On December 21, 2023, the FCC released the Report and Order (“R&O”) updating the Commission’s data breach notification rules aimed at ensuring that telecommunications carriers and interconnected VoIP providers, along with telecommunications relay service (“TRS”) providers adequately safeguard sensitive customer information. The R&O was adopted at the December Open Commission meeting.
In the adopted item, the FCC has clarified that the new rules require OMB approval and will not be effective until after OMB completes its review and the Wireline Competition Bureau releases a Public Notice announcing the effective date. Until such a Notice is released, the current, unmodified rules will remain in effect. The FCC concludes this will provide ample time for compliance and therefore rejects CCA’s request for a 12-month implementation timeline. (¶¶ 144-145).
The R&O adopts the following modifications to the data breach notification rules:
- Expanded Scope of Protected Consumer Information – The FCC expands the scope of consumer information that requires notification. Under the current rules, carriers are only required to notify consumers of a breach regarding Customer Proprietary Network Information (“CPNI”). In the R&O, the FCC requires notification of breaches that involve any unauthorized disclosure of Personally Identifiable Information (“PII”), defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” PII includes CPNI but also includes other sensitive personal information, such as social security numbers or financial records, that is reasonably likely to pose a risk of consumer harm if disclosed.
- Expanded Definition of Breach – The FCC expands the definition of “breach” to include inadvertent access, use, or disclosure of covered data. Specifically, “breach” is defined as “any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed covered data.” The FCC expects that the broadened definition will encourage telecommunications carriers to adopt stronger data security practices, and will help federal agencies identify and address systemic network vulnerabilities.
- Good Faith Exception – The FCC excludes from the definition of “breach” a good-faith acquisition of covered data by an employee or agent of a carrier where such information is not used improperly or further disclosed. Carriers are relieved of the requirement to notify consumers that their PII has been disclosed if the disclosure falls into this exception.
- Notification to the Commission and Other Federal Law Enforcement – The FCC expands the list of agencies that must be notified of breaches to include the Commission itself, in addition to the Secret Service and FBI (collectively the “Federal Agencies”). The FCC also adopts the following requirements:
  - Trigger: Carriers are required to notify the Federal Agencies of breaches that affect 500 or more customers, or for which the carrier cannot determine how many customers are affected. Carriers are also required to provide notification in instances where the carrier has conclusively determined that a breach affects fewer than 500 customers, unless the carrier can reasonably determine that no harm to customers is likely to occur as a result of the breach.
  - Contents: The content of the notice to the Federal Agencies remains the same.
  - Timing: As under the current rules, notice of a breach must be filed with the Federal Agencies as soon as practicable, but no later than seven business days after reasonable determination of a breach.
  - NEW Annual Report: For breaches that affected fewer than 500 customers, and where the carrier could reasonably determine that no harm to customers was likely to occur, the FCC adopts an annual reporting requirement, due February 1, for carriers to submit a consolidated summary of such breaches that occurred over the course of the previous calendar year.
  - Submission: The FCC will work with the other Federal Agencies to create one portal for submission to all three Federal Agencies.
- Customer Notification – The FCC adopts the following customer notification requirements:
  - Harm-Based Trigger – The FCC adopts a harm-based trigger for notification of breaches to customers. If a carrier has evidence of actual harm to customers, the harm-based analysis is conclusive and notification is required. In instances where there is no evidence of actual harm, telecommunications carriers should consider a set of factors to determine whether harm is likely to occur. The FCC defines “harm” as including, but not limited to: financial harm, physical harm, identity theft, theft of services, potential for blackmail or spam, the disclosure of private facts, reputational or dignitary harm, mental pain and emotional distress, the disclosure of contact information for victims of abuse, and other similar types of dangers. To determine whether harm occurred, carriers should consider the following factors, recognizing that no single factor on its own is sufficient to make a determination regarding harm to customers:
    - The sensitivity of the information (including in totality) that was breached
    - The nature and duration of the breach
    - Encryption
    - Mitigations
    - Intentionality
  - Notification Timeframe: Carriers are required to notify customers of covered data breaches without unreasonable delay after notification to the Federal Agencies. Law enforcement will be permitted to request an initial delay of up to 30 days in specific circumstances where one is warranted. Absent such a request for an extension, customer notification should occur no later than 30 days after reasonable determination of a breach.
  - Notification Content: The FCC declines to adopt specific categories of information to be included, but it does expect the notification to contain sufficient information to make a reasonable customer aware that a breach occurred on a certain date, or within a certain estimated timeframe, and that such a breach affected or may have affected that customer’s data. The FCC recommends, but does not require, that the following information be contained in the notice:
    - The estimated date of the breach
    - A description of the customer information that was used, disclosed, or accessed
    - Information on how customers, including customers with disabilities, can contact the carrier to inquire about the breach
    - Information about how to contact the Commission, FTC, and any state regulatory agencies relevant to the customer and the service
    - If the breach creates a risk of identity theft, information about national credit reporting agencies and the steps customers can take to guard against identity theft, including any credit monitoring, credit reporting, or credit freezes the carrier is offering to affected customers
    - What other steps customers should take to mitigate their risk based on the specific categories of information exposed in the breach
  - Method of Notification: The FCC does not specify the method of customer notification, and allows carriers to determine how best to notify customers of the data breach incident.
- Extends the Data Breach Rules to TRS Providers: The FCC applies the breach notification and reporting obligations outlined above to TRS providers.
- Effective Date: The Order shall be effective thirty (30) days after publication in the Federal Register, except for certain amendments that may require approval by the Office of Management and Budget. Such provisions will not be effective until completion of OMB review. The Wireline Competition Bureau is directed to publish a Notice in the Federal Register upon completion of OMB review announcing the effective date.