The T-Mobile Data Breach and Your Basic Primer on CPNI – Part II: How Will the FCC Investigate T-Mo’s Data Breach?

In Part I, I provided all the legal and political background needed to understand why the Federal Communications Commission’s (FCC’s) investigation into T-Mobile’s data breach, impacting about 53 million existing customers, former customers, and folks who applied for credit checks but have never been customers, may be complicated politically. But what are the mechanics of the investigation? How does this actually work? What are the rules, and what remedies or penalties can the FCC impose on T-Mobile?

I explore these questions below . . . . .

What are the Relevant FCC Rules?

The FCC rules governing Customer Proprietary Network Information (CPNI) are found at Part 64 Subpart U of the Commission’s rules, 47 C.F.R. §§ 64.2001-64.2011. Of these, two rules are of relevance here. Rule 64.2010 requires that carriers “must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” Rule 64.2011 requires carriers to notify law enforcement (including the FCC) on discovering a breach, and to notify customers 7 days after notifying law enforcement unless law enforcement asks the carrier to delay notifying the customers.

So far, we have no reason to assume that T-Mobile failed to comply with all the notification rules. That means the FCC will primarily be investigating whether T-Mobile took “reasonable measures” to protect the information. As I stressed last time, it is not a violation of the rules to get hacked. This isn’t a strict liability regime. Where carriers get in trouble is by failing to take reasonable precautions – including fixing known vulnerabilities once discovered (say, by being hacked previously).

What Are the Questions the FCC Will Need to Address in the Investigation?

The FCC will need to resolve three questions. First, did the breach actually involve CPNI (and if so, to what extent)? Second, did T-Mobile take “reasonable measures” to protect the information? Finally, after T-Mobile discovered the breach, did it follow the appropriate notification procedures?

Who Is a “Customer” for CPNI, and What “Customer Information” Is Protected?

As I discussed in Part I, that depends on how you define CPNI. There are several wrinkles here, however, even if you take the broad view of CPNI that includes things like a customer’s name and Social Security number and not just technical information or billing information. The biggest issue involves people who applied for service but were rejected by T-Mobile after a credit check, people who used to get service but don’t anymore, and people who bought equipment but not a phone contract. The statute talks about “customers” but doesn’t define “customer.” Are these people “customers” under the statute?

Some of these questions were answered by the FCC in the Terracom/YourTel Notice of Apparent Liability. CPNI has been defined by the FCC as information that comes into the carrier’s possession “by virtue of the customer-carrier relationship.” Things like credit applications and credit checks for people approved for service clearly fall into this category. The only reason I gave T-Mobile this information was so they would provide me service. In the Terracom/YourTel NAL, the FCC interpreted “customer” to include people actively trying to get service from the provider, even if the provider ultimately rejects their application and never turns the service on. The question about a pure equipment purchase remains open, but I suspect that the number of people who ever bought equipment (or applied to buy equipment) without buying (or applying to buy) actual phone service (whether prepaid or post-paid) is sufficiently negligible that we can ignore it.

OK, but what about former customers? As Matt Schettenhelm pointed out to me on Twitter, the FCC discussed this point in the 2016 Order applying CPNI to broadband, which also modified the CPNI rules for voice carriers. In the discussion around the definition of “customer” in Paragraphs 41-44, the FCC noted that its definition of “customer” in Rule 64.2003(f) defined a customer as “a person or entity to whom the carrier is currently providing service.” (Emphasis added.) The FCC noted this contradicted the Terracom/YourTel NAL, which found that applicants for service were protected by Section 222(a) even after their application was denied. For that reason, and for other reasons of policy, the FCC decided to change the definition of customer in Rule 64.2003(f) to unambiguously include applicants and former customers.

Then came the 2017 Congressional Resolution of Disapproval repealing the FCC’s 2016 CPNI Order. As the FCC found in its Order implementing the CRA, this Congressional repeal rendered the entire 2016 CPNI Order a “legal nullity.” It also prevents the FCC from enacting “similar regulation” without Congressional authority.

