What contractors should take from T-Mobile's '100million people' cybersecurity breach

Do you use T-Mobile as part of your contracting operations?

If so, you may be impacted by a huge T-Mobile security breach.

In fact, even though the US brand is synonymous with mobile phones, it’s not just handheld customers who are affected-- if you use the company’s other services like cloud storage or as a tool for providing services to your clients as a contractor, you’re still likely to be impacted – that’s how big this breach is, writes Leila Saidi and Alix Balsan of Gerrish Legal.

What happened at T-Mobile?

On Monday August 16th, the Bellevue-based telecom company confirmed reports which first surfaced on Motherboard that it had been hit by a cybersecurity breach – presumably some time during the first two weeks of August 2021.

In its cybersecurity update dated August 16th, T-Mobile admitted that an unauthorised access to some of its data had occurred – but, frustratingly for customers, that it was unable to confirm if any personal data was involved.

In an update published the next day, T-Mobile admitted that a preliminary analysis had revealed that as many as 7.8 million current T-Mobile customers were impacted, as well as just over 40 million records of former or prospective customers. And as part of its most recent update (August 19th), T-Mobile explained that although the exact nature of the personal data that had been compromised could vary by individual, information included individuals’ names, drivers’ licences, government identification numbers, Social Security numbers, dates of birth, and T-Mobile account PINs.

That amounts to a massive cybersecurity breach. The company added that approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed. That compares to the claims of hackers who reportedly put the total number of T-Mobile customers affected by the breach at 100 million. The company has not agreed to that figure, indicating instead that it’s more like half that number of customers who have been exposed.

The T-Mobile data breach: possible implications for contractors

What could all this mean for you as an IT, data or telecoms contractor – especially in relation to your security and confidentiality obligations, as per the relevant privacy laws?

Well, under the General Data Protection Regulation (which concerns all controllers processing the data of EU residents), “integrity and confidentiality” is indeed one of the key principles of any data processing operations.

In particular, Article 5(f) of the GDPR states that personal data shall be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

Principles, articles, recitals, of note

Along with the six other GDPR principles of data processing (lawfulness, fairness and transparency; purpose limitation; data minimisation, accuracy; storage limitation and accountability), responsibility for compliance with the principle of integrity and confidentiality rests with the data controller of a given data processing operation (See Article 5 (2) of the GDPR).

Not just that though. Recital #39 of the GDPR also stresses the importance of guaranteeing the confidentiality and integrity of personal data during data processing operations, highlighting the obligation to prevent “unauthorised access to or use of personal data” and - in particular - to “the equipment used for the processing.” And ‘Equipment used for processing’ here would seem to extend to the equipment indirectly used by the data controller – say, for example, the equipment used by a service provider which is acting as a data controller.

Fortunately, Article 32 of the GDPR is informative to this effect, specifying to what standard controllers can be held to in respect of their obligation to use appropriate measures to ensure the integrity of personal data and the equipment relied on to process it.

Risk

So contractors processing personal data need to implement technical and organisational measures which must be “appropriate to the risk” -- a standard which assumes its full importance in light of the recent string of supply chain ransomware attacks over the last few months.

These types of attacks have become so common that on July 29th 2021, the European Union Agency for Cybersecurity felt it necessary to issue a report with a view to shifting the cybersecurity focus from end-users and consumers, to the now more at-risk suppliers and service providers, who have found themselves disproportionately victimised in recent attacks.

Contractors working in IT, data and/or telecoms should be aware that Article 33 of the GDPR imposes a personal data breach notification obligation, with controllers finding themselves under the obligation to notify the relevant Data Protection Authority of a cybersecurity breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”.

Do these EU rules apply to my contractor business, even if I'm based in the UK?

Even if you are a contractor based in the UK, or are not processing personal data of EU residents but rather of UK residents, you still fall under the scope of the UK’s version of the GDPR, also known as the UK GDPR. As the EU GDPR and the UK GDPR are still very much aligned, this means that contractors based in the UK or processing personal data of UK data subjects are still bound by the ensuing obligations.

