For the first time since 2007, the Federal Communications Commission (“FCC”) has proposed updating its breach notification rules for telecommunications carriers. On January 6, 2023—after nearly a year of internal deliberation—the FCC issued a Notice of Proposed Rulemaking (“NPRM”) that would update data breach requirements by eliminating the current customer notification waiting period and expanding the definition of a breach to cover unintentional breaches.
Updated (1/20/23): The FCC’s NPRM will be published in the Federal Register on January 23. The comment round closes on February 22 and reply comments are due on March 24. Contact us to see how ZwillGen’s team can help you prepare and file comments.
Background
The FCC first issued a rule addressing breach notification requirements for telecommunication carriers more than fifteen years ago. The rule (47 C.F.R. § 64.2011) details when a telecommunications carrier or an interconnected Voice over Internet Protocol (“VoIP”) provider is required to report the breach of customer proprietary network information (“CPNI”), and to whom. The current rule contains several requirements that are unique to telecom breach notifications.
First, the FCC limits the definition of a breach to intentional acts. The current rule defines a breach as “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.” Therefore, accidental breaches and disclosures of information do not trigger the reporting requirements.
Second, the FCC requires reporting to law enforcement, rather than to the Commission. When a telecommunications carrier experiences a breach of CPNI, it is required to report the incident to the FBI and the US Secret Service within seven days of a “reasonable determination” that a breach has occurred.
Third, there is a required waiting period before reporting the breach to customers. The FCC requires carriers to wait seven days from when they notified law enforcement before notifying their customers.
The NPRM
The NPRM proposes major changes to the FCC’s breach notification rules that would, in many ways, mirror other federal and state breach laws.
First, the FCC proposes to expand the definition of a breach so that it is no longer limited to intentional acts. The new definition would include “inadvertent access, use, or disclosures of customer information.” The NPRM suggests that this expanded definition would address the impact that inadvertent leaks have on customers and encourage reporting by providers who may not immediately be aware of whether a breach is intentional or not. The NPRM seeks comment on whether the FCC’s rules should include a harm-based approach that would not require reporting if the carrier believed customer harm was not reasonably likely. A majority of state data breach laws include a risk-of-harm analysis that, for example, eliminates notification requirements where the exposed data is securely encrypted. Whether or not to include a harm requirement is likely to be among the most hotly debated issues in the comment round.
Second, the new rule would require notification of breaches to the FCC itself, in addition to the existing requirement to notify law enforcement. This would be in line with other sector-specific breach notification requirements, but would almost certainly increase providers’ exposure to FCC enforcement related to breaches. The NPRM proposes to continue using a centralized portal for breach notifications that would submit notices to the FCC along with law enforcement. The NPRM also seeks comment on whether and how FCC breach notifications can be integrated with other forthcoming notification regimes, such as the Cybersecurity and Infrastructure Security Agency’s future critical infrastructure reporting tools.
Third, the new rule proposes a more expeditious reporting timeline. It would require reporting to law enforcement (and the FCC) “as soon as practicable after discovery of a breach” rather than the current standard of no later than seven days after “reasonable determination” of a breach. The NPRM seeks comment on this timeline—including whether to shorten the timeframe in line with other recent proposals—and whether to publish guidelines for how carriers must come to a “reasonable determination” that a breach has occurred.
Fourth, the NPRM proposes abolishing the current waiting period for customer notification. Instead of a seven-day waiting period, it would require customer notification “without unreasonable delay” after the breach is discovered and law enforcement is notified. In proposing to eliminate this waiting period, the FCC explains that the current rule was driven by a concern that immediate notification would impede law enforcement investigation, but tentatively concludes that this concern is “out-of-step with current approaches.” The NPRM seeks comment on whether the “without unreasonable delay” proposal should include an outside limit (such as, “no later than 60 days”) and whether providers should simultaneously notify law enforcement and customers.
And fifth, the NPRM seeks comment on whether to set out specific requirements for the contents and method of customer breach notifications. The current rules leave carriers with broad discretion on the contents and method of breach notifications, but many state laws and other sector-specific rules prescribe exact forms for consumer notices. As drafted, the proposed revisions to the rules do not contemplate new requirements on contents and method, but that may change after the public comment period.
ZwillGen’s experienced team of cybersecurity attorneys can assist clients in preparing comments in this proceeding and in implementing compliance strategies if these new rules are adopted.