FCC seeks to impose new carrier data breach notification rules

Hogan Lovells

The U.S. Federal Communications Commission (FCC or Commission) released a Notice of Proposed Rulemaking (NPRM) seeking to update and strengthen its rules requiring telecommunications carriers and interconnected Voice over Internet Protocol (VoIP) providers to notify customers and federal law enforcement of breaches of customer proprietary network information (CPNI) in the carriers’ possession.

The Impact

This proceeding reinforces that the FCC under Chairwoman Jessica Rosenworcel is focused on regulating cybersecurity issues and considers its authority in this area to be expansive. While telecommunications carriers and VoIP providers are already subject to CPNI disclosure rules, the proposed rule would expand the types of incidents that carriers must report and add new notification requirements. These new requirements would add complexity to incident response, as the FCC requirements would be layered on top of other cyber incident reporting requirements under various federal and state frameworks. Interested parties in the telecom and technology sector should consider submitting comments on the FCC’s proposal.

Summary

The NPRM:

  • Proposes to expand the Commission’s “breach” definition to include inadvertent access, use, or disclosure of customer information;
  • Seeks comment on whether to adopt a harm-based trigger for breach notifications, allowing carriers to forgo notification where no harm to customers is reasonably likely to occur as a result of the breach;
  • Proposes to require carriers to notify the Commission, Secret Service, and FBI “as soon as practicable” after discovery of a breach and to notify all agencies contemporaneously;
  • Suggests creation of a customized portal for reporting breaches to the FCC and other federal law enforcement agencies;
  • Asks whether it would be appropriate to set a threshold for the number of customers affected to require a breach report to the FCC, Secret Service, and/or FBI;
  • Proposes to eliminate the mandatory waiting period before notifying customers and instead require carriers to notify customers of CPNI breaches without unreasonable delay after discovery of a breach (unless requested by law enforcement);
  • Seeks comment on whether to adopt minimum requirements for the content of customer breach notices and method of notification;
  • Proposes to make changes to its Telecommunications Relay Service (TRS) data breach reporting rule consistent with those proposed for the CPNI breach reporting rule;
  • Seeks comment on the effect and scope of the congressional disapproval of the FCC’s 2016 Report & Order on privacy requirements for broadband internet access service providers (ISPs). While the NPRM states that the FCC does not plan to reissue the same rules, the FCC is interested in the nexus between that event and its proposals in the NPRM; and
  • Asks how these proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