So where does that leave us? Does the FCC simply get to ignore its prior characterization of the definition in 64.2003(f), as it did in Terracom (which is still binding precedent), by finding that “customer” for purposes of Section 222(a) and Section 201(b) is not the same as the definition of “customer” for Section 222(c), which deals with CPNI rather than “proprietary information” (the somewhat different term used in 222(a))? On the one hand, this would seem to violate the basic canon of interpreting the same word used in different places in a statute as having the same meaning — unless the statute indicates otherwise. But the statute does sort of indicate otherwise, by providing different levels of responsibility for “CPNI” under Section 222(c) and for “proprietary information” under Section 222(a). It is not irrational to conclude that Congress intended for carriers to have a continuing general obligation to past customers and applicants, while prescribing very specific protections for existing customers. Additionally, Section 201(b) (which the FCC applied in the Terracom NAL) focuses on unreasonable practices by carriers. The FCC could certainly decide that even if “customer” for purposes of all of Section 222 means a customer currently receiving service from the carrier, it is unjust and unreasonable for carriers to collect information as a condition of providing service, then have the freedom to do whatever they want with it after the fact. Finally, given the “common carrier exception” that prevents the FTC from enforcing its rules against a common carrier engaged in common carrier activities, an FCC decision that excludes former customers and/or applicants would create a situation where neither the FCC nor the FTC has jurisdiction.

On the flip side, if I were T-Mobile, I would argue that the FCC affirmatively changed the regulation in 2016 and that the CRA prevents the FCC from adopting the same definition of customer it adopted in 2016, because the CRA prevents the agency from adopting “substantially similar” regulation under any statutory authority. But the definitional issue was such a small part of the overall 2016 Order; is that really “substantially similar”? Besides, as I noted above, Terracom remains good law. So it seems that the discussion in the 2016 Order characterizing Section 222 as applying only to current customers is the “legal nullity.”

Since the breach impacted 7.8 million existing customers, there is plenty of authority for the FCC however you slice it. Whether the FCC counts the remaining 40 million prospective and former customers in the breach as violations of Section 222 or 201(b) (assuming there is any violation at all) goes to how big a fine the FCC can legally impose.

What About Data Service Only Customers?

The other issue is that T-Mobile offers data contracts without a voice component (say, for a tablet). Since the Restoring Internet Freedom Order (RIFO) went into effect, mobile data services are classified as Title I information services. Information on data-only customers collected after RIFO went into effect certainly falls outside the CPNI rules. It is possible that some of the information on data-only customers was collected when broadband was classified as Title II, which raises its own questions, since the specific CPNI rules applicable to phone service information were never applicable to broadband even when the CPNI statute applied to broadband. But, to the extent there is information about data-only customers collected while 47 U.S.C. § 222 applied to such customers, I expect it is such a small component of the overall breach that it is not really worth worrying about. (Unless, of course, it happens to be your personal information.)

Even with all these exclusions, odds are good that there is at least some CPNI included in a breach this big. Which brings us to the next question: did T-Mobile take “reasonable measures” to secure the information and discover the breach?

What Does “Reasonable Measures” Mean?

As the FCC explained when it adopted the “reasonable measures” standard in the 2007 Pretexting Order, it is hard to define reasonable measures with precision. Standards for the industry constantly evolve and change along with the technology. The carrier industry (and those supporting the “narrow CPNI” definition discussed in Part I) frequently complain that this is vague and unfair, and that it is thus impossible for them to comply with any certainty.

In reality, however, we deal with evolving industry standards all the time across multiple fields of law – including things like negligence. We use similar industry standards of reasonableness for things like financial information and for medical information under HIPAA. Additionally, the Federal Trade Commission (FTC), which is held up as the gold standard by the carrier industry and others who don’t like the FCC doing anything on privacy, uses a similar idea when determining whether businesses have complied with their terms of service, which usually also promise to take “reasonable measures to protect your information.” See FTC v. Wyndham Worldwide Corp. As the FCC explained in the 2007 Pretexting Order, any “safe harbor” the FCC created that did not rely on evolving industry standards would quickly become outdated.

I’ll add that, as a practical matter, the industry never appealed this aspect of the 2007 Pretexting Order. That doesn’t foreclose as-applied challenges arguing that the FCC’s determination in a specific case is unreasonable. But it does mean it is rather late to complain about a standard adopted almost 15 years ago.

In practice, what the FCC has done (and what usually ends up happening with the FTC and in other areas of law) is focus on behavior that is particularly egregious. While some cases may be close calls, there are a bunch of things that are pretty clearly negligent and therefore unreasonable. This is where the fact that T-Mobile has had 4 breaches in 4 years potentially becomes relevant. Was T-Mobile “on notice” about security flaws due to past breaches but failed to take adequate remedial action? Alternatively, did T-Mobile adopt reasonable precautions to ensure the same breach did not happen again, only for hackers to find a new vulnerability to exploit? This is the sort of thing the FCC will look at and evaluate in its investigation.

What Happens When the FCC Concludes Its Investigation?

After the Enforcement Bureau finishes its investigation, it will then consider what recommendation to make to the full Commission on whether T-Mobile violated the CPNI rules (or other relevant FCC authority, such as 47 U.S.C. § 605). This will inform whether the Enforcement Bureau negotiates a consent decree with T-Mobile, and what such a consent decree should include. If the Bureau decides that T-Mobile’s conduct was reasonable, it may decide to take no action at all. Usually, however, the FCC will at least want assurances that the company has corrected the vulnerability and taken steps to ensure that a similar vulnerability is not exploited in the future. The FCC may also want the carrier to do some extra reporting on its response to the breach and what systems it put in place to ensure this doesn’t happen again.

In addition, the FCC will have to consider how much CPNI was involved, and whether it thinks it has a strong case to prove that a substantial amount of CPNI was involved and that T-Mobile failed to take reasonable measures to protect this CPNI. Another reason the FCC and carriers tend to favor consent decrees is that they avoid having to make hard calls and take risks on litigation. A consent decree may or may not include an admission of wrongdoing, but – as with the FTC – it settles the matter with regard to this particular company.

Also, as with the FTC, this approach has its critics. Some folks think that it lets companies off too easily, whereas others argue that the agency bullies the company into concessions on cases it knows it is unlikely to win. Both camps argue that it leaves the law in limbo, since the consent decree applies only to the specific company. Others argue that consent decrees do have an impact on the industry as a whole by signaling to the industry what the regulator expects. Again, whether you think that’s a bug or a feature depends on your POV.

A voluntary consent decree entered into between the Enforcement Bureau and the company is binding and can be enforced in court. One of its advantages is that, whether or not the agency could have won on the underlying conduct, it can (usually) win on a violation of the consent decree. The FTC’s experience in FTC v. LabMD, however, shows that a company can get out of a consent decree under the right circumstances.

Finally, and importantly, the Enforcement Bureau can enter into a consent decree on delegated authority. That is to say, it does not require a vote of the full Commission. As a general rule, in a high profile case like this, the Bureau will only enter into a consent decree where the Chairman signs off. But it does mean that the FCC can get a consent decree even in a 2-2 Commission if T-Mobile decides it would prefer to settle rather than wait for a 3-2 Commission, which might impose a much harsher penalty despite the objections from the Republicans.

What Happens If There Is No Consent Decree?

The FCC’s enforcement processes are very different from those of the FTC or Department of Justice. The FCC was created back in the day when people expected that agencies would act like courts and actually adjudicate disputes, as well as investigate and prosecute them. This predates even formal Administrative Law Judges (ALJs). So whereas the FTC would refer a matter to its ALJ or file a complaint in district court, the FCC works very differently.

The relevant provisions governing the FCC’s power to impose forfeitures are found in Title V of the Communications Act. Section 502 gives the Commission general authority to fine anyone who willfully and repeatedly violates any rule of the Commission. Section 503 provides for higher penalties for common carriers and broadcasters, and also sets forth the process by which this works. You can find the Commission’s implementing rules at 47 C.F.R. § 1.80.

First, the Commission must vote out a Notice of Apparent Liability (NAL) that provides sufficient detail about the conduct, what rules were broken, and why the FCC is proposing this particular amount as a fine. That can be done on delegated authority, but the FCC’s internal rules limit the forfeiture amount that can be imposed at the Bureau level, and also prevent the Bureau from deciding “novel questions of law.” That makes it very unlikely that any NAL would issue on delegated authority in this case, so assume the entire Commission has to vote it out. (If the Bureau issues the NAL, add an extra step to appeal to the full Commission.)

