Potential Update to Federal Communications Commission Data Breach Rule Would Expand Notification Requirements
Key Takeaways
The Federal Communications Commission’s proposed updates to the federal data breach rule for telecommunication carriers could expand the scope of data breach response and notification requirements for carriers. While only telecommunications carriers are subject to the law, these carriers will likely seek to impose equivalent requirements on the third parties, such as SaaS or software service providers or marketing agencies with whom they share data, in order to ensure that they are able to comply with response and notification requirements for all data in the event of a breach. The proposed rule would apply to both inadvertent and intentional disclosures and would require that notice be provided to authorities and consumers within a shorter timeframe.
Scope of Rule
On January 6, 2023, the Federal Communications Commission (“FCC”) released a Notice of Proposed Rulemaking in an attempt to strengthen the federal data breach rule and offer greater protection of consumers’ proprietary network information (“CPNI”). The proposed rule (“Proposed Rule”) would expand the definition of a breach to include inadvertent disclosures, require telecommunications carriers to notify the FCC of data breaches as soon as practicable, and remove the mandatory seven-day waiting period for notifying consumers after a breach of their CPNI. The FCC requested public comment regarding the potential adoption of minimum requirements for the content of disclosure notices and a harm-based trigger for breach notifications. The comment period for the proposed rule ended on February 22, 2023, and reply comments were accepted until March 24, 2023.
The Proposed Rule builds on the current federal data breach regulation governing unlawful disclosures of CPNI by telecommunication carriers (“Current Rule”).[1] The Proposed Rule is still targeted at telecommunication carriers, and the definition of a telecommunication carrier remains unaltered. Telecommunication carriers, as defined in 47 U.S. Code § 153, are any providers of telecommunications services, not including persons who in the ordinary course of their operations make telephones available to the public.[2] Common examples of telecommunication carriers are wireless, prepaid card, prepaid wireless phone, and pay telephone providers.[3] Unauthorized disclosures, or breaches, by these telecommunication carriers are disclosures of CPNI that are not required by law, done with the consumer’s approval, or done in the provision of the telecommunication service. CPNI, as defined by the FCC, includes information about consumers such as phone numbers called by a consumer, the frequency, duration and timing of such calls, the location of a mobile device, and any services purchased by a consumer.
Under the Current Rule, when an unauthorized disclosure of carrier-held CPNI occurs, the carrier is required to notify the Federal Bureau of Investigation (“FBI”) and the United States Secret Service (“Secret Service”) within seven days after reasonably determining the breach has occurred. Only after the initial seven-day period (unless otherwise directed by the FBI or Secret Service) is the carrier permitted to notify the consumer of the breach in whatever language and method they deem appropriate. However, states are permitted to create their own data breach laws and regulations that may differ from the foregoing. To address the disparity in state laws, the Proposed Rule attempts to create a strong federal statutory scheme that incorporates both U.S. state and international data privacy standards.
Expanded Definition of Breach
Under the Current Rule, a breach of CPNI occurs “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.” The Proposed Rule expands this definition to include inadvertent breaches of CPNI by removing “intentionally”. The FCC has explained that the element of intentionality is limiting, as a carrier must only disclose breaches when a bad actor has intentionally gained access to CPNI, a somewhat unclear standard. The FCC states that it is not always apparent when a breach is “intentional,” and by removing the element of intent, carriers will be required to disclose all breaches. The expanded definition would require carriers to disclose breaches to both federal agencies and their consumers upon any intentional or accidental use, access, or disclosure of CPNI, including disclosures made when a carrier falls victim to a phishing scam. The inclusion of inadvertent breaches is likely to dramatically increase the number of breaches that will need to be reported by carriers moving forward.
