Cox Communications to Pay $595,000 in Data Breach Settlement

Yesterday the FCC announced that it has entered into a $595,000 settlement agreement with Cox Communications to resolve an investigation into whether the company failed to protect its customers’ personal information when it suffered a data breach in 2014.  This is the first privacy and data security enforcement action the FCC Enforcement Bureau has brought against a cable operator.

The Enforcement Bureau’s investigation found that Cox’s electronic data systems were breached last August by a hacker pretending to be from Cox’s IT department, who convinced a Cox customer service representative and a Cox contractor to enter their account IDs and passwords into a phishing website.  The hacker gained access to data including cable customer names, addresses, email addresses, and partial Social Security and driver’s license numbers, as well as telephone customers’ Consumer Proprietary Network Information (CPNI).  The hacker — a member of the “Lizard Squad” hacker group — posted some of this personal information on social media sites, changed customer account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.

The Enforcement Bureau found that Cox’s data security systems at the time of the breach did not include several measures that might have prevented the use of compromised credentials to access personal data.  Cox did not report the breach to the FCC’s CPNI data breach portal.

In addition to the $595,000 civil penalty, the settlement also requires Cox to adopt a comprehensive compliance plan that the FCC will monitor for the next seven years.  Under this plan, Cox will be required to establish an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers’ personal information and CPNI.  Cox also will identify affected customers, notify them of the breach, and provide them with one year of free credit monitoring.

This post was written by Hannah Lepow.

© 2020 Covington & Burling LLP

National Law Review, Volume V, Number 313

