On January 6, 2023, the Federal Communications Commission (FCC or the “Commission”) released a Notice of Proposed Rulemaking (“Notice”) with updates to its data breach rules and reporting requirements. Considering the growing number of data breaches in the telecommunications industry in recent years, the proposed changes aim to strengthen the Commission’s rules governing breaches involving certain sensitive customer information, also known as customer proprietary network information (CPNI). Like other definitions of personal information or personal data in global privacy laws, CPNI is defined broadly and includes both personally identifiable information and usage data that communications providers collect from or about their customers.
The FCC’s proposed changes come at a time when the data breach notification obligations for companies are constantly evolving. A number of states have expanded their breach notification laws in recent years, and a few have also added affirmative cybersecurity obligations with regard to protected information. Companies subject to the FCC’s jurisdiction will have to account for these new changes (if finalized) along with these other evolving requirements at the state level.
We have provided relevant background and a description of the key takeaways related to the Notice below. The Notice also invites comments on other related matters including the adoption of harm-based trigger notifications for data breaches, setting minimum requirements for the content of customer breach notices, and addressing breaches of sensitive personal information. A detailed summary of the Notice was published in the Federal Register on January 23, 2023, and comments to the Notice are due on February 22, 2023.
Section 222 of the Communications Act of 1934 (the “Act”) requires telecommunications carriers to protect the privacy and security of customer information to which they have access as network operators. In addition to requiring carriers to protect the confidentiality of proprietary information of and relating to their customers (i.e., CPNI), the Act also restricts carriers’ use and disclosure of, and provision of access to, such information. Notably, the Act defines CPNI broadly to include information relating to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service, as well as certain information contained in the bills received by customers. Examples of CPNI include phone numbers called by a customer, the frequency, duration, and timing of such calls, and location data of mobile devices.
Moreover, with respect to Telecommunications Relay Service (TRS) providers specifically, Section 225 of the Act has been found to authorize the Commission to apply the same privacy protections afforded to telecommunications users to TRS users. Thus, in 2013 the Commission adopted rules concerning CPNI that applied to all TRS providers. Effectively, today, the data breach rules and reporting requirements for telecommunications carriers and TRS providers are largely identical.
Inadvertent Disclosures. The first update proposed by the Commission would broaden the definition of “breach” to include the inadvertent access, use, or disclosure of customer information. By broadening the definition to include both intentional and inadvertent breaches, the Commission hopes that carriers will be incentivized to strengthen their data security practices. Moreover, by gathering more information about accidental breaches, the Commission will be able to better identify and remediate any vulnerabilities to prevent similar breaches from occurring in the future.
Commission Notification. In addition, the Commission proposes updating its notification requirements to require telecommunications carriers and TRS providers to notify the Commission of data breaches, in addition to notifying the Secret Service and FBI as its current rules require. Notification to the Commission would improve its ability to track and enforce ongoing compliance with its rules. The Commission notes that this requirement aligns with other data breach notification rules, including, for example, HIPAA, which requires notification to the Department of Health and Human Services.
Notifying Customers without Unreasonable Delay. The Notice also proposes adopting a “without unreasonable delay” standard for notifying customers. This update would eliminate the current mandatory waiting period and instead require telecommunications carriers and TRS providers to notify customers of CPNI breaches without unreasonable delay after discovery of a data breach, unless a delay is requested by law enforcement. It is the Commission’s belief that implementing such a standard, which still allows for necessary delays, would allow affected customers to receive information about breaches and take preventative action sooner, while still not impeding the actions of law enforcement.