- The Federal Communications Commission (FCC) proposes redefining "breach" to include inadvertent disclosures of customer proprietary network information.
- The Notice of Proposed Rulemaking (NPRM) also proposes to update the requirements on when to notify law enforcement and customers of customer proprietary network information (CPNI) breaches.
- Comments are due February 22.
The Federal Communications Commission (FCC) has proposed to update its data breach reporting requirements to address increasing security breaches in the telecommunications industry. In December 2022, the FCC released a Notice of Proposed Rulemaking (NPRM) launching a proceeding to improve the process for notifying customers and federal law enforcement of breaches that may have exposed customer proprietary network information (CPNI). In the NPRM, the FCC proposed several revisions to its data breach rules (which have not been updated since 2007) and seeks comment on those proposals.
Comments are due on February 22, 2023; reply comments are due on March 24, 2023.
Background
The FCC requires telecommunications carriers and VoIP providers to protect the privacy and security of information about their customers to which the providers have access as a result of their customer relationships. Carriers may only use, disclose or permit access to CPNI received as a result of providing telecommunications or VoIP services: (1) as required by law; (2) with customer approval; or (3) in its "provision of the telecommunications service from which such information is derived, or services necessary to or used in the provision of such telecommunications service." The Communications Act defines CPNI as "(A) information that relates to the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier." CPNI can include information such as phone numbers called by a consumer; the frequency, duration and timing of calls; the location of a mobile device when it is in active mode; and services purchased by the consumer.
The FCC first adopted rules restricting the use and disclosure of CPNI in 1998 and amended those rules in 2007 to, among other things, apply the rules to interconnected VoIP providers and require carriers to notify federal law enforcement (U.S. Secret Service and the FBI) and customers of security breaches involving CPNI. Currently, the rules define a "breach" as occurring when a person without authorization intentionally gains access to, uses or discloses CPNI. Carriers must notify law enforcement of a breach no later than seven business days after determining a breach occurred, and may notify customers/publicly disclose the breach after seven business days following notification to law enforcement. Under the current rules, a carrier may immediately notify customers/publicly disclose the breach only after it has consulted with relevant law enforcement and only if it believes there is an urgent need to notify customers to avoid irreparable harm.
Revisions to the Rules
Since 2007, data breaches of CPNI have increased in scale and frequency. Although the FCC adopted an order in 2016 to revise its breach notification rules, Congress acted to nullify those revisions under the Congressional Review Act in 2017. In the NPRM, the FCC seeks comment on proposed updates to its breach notification rules, including refining the definition of "breach," requiring carriers to notify the FCC in addition to law enforcement, adjusting the timeframe for customer notifications, updating breach reporting requirements for Telecommunications Relay Services (TRS) and addressing the impact of Congress' disapproval of the FCC's proposed 2016 revisions to the rules.
New Definition of "Breach"
The FCC proposed to expand the definition of "breach" to include inadvertent access, use or disclosure of customer information. Currently, a breach is defined as "when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI." The FCC recognizes that inadvertent exposure of customer information can result in the loss and misuse of sensitive information by scammers just as much as intentional exposure of information. Additionally, it may not always be immediately apparent to carriers whether a breach was intentional. The FCC asks whether it should retain the intent limitation in certain contexts (and, if so, which ones) and whether requiring reporting of accidental breaches will result in a significant increase in the number of reported breaches.
The Commission also asks whether it should remove the requirement to notify customers or law enforcement of a breach in certain instances where a carrier can reasonably determine that the breach is not likely to result in harm to customers. The current rule does not require harm to trigger a carrier's responsibility to report the breach, and the FCC seeks comment on the potential benefits and drawbacks of adopting a "harm-based" notification trigger. The FCC also seeks comment on how carriers and the FCC should determine the likelihood of harm, and what factors should be considered when evaluating whether harm is likely to occur. The FCC proposes that if a carrier cannot determine harm, the obligation to notify will remain.
Notifying the FCC and Law Enforcement
The FCC proposed requiring telecommunications carriers and VoIP providers to notify the FCC of breaches, in addition to the Secret Service and FBI. The FCC explains that breach notifications will provide FCC staff with important information about data breach vulnerabilities and will shed light on carriers' compliance with the rules. The FCC proposed creating a centralized portal for carriers to report breaches. The FCC also seeks comment on how it can minimize data breach reporting burdens for carriers. The Commission proposed applying the existing requirements for breach notifications to law enforcement to breaches reported to the FCC. Currently, breach notifications must include information relevant to the breach, such as carrier contact information, a description of the breach, the method of compromise, the date range of the incident, the approximate number of affected customers, an estimate of financial loss to the carriers and customers, the types of data breached and the addresses of affected customers.
The FCC proposed requiring that its notifications be made contemporaneously with reports to law enforcement, which now must be made no later than seven business days after a reasonable determination of a breach. The FCC seeks comment on this proposal and asks whether it should set a threshold for the number of customers affected to require a breach report. Under the current rule, all breaches must be reported, regardless of the number of customers affected.
Notifying Customers
The FCC proposed eliminating the mandatory seven-day waiting period before notifying customers and instead proposed requiring carriers to notify customers of CPNI breaches "without unreasonable delay" after discovering a breach (unless law enforcement requests a delay). The existing rule prohibits carriers from notifying customers or publicly disclosing the breach until at least seven business days after notifying law enforcement. When it adopted the current rule, the FCC believed that publicly disclosing a breach could impede law enforcement's ability to investigate the breach, but it now believes that approach does not reflect the urgent need to notify victims about breaches. The FCC seeks comment on the "without unreasonable delay" standard and asks whether it should provide guidance on what is considered "reasonable" or whether it should instead take a different approach and adopt a fixed number of days for notification.
TRS Breach Reporting
In 2013, the FCC adopted CPNI rules that apply to all forms of Telecommunications Relay Services (TRS), as well as to point-to-point video calls handled over the video relay services (VRS) network. In the NPRM, the FCC proposed to amend its rules for TRS services in the same manner as its proposed changes to the rules for telecommunications and interconnected VoIP services. In short, the FCC proposed to: (1) expand the definition of "breach" to include inadvertent disclosures of customer information; (2) require TRS providers to notify the FCC (in addition to the Secret Service and FBI) as soon as practicable after discovering a breach; and (3) eliminate the mandatory waiting period to notify customers, instead requiring that TRS providers notify customers of CPNI breaches without unreasonable delay (unless law enforcement requests a delay).
Impact of Congressional Disapproval of the FCC's Proposed Revisions in 2016
Finally, the FCC notes that it tried to revise the CPNI breach notification rules in 2016 as part of a larger proceeding addressing privacy requirements for broadband internet access service providers (ISPs). However, Congress quashed those revisions under the Congressional Review Act in 2017. In the NPRM, the FCC seeks comment on the effect and scope of Congress' disapproval of the rule revisions.