Recently, the FCC reminded telecom providers that the cost of failing to protect their customers’ privacy is steep. In a July 28, 2023 Notice of Apparent Liability for Forfeiture, the Federal Communications Commission fined Q Link Wireless LLC and Hello Mobile Telecom LLC, an affiliate of Q Link, $20 million for impermissibly relying upon readily available biographical information and account information to authenticate online customers.
Background. Q Link and Hello Mobile are both mobile virtual network operators, or MVNOs. As such, they are both subject to Section 222 of the Communications Act, which requires service providers to take reasonable measures to discover and protect against unauthorized use, access, and disclosure of customer proprietary network information, or CPNI, which generally includes customer calling records and location information.
In an effort to mitigate against the threat of unauthorized third parties masquerading as customers, the Commission passed rules prohibiting carriers from authenticating a customer with “readily available biographical information [or] account information.” Additionally, processes to recover lost passwords cannot authenticate customers by using biographic or account information as prompts.
Q Link and Hello Mobile set default passwords to “readily available” biographical information. If the customer neglected to change the password, that customer was forced to use biographical information to log in. While the specific category of information used by the Companies was redacted in the Commission’s Notice, the Commission determined that such information is “easily associated with [a customer’s] life story” and thus constitutes “readily available biographical information.” The mechanism to recover lost passwords also impermissibly contained readily available biographical information.
Specific FCC Rule Violations: The Commission concluded that Q Link and Hello Mobile violated its rules requiring providers to:
- Take “reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI.” The Companies failed to meet this standard because customers’ CPNI was available to “effectively any party who knew—or could obtain—a customer’s readily available biographical information or account information.”
- Authenticate a customer “without the use of readily available biographical information, or account information,” prior to allowing the customer online access to CPNI related to a telecommunications service account. Once authenticated, the customer may only obtain online access to CPNI through a password that is not prompted by the carrier asking for readily available biographical information, or account information.
- Not include “readily available biographical information” or “account information” when creating a backup customer authentication method prompt in the event that a customer loses or forgets the account password.
Based on its forfeiture guidelines, the Commission determined a penalty of $40,000 per violation to be reasonable. Notably, the Commission concluded that each time the companies used readily available biographical information or account information to authenticate a customer or effectuate a password reset (conservatively estimated at 500 occurrences) constituted a separate violation—thus resulting in a $20 million forfeiture.
Analysis and Key Takeaways. This case signals the Commission’s renewed interest in rigorously safeguarding the privacy of subscriber information. Telecommunications providers, and MVNOs in particular, should be aware of the FCC’s CPNI rules and the potentially large fines that can accrue.
 Q Link Wireless LLC and Hello Mobile Telecom LLC, Notice of Apparent Liability for Forfeiture, FCC 23-59 (2023) (“Notice of Apparent Liability for Forfeiture”).
 47 CFR § 64.2010(c) & (e) .
 Id. § 64.2010(a).
 Notice of Apparent Liability for Forfeiture, at ¶ 19.
 47 CFR § 64.2010(c).
 Id. at § 64.2010(e).