Data Security

The FCC Adopts New Breach Notification Rules

Published: Dec. 13, 2023

The Federal Communications Commission (“FCC”) voted today to adopt updated breach notification rules for telecommunications and interconnected Voice over Internet Protocol (“VoIP”) service providers (together, “carriers”), and telecommunications relay service (“TRS”) providers. Before this week, the FCC had not updated its rules in 16 years! The final order will be published in the coming days, so our summary of the rules is based on the draft Report and Order (available here).

Highlights

The Order makes some key changes bringing this set of rules in line with other sectoral and state data breach laws, including: 

  • Expanding the scope of reportable data types to now cover all personally identifiable information (“PII”) of customers that carriers and TRS providers maintain;
  • Expanding the definition of “breach” to include the inadvertent access, use, or disclosure of customer information;
  • Requiring carriers and TRS providers to notify the FCC of breaches in addition to existing requirements to notify law enforcement;
  • Removing the requirement to notify customers of a breach if the carriers and TRS providers reasonably determine that no harm occurred; and
  • Eliminating the existing mandatory waiting period and requiring immediate notification to customers, the FCC, and law enforcement.

Summary

Defining Breach

The original breach notification rules narrowly covered only customer proprietary network information (“CPNI”), which includes information such as called phone numbers, billing information, and telephone service information. Put differently, CPNI does not include any of the data elements that we typically consider “personal information” under other legal regimes. The new rules significantly expand the scope of reportable information to include all PII. Notably, the FCC intentionally kept the definition of PII broad, not providing any list of data elements, but instead incorporating the definition of PII from OMB Circular A-130: “‘personally identifiable information’ means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”

The FCC also expanded the definition of what constitutes a breach of customer information. The new rules expand the definition to cover instances where customer information was inadvertently disclosed, going beyond the previous definition, which only accounted for intentional attempts to gain access. The new breach definition—capturing “any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed covered data”—is more in line with state data breach laws and will likely result in many more reportable incidents than the prior rules. This definition is limited by a “good-faith exception” that excludes instances of good-faith acquisition of covered data by an employee or agent of a carrier, provided that the information acquired is not “used improperly or further disclosed.”

Notifying the Government

Under the new rules, carriers are required to notify not only federal law enforcement (the Secret Service and the Federal Bureau of Investigation), but now also the FCC itself. This additional notice corrects one of the oddities of the existing rules, which left the FCC in the dark on many data breaches. The addition of the FCC will not impose any different or additional reporting content requirements on carriers or providers but will make the FCC a contemporaneous recipient of such reports. 

The FCC declined to adopt a harm-based trigger for reporting obligations to the agencies; government notices must be made regardless of the number of customers affected or the carrier’s determination of the risk of harm to customers. For breaches affecting 500 or more customers (or if the number cannot be determined), carriers must notify the FCC and law enforcement agencies within seven business days. The per-breach, seven-day notice requirement also applies to breaches affecting fewer than 500 customers, unless the carrier can reasonably determine that customers are not likely to be harmed. Such “harmless” breaches affecting fewer than 500 customers must eventually be reported via an annual summary of breaches rather than via immediate notification.

The new rules retain the existing seven-day reporting requirement to federal agencies; the Report and Order makes clear that this is intended to serve as an outer bound of the expected timeframe. The FCC expects that, depending on the severity of the breach, adhering to an “as soon as practical” notification standard may require alerting agencies earlier than seven days. In fact, the FCC states that failure to report swiftly (sooner than seven days) may be considered untimely and unreasonable. The new rules also codify reporting content requirements and require carriers to update initial breach notifications in the event of material updates or previously incorrect information.

Notifying Customers

The FCC chose to adopt a harm-based trigger for reporting obligations to customers. Therefore, carriers and providers are not required to notify customers of a breach where the carrier “reasonably determines that no harm to customers is reasonably likely to occur as a result of the breach.” To prevent the risk of not informing customers, carriers are required to notify customers if they are unable to make a determination of harm. Unlike many state data breach laws with harm-based triggers, the FCC’s new rules guide carriers through how to think about a harm determination. The FCC intends to view “harm” broadly, including financial harms, physical harms, identity theft, spam, reputational harms, mental or emotional distress, and other “similar types of dangers.” These harms need to be evaluated through the consideration of several factors, including the sensitivity of the information that was breached, the nature and duration of the breach, whether the information was properly encrypted, how quickly the breach was mitigated, and any intentionality related to the breach. Unless this analysis concludes that harm is unlikely, notification to customers is required.

The new rules require carriers and providers to notify customers without unreasonable delay, but only after federal agencies have been notified, and no later than 30 days after a reasonable determination of a breach. Although carriers no longer need to abide by the previous mandatory waiting period before notifying customers, law enforcement will still be able to request a 30-day delay of customer notification under specific circumstances. The FCC does not establish minimum content requirements or methods of customer notification, but it does provide “recommendations” on the categories of information that should be in a customer notification, which are broadly similar to state breach notification requirements.

TRS Breach Reporting 

Ten years ago, the FCC adopted specific privacy rules for TRS providers, finding that TRS is the functional equivalent of voice telephone services. These new rules incorporate many of the above changes but tailor some of the rules to adequately provide TRS users with the same level of privacy protections. One distinction is that the content of calls is now included in the definition of covered data, in addition to PII and CPNI, because call contents, including transcripts, can contain sensitive and private information. Similarly, the content of notifications requires more granularity given the nature of the calls; therefore, disclosures must include a description of the customer information that was breached. As a result, a breach at a TRS provider is higher risk and would likely meet more disclosure triggers than would be the case for other customers.

Key Takeaways

The new rules mark some significant changes in the privacy rights of telecom customers, while also signaling the FCC’s aim to continue taking a more proactive role in establishing privacy guardrails. While many of the rule updates merely bring the telecom industry on par with others, the FCC chose to adopt aggressive timelines and broad definitions that will challenge providers and require more frequent notice to government and consumers.

While requiring expanded notifications, the FCC also recognizes its own limitations, frequently emphasizing the role of federal law enforcement agencies in investigating breaches. Along the same lines, last week the FCC’s Privacy & Data Protection Task Force—announced earlier this year—signed a new memorandum of understanding with the attorneys general of Connecticut, Illinois, New York and Pennsylvania, allowing the FCC to coordinate efforts in investigating privacy, data protection, and cybersecurity issues. The FCC remains limited in its jurisdictional reach, but in the event of an investigation of a carrier for violating these rules, the FCC, through this new partnership, is in a much better position to cooperate and support state attorneys general, who often have more investigatory resources and more powerful consumer protection statutes.