FCC Proposes Bothersome Breach Definition in Privacy NPRM

BCLP
Contact

On April 1, 2016 the Federal Communications Commission (FCC) released its Notice of Proposed Rulemaking (NPRM) concerning privacy regulation of internet broadband service providers (“ISPs”). The NPRM proposes, among other things, an expansive and vexing definition of breach. If not modified, the definition would require notices to customers, the FCC and the FBI of even trivial internal employee access to customer information.

The NPRM defines a “breach” as “any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed customer proprietary information.” In its discussion of this definition, the FCC notes that it is designed to capture even unintentional access to customer information. The proposed “breach” definition also does not include any “employee acting in good faith” exception as most state laws do. An “employee acting in good faith” exception typically excludes from the definition of breach the good faith acquisition of personal information by an employee or agent of the business if the personal information is not used or subject to further unauthorized disclosure.

As proposed, the definition of “breach” would trigger ISP notification obligations if an unauthorized employee accidentally accessed even one customer’s email address that the employee was not permitted to view. This would be true even if the employee did nothing at all with the accessed information. Such an outcome would likely lead to numerous customer and FCC notifications even when no consumer harm has occurred. Repetitive notifications of non-harmful breaches could in fact harm consumers, leading them to treat all breach notifications as “junk” communications and thus to ignore or be complacent about a notification of a genuinely dangerous breach.

Fortunately, these are only proposed rules. The FCC has requested comments by May 27 on all issues raised by the proposals in the NPRM, including its definition of “breach.” The FCC has specifically asked whether it should adopt an “employee acting in good faith” exception. Thus, there is a window of opportunity for interested parties to offer badly needed guidance to the FCC so it can shape sensible rules to protect ISP customer personal information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising

Written by:

BCLP
Contact
more
less

BCLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide