On January 6, 2022, the FCC released a Notice of Proposed Rulemaking (“NPRM”) seeking comment on proposals to modernize the FCC’s data breach rules with regard to CPNI.
The FCC’s current CPNI Breach Notification Rules (47 C.F.R. § 64.2011) require carriers to notify the FBI and Secret Service (collectively “law enforcement”) when a person, without authorization or exceeding authorization, intentionally gains access to, uses, or discloses customer proprietary network information (“CPNI”). Notification to law enforcement must be made within 7 days after reasonable determination of the breach, and it is filed through an FCC-maintained reporting link (http://www.fcc.gov/eb/cpni). Notifications to consumers cannot be made until at least 7 full business days have passed after notification has been made to law enforcement, provided law enforcement does not request additional time.
The NPRM proposes three main changes to the CPNI breach rules: (1) broadening the definition of “breach” to include inadvertent disclosures of CPNI; (2) requiring that carriers notify the FCC of a breach in addition to law enforcement; and (3) shortening the time between notifying law enforcement and consumers. Specifically, the NPRM seeks comment on the following proposed modifications:
- The Definition of “Breach”:
  - The current definition of “breach” applies only to unauthorized, intentional access, use, or disclosure of CPNI. The NPRM proposes to expand the FCC’s definition of “breach” to include inadvertent access, use, or disclosure of customer information.
  - The FCC tentatively concludes that an expanded definition is necessary because even accidental disclosures of CPNI can harm consumers, because it allows investigation into whether the information has fallen into the hands of malicious actors, and because it helps ensure future breaches can be avoided. The NPRM seeks comment on this proposal, the analysis, and the impact on reporting.
  - The NPRM also seeks comment on whether to adopt a harm-based notification trigger, under which providers would not be required to notify customers or law enforcement of a breach in those instances where a telecommunications carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. The NPRM seeks comment on this proposal, how to define key terms, what impact the trigger would have on customers or providers, and which notifications it should apply to.
- Notifying the Government of Data Breaches:
  - The NPRM proposes to require telecommunications carriers to notify the FCC, in addition to the existing requirement to notify the Secret Service and FBI, of breaches as soon as practicable. Notifications would be submitted through an FCC-maintained, centralized portal that would notify all three agencies, similar to the existing portal the FCC maintains. The notification content would remain the same. Providers would be required to notify the agencies as soon as practicable after discovery, as opposed to the current timeline, which requires notification no later than seven business days after reasonable determination of the breach.
  - The NPRM seeks comment on this proposal and on whether to adopt a reporting threshold trigger based on the number of customers affected by the breach.
- Notifying Customers of Data Breaches:
  - The NPRM proposes to require telecommunications carriers to notify customers of CPNI breaches without unreasonable delay after discovery of a breach and notification to law enforcement, unless law enforcement requests a delay.
  - Currently, carriers are not permitted to notify customers until at least 7 full business days have passed after notifying law enforcement, but the FCC finds this approach is out of step with current best practices and existing data breach notification laws. The NPRM seeks comment on this proposal, on whether to require providers to include minimum categories of information in the customer notification (including the date, the information at issue, contact information for the carrier and federal agencies, and information on mitigating risk as appropriate), and on whether to mandate the form of the notification to customers (e.g., physical mail, email, or telephone).
- TRS Breach Reporting: The NPRM proposes to amend the TRS rules to afford TRS users the same protections as those afforded to users of telecommunications and interconnected VoIP services.
- Other Considerations: The NPRM seeks comment on whether Section 222 of the Communications Act grants the FCC authority to adopt the proposed rules and whether it can extend them to interconnected VoIP providers; the impact of Congress’s 2017 nullification of the Commission’s 2016 revisions to the CPNI rules; and digital equity considerations.
Comments will be due 30 days after publication in the Federal Register.
Reply comments will be due 60 days after publication in the Federal Register.