNI neurons with a review of how CPNI works and what might or might not happen in the T-Mo investigation.
Before diving in, I want to stress that getting hacked and suffering a data breach is not, in and of itself, proof of a rule violation or cause for any sort of fine or punishment. You can do everything right and still get hacked. But the CPNI rules impose obligations on carriers to take suitable precautions to protect CPNI, as well as obligations on what to do when a carrier discovers a breach. If the FCC finds that T-Mobile acted negligently in its data storage practices, or failed to follow appropriate procedures, it could face a substantial fine in addition to the FCC requiring it to come up with a plan to prevent this sort of hack going forward.
Assuming, of course, that the breach involved CPNI at all. One of the fights during the Wheeler FCC involved what I will call the “broad” view of CPNI v. the “narrow” view of CPNI. Needless to say, I am an advocate of the “broad” view, and think that’s a proper reading of the law. But I wouldn’t be providing an accurate primer if I didn’t also cover the “narrow” view advanced by the carriers and Pai and O’Reilly.
Because (as usual) actually understanding what is going on and its implications requires a lot of background, I’ve broken this up into 2 parts. Part I gives the basic history and background of CPNI, and why this provides the first test of how the Biden FCC will treat CPNI enforcement. Part II will look at application of the FCC’s rules to the T-Mobile breach and what issues are likely to emerge along the way.
More below . . .
As usual, I’m going to provide lots of background before I get to the actual T-Mobile breach so that folks can understand the issues. Hey, it’s what we do here at Tales of the Sausage Factory. If you just want the T-Mo relevant stuff, skip to Part II.
Why Does the FCC Have Anything to Do with Privacy?
Despite about 500 years of common law requiring common carriers to protect the privacy of communications, and a provision protecting the privacy of communications going back to the Federal Radio Act of 1927 (now found at 47 U.S.C. § 605), you still run into plenty of people arguing that the FCC really doesn’t do privacy, shouldn’t do privacy, and should leave everything to the wonderfully awesome experts at the Federal Trade Commission (FTC). Rather than repeat these arguments for the zillionth time, I will refer folks to this 100-page White Paper I wrote on the subject back in 2016 and to “The Common Carrier Privacy Model” by Adam Candeub (yes, that Adam Candeub).
So What Is CPNI and Where Does It Come From?
For those interested in really digging into this, I will refer folks to this 100-page white paper I wrote back in 2016. Briefly, CPNI started as a set of FCC regulations designed primarily to protect competition. The rules prevented an incumbent provider (Ma Bell, then the Baby Bells) from using information from rival service providers that needed to interconnect with the network to provide service to customers. For example, alarm companies used to use a customer’s phone line to offer service. AT&T ran its own alarm company. To protect competition, the FCC prevented AT&T from using the information that rival alarm companies had to provide to AT&T for the system to work.
As part of the Telecom Act of 1996, Congress expanded this idea of CPNI to include a subscriber privacy protection element as well as a pro-competition component. (Like many good things in the 1996 Telecom Act, you can thank then-Representative now-Senator Ed Markey for this provision.) The 1996 Act added Section 222 (47 U.S.C. § 222) to the Communications Act. Section 222 imposes both a general obligation on carriers to protect a customer’s “proprietary information” and very specific obligations to protect “Customer Proprietary Network Information.” Section 222(h) defines CPNI as:
(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and
(B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier;
“Broad CPNI” v. “Narrow CPNI.”
This being law, we have two ways to look at this definition. What I call “broad CPNI” means looking at this as broadly as possible, with the comprehensive list being an effort to ensure that as much information about an individual and their use of the telecommunication service is protected by CPNI. The other view, which I call “narrow CPNI,” argues that by including a list of technical things such as “technical configuration” but not including such obvious things as “name” or “social security number,” Congress was deliberately narrowing the definition of CPNI. There is a subset of this argument over whether the general statement in Section 222(a) requiring carriers to protect the confidentiality of “proprietary information” imposes a separate duty on carriers to protect anything not explicitly designated as CPNI, or is merely an opening introductory statement. As you would expect, consumer protection guys such as me support the broad CPNI theory, while carriers and my opposite numbers in the Libertarian world support the narrow CPNI theory.
The 2007 Pretexting Order Establishes Broad CPNI, But Everyone Kind of Ignores It Until 2014.
Few people give Kevin Martin the credit he deserves for his pro-consumer protection rulings. This is a pity, as – while he did a lot of traditional Republican deregulatory stuff – he also did a lot of old-school Republican consumer protection stuff. One of these was on privacy. Yes, there was a time when a lot of Republicans cared deeply about privacy and believed that we needed regulations to protect privacy. But I digress.
In 2007, the Martin FCC voted out an order designed to address concerns raised by EPIC over how easy it was for stalkers and scammers to get access to people’s personal information from phone companies. Basically, although people agreed that the CPNI rules prevented carriers from selling the information, there was no industry consensus on any obligation to protect that information. So people could just call up and pretend to have some reason to want someone’s address or whatever and the phone company would just give it to them. This practice was called “pretexting,” so the 2007 CPNI Order is generally referred to as the “Pretexting Order.”
