By Andrew Scott
On August 17, 2021, a criminal cyberattack hit T-Mobile and compromised the personal information of more than 50 million people held by the communications carrier.
Three days later, T-Mobile shared updated information regarding the ongoing investigation into the cyberattack. According to the update, three categories of customers had their data compromised: current customers, former customers, and prospective customers. Depending on the type of customer, however, different types of personal information were compromised.
- The 13 million current customers had the following information compromised: first and last names, date of birth, SSN, driver’s license/ID information, phone numbers, and IMEI and IMSI information (the identifier numbers typically associated with a mobile phone). In addition, 850,000 phone numbers and account PINs were exposed.
- The 40 million former or prospective customers had the following personal information compromised: first and last names, date of birth, SSN, and driver’s license/ID information.
On a positive note, T-Mobile has stated that it has no indication that the data contained in the stolen files included any customer financial information, credit card information, debit card information, or other payment information. The company’s breach response included an around-the-clock forensic investigation and an update that the access point used in the breach had been closed. The business also appears to have taken action to comply with its notification duties and to offer its customers remediation, helping the company rebuild trust.
As expected, a class-action lawsuit has been filed against T-Mobile in the United States District Court of Washington. Among the claims alleged, the suit argues that, pursuant to Section 1798.150 of the California Consumer Privacy Act (CCPA), T-Mobile violated its duty “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information….” Essentially, when insufficient security results in a breach, the CCPA provides for statutory damages of between $100 and $750 per customer per violation or actual damages, whichever is greater.
Was T-Mobile’s security insufficient under the CCPA? In a recent article from The Wall Street Journal, a 21-year-old claiming to take responsibility for the hack told the news outlet that the company’s security is “awful.” The hacker went on to say he accessed the customer (current, former, and prospective) data by scanning for an unprotected router, which gave him access to a Washington state data center that stored credentials for over 100 servers.
While the company’s CEO did not respond directly to the comments made by the hacker, he released a statement recognizing that “significant steps” are needed to enhance the business’s approach to cybersecurity, that it needs to take its cybersecurity expertise “to the next level,” and that it must develop “improved security measures.”
Putting aside the discussion of whether T-Mobile had reasonable security measures in place, the more important question is why the company found it relevant or necessary to retain the personal information of the 40 million people it was not currently doing business with. Had the company retained only the personal information of people it was actually doing business with, 40 million people would not have to worry about their identities being stolen.
In the United States, a general requirement to minimize the data collected to what is “necessary and relevant” does not exist in any enacted law (the closest comparison is HIPAA’s Minimum Necessary Rule, which applies only to protected health information). To adhere to this data minimization principle, a company would have to voluntarily hold itself to a higher standard.
The Importance of Data Minimization
The concept of limiting the amount of data that is collected and retained is known as data minimization, a privacy principle. The principle can help businesses respect their customers’ privacy, reduce liability, save money, and mitigate the impact of a breach.
Generally, the principle asks businesses to collect personal information only for specified, explicit, and legitimate purposes; to not collect more personal information than is needed; and to not store personal information for longer than is necessary.
The U.S. has supported this principle. In March 2012, the Federal Trade Commission issued a report that made recommendations to businesses and policy makers about how to protect consumer privacy. In the report, the commission recommended that “companies should implement reasonable restrictions on the retention of data and should dispose of it once the data has outlived the legitimate purpose for which it was collected.” The commission also recommended enacting baseline privacy legislation that would incorporate these data principles, but that (as we know) has yet to happen.
Across the Atlantic, the European Union (EU) has codified six data principles into its General Data Protection Regulation (GDPR). In Article 5 (Principles relating to processing of personal data), the six data principles provide the framework for how personal data must be processed. Three of those principles, legitimate purpose limitation (Article 5(1)(b)), data minimization (Article 5(1)(c)), and storage limitation (Article 5(1)(e)), impose some form of data minimization requirement.
In particular, Article 5(1)(c) states that personal data of an EU citizen that is processed must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” Examples of processing irrelevant data could be anything from an employer asking a job applicant about health conditions that are not relevant to his or her prospective job, to a website that asks visitors for their social security number in order to sign up for its mailing list, or, as in T-Mobile’s case, collecting and retaining sensitive data of prospective and former customers.
Unlike the GDPR, the United States does not have any currently enacted privacy law with a similar data minimization requirement, although some laws do recommend data minimization as a best practice. Privacy laws worldwide, however, are becoming stricter.
The California Privacy Rights Act (CPRA), passed in 2020, contains the first “data minimization” requirements of any U.S. privacy law. On January 1, 2023, the CPRA will take effect, adding several data minimization requirements to the California Consumer Privacy Act (CCPA):
- “A business shall not collect additional categories of personal or sensitive personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.” (See 1798.100(a)(1)-(2).)
- “…a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.” (1798.100(a)(3).)
It is clear that the CPRA’s data minimization requirements are not as restrictive as the GDPR’s requirements under Article 5. For example, the GDPR requires that a business not collect or retain irrelevant personal information at all. In comparison, the CPRA more narrowly requires only that additional categories of personal information or sensitive personal information not be collected for an incompatible purpose. Additionally, the CPRA does not define how long a “reasonably necessary” period of storage is.
Even though the CPRA may not demand as much of companies as the GDPR does, it is a step in the right direction for privacy legislation in the U.S.
California Businesses Should Not Wait to Implement CPRA’s Data Minimization Requirements
It seems unfortunate that T-Mobile could legally keep detailed records on millions of people who may never have been its customers, but it is unrealistic to expect businesses to hold themselves to a higher standard than the law requires. Proactively investing in a privacy department, or voluntarily adopting a framework that calls for more compliance than necessary, is still a foreign concept for many businesses.
For example, the Department of Commerce’s Privacy Shield Framework is our nation’s only federal privacy framework. While it was created shortly before the GDPR, the framework was designed with the GDPR in mind. Participation in the Privacy Shield is voluntary and requires adhering to the Framework, which may be enforced by the FTC. The Framework’s Data Integrity and Purpose Limitation Principle provides, in part, that “personal information must be limited to the information that is relevant for the purposes of processing.” In a footnote, the text states that the purpose of the processing “must be consistent with the expectations of a reasonable person given the context of the collection.” It is hard to imagine that the former and prospective T-Mobile customers had a reasonable expectation that the business was going to retain their data.
Until the U.S. adopts an omnibus federal privacy law similar to the EU’s GDPR, Brazil’s General Data Protection Law (known as the LGPD), or China’s Personal Information Protection Law (PIPL), or more states adopt legislation like the CPRA that requires stronger adherence to privacy principles, data minimization will not be a priority.
Businesses subject to the CCPA might consider implementing the CPRA’s data minimization requirements early. Applying the more restrictive GDPR framework could be more helpful still. There is nothing stopping any company from holding itself to a higher standard and making sure that only relevant and necessary data is collected. After all, the more compliant a company is, the more trust it will engender from business partners and consumers.