Prompted by a rapid increase in frequency, sophistication, and scale of data leaks and data breach legislation in recent years, the Federal Communications Commission (FCC) unanimously voted to kick off a proceeding aimed at adopting new proposals to update data breach response obligations involving Customer Proprietary Network Information (CPNI). These proposals aim to ensure timely notification to affected customers, the FCC, and federal law enforcement agencies and require effective measures to mitigate and prevent harm.
CPNI is a subset of personal information with regard to telecommunications carriers’ customers and the FCC has maintained rules about safeguarding the confidentiality of CPNI data for many years. Examples of CPNI are rate plan, minutes used, type of services subscribed to, type of device, location information, call detail records, and other proprietary information about a customer’s telecommunications services accounts.
If adopted, the most notable change in the FCC’s approach would be the agency’s definition of “breach.” The FCC’s existing rules impose obligations “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI,” whether or not the CPNI is encrypted. The new proposal seeks to expand those obligations to accidental or unintentional disclosures of CPNI. The FCC also proposed again (after Congress nullified its similar revisions in a 2016 Report and Order that addressed primarily broadband provider data privacy measures) to establish a harm-based trigger for breach notifications. This standard – requiring notification except “where a telecommunications carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach” – resembles many existing state breach notification laws. The FCC believes that these two changes would strike a balance between “confront[ing] systemic network vulnerabilities” beyond intentional attacks by malicious actors and “allow[ing] carriers to better focus their resources on data security and ameliorating the harms caused by data breaches.”
In addition to notifying the Secret Service and FBI as soon as possible after the discovery of a breach under the FCC’s existing rules, these proposals also would require covered entities to notify FCC and affected customers at the same time. Through this mandatory data collection, the FCC expects to identify “security vulnerabilities,” “inadequate data security practices and employee training,” as well as “carriers’ ongoing compliance with [FCC] rules.” To ease the industry burden, the FCC proposes to create and maintain a centralized portal that shares a report automatically with the FCC and other federal law enforcement agencies.
The timing of notification to affected customers would also change – from a mandatory 7-business-day waiting period to “without unreasonable delay after . . . notification to law enforcement, unless law enforcement requests a delay.” The FCC believes that its current mandatory waiting period is out-of-step with other federal, state, and sector-specific legal requirements addressing the need to notify victims about breaches of their personal information. Elimination of the mandatory waiting period was viewed as providing customers with key information quickly, thus enabling customers to take prompt steps to reduce misuse of their personal information, and overall better serving the public interest.
These proposed rules would still have to go through a public comment period and a vote by the full Commission, and they could be subject to change prior to their adoption. To that end, the FCC invited public comments on many other aspects of potential changes to its existing CPNI breach rules. For example, it asks for the benefits and drawbacks of adopting minimum requirements for the content of customer breach notices, specifying a threshold trigger for notifications only if the breach affects a certain number of customers, and imposing different requirements for different types of entities that process CPNI (i.e., telecommunications carriers, interconnected Voice-over-Internet-Protocol service providers, and Telecommunications Relay Services providers).
This action signifies another step by the FCC toward addressing increased challenges with data privacy and security issues within its jurisdiction. Some readers may recall that the FCC in the past year probed a dozen mobile carriers on their data privacy practices and fined the four largest U.S. carriers for data collection practices involving their customers’ real-time location data. Although the FCC’s 2016 push to update and expand its data breach rules to include broadband internet access services did not take effect, recent developments – from breaches at multiple leading telecommunications carriers affecting millions of customers’ records to both federal- and state-level legislatures passing laws to protect consumer data – all demonstrate that the time is ripe for the FCC to re-examine its own data breach rules and update them as warranted.
As of the publication of this post, the comment deadlines are yet to be determined because the Federal Register has not published this Notice of Proposed Rulemaking. Once publication occurs, public comments will become due in 30 days and reply comments will be due in 60 days. We encourage interested parties to participate in this proceeding and help shape the revisions the FCC intends to make to its CPNI data breach rules.
