Takeaways

The Federal Communications Commission (FCC) proposes redefining “breach” to include inadvertent disclosures of customer proprietary network information.
The Notice of Proposed Rulemaking (NPRM) also proposes to update the requirements on when to notify law enforcement and customers of customer proprietary network information (CPNI) breaches.
Comments are due February 22.

The Federal Communications Commission (FCC) has proposed to update its data breach reporting requirements to address increasing security breaches in the telecommunications industry. In December 2022, the FCC released a Notice of Proposed Rulemaking (NPRM) launching a proceeding to improve the process for notifying customers and federal law enforcement of breaches that may have exposed customer proprietary network information (CPNI). In the NPRM, the FCC proposed several revisions to its data breach rules (which have not been updated since 2007) and seeks comment on those proposals.

Comments are due on February 22, 2023; reply comments are due on March 24, 2023.

Background
The FCC requires telecommunications carriers and VoIP providers to protect the privacy and security of information about their customers to which the providers have access as a result of their customer relationships. Carriers may only use, disclose or permit access to CPNI received as a result of providing telecommunications or VoIP services: (1) as required by law; (2) with customer approval; or (3) in its “provision of the telecommunications service from which such information is derived, or services necessary to or used in the provision of such telecommunications service.” The Communications Act defines CPNI as “(A) information that relates to the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.” CPNI can include information such as phone numbers called by a consumer; the frequency, duration and timing of calls; the location of a mobile device when it is in active mode; and services purchased by the consumer.

The FCC first adopted rules restricting the use and disclosure of CPNI in 1998 and amended those rules in 2007 to, among other things, apply the rules to interconnected VoIP providers and require carriers to notify federal law enforcement (the U.S. Secret Service and the FBI) and customers of security breaches involving CPNI. Currently, the rules define a “breach” as occurring when a person without authorization intentionally gains access to, uses or discloses CPNI. Carriers must notify law enforcement of a breach no later than seven business days after determining that a breach occurred, and may notify customers or publicly disclose the breach only after seven business days have passed following that notification to law enforcement. Under the current rules, a carrier may immediately notify customers or publicly disclose the breach only after it has consulted with relevant law enforcement and only if it believes there is an urgent need to notify customers to avoid irreparable harm.

Revisions to the Rules
Since 2007, data breaches of CPNI have increased in scale and frequency. Although the FCC adopted an order in 2016 to revise its breach notification rules, Congress nullified those revisions under the Congressional Review Act in 2017. In the NPRM, the FCC seeks comment on proposed updates to its breach notification rules, including refining the definition of “breach,” requiring carriers to notify the FCC in addition to law enforcement, adjusting the timeframe for customer notifications, updating breach reporting requirements for Telecommunications Relay Services (TRS) and addressing the impact of Congress’ disapproval of the FCC’s 2016 revisions to the rules.

New Definition of “Breach”
The FCC proposed to expand the definition of “breach” to include inadvertent access to, use of or disclosure of customer information. Currently, a breach is defined as occurring “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.” The FCC recognizes that inadvertent exposure of customer information can lead to the loss and misuse of sensitive information by scammers just as readily as intentional exposure. Additionally, it may not always be immediately apparent to carriers whether a breach was intentional. The FCC asks whether it should retain the intent limitation in certain contexts and, if so, which ones, and whether requiring the reporting of accidental breaches would significantly increase the number of reported breaches.

The Commission also asks whether it should remove the requirement to notify customers or law enforcement of a breach in certain instances where a carrier can reasonably determine that the breach is not likely to result in harm to customers. The current rule does not require harm to trigger a carrier’s responsibility to report the breach, and the FCC seeks comment on the potential benefits and drawbacks of adopting a “harm-based” notification trigger. The FCC also seeks comment on how carriers and the FCC should determine the likelihood of harm, and what factors should be considered when evaluating whether harm is likely to occur. The FCC proposes that where a carrier cannot determine whether harm is likely, the obligation to notify would remain.

Notifying the FCC and Law Enforcement
The FCC proposed requiring telecommunications carriers and VoIP providers to notify the FCC of breaches, in addition to the Secret Service and FBI. The FCC explains that breach notifications will provide FCC staff with important information about data breach vulnerabilities and will shed light on carriers’ compliance with the rules. The FCC proposed creating a centralized portal for carriers to report breaches. The FCC also seeks comment on how it can minimize data breach reporting burdens for carriers. The Commission proposed applying existing requirements for breach notifications to law enforcement to breaches reported to the FCC. Currently, breach notifications must include information relevant to the breach, such as carrier contact information, a description of the breach, the method of compromise, the date range of the incident, approximate number of affected customers, an estimate of financial loss to the carriers and customers, types of data breached and the addresses of affected customers.

The FCC proposed requiring that its notifications be made contemporaneously with reports to law enforcement—which now must be made no later than seven business days after a reasonable determination of a breach. The FCC seeks comment on this proposal and asks whether it should set a threshold for the number of customers affected to require a breach report. Under the current rule, all breaches must be reported, regardless of the number of customers affected.

Notifying Customers
The FCC proposed eliminating the mandatory seven-day waiting period before notifying customers and instead requiring carriers to notify customers of CPNI breaches “without unreasonable delay” after discovering a breach (unless law enforcement requests a delay). The existing rule prohibits carriers from notifying customers or publicly disclosing the breach until at least seven business days after notifying law enforcement. When it adopted the current rule, the FCC believed that publicly disclosing a breach could impede law enforcement’s ability to investigate the breach, but it now believes that approach does not reflect the urgent need to notify victims about breaches. The FCC seeks comment on the “without unreasonable delay” standard and asks whether it should provide guidance on what is considered “reasonable” or whether it should instead adopt a fixed number of days for notification.

TRS Breach Reporting
In 2013, the FCC adopted CPNI rules that apply to all forms of Telecommunications Relay Services (TRS), as well as to point-to-point video calls handled over the video relay services (VRS) network. In the NPRM, the FCC proposed to amend its rules for TRS services in the same manner as its proposed changes to the rules for telecommunications and interconnected VoIP services. In short, the FCC proposed to: (1) expand the definition of “breach” to include inadvertent disclosures of customer information; (2) require TRS providers to notify the FCC (in addition to the Secret Service and FBI) as soon as practicable after discovering a breach; and (3) eliminate the mandatory waiting period to notify customers, instead requiring that TRS providers notify customers of CPNI breaches without unreasonable delay (unless law enforcement requests a delay).

Impact of Congressional Disapproval of the FCC’s Proposed Revisions in 2016
Finally, the FCC notes that it tried to revise the CPNI breach notification rules in 2016 as part of a larger proceeding addressing privacy requirements for broadband internet access service providers (ISPs). However, Congress quashed those revisions under the Congressional Review Act in 2017. In the NPRM, the FCC seeks comment on the effect and scope of Congress’ disapproval of the rule revisions.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.