On January 6, 2023, the FCC released a Notice of Proposed Rulemaking (the “Notice”) proposing to “modernize the Commission’s data breach rules,” thereby launching a formal effort to gather information from the industry on the issue of data breach reporting. The Notice, adopted on December 28, 2022, seeks to strengthen the Commission’s rules with the goal of better protecting consumers from potential harm caused by data breaches involving customer proprietary network information, or CPNI. In its news release, the Commission states that it will look to better align its rules with recent developments in federal and state data breach laws covering other sectors. In the Notice itself, this proposed alignment includes expansion of the definition of a breach, changes to customer notification, and changes to reporting to the Commission and law enforcement.
The proposed rules are intended to address more modern data security concerns and would expand the definition of “breach” in reaction to the increase in sophistication and scale of data leaks. Under the current rule, which was adopted to combat pretexting, a breach occurs “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.” The Notice proposes expanding that definition to “include inadvertent access, use, or disclosures of customer information.” Additionally, the Commission is specifically seeking comment on whether it should adopt a harm-based trigger for breach notifications, noting that many states currently have such standards. The Commission also asks for comment on the implications of requiring reporting of accidental breaches, and whether a “good faith” exemption should be implemented for unauthorized acquisition by employees or agents of carriers.
Currently, the FCC requires telecommunications carriers and Voice over Internet Protocol providers (collectively “carriers”) to notify customers and federal law enforcement of data breaches involving CPNI. Under the current rules, carriers are required to notify the Federal Bureau of Investigation (“FBI”) and the U.S. Secret Service. Carriers are prohibited from notifying customers until seven business days after notifying federal law enforcement. The Commission proposes eliminating the delay in customer notice and instead requiring that notice be made to impacted individuals without unreasonable delay after discovery of a breach and notification to law enforcement. Delay in notification would be permitted under the new rule at the request of federal agencies or law enforcement. And while there are currently no content requirements for customer notice, the Commission is contemplating requiring some minimum categories of information. These include:
- The date of the breach
- A description of the customer information that was used, disclosed, or accessed
- Information on how customers, including customers with disabilities, can contact the carrier to inquire about the breach
- Information about how to contact the Commission, FTC, and any state regulatory agencies relevant to the customer and the service
- If the breach creates a risk of identity theft, information about national credit reporting agencies and the steps customers can take to guard against identity theft, including any credit monitoring, credit reporting, or credit freezes the carrier is offering to affected customers
- What other steps customers should take to mitigate their risk based on the specific categories of information exposed in the breach
The Notice does not include a proposal for method of customer notice but does ask for comment on whether such a requirement should be included in the final rule.
In addition to notifying the FBI and the U.S. Secret Service, the Notice includes a proposal to require carriers to notify the Commission of data breaches. Reporting to the Commission and law enforcement would no longer be within seven days of the reasonable determination of a breach, as required under the current rule, but instead “as soon as practicable” after discovering a breach. Reporting to the Commission and law enforcement would occur through a centralized portal; however, the Commission is interested in comment on how it can reduce the burden of reporting on carriers given the recently passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). And though the Commission seeks comment on keeping its existing content requirements for reporting, it further asks whether the information required under CIRCIA should be required for reporting to the Commission, again with the goal of minimizing potentially duplicative reporting requirements.
Finally, the Commission requests comment on whether a threshold on the number of customers affected should be implemented to trigger a breach report to the Commission and/or law enforcement. Though the Commission notes that smaller breaches may not require federal law enforcement attention, it observes that making reporting of small breaches voluntary could hinder the Commission’s ability to investigate the full scope of methods and motives associated with CPNI breaches.
Interested parties have 30 days to submit comments on the Notice following its publication in the Federal Register, and 60 days to submit reply comments. Companies interested in submitting a comment to the FCC should reach out to one of the attorneys listed below or to the Alston & Bird attorney with whom they maintain a relationship.