United States of America: Issued consent decree with T-Mobile addressing data breaches including enhanced corporate governance requirements

On 27 September 2024, the Federal Communications Commission (FCC) adopted a consent decree with T-Mobile to resolve its investigation into various data breaches by the company. FCC noted that T-Mobile experienced data breaches in 2021, 2022, and 2023, affecting customers of wireless service resellers that utilise T-Mobile's network as mobile virtual network operators. The breaches exposed sensitive customer information, including names, dates of birth, social security numbers, and customer proprietary network information, such as subscribed services and the number of lines on customer accounts. The investigation focused on possible inadequate customer data protection, insufficient security measures, and misleading claims regarding T-Mobile's information security practices. The decree imposes several obligations on T-Mobile, including corporate governance measures where the chief information security officer will report regularly to the board on cybersecurity risks, a transition to a modern zero-trust architecture to enhance security, and the implementation of broad multi-factor authentication to protect critical infrastructure. T-Mobile's improvements of its cybersecurity programme require an investment of USD 15.75 million, and the company must pay an additional USD 15.75 million civil penalty to the US Treasury.