After a decade and a half under the current data breach notification rules for telecommunications carriers and telecommunications relay services (TRS) providers, the FCC recently unveiled plans to update and expand them.
On November 22, 2023, the FCC issued a Report and Order, which it intends to consider at its December 13th meeting, that would update the current data breach notification rules. While the new rules would reduce the burden on carriers and TRS providers by relieving them of the requirement to notify customers of breaches under some circumstances, they also broaden the scope of the rules in important ways.
Expanded definition of “breach.” The proposed rules would expand the definition of breach to include “inadvertent access, use, or disclosure of customer information.” This is in stark contrast to the current definition of “breach” in 47 CFR § 64.2011(e) – “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed customer proprietary network information.” The FCC noted the potential risk posed by any exposure of consumer data – even an unintentional one – because the customer could suffer the same types of harm whether the unauthorized access to their information was intentional or inadvertent. The proposed rules include an exception where customer information is inadvertently acquired by an employee or agent of a carrier or TRS provider and the information “is not used improperly or further disclosed.” Nevertheless, moving from a requirement of “intentionally gained access” to “inadvertent access” is a significant expansion of what would be considered a “breach” going forward. The FCC did not, however, further expand the definition of “breach” to include security events that could reasonably lead to the exposure of CPNI (although the Commission expressly reserved the right to amend the definition in the future).
Expanded scope of information triggering notification requirement. The expanded rules would also broaden the scope of the notification obligations to cover all personally identifiable information (PII) – not just the customer proprietary network information (CPNI) that carriers hold by virtue of their provision of telecommunications services. Under the new rules, disclosure of or access to any information “that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information” would trigger notification requirements. This expansion seemingly overlaps with the notification obligations under state data breach notification laws and would likely result in a significant increase in reported breaches by telecommunications carriers and TRS providers. The expansive definition of PII, in fact, goes beyond most state data breach notification laws: the FCC explicitly states that an individual’s name, address and phone number would be considered PII under the new definition, and would therefore require notification to the FCC, law enforcement, and customers, even though such information is not generally considered PII under any state data breach notification law.
Timeline to report breach to customers. The proposed rules would also eliminate the mandatory seven day waiting period before carriers and TRS providers can notify customers of a breach, as the FCC does not want to delay customer notification and instead wants customers to be able to promptly take any preventative steps (such as freezing their credit). Carriers and TRS providers would be required to notify customers of breaches “without unreasonable delay” after notifying the Commission and law enforcement agencies – a period not to exceed 30 days. This baseline requirement applies unless they reasonably determine that no harm to consumers is reasonably likely to occur as a result of the breach. This “risk of harm” standard is similar to the standard outlined in the GLBA’s Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) and in various state data breach notification laws.
Notice to the FCC. The proposed rules would add the FCC to the list of agencies that carriers and TRS providers must notify after a breach, a list that currently includes only the FBI and the U.S. Secret Service. Crucially, notification to the FCC (and FBI and USSS) is not subject to the same “risk of harm” threshold as the new individual notification rules referenced above. The bifurcation of notification requirements and application of the “risk of harm” threshold is similar to the Interagency Guidelines, where financial institutions must notify customers if misuse of “sensitive customer information” has occurred or is reasonably possible, but this “misuse” standard is not applicable to regulator notification.
Timeline to report breach to FCC/FBI/USSS. For breaches affecting 500 or more customers, or for smaller breaches where harm is reasonably likely to occur as a result of the breach, carriers and TRS providers would still be required to report all such breaches to federal law enforcement agencies and the FCC as soon as practicable, but no later than seven days after reasonable determination of a breach. For breaches affecting fewer than 500 customers where the carrier can reasonably determine that harm to customers is not likely, carriers may file an annual summary of such breaches (on February 1 of each year). These requirements are similar to how covered entities report HIPAA breaches to the Department of Health and Human Services, Office for Civil Rights.
Content of notification to FCC/FBI/USSS. While the content of required notifications remains largely the same, the FCC’s report does include a new requirement that TRS providers include “a description of the customer information that was used, disclosed, or accessed,” including “whether data on the contents of conversations, such as call transcripts, are compromised.” Actual audio or transcripts, however, should not be included.
The Report and Order will be considered by the FCC at its December 13th meeting. If officially adopted, the new rules would become effective 30 days after publication in the Federal Register.