In August 2024, the Committee on Foreign Investment in the United States (CFIUS) imposed a $60 million fine on T-Mobile US, Inc. due to unauthorized data access incidents that occurred after its 2020 merger with Sprint. CFIUS, an interagency body responsible for reviewing foreign investments that could pose national security risks, had approved the merger under the condition that T-Mobile adhered to a national security agreement (NSA). This agreement was designed to mitigate potential security risks stemming from the merger, a requirement often applied to transactions reviewed by CFIUS.
CFIUS revealed that between August 2020 and June 2021, T-Mobile violated a critical provision of the NSA. The company failed to take adequate steps to prevent unauthorized access to sensitive data and did not report some of these incidents promptly to CFIUS. This delay hindered the agency’s ability to investigate the breaches and mitigate any harm to U.S. national security. CFIUS deemed that the company’s actions resulted in significant risks to the country’s security.
The $60 million fine imposed on T-Mobile is the largest penalty disclosed by CFIUS to date. This case is also notable because it marks the first time the agency has publicly named the target of its enforcement actions. The penalty highlights the importance of compliance with national security agreements and the severe consequences of failing to protect sensitive data in such high-stakes transactions.
In conjunction with the penalty, the U.S. Treasury Department launched a new CFIUS enforcement website aimed at providing more transparency around the agency’s actions and penalties. The site will offer greater visibility into the regulatory measures taken by CFIUS and help inform businesses about their obligations when national security risks are involved in their transactions. This step underscores the government’s commitment to protecting sensitive data and enforcing compliance with national security protocols.
Reference: