FCC Expands Data Breach Reporting Rules

The FCC has expanded requirements for telecommunications companies, including interconnected VoIP providers, to report data breaches. The new rules cover all personally identifiable information, not just customer proprietary network information (“CPNI”) and include inadvertent disclosures. Providers will also have to notify the FCC, as well as the U.S. Secret Service and the FBI and customers, in the event of a breach. The order can be found here.

Background

Under current FCC rules, telecommunications companies must notify the Secret Service and the FBI within seven business days of a reasonable determination that a breach involving CPNI has occurred. CPNI does not include information such as the customer’s name, address, and telephone number. The FCC defines a breach as “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.” With limited exceptions, telecommunications companies cannot notify affected customers or publicly disclose the breach until seven business days following notification to the Secret Service and the FBI. States and other federal agencies also have data breach and general privacy rules.

New Rules

The new rules cover all personally identifiable information (“PII”) such as name, address, phone numbers, social security numbers, credit card information or driver’s license information, email, passwords, and unique genetic, biometric or medical information, not just CPNI. The rules also revise the definition of a breach to include inadvertent disclosures as well as intentional efforts to obtain information. Specifically, the FCC now defines a breach as any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed covered data. There is an exception, however, for the good-faith acquisition of covered data by an employee or agent of a carrier where such information is not used improperly or further disclosed.

The new rules also modify breach notification obligations. The FCC must now be notified along with the Secret Service and the FBI. The Commission will maintain a link to report breaches. Such notice must be made as soon as practicable, and in no event later than seven business days after reasonable determination of the breach. Consistent with current practice, the content of the notification must include, at a minimum, the following information: carrier address and contact information; a description of the breach incident; the method of compromise; the date range of the incident; the approximate number of customers affected; an estimate of financial loss to the carrier and customers, if any; and the types of data breached.

The order also eliminates the mandatory waiting period for carriers to notify customers, and instead requires carriers to notify customers of breaches of covered data without unreasonable delay after notification to the Commission and law enforcement, and no later than 30 days after reasonable determination of a breach, unless a delay is requested by law enforcement. The order establishes a harm-based trigger for consumer notification. No notification to consumers is required where a carrier or can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach or where the breach solely involves encrypted data and the carrier has definitive evidence that the encryption key was not also accessed, used, or disclosed.

The order sets a reporting threshold for notifying federal agencies. Carriers do not need to file a breach notification to federal agencies at the time of the breach if a carrier can reasonably determine that the breach affects fewer than 500 customers and is not reasonably likely to harm those customers. For such breaches, carriers must instead file an annual summary, by February 1^st for the preceding calendar year, using the FCC’s central reporting facility.

Effective Date

The new rules will become effective after approval by the Office of Management and Budget and the FCC will issue a public notice announcing the effective date.

Possible Appeal

The FCC’s data breach order drew sharp dissents from the two Republican commissioners who claimed that the agency’s order is barred by Congress’s action to overturn a similar privacy rule in 2017. They also raise questions concerning the FCC’s power to include personal information that is not CPNI and process issues. It is thus possible that the FCC order will be appealed.

Please feel free to contact CCA’s regulatory committee or Michael Pryor at mpryor@bhfs.com if you have any questions.