Requirement to Notify Agencies as Soon As Practicable
Currently, upon a breach of CPNI, carriers are required to notify the Secret Service and the FBI seven days after reasonably determining a breach has occurred. The Proposed Rule requires that carriers must notify the FCC as well as the Secret Service and the FBI, and that they do so “as soon as practical after discovery.” The FCC has indicated that they will create a centralized portal where carriers may disclose breaches to all three agencies at once. This change creates uncertainty as “as soon as practical” is an indefinite standard, and is a stark contrast to the previous seven-day bright line rule. However, the FCC is aware of the issues that may come with this change, and has asked for public comment as to whether the seven-day deadline will be retained, or perhaps even reduced to a 24-hour[4] or 72-hour[5] deadline. Only a handful of state breach laws include a timing standard, with most states instead mandating that their residents be notified of a disclosure without unreasonable delay.[6]
Requirement to Notify Consumer without Unreasonable Delay
After the seven-day waiting period, current regulations permit carriers to notify consumers of CPNI breaches, unless the FBI and Secret Service forbids them from doing so. The Proposed Rule not only alters the seven-day deadline for federal agency notification, but strikes the mandatory waiting period for consumer notification. The Proposed Rule requires carriers to notify consumers “without unreasonable delay,” unless otherwise requested by law enforcement agencies. Again, this standard is not definite and creates ambiguity regarding how much time carriers have to notify consumers. Although there is no exact timeline, the FCC has seemingly prioritized consumer notice with this change. By no longer mandating that carriers wait to notify consumers, and requiring them to do so in a timely manner, the FCC is working to further its goal of stronger consumer protection.
Seeking Comment: Adoption of Required Content within Notice
The FCC does not currently set forth requirements for the contents of a consumer breach notice. In contrast, 23 states have established minimum requirements for consumer breach notices.[7] These requirements typically include the type of personal information subject to breach, the date on which the breach occurred, and a general description of the breach incident. The Proposed Rule asks the public whether mandating minimum requirements would create too much of a burden on carriers, or if more transparency and uniformity would be preferred. Specifically, the FCC asks for public comment on whether the addition of the following would be acceptable minimum content to require in a consumer notice: “carrier contact information; a description of the breach incident; the method of compromise; the date range of the incident, approximate number of consumers affected; an estimate of financial loss to the carriers and consumers, if any; types of data breached; and the addresses of affected consumers.”
Seeking Comment: Adopting a Harm-Based Trigger for Notification
In addition, the FCC sought comment on whether the Proposed Rule should contain a harm-based trigger for notification. A harm-based trigger would only require notice to be sent to consumers when there is harm reasonably detected. While a breach would still require notice to the appropriate federal agencies, it would strike the consumer notice requirement in hopes of reducing “breach notice fatigue” to the general public. Currently, 44 state breach rules already permit a risk of harm analysis to be conducted in order to determine if notice is required.[8]
For more information on how you can ensure your business is in compliance with FCC requirements, please contact a specialist in Koley Jessen’s Data Privacy and Security Practice Area.
Special thanks to Kristin Thompson, Koley Jessen Summer Associate, for her contributions to this article.
[1] 47 C.F.R. § 64.2011.
[2] For example, a library with publicly accessible phones would not be a telecommunications carrier under the Current Rule or Proposed Rule.
[3] Verizon Wireless, AT&T, Boost Mobile and Metro by T-Mobile are specific examples of telecommunications carriers under the Current Rule and Proposed Rule.
[4] This suggested deadline follows the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires covered entities to notify the Cybersecurity and Infrastructure Security Agency within 72 hours after the entity reasonably believes a covered cybersecurity incident has occurred, and to report ransomware payments within 24 hours.
[5] This suggested deadline follows the EU’s General Data Protection Regulation, which requires notification of a personal data breach within 72 hours of the discovery of the breach.
[6] The following states mandate disclosure within 30 days: Washington, Colorado, and Florida. The following states mandate disclosure within 45 days: Arizona, New Mexico, and Wisconsin. Nebraska mandates that notice is given to residents as soon as possible without unreasonable delay.
[7] Alabama, California, Florida, Hawaii, Illinois, Iowa, Maryland, Massachusetts, Michigan, Missouri, Montana, New Hampshire, New Mexico, New York, North Carolina, Oregon, Rhode Island, South Carolina, Vermont, Virginia, Washington, West Virginia, and Wyoming currently have content requirements for notifications.
[8] California, North Dakota, Minnesota, Texas, Illinois, and Georgia are the only states that do not permit a harm-based trigger.