A person walks past an AT&T Store in Midtown Manhattan on January 23, 2024 in New York City.
New York CNN —
This week, AT&T notified millions of customers that their data was likely stolen in an April leak that the company disclosed earlier this month. Meanwhile, comprehensive laws that would protect customers from hacks keep struggling to pass, as AT&T and its rivals have fought back against and heavily influenced a patchwork of data laws – arguing the approach has failed to rein in the problem.
AT&T customers’ pilfered information was so valuable to cybercriminals that the FBI asked the company to delay filing a disclosure with the Securities and Exchange Commission because of potential national security and public safety concerns. The data was breached from “nearly all” of AT&T’s cellular customers and the customers of wireless providers that used its network between May 1, 2022, and October 31, 2022.
It’s not the first time – even this year – that AT&T has been breached. The company was already grappling with an unrelated data leak that took place in March. At that time, AT&T said personal information, such as Social Security numbers on 73 million current and former customers, was released onto the dark web.
Consumer advocates and some lawmakers have long argued for more protection of customer data. Though state laws have passed across almost 20 states, the patchwork of regulations across states and agencies that regulates data privacy, can lead to inconsistencies, contradictions and lacunae. Complicating things further, lobbies from Big Tech to phone carriers have been heavily influencing many of these state and local regulation efforts.
In a statement, AT&T said, “We have long supported a comprehensive federal privacy policy protecting all Americans that applies across the internet ecosystem. We continue to believe that a federal privacy policy should establish a consistent set of protections, enforced by a single regulator, for all consumers.”
Lobbies are at the ‘crux of the problem’
Keepers of private information like who you texted, what you’re watching – in addition to your address and Social Security number – makes telecom companies’ data a high-value target. That could be invaluable data for phishing and targeted scam attempts.
The data phone carriers hold is “the gateway into everything else on the internet,” Dominic Sellitto, a cyber security professor at University at Buffalo, said. “Every communication that we have, everything goes through a telecom provider or internet service provider.”
And that wealth of data draws hackers.
“These larger companies, because of their size and the treasure trove of data, certainly have a target on their backs,” Sellitto noted.
They’re not alone: In just the past year, large cyberattacks have frozen car dealerships and delayed ambulances.
Currently, data privacy laws exist in 19 states covering at least 150 million Americans, though differing in scale and scope. There are federal regulations on specific areas of privacy, like laws covering medical data or information about children, and agencies like the FCC regulate telecommunications. But there is no large, comprehensive data privacy law at the federal level, and many state laws are basically written by industries through their lobbyists, said Alan Butler, executive director and president of the Electronic Privacy Information Center.
“The crux of the problem in legislating telecoms is the lobbyists and their effectiveness over many, many decades,” said Eric Noonan, CEO of cybersecurity provider CyberSheath.
Cybersecurity and data privacy go hand in hand. The heaviest proposed regulation would impose data minimization rules — meaning if companies collected less data, there would be less available for hackers to steal in the first place. There would also be stricter data security and notification rules if a hack does happen.
It’s unclear whether those rules would have prevented AT&T’s hacks or better protected their customers. But consumer advocates have lambasted the telecom industry for getting in the way of more comprehensive laws.
Trade groups stressed that realistic privacy laws have had success passing through many states.
“In the absence of workable federal data privacy legislation, our multi-sector coalition is proud to have been one of many stakeholders that have worked on a comprehensive privacy framework that now covers well over 100 million Americans and has received overwhelming bipartisan support across state legislatures with dramatically different political dynamics,” Andrew Kingman, counsel to the State Privacy and Security Coalition said in a statement.
Industry trade groups say that while cyber security and data privacy can be interrelated, there is tension between those concepts that might not be fully covered in a data privacy law.
What it’s like trying to pass data privacy laws
When Collin Walke, a data privacy and cybersecurity attorney, was in the Oklahoma House, he focused on data privacy legislation. After California passed its landmark data privacy law in 2018, he attempted to get similar legislation passed in his state.
“We had lobbyists from Amazon. We had lobbyists from Google. We had all of that. But the number one impediment to us getting it passed in Oklahoma was AT&T and Verizon,” Walke said to CNN. Verizon declined to comment.
In a statement, Amazon said it supports “U.S. federal privacy legislation that requires transparency, access to one’s own personal information, and the ability to delete personal information, and prohibits the sale of personal data without consent. In the absence of congressional action, we support well-crafted state laws that protect consumers’ privacy, while continuing to allow for innovation.”
Monique Priestley, a state representative in Vermont, said lobbyists from across industries “came out in full force at the last minute,” even hosting webinars and calls at the town or city level, against a landmark privacy bill this year. One lobby, the State Privacy & Security Coalition, represents AT&T, T-Mobile, Verizon, Meta, as well as automobile, healthcare and payment card companies.
The Vermont governor vetoed the bill in June, which would have been one of the strongest in the country.
Industry trade groups said that the ability to sue companies for data violations and strict data minimization requirements would have been too costly for Vermont small businesses to comply to.
“The hardest part about these bills is they are so technical in nature, and the industry tends to hand the state a policy and encourage them to run with that,” Priestley said. “Industries created this monster that is out of control, and they themselves are at risk. And something’s got to change.”
Why doesn’t a national privacy law exist?
Advocates say Big Tech lobbies and telecommunications lobbies have shifted their focus from squashing the federal conversation to getting deeply involved at the state level.
“A national law puts everyone on a level playing field,” Noonan said. “It establishes the baseline of what good looks like for these critical infrastructure providers, including telecommunications companies, and then it gives the government a standard to enforce.”
Advocates for a sweeping law say the average consumer shouldn’t have to parse dense user agreements to find out what is going on with their data.
In a statement, AT&T said, “Our customers can manage how we use and share their information for certain activities including advertising and marketing, and can opt out at any time.”
But tighter regulations mean companies must spend more resources beefing up their cybersecurity. Companies also lobby against allowing individuals to sue for damages.
A lot of a telecommunication company’s business is rooted in the data brokerage market, multiple privacy experts told CNN. And it’s valuable data.
“Like many other industries, the telecommunications industry sees the commercialization of data for advertising uses as an additional revenue source,” Butler said.
In April, the FCC fined AT&T, Sprint, T-Mobile and Verizon nearly $200 million for illegally sharing customers’ personal data without their consent. The fines stem from allegations in 2020 by the Federal Communications Commission that for years, the companies had improperly shared users’ geolocation histories to third parties, including to prisons, as part of their commercial programs.
In response to the FCC fines, all of the wireless carriers said they expect to appeal the decision.
The FCC is also not the only regulator for telecom companies, which can be giant entities.
“It’s a very opaque space that is begging for clarity, and that clarity can only come through regulation,” Noonan said.
