The FCC’s Enforcement Bureau has entered into a Consent Decree with AT&T Services Inc. to resolve an investigation concerning whether AT&T, in connection with its 2023 data breach: (1) failed to properly protect customer proprietary information; (2) improperly disclosed or permitted access to individually identifiable customer proprietary network information; (3) failed to take reasonable measures to protect CPNI; and (4) engaged in unreasonable privacy, cybersecurity, and vendor management practices. To settle the matter, AT&T will pay a $13 million civil penalty and commit to implementing robust data governance practices and procedures, including limiting vendor access to CPNI, engaging in due diligence in selecting vendors, and conducting annual compliance audits.
