This week, the Federal Communications Commission (FCC) announced a data protection and cybersecurity settlement with T-Mobile, resolving the FCC’s investigations related to the data breaches suffered by T-Mobile that affected millions of consumers in 2021, 2022, and 2023.

As part of the settlement, T-Mobile has agreed to:

  • Remediate security flaws;
  • Improve the company’s cyber hygiene;
  • Implement standard security safeguards, such as multi-factor authentication;
  • Implement stronger corporate governance, including regular reports to the board by T-Mobile’s Chief Information Security Officer;
  • Implement a modern zero trust architecture and segment its networks; and,
  • Consistently apply best practice identity and access methods.

Pursuant to the settlement, T-Mobile has agreed to invest $15.75 million in cybersecurity, in addition to paying a civil penalty of $15.75 million.

FCC Chairwoman Jessica Rosenworcel said, “Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.” This settlement exemplifies why security safeguards are just as important as privacy compliance—you can’t have privacy without security.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.