Last year the Spanish DPA tackled sim swapping cases and issued monetary penalties to four telecoms for failure to adequately protect the confidential information of consumers, resulting in loss of service to consumers, but also leaving them victims or potential victims of bank fraud. Four decisions have now been posted on the EDPB website. The links will take you to an English summary of each case. As you can see below, there was a large range in the monetary penalties.
Decision: Imposition of a fine of 3.940.000’00 euros for the violation. The penalty also included a fine for a second finding that they had not implemented an effective GDPR compliance and management model to avoid the risk of identity theft.
Decision: Imposition of a fine of 700,000 euros
Decision: Imposition of a fine of 200,000 euros
Decision: Imposition of a fine of 70.000 euros
Meanwhile, in the U.S……
Last year, the FCC proposed rulemaking to address sim swapping, after more than one and a half years of everyone saying that something needed to be done. The big telecoms responded with statements explaining what they were already doing and suggesting that any new regulations might hinder those efforts.
Has any U.S. regulator ever fined a telecom for failure to prevent sim swapping or for harm that occurred to consumers? Or is it the situation that we still have no regulations or laws and no real consequences for telecoms that fail to protect consumers from this?