On April 1, 2016, the Federal Communications Commission (“FCC”) released its Notice of Proposed Rulemaking (“NPRM”) concerning privacy regulation of internet broadband service providers (“ISPs”). The NPRM proposes, among other things, an expansive and vexing definition of “breach.” If not modified, the definition would require notices to customers, the FCC and the FBI of even trivial internal employee access to customer information.
The NPRM defines a “breach” as “any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed customer proprietary information.” In its discussion of this definition, the FCC notes that it is designed to capture even unintentional access to customer information. Unlike most state laws, the proposed “breach” definition also does not include any “employee acting in good faith” exception. An “employee acting in good faith” exception typically excludes from the definition of breach the good faith acquisition of personal information by an employee or agent of the business if the personal information is not used or subject to further unauthorized disclosure.
As proposed, the definition of “breach” would trigger ISP notification obligations if an unauthorized employee accidentally accessed even one customer’s email address that the employee was not permitted to view. This would be true even if the employee did nothing at all with the accessed information. Such an outcome would likely lead to numerous customer and FCC notifications even when no consumer harm has occurred. Repetitive notifications of non-harmful breaches could in fact harm consumers, leading them to treat all breach notifications as “junk” communications and thus to ignore or be complacent about a notification of a genuinely dangerous breach.
Fortunately, these are only proposed rules. The FCC has requested comments by May 27 on all issues raised by the proposals in the NPRM, including its definition of “breach.” The FCC has specifically asked whether it should adopt an “employee acting in good faith” exception. Thus, there is a window of opportunity for interested parties to offer badly needed guidance to the FCC so it can shape sensible rules to protect ISP customer personal information.