The Federal Communications Commission (“FCC”) is on the verge of proposing new federal privacy regulations for internet broadband service providers (“ISPs”). ISPs were previously policed by the Federal Trade Commission (“FTC”). The FCC’s rulemaking is an outgrowth of its determination last year that wireline and wireless ISPs are telecommunications common carriers subject to Title II of the Communications Act, including the privacy provisions in Section 222 thereof. That determination, which is still under attack in court, effectively moved ISPs from FTC to FCC jurisdiction. ISPs will soon be forced to grapple with the details of a proposed FCC privacy regulatory scheme that has already been broadly outlined in a “Fact Sheet” released by the FCC. The FCC will fully unveil its specific proposals in a formal Notice of Proposed Rulemaking (“NPRM”) scheduled for an FCC vote on March 31.
While many of the proposals in the March 10 Fact Sheet are very general and ill-defined, one specific proposal on ISP data breach notifications is likely to trouble ISPs because the proposed notification deadlines are extremely short:
- 10 days to notify affected customers
- 7 days to notify the FCC
- 7 days to notify the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service if the breach affects more than 5,000 customers
ISPs are currently required to comply with state breach notification laws, which typically require notice to customers in the most expedient time possible and without unreasonable delay. Where specific timelines for customer notification do exist in state law, the shortest is 30 days. In light of existing state laws, a 10-day window to notify customers is very ambitious and seems ill-considered. ISPs are likely to confront highly sophisticated, technical breaches whose scope is difficult to ascertain after detection. A 7-day deadline for notifying the FCC and possibly the FBI seems even more unrealistic. Until an ISP can determine both the number and identity of the customers affected, it cannot provide any useful notification to its customers or to law enforcement agencies.
However, reformation of the FCC’s proposal could yield a rule helpful to ISPs. A single, national breach reporting standard for ISPs would be more efficient for ISPs than the current patchwork of nearly 50 state laws concerning breach notice. Such a standard would be especially beneficial to ISPs if the timeline for reporting a breach took a safe harbor approach. Under such an approach, an ISP could establish compliance by meeting a specific reasonable timeline for notification of a breach, or by showing that its notification beyond the timeline was reasonable under the particular circumstances it faced.
This approach would require the FCC to preempt inconsistent state law. The FCC has already asserted that it can preempt state laws that impose obligations on ISPs that are inconsistent with the FCC’s regulatory scheme for broadband communications. States, however, are likely to oppose any initiative by the FCC to preempt state laws. The NPRM that the FCC intends to release after its March 31 meeting should be the next significant step in this process, but certainly not the final step.