On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule). The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.
The current data breach reporting rule was adopted in 2007 for breaches of customer proprietary network information (CPNI). At the time the Commission adopted its current data breach rule, it was intended to protect customers from pretexting, the practice of pretending to be a customer or other authorized person to obtain access to that customer’s call detail or other private communications records. Since then, the transformation in digital services has significantly expanded cybersecurity risks to CPNI, and multiple additional data breach notification laws and regulations have come into effect. According to the Commission’s press release, this proposal seeks to align the Commission’s rules with state and federal laws.
The Commission’s current data breach reporting rule requires providers with more than 5,000 customers to notify law enforcement agencies of breaches involving CPNI within a seven-day period, while breaches affecting providers with less than 5,000 customers within 30 days. The Proposed Rule would include the following:
Breach Definition: Expand the definition of a “breach” to include inadvertent disclosures of customer information. This definition is broader than the Commission’s current rule, which defines a breach as “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.”
Commission and Law Enforcement Notification: Require carriers to notify the Commission of any accidental access, use, or disclosures as soon as practicable after discovery of a breach. Additionally, any reportable breaches to the Commission shall require notification to the Federal Bureau of Investigations and the U.S. Secret Service.
Customer Notification: Require carriers to notify customers of breaches without unreasonable delay after discovery of a breach – eliminating the current seven-day mandatory waiting period before notifying customers.
Law Enforcement Exception: Include a law enforcement exception which permits delaying Commission and customer notification.
Comment Period: Among other things, the Commission sought comment on the following:
Definition of Breach: The Commission is interested in the proposed expanded definition of “breach” and the impact of such a change on the number of reported breaches, as well as any benefits and burdens associated with such a change. The Commission also sought comment on whether it should provide an exemption for, (1) good-faith acquisition of covered data by an employee or agent of the company where such information is not used improperly or further disclosed; and (2) instances where a telecommunications carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. The Commission also seeks comment on whether to expand the definition of a breach to include situations where a telecommunications carrier or a third party discovers conduct that could have reasonably led to exposure of customer CPNI, even if no such exposure occurred. The Commission also sought comment on its authority to establish breach-reporting obligations for information other than CPNI, such as Social Security numbers and financial records.
Consistency with other Laws: The Commission is interested in how to minimize data breach reporting burdens for telecommunications carriers, including with respect to state and federal laws. The Commission specifically references the recently-passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires certain covered entities to notify the Cybersecurity and Infrastructure Security Agency (CISA) of cyber security incidents and establishes an interagency Cyber Incident Reporting Council intended to streamline interagency cyber incident reporting.
Notifying Commission and Federal Law Enforcement: The Commission is interested in the benefits and costs of requiring notification to the Commission in addition to notifying the Secret Service and the FBI, including whether a threshold for notification is helpful. The Commission requested comment on the benefits and burdens of the law enforcement exception which would permit telecommunications carriers to delay notification in certain circumstances.
Method of Notification to Commission: The Commission proposes to create and maintain a centralized portal for reporting breaches to the Commission, and requested comment on such a portal as well as timing requirements for Commission notice.
Content of Notification to Commission: The Commission is interested in what information should be required to be included in data breach notifications. The Commission is not proposing changes to the required contents of data breach notifications to the Commission at this time, which currently requires information relevant to the breach, including carrier contact information, a description of the breach incident, the method of compromise, the date range of the incident, the approximate number of customers affected, an estimate of financial loss to the carriers and customers, if any, the types of data breached and the addresses of affected customers.
Notification to Customers: The Commission sought comment also on the elimination of the seven-day waiting period and whether a “without unreasonable delay” notification requirement permits carriers enough time to determine the scope and impact of the breach. The Commission also requested comment on whether it should require customer breach notifications to include specific minimum categories of information.
Method of Notification to Consumers: The Commission is interested in whether the Commission follow state regulations that specify the form of customer notice.
Legal Authority: The Commission also sought legal comment on its legal authority to implement the Proposed Rule.