United States of America: Issued consent decree with AT&T addressing vendor cloud breach including enhanced data protection and vendor management requirements

Description

On 16 September 2024, the Federal Communications Commission adopted a Consent Decree with AT&T Services Inc. to resolve an investigation into the company’s data protection and privacy practices. The investigation was triggered by a significant data breach in January 2023 that exposed customer information stored in a vendor’s cloud environment; AT&T had not ensured that this data was properly managed or deleted as required. The Consent Decree imposes several obligations on AT&T, including enhancing protections for customer proprietary network information and sensitive personal data, establishing a robust information security programme, implementing rigorous vendor due diligence and oversight, improving data inventory processes, enforcing strict data retention and disposal practices, and conducting annual compliance audits. The Decree highlights that the measures are designed to enhance AT&T’s data protection practices and ensure more effective oversight of vendor-managed data.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: infrastructure provider: internet and telecom services
Implementation Level: national
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2024-09-16
in force

On 16 September 2024, the Federal Communications Commission adopted a Consent Decree with AT&T Serv…