In an unprecedented move, the Committee on Foreign Investments in the U.S. (CFIUS) is nailing T-Mobile with a $60 million fine for failures related to 2020 and 2021 data leaks. This is the largest penalty ever enacted by CFIUS, and it’s one of the few CFIUS actions to be publicized by U.S. officials.
CFIUS is an offshoot of the Treasury Department that reviews the national security implications of foreign business in the United States. Under normal circumstances, CFIUS would not be involved in the fallout of an American company’s poor data security. But T-Mobile’s largest shareholder, Deutsche Telekom, is based in Germany—some of T-Mobile’s major business dealings, particularly its acquisition of American companies, are subject to CFIUS' scrutiny.
T-Mobile’s takeover of Sprint is the origin of today’s $60 million penalty. The Sprint acquisition was approved in 2018 after T-Mobile agreed to follow strict guidelines drafted by CFIUS, the Justice Department, Homeland Security, and the DoD. These guidelines, which pertained to “potential national security, law enforcement, and public safety issues,” required that T-Mobile take steps to mitigate and report any unauthorized data access.
Evidently, the German-controlled telecom did not comply with these requirements. A senior U.S. official told Reuters and Bloomberg that T-Mobile violated its obligations by failing to disclose 2020 and 2021 data leaks in a timely manner. These failures “delayed CFIUS' efforts to investigate and mitigate any potential harm to U.S. national security.” The fact that these leaks occurred at all may have also contributed to CFIUS' decision.
But the data leaks in question had little to do with consumer data. As explained by T-Mobile, technical problems during the early days of the Sprint acquisition affected “a small number of law enforcement information requests.” The details are scarce—we don’t know how the information requests were affected—but T-Mobile claims that sensitive data never left the law enforcement “community.”
It’s interesting to see that these data security failures have produced such a strong federal response. Larger, more well-known incidents that exposed the private data of U.S. consumers led to little more than a slap on the wrist.
For reference, T-Mobile has disclosed nine data breaches since 2018. The impact of this penalty on the telecom’s security practices is currently unknown. That said, CFIUS appears to be ramping up its enforcement policy. It, like the Justice Department and the FCC, has taken more action against corporations in the last two years than it did at the turn of the century.