As the FCC continues to exercise close oversight of the use of Customer Proprietary Network Information ("CPNI"), telecom stakeholders should also be sensitive to potential data security obligations under any relevant mitigation agreements with "Team Telecom," the collection of Executive Branch agencies tasked with reviewing and resolving any national security implications related to foreign ownership of telecom providers.
On June 13, 2024, the FCC's Enforcement Bureau released a consent decree ("Consent Decree") with Liberty Latin America ("Liberty") addressing Liberty's failure to comply with consumer data privacy commitments contained in its 2020 Letter of Agreement ("LOA") with Team Telecom.
LOAs are a common type of mitigation agreement, in which the operator (and often, the foreign ownership group) makes certain operational commitments to Team Telecom—e.g., how network traffic is managed, how foreign personnel access the work, and often, how data is securely collected, handled, and stored.
This Consent Decree underscores two intersecting areas where the FCC is quickly ramping up its enforcement activities: national security and data protection.
Background and Settlement: In 2020, Liberty, a Bermuda-based company, acquired telecommunications operations in the Puerto Rico and U.S. Virgin Islands regions from another carrier ("Acquired Carrier").
- Pursuant to the FCC review process of a transfer of control application, Liberty entered into an LOA with Team Telecom. Prior to the transaction, the Acquired Carrier had provided data regarding the Acquired Carrier's customers to a third-party vendor. In January 2023, that vendor experienced a data breach (the "Vendor Breach"). Although Liberty's systems and network were apparently not compromised, the Vendor Breach involved data that "referred or related" to Liberty customers.
- The Acquired Carrier notified Liberty of the Vendor Breach and notified the FCC (in February 2023) via the CPNI Data Breach Reporting Portal. Initially, Liberty did not make a similar notification, apparently believing the obligation to report the Vendor Breach resided with Carrier 1. Approximately seven weeks later—and after the Acquired Carrier made clear its notification would not address impacted Liberty customers—Liberty notified the FCC and (pursuant to the LOA) the Department of Justice of the Vendor Breach.
- As a result of these developments, the FCC concluded that Liberty failed to: (i) reasonably protect the confidentiality of customer information; (ii) timely file a report in the Data Breach Reporting Portal; and (iii) abide by the conditions of the LOA in connection with the Vendor Breach.
Key Takeaways. There are three key takeaways from the FCC's settlement with Liberty:
- Independent Obligations Under the LOA. Under the FCC's rules in effect at the time of the Vendor Breach, carriers were required to notify data breaches [a]s soon as soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach . . . ."1 However, under the LOA, Liberty was required to report to DOJ in writing "no later than 72 hours[] after [Liberty] learns of information that reasonably indicates . . . [u]nauthorized [a]ccess to, or disclosure of, any information . . . referring or relating in any way, to Liberty's customers."2 Telecom operators should be aware that LOAs often contain data breach reporting obligations far more aggressive than the FCC's rules, requiring operators to quickly determine the extent of the breach and to move forward with notification within a matter of a few days.
- Reporting of Vendor Breaches. It appears Liberty's network was not compromised and therefore Liberty initially presumed the Acquired Carrier's data breach notification was sufficient to address the Vendor Breach. Telecom operators should be aware the FCC and Team Telecom typically interpret the notification obligations quite broadly. Accordingly, operators should consider erring on the side of regulator and customer disclosure even if the breach was not the result of network security lapses or only involved a threat actor gaining unlawful access to a downstream vendor's operations.
- Heightened Scrutiny of LOA Compliance. In addition to the heightened data breach notification requirements noted above, operators subject to LOAs are also subject to regular compliance auditing. Given the FCC and Team Telecom's increased focus on the national security implications of foreign ownership of U.S. telecommunications assets, operators subject to LOAs should put in place internal processes allowing for the prompt identification and review of data incidents potentially requiring disclosure to the FCC or DOJ.
Navigating the potential disclosures related to a network security incident involves complicated regulatory and commercial considerations.
Footnotes
1. 47 CFR § 64.2011(b).
2. Letter of Agreement from John Winter, Senior Vice President, Chief Legal Officer & Secretary, Liberty, to the Assistant Attorney General for National Security, National Security Division, U.S. Department of Justice; Deputy Chief Information Officer for Cybersecurity, United States Department of Defense, [WT] Docket No. 19-384, File Nos. ITC-T/C-20191107- 00178 et al. (July 1, 2020).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.