The $25 Million Fine Isn’t The Real AT&T-FCC Story

Editor’s Note: J. Trevor Hughes is the president and chief executive officer of the International Association of Privacy Professionals (IAPP).

It’s easy to focus on big financial penalties. All of us intuitively feel the pain of writing the FCC a check for $25 million. But if you’re focusing on the monetary payout in the FCC’s consent agreement with AT&T for a data privacy lapse, you’re missing the real story.

First, you need to be paying more attention to the agency that’s doing the fining here: the Federal Communications Commission. Notably, when President Obama launched his Privacy Bill of Rights effort in January of this year, he did it from within the bowels of the Federal Trade Commission, as the FTC has traditionally been the privacy cop on the beat serving and protecting U.S. consumers.

However, the FCC has now placed a badge firmly on its chest by delivering the single largest fine for data privacy violations in U.S. history. In fact, we believe it to be the largest anywhere on the globe. This is a clear signal that the FCC has high expectations of companies for protecting not only the trove of consumer data they collect and process, but also the data collected and processed by the vendors contracted by the telecommunications industry.

Do you know who’s looking at your customer data in that offshore call center you’ve been using? The FCC has now made it clear that you’d better. More broadly, how are you managing data that flows from your company to all third-party vendors? What contractual protections do you have? Have you ever audited the privacy programs of a vendor or service provider? It is not too much of a stretch to see that the FCC will care about those data relationships as well.

Further, while the FCC has traditionally only held sway over the telecoms space, the recent net neutrality rule the agency put forward now brings a whole host of internet service providers under its purview. We should expect that the FCC will bring its new privacy focus to bear on that ISP sector, which deals in vast amounts of consumer data.

Secondly, this is the first privacy enforcement action that specifically calls for a “certified privacy professional,” indicating that expectations have been reset.

This is a clear indication that the FCC – and you can expect the FTC and other agencies around the world to follow suit – has recognized the importance of training and experience in privacy matters. Privacy is not a check-box compliance issue anymore, where you go through a little exercise once a year and call it good.

No, privacy and data security are efforts that need to be overseen by a designated person and team that is accountable for ensuring data is handled and secured appropriately. It’s an everyday activity, an ongoing and constant vigilance.

Now is the time, before businesses find themselves in the crosshairs of what is becoming one of the most active privacy regulators in the world, to assess data privacy and security practices and make sure there are trained and experienced staff on hand.