CFIUS Fines TMobile 60 Million Over Unauthorized Data Access and Breach Response

pOn August 14 2024 the Committee on Foreign Investment in the United States CFIUS disclosed that it had assessed a 60 million penalty against TMobile US Inc TMobile in connection with unauthorized data access incidents following TMobiles 2020 merger the Merger with Sprint Corporation Sprint CFIUS is a US government interagency body with regulatory authority over certain investments by foreign persons in US businesses that may pose risks to US national security Among the various regulatory clearances sought in connection with the Merger TMobile and Sprint sought approval from CFIUS CFIUS approved the Merger subject to a national security agreement NSA to be entered into by TMobile and the US government In recent years approximately 30 of transactions cleared by CFIUS required some kind of national security agreement to bind the transaction parties to certain actions and undertakings designed to mitigate the perceived national security risksppIn announcing the penalty CFIUS disclosed that between August 2020 and June 2021 in violation of a material provision of the NSA TMobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data and failed to report some incidents of unauthorized access promptly to CFIUS delaying CFIUSs efforts to investigate and mitigate any potential harm CFIUS concluded that these violations resulted in harm to the national security equities of the United StatesppThe penalty assessed by CFIUS against TMobile was by far the largest of any of the penalty actions that have been disclosed by CFIUS to date and the only penalty action where the target of the action was identified by name The US Treasury Department also just announced that it has unveiled a new CFIUS enforcement website to provide greater transparency regarding its enforcement actions and penaltiesp