Federal Communications Commission settles a data breach action against Cox Communications for $595,000
November 16, 2015
It is not only the Federal Trade Commission that has been active in dealing with poor data security in the United States. The Federal Communications Commission (the “FCC”) has also been taking enforcement action over data breaches, as it did against YourTel America (see my post here), which resulted in a $3.5 million settlement. Heavy settlement payments have been extracted from offenders, as in April this year when AT&T Services Inc agreed to pay $25 million after it failed to properly protect the confidentiality of almost 280,000 customers’ data.
Earlier this month the FCC, in an 18-page notification, announced a $595,000 settlement with cable company Cox Communications over poor privacy protections, which were exposed when its customers’ personal information was breached by the hacker group Lizard Squad in August last year. Cox not only exposed the personal information of many of its customers but also failed to report the breach through the FCC’s breach reporting portal.
The breach has, as is often the case, attracted negative publicity, for example the Washington Post article “In a first, the FCC is fining a major cable company for getting hacked” and the Ars Technica article “FCC fines Cox for falling for Lizard Squad scam, exposing customer data”.
The hack was effected by pretexting: the attacker pretended to be a Cox IT employee [2]. As is often the case, the breach exploited human frailty rather than a technical flaw. The attacker convinced a Cox customer service representative and a contractor to enter their account identifiers and passwords into a fake website the attacker had created. Those credentials gave the attacker access to Cox customers’ personal information. Simple and effective. The attacker then posted customer personal information on social media sites and changed some customers’ account passwords.
As is usually the way, the breach led to an investigation of the company’s infrastructure, practices and policies. Here, apart from the poor training of Cox staff, the investigation revealed that the system lacked multi-factor authentication, so a stolen username and password alone were enough to log in as the affected employees.
The settlement is set out at [4]. The terms are fairly conventional, and a similar structure is followed in Australia. The difference is that the FCC puts a real financial sting into its settlements. The Australian Privacy Commissioner has thus far adopted a more timid approach to breaches. That is consistent with a general reluctance to take the necessary muscular approach to regulation which would improve privacy compliance.
The settlement provides: