29 April 2015

Privacy Like Golf: Recognition By The Industry

Charles Russell Speechlys LLP



As you are reading this article, the US telecommunications giant AT&T is collecting the staggering sum of $25 million that has to be paid to the US Federal Communications Commission (FCC) and appointing a Compliance Officer who must be privacy certified.

AT&T has entered into the settlement with the FCC to resolve an investigation into whether AT&T failed to protect the confidentiality of the data of 51,422 customers. The settlement will affect not only AT&T's financial results but also the way companies such as AT&T conduct their business when it comes to safeguarding consumers' personal data.

So what happened?

For more than six months in late 2013 and early 2014, employees of call centres in Mexico, Colombia and the Philippines, with systems maintained and operated by AT&T and subject to the company's data security practices, used their login credentials to access customers' accounts and grab the names and last four digits of Social Security numbers. The personal information that employees had taken without authorization was used by mafia gangs to submit 290,000 handset unlock requests for mobile phones through AT&T's website. The FCC concluded that AT&T's security measures failed to prevent or detect the ongoing breach in a timely manner.

By allowing unauthorised access to customer data, AT&T failed to secure customers' proprietary information and therefore violated its statutory duty under the Communications Act.

The privacy certificate is a must

In light of the severity of the case, the FCC has imposed a wide range of duties and obligations on AT&T. Among them, the company is required to appoint a privacy certified Compliance Officer. In addition to general privacy knowledge, the Compliance Officer must have specific knowledge of the information security principles and practices that are necessary to implement the requirements of the FCC decision. One of the new requirements is that the Compliance Officer, or the team that reports to the Compliance Officer, must be privacy certified by an industry certifying organisation and must keep their knowledge up to date by continuing their privacy education. This is the first decision of its kind to require a privacy certification when appointing a privacy compliance officer.

Impact on companies

The FCC suggested looking at the decision as guidance for other companies that process personal data. The FCC decision shows the importance of putting the consumer first, not only when it comes to creating and selling products, but especially when it comes to protecting consumers' valuable information. At the same time, by requiring the appointment of a privacy certified Compliance Officer, the FCC has officially recognised the role of the privacy officer as a career speciality.

Telecoms are expected to step up and take "every reasonable precaution" to protect their consumers' data. Companies that fail to put in place appropriate technological and organizational measures will not only face civil penalties from enforcement agencies, but may also experience a decline in consumer trust, which may eventually lead to a drop in share prices and possible job losses. Just last year, the data breach suffered by the US retailer Target cost $148 million in revenues and some top executive jobs.

When creating a compliance programme, companies should appoint a privacy certified employee who not only has wider experience in building a compliance programme, but also understands what is required to preserve and maintain consumers' trust when handling their private information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
