Another agency has adopted rules concerning data security and privacy, this time focused on the telecommunications industry – broadening the scope of data to be protected. On Thursday, October 27, 2016, the Federal Communications Commission (FCC) adopted rules affecting Internet Service Providers’ (ISP) use of their customers’ information generated by using the ISP’s services. The rules also address data security practices and data breach notification timeframes. The text of the rules will be available when published in the Federal Register, which is expected this week.
Based on the information available from the FCC at this time, the new rules focus on the following items:
1 Privacy for Broadband Consumers’ Information – Customer Consent for Use of Sensitive Information
ISPs must obtain consent from their customers to use certain “sensitive information” and disclose how they intend to use it, including with whom they intend to share the information.
According to information provided by the FCC, sensitive information includes precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history, the content of communications and call-detail record information.
As stated in its press release, the FCC has divided the types of information to be used and client consent requirements as follows:
- Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information.
- Opt-out: ISPs would be allowed to use and share nonsensitive information unless a customer “opts out.” All other individually identifiable customer information (such as email address or service tier information) would be considered non-sensitive, and the use and sharing of that information would be subject to opt-out consent.
- Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the rules, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.
The “Notice and Choice” requirements described above will become effective approximately 12 months after publication. Small providers (as defined in the rules) will have an additional 12 months to come into compliance.
2 “Reasonable” Data Security Practices
The rules require broadband providers to engage in reasonable data security practices and contain guidelines regarding steps ISPs should consider taking to develop such practices. It is unclear what the FCC will consider “reasonable,” particularly while federal, state and international laws in this area are still being developed. The telecommunications industry will need to analyze its current practices to determine whether they meet the “reasonable” requirement.
The data security requirements will go into effect 90 days after the summary of the rules is published in the Federal Register.
3 Breach Reporting Requirements
The many federal, state and international laws addressing breach notification are inconsistent, and each has its own notice and reporting requirements. The FCC has now added yet another. The rules contain data breach reporting requirements and timeframes, including:
- notification to affected customers as soon as possible, but no later than 30 days after reasonable determination of a breach;
- notification to the FCC, FBI and U.S. Secret Service of breaches affecting 5,000 customers or more, no later than seven days following reasonable determination of a breach; and
- notification to the FCC, at the same time as customers, for breaches affecting fewer than 5,000 customers.
As with all reporting requirements, it is vital to discuss breach response and notice requirements with legal counsel.
The data breach notification requirements will become effective approximately six months after publication in the Federal Register.
4 FCC’s Informal Dispute Resolution – Mandatory Arbitration Clauses
The FCC’s Order reaffirms the right of broadband and voice customers to use the agency’s informal dispute resolution process and expresses concern about the use of mandatory arbitration agreements, which will be the subject of a rulemaking in February 2017.