As stated, for the most part, the UK GDPR requirements equal those of the EU GDPR. For example, Article 33(3) of the UK GDPR defines a ‘personal data breach’ as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

If a reportable data breach occurs, the UK GDPR requires controllers to notify the Information Commissioner’s Office of such personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. If a notification is not made within the 72 hours when it is legally required to do so, the UK GDPR mandates that reasons for the delay must be provided to the ICO.

What if I am a processor of personal data on behalf of my clients?

If you are acting as a processor of personal data on behalf of your clients, this means that you are acting in a controller-processor relationship, which is regulated by Article 28 of the GDPR.

This means you need to ensure that you have a contract in place – commonly known as a Data Processing Agreement – which sets out the rights and obligations of each of the parties and also the instructions for data processing that your client has set out for you.

Indeed, the Data Processing Agreement should set out the process for handling data breaches (such as notification and reporting requirements), so it is important that you check your contractual obligations as regards your client and reach out to them as soon as possible.

Where T-Mobile is your subprocessor...

Similarly, if you are using T-Mobile’s services as a tool for providing your services to your clients, this means that you are in a processor-subprocessor relationship – whereby T-Mobile is acting as a subprocessor of your client’s data. Much like the provisions for data breaches, your Data Processing Agreement with your client will usually set out the procedure for appointment and replacement of subprocessors – so do check your contract to ensure that your subprocessors that you use to provide your business services (such as cloud storage or any online tools, or providers such as T-Mobile), have been expressly authorised by your client, or indeed have been appointed pursuant to the contractual process.

It is also worth noting that processors are required to stand behind the subprocessors they appoint – including being liable for breaches of such subprocessors as if the breaches were their own. It is therefore really important to ensure technology-related contractors have appropriate contracts in place throughout the chain, including relevant liability and indemnity provisions and insurance requirements to cover off data or cyber-security breaches.

In a nutshell, yes, you're potentially liable

Unfortunately, all this suggests that as a contractor who relies on suppliers like T-Mobile as part of your business operations, you could potentially be held liable for failing to ensure that the processing operations which your service provider engages in are secure, or (for example) for failing to evaluate and audit the levels of security afforded by a provider. And we believe, increasingly this is the case going forward.

Even if a processor such as T-Mobile would be liable for its own breaches of the GDPR requirements, this applies whether you are acting as a controller appointing a service provider as a processor for your business, or whether you are a processor appointing a subprocessor which handles client personal data.

This dual assessment would seem to hold, irrespective of the fact that you may be acting as a processor or sub-processor yourself as part of your contracting operations – so long as you act as a controller in some situations (for instance with respects to your own consumer-facing website), you will have to comply with all the security, integrity and confidentiality listed above. This includes an obligation to notify affected data subjects of the breach without undue delay where you are legally required to do so.

So what can contractors do to address the consequences of a T-Mobile-style mass data breach?

As is often recommended, it is important to review your EU or UK GDPR practices to ensure that you are operating on a compliant basis before any potential breach is contemplated.

This includes ensuring that you keep a Processing Register of all of your data processing activities as a data controller, and also as a processor when you are processing data on behalf of your clients.

You should also audit all of your processors and subprocessors and ensure that they provide you with sufficient guarantees as to GDPR compliance.

Then ensure that you have appropriate agreements in place – such as client contracts containing appropriate GDPR provisions, and data processing agreements with your processors and subprocessors.

Further recommendations

On the sharp data breach side of things, you may wish to create a data breach policy and data breach register to set out how you will deal with such eventualities and also to keep track of any issues you encounter. Penultimately, you should also ensure that you have a privacy policy in place covering off any personal data you handle, which should also set out data subject rights as well as details as to how data subjects can complain if they feel their rights have been compromised. Finally, we would always recommend that contractors take out appropriate insurance to cover their business activities and any potential GDPR, data breach or cybersecurity risks.

Of course, this can all seem very daunting to tackle, so it can be helpful to be guided through the process by a data protection specialist or privacy lawyer. We’re here to help if you struggle to ring-in these changes to your contractor business in wake of this huge T-Mobile data breach.