Data Policy

USA Mobile Data Breach Response & Incident Response Plan

Effective Date: January 1, 2026

Applies to: USA Mobile services, systems, websites, applications, partner-branded services, and services powered by USA Mobile

USA Mobile, LLC (“USA Mobile”) operates the wireless service platform and maintains the subscriber relationship for services delivered on the USA Mobile platform unless expressly stated otherwise.

1. Purpose

USA Mobile maintains reasonable administrative, technical, and organizational safeguards and this Data Breach Response & Incident Response Plan to ensure that security incidents, unauthorized access, or data breaches are handled promptly, consistently, and in compliance with applicable laws, carrier requirements, and contractual obligations.

This plan establishes procedures for:

• Identifying security incidents
• Containing and investigating incidents
• Notifying affected parties when required
• Complying with federal, state, and carrier rules
• Protecting customers, partners, and the network

This plan applies to all services provided by USA Mobile, including services offered under partner-branded or powered-by USA Mobile programs.

2. Scope 

This plan applies to:

• USA Mobile internal systems
• Customer account data
• Billing and subscriber systems
• Wireless service records
• Websites and portals
• Mobile applications
• Partner-branded services powered by USA Mobile
• Third-party vendors used to operate the service
• Carrier network integrations
• Cloud infrastructure providers

This plan applies to incidents involving:

• Unauthorized access
• Data disclosure
• Data loss
• System compromise
• Network attacks
• Fraud or abuse activity
• Vendor security incidents
• Carrier-related incidents affecting customers

USA Mobile may use authorized carriers, subscriber-management platforms, billing systems, cloud providers, security providers, and other contracted vendors to operate the service, and incident response activities may involve coordination with those providers.

3. Definitions

• Security Incident: Any event that may compromise the confidentiality, integrity, or availability of systems or data.
• Data Breach: Unauthorized acquisition, access, use, or disclosure of personal information.
• Personal Information: Information that identifies or can be used to identify a customer, including:
  • Name
  • Contact information
  • Account information
  • Billing information
  • Device identifiers
  • Service records
• Vendor Incident: A security event involving a third-party provider that may affect USA Mobile customers or systems.

4. Incident Response Team

USA Mobile maintains an internal response function responsible for handling incidents.

Responsibilities may include:

• Security review
• Technical investigation
• Customer notification
• Legal and regulatory review
• Vendor coordination
• Carrier coordination

USA Mobile may engage external security, legal, or forensic specialists when necessary.

5. Detection and Reporting

Security incidents may be detected through:

• System monitoring
• Fraud detection tools
• Carrier notifications
• Vendor notifications
• Customer reports
• Law enforcement requests
• Internal audits

All suspected incidents must be reported internally as soon as possible.

Employees, contractors, and vendors must report any suspected breach affecting USA Mobile systems.

6. Incident Assessment

Upon detection, USA Mobile will evaluate:

• Type of incident
• Systems affected
• Data involved
• Number of users affected
• Risk of harm
• Legal obligations
• Carrier obligations
• Contractual obligations
• State notification requirements

USA Mobile will determine whether the event qualifies as a reportable breach.

7. Containment and Mitigation

When an incident is confirmed, USA Mobile will take reasonable steps to:

• Stop unauthorized access
• Secure affected systems
• Disable compromised accounts
• Block fraudulent activity
• Apply patches or fixes
• Coordinate with carriers and vendors if needed
• Implement corrective measures to prevent recurrence

Mitigation actions may include temporary service restrictions when required to protect the network.

8. Vendor and Partner Incidents

USA Mobile relies on third-party vendors and carriers to provide parts of the service.

Vendors may include:

• Network providers
• Billing platforms
• Cloud providers
• Payment processors
• Customer support providers
• Application providers

Vendors are required to:

• Maintain security safeguards
• Notify USA Mobile of incidents
• Cooperate in investigations
• Comply with applicable laws

USA Mobile may suspend vendor access if necessary to protect customers or the network.

9. Carrier Coordination

Because wireless service operates on third-party carrier networks, USA Mobile may coordinate with the carrier when an incident involves:

• Network activity
• Call records
• Location data
• Fraud detection
• Spam or robocalling activity
• Emergency services

Carrier rules and regulatory obligations may require specific handling of incidents.

10. Notification Requirements

USA Mobile will provide notice when required by law, contract, or regulation.

Notification may be provided to:

• Affected customers
• Regulators
• Law enforcement
• Carriers
• Partner brands
• Contract partners
• Insurance providers

Notification timing will follow applicable laws, including state breach-notification laws.

USA Mobile will not provide notice before confirming the facts of the incident unless required by law.

USA Mobile may coordinate with cyber-security providers, legal counsel, insurance carriers, and forensic specialists as part of incident response when appropriate.

Notification will be provided without unreasonable delay, consistent with applicable law, the needs of law enforcement, and the time required to determine the scope of the incident and restore system integrity.

11. State Law Compliance

USA Mobile will comply with applicable breach-notification laws, including but not limited to:

• California
• Virginia
• Colorado
• Connecticut
• Utah
• Nevada
• Texas
• Illinois
• New York
• Other states as applicable

Notification requirements may vary depending on:

• Type of information
• Number of users affected
• State of residence
• Risk of harm

USA Mobile will follow the most restrictive applicable requirement when necessary.

12. Federal and Regulatory Compliance

USA Mobile will comply with applicable federal requirements, including:

• FCC rules
• FTC rules
• COPPA (when applicable)
• Telecommunications regulations
• CALEA / lawful intercept requirements
• Emergency service requirements

USA Mobile may disclose information when required to comply with lawful requests.

13. Children’s Data

If a breach involves accounts used by minors, USA Mobile will:

• Notify the account holder
• Follow COPPA requirements where applicable
• Limit disclosure to required information
• Coordinate with vendors when needed

Additional information is provided in the Children’s Privacy & COPPA Policy.

14. Documentation

USA Mobile will maintain records of:

• Incident reports
• Investigation steps
• Notifications sent
• Remediation actions
• Vendor communications

Records may be retained as required by law or regulation.

15. Training and Review

Updates may occur due to:

• Legal changes
• Carrier requirements
• Vendor changes
• Security reviews
• Business changes

Employees and contractors responsible for operations may receive guidance on incident reporting procedures.

16. Limitation of Liability

This plan describes internal procedures and does not create contractual obligations to any customer unless required by law.

USA Mobile cannot guarantee that security incidents will never occur but maintains reasonable safeguards to reduce risk.

17. Contact Information

USA Mobile

Privacy & Compliance Office

Email: privacy@usamobile.com

Security incidents may also be reported through customer support channels.