The Pretexting Order did a bunch of things. First, it adopted the broad CPNI theory. Footnote 2 declares that “CPNI includes personally identifiable information derived from a customer’s relationship with a provider of communications services.” Whether one likes this interpretation or not, no one appealed this particular aspect of the Order so this is the definitive statement of the expert agency on the interpretation of the statute. Next, the Order adopted extremely comprehensive rules governing the obligations of a carrier to take adequate precautions to protect CPNI (including personal information), mandatory reporting obligations to the FCC and law enforcement on discovery of a data breach, mandatory reporting to customers, and lots of other real good stuff that we should have as general privacy rules.
From 2007 to 2017, the FCC’s CPNI rules were fairly effective against preventing phone companies from using customer information for advertising and for enforcing obligations on carriers to protect the information. Carriers must file an annual report where an officer of the company certifies that they have honestly reported all data breaches or violations of the CPNI regulations. The system has been so effective that the cable and telephone industry have spent millions of dollars lobbying to have it eliminated, and to transfer all privacy enforcement to Federal Trade Commission, aka “Toothless.”
But until 2014, the FCC didn’t impose significant fines. Generally, it operated by consent decree. These decrees mostly focused on remediation. Companies would usually get a modest fine (depending on the severity of the breach and whether the company complied with the rules) and would need to come up with a compliance plan to prevent the same sort of breach from happening again. As always, there are pros and cons to this approach. Supporters argue that it conserves agency resources and focuses on preventing future harms. Any subsequent violations of the consent decree are much easier to enforce, and much easier to impose substantial penalties. Critics argue that this lets companies off cheap, and that the agency doesn’t do enough to punish consent decree violations.
What Happened in 2014?
In 2014, Then-Chairman Tom Wheeler appointed Travis LeBlanc as chief of the Enforcement Bureau. LeBlanc came from the California AG’s office (where he worked with Kamilla Harris) and the DoJ. Travis brought a very different perspective to the Enforcement Bureau. i.e., It was about actual enforcement and punishing offenders. Consumer protection folks like me totally loved Travis (and not just because he is a fellow Princeton Alum who shares the same cycle of reunions as I do, being Class of ’99), and basically wanted the FCC to put a giant “Travis Signal” on top of the FCC HQ that we could turn on whenever we needed consumer protection. Most industry folks regarded him as a cross between Vlad the Impaler and Genghis Kahn.
In October 2014, the FCC voted out a Notice of Apparent Liability (NAL) against two telecom carriers: Terracom and YourTel. The FCC found that these companies had exposed customer social security numbers and other personal information on the web and basically ignored this breach for months. The FCC imposed a whopping $10 million fine (ultimately reduced to $3.5 million in a subsequent consent decree). The Terracom NAL also contained a lengthy discussion of the FCC’s overall authority to protect consumer personal information collected by carriers. It was widely regarded as a statement by the FCC that they intended to take privacy protection very, very seriously.
Needless to say, both Republican Commissioners vigorously and vociferously dissented. (Pai dissent here; O’Reilly dissent here.) This is where we first saw any FCC Commissioner, including any Republican Commissioner, come out against the FCC getting serious on enforcing CPNI and privacy. As the privacy fight continued for the remainder of the Obama Administration, the line of division between the Democrats and Republicans on the FCC’s responsibility to protect privacy became ever more pronounced – with Pai and O’Reilly ultimately taking the position that the FCC should just stay out of privacy altogether and leave it to the FTC.
2017-2021: CPNI Goes Bye-Bye.
Unsurprisingly, after Trump won the election and appointed Ajit Pai chair of the FCC in 2017, CPNI pretty much disappeared from the FCC’s enforcement agenda. Pai made it abundantly clear in the “Restoring Internet Freedom Order” reclassifying broadband as a Title I information service that he wanted the FCC to have nothing whatsoever to do with privacy protection (or much else on consumer protection outside going after robocalls). This is rather important for T-Mobile, since T-Mobile suffered a number of data breaches during this time. Generally, the FCC ignored these. But when Joseph Cox over at Motherboard did a series of investigative articles on how mobile carriers were selling extremely precise geolocation data to bounty hunters and taking virtually no precautions to protect the information, even Pai felt pressure to act. In February 2020, the FCC issued NALs against all four major carriers for violation of the CPNI rules totaling $200 Million in fines. Unfortunately, there is zero evidence that the FCC ever issued a final forfeiture order or entered a consent decree against any of these carriers.
This last four years of inaction sets the stage for the current T-Mobile data breach, and why this will be such an interesting case to follow. Both Acting Chair Jessica Rosenworcel and Democratic Commissioner Geoffrey Starks made it clear in their concurring/dissenting statements in the 2020 CPNI Notices of Apparent Liability (and elsewhere) that they care deeply about protecting consumer privacy and regard the last 4 years as inexcusably lax. Meanwhile, Republicans Brendan Carr and Nathan Simington were not around in 2014-16, and therefore did not stake out positions as extreme as those of Pai and O’Reilly. Indeed, Simington was not even on the Commission when the FCC decided the February 2020 NALs, so his positions on CPNI and FCC enforcement remain a big question mark.
Armed with this background, we can now proceed to Part II. So how will the FCC investigate the T-Mobile breach, how will this play with any FTC investigation, and what legal issues are likely to emerge?
Stay tuned . . . .