Modern energy companies should pay close attention to the Federal Communications Commission's recent order adopting rules protecting the privacy of customer proprietary information. Although not particularly focused on energy companies, this order will have a direct impact on their service contracts with telecommunications carriers, and it may also control liability for carrier-level data breaches that affect the companies as the carriers' customers.
On November 2, 2016, the FCC released a report and order, In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106, FCC 16-148 (Privacy Order). In the Privacy Order, the FCC adopted general rules to protect the privacy of broadband customers receiving broadband Internet access service (BIAS) (e.g., retail broadband voice and data internet connection). For the most part, services provided by telecommunications carriers to modern electric companies were exempted from coverage by these rules on the theory that power companies were enterprise customers that did not take BIAS service from carriers. However, the FCC did not completely ignore the potential impact of carrier data breaches on enterprise customers. It required that, for any exemption of non-BIAS services from coverage of the overall rules to be valid, the carrier/enterprise service contract in question must contain certain provisions. It stated:
Recognizing that enterprise customers of telecommunications services other than BIAS have different privacy concerns and the capacity to protect their own interests, we find that a carrier that contracts with an enterprise customer for telecommunications services other than BIAS need not comply with the privacy and data security rules we adopt today if the carrier’s contract with that customer specifically addresses the issues of transparency, choice, data security, and data breach and provides a mechanism for the customer to communicate with the carrier about privacy and data security concerns. Id. ¶ 15.
The FCC's rationale was that "the existence of contractual terms between two businesses addressing privacy ensures that the enterprise customer’s privacy is in fact protected without the need for our [FCC] rules." Id. ¶ 308. Even then, the Commission's exemption was not absolute, because carriers are still subject to 47 U.S.C. § 222, which provides that telecommunications carriers have a duty to protect the customer proprietary network information (CPNI) of their customers. Moreover, the exemption does not apply to BIAS services purchased by enterprise customers, because BIAS services by definition are "mass market retail service[s]," and as such the FCC did not anticipate that it would be typical for purchasers to negotiate the terms of their contracts. Id. Further, the FCC strongly encouraged telecommunications providers to adhere to the NIST Framework as a model for protecting the privacy and security of CPNI.
Consequently, modern energy companies should review their carrier service contracts to determine whether they contain the necessary provisions and, in the event that the contracts do not, make a decision with regard to coverage.