The NAL must contain a description of the conduct and why the Commission finds that this conduct appears to violate the rules. Although the Commission has no formal obligation to give the companies a chance to make their counter arguments during the investigation, it generally does so and describes these in the NAL. Because the NAL is a finding of “apparent” liability, you will see some folks argue that NALs aren’t real Commission precedent. Since NALs are full orders voted out by the Commission, I would argue that their legal conclusions are sound Commission precedent unless reconsidered and either modified or reversed, like any other order via adjudication.

After explaining the conduct and why it appears to violate the statute and/or rules, the FCC will then assess the penalty. Rule 1.80 provides guidelines for assessing penalties. These include factors like whether the conduct was particularly egregious, how many people were impacted, and what the nature of the harm was. The FCC also considers mitigating factors. If the carrier is found to have broken multiple rules, the fine is calculated based on each violation and specific act. Note that a violation of Section 222 may also be a violation of Section 201(b)’s prohibition on “unjust and unreasonable” practices if the FCC finds that the carrier acted in a particularly deceptive or negligent way.

After the FCC votes out the NAL, the parties subject to the NAL (e.g. T-Mobile) have a “reasonable time” to respond. Under Rule 1.80, that is generally 30 days from issuance and service of the NAL, but the FCC can extend that if it wants. Once the parties file their response to the NAL, and assuming they haven’t simply paid the money, the FCC will then decide whether to issue a forfeiture order. The forfeiture order deals with the response by the parties and decides whether the parties raised new arguments or brought mitigating facts to the FCC’s attention. The FCC can either reverse the NAL entirely, decide to modify it, or affirm it.

How Does a Company Appeal a Forfeiture Order?

A forfeiture order is like any other order of the Commission. You appeal pursuant to 47 U.S.C. § 402(a), which means either to the Federal Court of Appeals for the District of Columbia Circuit or to the Federal Court of Appeals for the circuit where the object of the forfeiture order resides. In addition, because this is an appeal of an agency order, the burden is on the object of the forfeiture order – not on the agency – to show the FCC acted arbitrarily and capriciously. That means the agency also gets Chevron deference for its determinations, although this is modified somewhat by due process concerns so that a fine can’t come totally out of a clear blue sky. (This standard is a bit fuzzy; see Trinity Broadcasting v. FCC, holding that if the offender could not reasonably have foreseen that the conduct would violate a rule, imposing a criminal penalty violates due process.)

If the object of the forfeiture order doesn’t pay up, the FCC can ask a federal district court (or get the DoJ to ask a federal district court) to enforce the forfeiture order. The district court doesn’t get to reexamine the merits. As long as the forfeiture order was issued in accordance with appropriate procedures, and there are no outstanding appeals, the district court must issue an order to collect the money. 47 U.S.C. § 504.

Is This Like an FCC License Transfer Proceeding with a Public Docket and an Opportunity for the Public to Weigh In?

Nope. This is a closed and confidential proceeding. The FCC doesn’t talk about it while it is ongoing, and nobody gets to weigh in or try to influence it. In that respect, it is like a trial.

Does the Federal Trade Commission Do Anything Here?

The Federal Trade Commission (FTC) is subject to the “common carrier” exception in Section 5 of the FTC Act. That means that on matters pertaining to telephone providers, to the extent they involve providing a telecommunications service, the FTC has no authority. The FCC and FTC do have a Memorandum of Understanding to coordinate on consumer protection issues that implicate both agencies. So if a chunk of the data falls outside of the CPNI rules because it relates to T-Mobile’s Title I broadband service, the FTC would handle that piece of the investigation and go through its own process.

Conclusion

I think that pretty much covers the mechanics of the process. FCC NALs happen fairly rarely because most enforcement actions either take no action or settle. I want to stress yet again that just because a breach happened doesn’t mean that T-Mobile did anything wrong. Just because the FCC is investigating doesn’t mean the FCC even thinks that T-Mobile did anything wrong. An investigation whenever there is a breach, particularly one of this magnitude, is routine. The FCC is not going to talk about it during the investigation, nor is T-Mobile likely to say anything beyond “we are fully cooperating with the FCC and other relevant state and federal authorities.”

Stay tuned . . .