Trevor Hughes, CEO and president of the International Association of Privacy Professionals, discusses AT&T's recent fine for data privacy violations.
Q. The Federal Communications Commission (FCC) reached a $25 million settlement with AT&T Services, Inc., for privacy violations at its call centers. What was surprising about the action?
A. One was the size of the settlement—I am not aware of a larger privacy settlement in the United States or even internationally.
The second is that this is not a traditional information security case; that zone between information privacy and information security may actually be a gap in many organizations. The facts in the case are that AT&T had engaged a third-party vendor to provide call center services in Mexico and later in Latin America and the Philippines.
In that Mexican call center, rogue employees were selling AT&T customer data to a shadowy figure. That’s vendor management; that’s vendor compliance and risk management. Yes, there’s an information security intersect there, but that’s not the traditional stock-in-trade of the information security professional. It’s actually a bit more in the world of the information privacy professional, so this is a true privacy case and that I think was pretty compelling.
Q. What does this settlement mean for the U.S. marketplace as a whole?
A. First, there is a new cop on the beat carrying quite a large billy club, and that is the FCC. The FCC has arrived…and any industry subject to FCC regulation should be paying incredibly close attention to this very important new regulator.
Second is that the issue of information privacy is becoming more and more of a serious risk management concern for organizations, and that is being driven by the size of this award. Given the intensity of focus in the media—really in the public square—on privacy issues, we will continue to see an escalation in these fines for particularly egregious violations. So that’s the other message to industry: not only is there a new cop on the beat, but the risks associated with getting this wrong are getting bigger and bigger.
Q. AT&T is required to appoint a senior compliance manager who’s a certified privacy professional. Is this something companies should take note of?
A. If we look at the history of information security agreements through the Federal Trade Commission (FTC) and elsewhere, we see a pattern where initially there were cases that called for appropriately trained professionals. Later, they said certified professionals.
Finally, they specifically identified CISSPs, CISAs, CISMs, or other similarly certified professionals.
We’re seeing that exact same evolution in the information privacy space. We’ve gone from settlement agreements at the FTC involving requirements for appropriately experienced or trained experts managing privacy programs, to now the FCC saying quite specifically, you need a certified privacy professional in these roles.
Q. What’s the broader message for the marketplace with this evolution?
A. It’s that for managing data within a modern, digital economy enterprise, you need people who know how to do [privacy]. And I would expect to see much more of this in the future.