Millions of Customers Affected
This week, AT&T warned millions of customers that their data was likely stolen in a breach dating back to April. Amidst far-reaching legislation that is supposed to keep consumers safe from exactly this, AT&T and other telecommunication rivals have worked hard to mold these rules, saying this current approach hasn’t done enough to solve this problem.
Precious Data at Stake
Stolen information is so valuable that it has made the FBI plead for a postponed reporting date of the breach to the Securities and Exchange Commission due to concerns over national security and public safety. The breached data contained nearly all AT&T cellular customers and those of wireless providers using its network from May 1, 2022, through October 31, 2022.
Repeated Breaches in a Short Span
This isn’t the first time AT&T has been breached this year alone. Back in March, another, unrelated data leak exposed the Social Security numbers and other personal information of 73 million current and former customers, which was then dumped on the dark web.
Stronger Data Protection Called for
Consumer advocates and many lawmakers have been working to create better consumer protection of data. Despite having nearly 20 states laws in this area, huge patchworks are found with inconsistency and gaps. Big tech and telecom lobbies have stood against efforts geared toward pushing stronger laws.
AT&T on Its Stand Regarding Federal Privacy Policy
“We have long supported a comprehensive federal privacy policy protecting all Americans that applies across the internet ecosystem. We continue to believe that a federal privacy policy should provide a consistent set of protections, enforced by a single regulator, for all consumers,” said AT&T.
At the very core of the problem
Communication companies collect huge amounts of extremely valuable data, making them ‘juicy’ targets for cybercriminals. According to Dominic Sellitto, a cybersecurity professor at the University at Buffalo, “The data phone carriers hold is the gateway into everything else on the internet. Every communication that we have goes through a telecom provider or internet service provider.”
More Hacker Targets
With the size and treasure trove of data these large companies hold, such as AT&T, they become prime targets for hackers. None of the smaller companies compare in size and treasure trove of data to these large ones like AT&T, so naturally, because of their size and treasure trove of data, they certainly have a target on their backs, Sellitto noted. From the last year, to this far, major cyber-attacks hit car dealerships, emergency services, and other industries.
The Need for Comprehensive Data Privacy Laws
Currently, 19 states have data privacy laws that cover at least 150 million Americans. Federal regulations, however, appear to only exist in very narrow or limited areas, such as medical data or children’s information. Alan Butler, executive director and president of the Electronic Privacy Information Center, said, “The crux of the problem in legislating telecoms is the lobbyists and their effectiveness over many, many decades.”
Cybersecurity and Data Privacy
Effective data privacy laws would include data minimization rules, whereby companies collect less data, so less is available for hackers to steal. Tighter data security and notification rules would be required as well. Whether these rules would have stopped AT&T’s breaches is unknown, but consumer advocates say so far the telecom industry has worked to block more stringent laws.
Industry Mixed on Privacy Laws
Trade groups say practical privacy laws have been enacted in most states. Andrew Kingman, counsel to the State Privacy and Security Coalition, says, “Absent workable federal data privacy legislation, our multi-sector coalition is proud to have worked on a comprehensive privacy framework that now covers well over 100 million Americans.”
The Battle Over Data Privacy Laws
Collin Walke, a data privacy and cybersecurity attorney, shared his story about trying to pass data privacy legislation in Oklahoma. Though he had the help from many lobbyists, opposition came first and foremost from AT&T and Verizon. The same happened in Vermont, where eleventh-hour lobbying efforts quashed a strong privacy bill.
Lack of a National Privacy Law
Advocates argue a national law would create a level playing field because it would set a baseline standard. “A national law puts everyone on a level playing field. It lays down what good looks like at baseline for these critical infrastructure providers including telecommunications companies,” said Eric Noonan, CEO of cybersecurity provider CyberSheath.
Opposition from Companies to Tighter Regulations
Tighter regulation would force companies to spend more on cybersecurity and might allow individuals to sue for damages. Much of the telecommunications industry’s business is built upon the concept of data brokerage. Alan Butler said, “The telecommunications industry sees the commercialization of data for advertising uses as an additional revenue source.”
Recent Fines and Appeals
Back in April, the FCC fined AT&T, Sprint, T-Mobile, and Verizon nearly $200 million for selling customers’ personal data to third parties without their consent. All of the wireless carriers say they plan to appeal.
The Need for Clarity in Regulation
This space is very opaque, begging for clarity, and the only way this clarity can come is by being regulated, says Eric Noonan. The ongoing debate and legal rows reflect the need for data privacy laws to protect consumers in an increasingly digital world.
