This week, the Federal Communications Commission (FCC) announced a settlement with TracFone Wireless to resolve investigations into whether TracFone failed to reasonably protect its customers’ information from unauthorized access in connection with three data breaches.

The breaches occurred between January 2021 and January 2023. Each of these data breaches involved the exploitation of application programming interfaces (APIs), which allow system programs and components to communicate with each other. The incidents led to unauthorized access to proprietary customer information and personal information. The FCC’s complaint against TracFone stated that TracFone’s alleged failure to reasonably secure customers’ proprietary information violated a carrier’s duty under Section 222 of the Communications Act and constituted an unjust and unreasonable practice in violation of Section 201. It is also a violation of Section 222 to impermissibly use, disclose, or permit access to customers’ proprietary information without customer approval.

Loyaan A. Egal, Chief of the Enforcement Bureau and Chair of the Privacy and Data Protection Task Force, said, “Carriers—and the customer information they have access to—are prime targets for threat actors. The Commission takes matters of consumer privacy, data protection, and cybersecurity seriously, including in the context of emerging security issues. The Enforcement Bureau’s investigations and resulting Consent Decree make clear that API security is paramount and should be on the radar of all carriers.”

In addition to a $16 million civil penalty, the settlement specifically requires TracFone to update its API security, implement an information security program, conduct annual security assessments, and provide privacy and security awareness training to its employees.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.