FCC Proposes Changes to its Reporting Requirements for Customer Data Breaches
On December 28, 2022, the Federal Communications Commission (“FCC”) adopted a Notice of Proposed Rulemaking (“NPRM”) seeking to modernize and strengthen its rules to better protect consumers from the harm caused by breaches of their data and personal information. Under current FCC rules, telecommunications carriers and Voice over Internet Protocol (“VoIP”) service providers (together “carriers”) must notify customers and federal law enforcement of data breaches involving certain customer proprietary network information – known as CPNI – including, for example, the number a customer calls, the frequency or duration of calls, and a mobile device’s location. The FCC developed the current rules to address a specific type of data breach – specifically, “pretexting,” which is the practice of pretending to be a customer to gain access to their call data or other personal records. But because pretexting has rarely been responsible for recent data breaches, the FCC proposes and seeks comment on new requirements to address the more sophisticated and diverse breaches occurring more frequently today. Among other things, the FCC proposes expanding the definition of “breach” to include “inadvertent” breaches, requiring carriers to notify the FCC in addition to federal law enforcement of data breaches, and eliminating certain waiting periods before carriers may notify customers of breaches. Public comments and reply comments on the NPRM will be due 30 and 60 days, respectively, after the NPRM is published in the Federal Register.
Definition of “Breach”
Inadvertent Disclosures. Under current FCC rules, a “breach” occurs “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.” The NPRM proposes to expand this definition to include the inadvertent unauthorized access, use, or disclosure of CPNI to address the increasingly diversified methods used to steal CPNI – such as “phishing” attacks. The FCC seeks comment on the impact of requiring accidental breach reporting, such as the burden and costs to carriers, and asks whether it should (as many states do) exempt from the definition of breach a good-faith acquisition of CPNI by employees or agents where the information is not used improperly or disclosed. The FCC also questions whether it should expand the definition of breach even further to include conduct that could reasonably have led to CPNI exposure, even if it has not.
Harm-Based Notification Trigger. While the current rules require notification in every instance of a breach, the FCC asks whether it should adopt a “harm-based notification trigger” utilized by many states that would permit a carrier to forego notification when it reasonably determines that no harm to customers is reasonably likely to occur due to the breach. The FCC seeks comment on how it should define “harm” – such as financial and/or physical or emotional harm – and asks about the factors, or standard, carriers should use to evaluate whether customers are reasonably likely to be harmed. Though, the NPRM notes that even if the FCC adopts a harm-based notification trigger, a carrier’s obligation to notify would remain in place if it could not determine a reasonable likelihood of harm. The FCC also asks whether the harm-based trigger should apply to both notifications to customers and law enforcement. The FCC also asks whether it has the authority under the Communications Act to establish reporting obligations for other information carriers possess, such as social security numbers and financial records.
FCC and Law Enforcement Notification
FCC Notification. Currently, when a carrier has reasonably determined that there has been a breach involving CPNI, it is obligated to notify only the U.S. Secret Service and Federal Bureau of Investigation (“FBI”). The FCC proposes requiring carriers to notify the FCC of breaches involving CPNI contemporaneously with law enforcement because this approach (i) is consistent with other federal sector-specific privacy reporting rules and (ii) would provide important information about non-criminal breaches to the FCC so that it can investigate and remediate broader network security vulnerabilities.
Method of Notification. The FCC’s breach notification rules require that carriers notify law enforcement through a “central reporting facility” that may be accessed through its website. To streamline the notification process, the FCC proposes to create and maintain a centralized portal for reporting breaches to both law enforcement and the FCC and asks whether it could leverage, for example, the recently created Cybersecurity and Infrastructure Security Agency Incident Reporting System used for cybersecurity incidents to minimize burdens on carriers.
Notification Contents. Carriers are currently required to include certain information in their breach notifications to the Secret Service and FBI, such as contact information, a description of the breach, the method of compromise, the date range of the breach, the approximate number of customers affected, an estimate of the financial loss to the carrier and customers, and the addresses of the affected customers. The FCC proposes to require the same information in carrier notifications to the FCC.
Timeframe. While carriers today must report breaches to law enforcement no later than seven days after the reasonable determination of a breach, the FCC proposes requiring carriers to notify the FCC and law enforcement “as soon as practicable” after discovering a breach to minimize burdens on carriers and reduce confusion around reporting obligations. The FCC, however, also seeks comment on whether it should maintain the “no later than seven days” deadline or adopt a new deadline, such as within 24 or 72 hours.
Threshold Trigger. Under the existing rules, the notification requirements apply to all breaches, regardless of severity. However, the FCC notes that breaches affecting only a small number of customers may not require the same level of attention as larger breaches. Thus, to reduce administrative burdens and excessive reporting, the FCC asks whether it should, instead, adopt (as many states have) threshold levels of affected customers that would trigger carriers’ notification obligations, such as 250, 500, or 1000 affected individuals.
Notifying Customers of Data Breaches without Unreasonable Delay. The FCC’s rules currently prohibit carriers from notifying customers or disclosing a data breach to the public until seven full business days after notifying law enforcement, with some exceptions to avoid immediate and irreparable harm to customers. The FCC proposes eliminating this waiting period and requiring customer notification “without unreasonable delay” after discovering a breach unless law enforcement requests a delay. It asks whether it should provide guidance on a specific notification deadline and notes that many states have imposed an outside time limit on when consumers must be notified, such as 30, 45, or 60 days after the discovery of a breach. The FCC also asks whether any notification deadline it adopts should apply equally to all carriers or whether different reporting deadlines should apply to small carriers. The FCC notes that a federal agency would still be allowed to direct a carrier to delay a customer notification for up to 30 days, as is currently permitted by the FCC’s rules, if that notification would interfere with an investigation.
Contents of Customer Breach Notification. Although the FCC does not currently require carriers to include any specific information in customer notifications, it now seeks comment on whether it should require some minimum information, including:
the date of the breach;
a description of the customer information that was used, disclosed, or accessed;
information on how customers, including customers with disabilities, can contact the carrier to inquire about the breach;
information about how to contact the FCC and other relevant federal and state regulatory agencies;
information about credit reporting and the steps customers can take to guard against identity theft if the breach poses a risk of identity theft; and
other steps customers should take to reduce the risk of harm from the breach based on the specific information leaked.
Method of Customer Breach Notification. Similarly, the FCC asks whether it should require a particular notification method, such as e-mail, physical mail, or telephone calls.
Telephone Relay Service Requirements
The FCC explains that its current breach notification rules for Telephone Relay Services (“TRS”) and point-to-point video calls over the Video Relay Service (“VRS”) – services that are designed to help those with hearing, speech, and sight disabilities communicate by telephone – are the same as those generally applicable to carriers. Accordingly, to maintain an equivalent level of protection for TRS and VRS users, the FCC proposes to amend its TRS and VRS data breach rules to include identical requirements as those proposed and explained above for carriers.
While the FCC tentatively concludes that it has the legal authority to adopt its proposals under Section 222 of the Communications Act, which governs carriers’ use, disclosure, and protection of CPNI, it seeks comment on that tentative conclusion.