One year ago, in March 2015, the Federal Communications Commission (“FCC”) reclassified broadband Internet access service as a common carrier Telecommunications Service subject to regulation under Title II of the Communications Act. At that time, however, the FCC recognized that the then-current rules were not well suited to broadband privacy. On March 10, 2016, the FCC’s Chairman Tom Wheeler circulated for consideration by the full Commission a Notice of Proposed Rulemaking (“NPRM”) that effectively represents the start of the process of adopting rules suitable to broadband service.
The proposed rules would be built on three core principles: customer choice, transparency, and data security.
- Choice: Internet Service Providers (“ISPs”) would be required to provide customers with varying degrees of choice (i.e., no consent required, opt-out or opt-in), depending on how the customer’s personal information is used.
- Transparency: ISPs would be required to disclose in “an easily understandable and accessible manner” the types of information they collect, how they use that information, and the circumstances in which they will share customer information with third parties.
- Security: The proposal would require broadband providers to take reasonable steps to safeguard customer information from unauthorized use or disclosure. At a minimum, the proposal would require broadband providers to adopt risk management practices; institute personnel training practices; adopt strong customer authentication requirements; identify a senior manager responsible for data security; and take responsibility for use and protection of customer information when shared with third parties.
In order to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information, the Chairman’s proposal includes common-sense data breach notification requirements. Specifically, in the event of a breach, providers would be required to notify:
- Affected customers of breaches of their data no later than 10 days after discovery.
- The Commission of any breach of customer data no later than 7 days after discovery.
- The Federal Bureau of Investigation and the U.S. Secret Service of breaches affecting more than 5,000 customers no later than 7 days after discovery of the breach.
The proposed rule would apply exclusively to providers of broadband Internet access service and not to providers such as Amazon and Facebook or other operators of social media websites.
The proposal will be voted on by the full Commission on March 31, and, if adopted, would be followed by a period of public comment.