Key Point: The FCC revised its breach notification rules for telecommunication providers to broaden the instances when notifications are required, but even with limited exceptions to the new requirements, the final rule further complicates the existing maze of federal reporting requirements.
Legislative Background and Enforcement Authorization
Section 222 of the Communications Act of 1934 (“Communications Act” or “Act”)[1] as amended, requires telecommunications carriers to protect the confidentiality of customer information. More specifically, § 222(a) requires carriers to protect the confidentiality of proprietary information of their customers, which the Act refers to as Customer Proprietary Network Information (“CPNI”). 47 U.S.C. § 222(a).
The Communications Act defines CPNI as “(a) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (b) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.” 47 U.S.C. § 222(h)(1).
The Federal Communications Commission (“FCC” or “Commission”) adopted its original rules to implement section 222 and protect CPNI in 1998. The FCC updated its rules in 2007 to require carriers to notify law enforcement and customers of security breaches involving CPNI, where a breach was defined as a person, without authorization or exceeding authorization, intentionally gains access to, uses, or discloses CPNI. While the FCC revised these rules in 2016, Congress nullified those revisions in 2017 pursuant to the Congressional Review Act.
Changes to the FCC’s Breach Notification Requirements
The FCC published a notice of proposed rulemaking (NPRM) in December 2022. In a 3-2 vote on December 13, 2023, the Commission adopted many of the NPRM’s provisions, to include:
- Expanding the breach notification rules to cover personally identifiable information (“PII”), along with the pre-existing coverage of CPNI;
- Broadening the definition of a “breach” to include inadvertent access, use or disclosure of customer information (except in limited circumstances);
- Adding a requirement for regulated entities to notify the FCC of a breach within 7 business days after determining a data breach occurred;
- Maintaining the pre-existing requirements to notify the FBI and U.S. Secret Service;
- Removing the mandatory waiting period before notifying customers of data breaches;
- Requiring regulated entities to notify customers of data breaches without unreasonable delay, and no later than 30 days after a determination of a breach; and
- Allowing regulated entities to forego the customer notification requirement in cases where the regulated entity can prove it reasonably determined that no harm is reasonably likely to occur due to the breach.
Additionally, invoking its authority under §§ 222 and 225 of the Communications Act, the FCC applied similar requirements to Telecommunications Relay Service (TRS)[2] providers to ensure that TRS users receive privacy protections akin to those provided for telecommunications users.
Agency notification requirements, exceptions for “small breaches,” and customer notification
Historically, the FCC had distinguished between PII and CPNI. In the final rule, the FCC states that CPNI is a subset of PII, and that the FCC will apply the commonly understood meaning of PII – “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
Under the final rule, a regulated entity must notify the FCC, the FBI, and the Secret Service within seven business days after the entity has reasonably determined that a breach of PII (which would include CPNI) affecting 500 or more customers has occurred. However, for small breaches, the FCC chose to adopt a “harm-based notification trigger.” This means that for breaches affecting fewer than 500 customers, notification to the FCC, FBI and Secret Service is not required if the regulated entity reasonably determines that:
- no harm to customers is reasonably likely to occur, or
- where the breach solely involves encrypted data and there is definitive evidence that the encryption key was not also accessed, used, or disclosed.
To avoid any confusion, this harm-based trigger is not applicable to large breaches – if more than 500 customers are affected, the regulated entity must notify the FCC, FBI, and Secret Service regardless of the risk of harm to customers.
To assist covered service providers with evaluating harm to customers, the FCC lists the following factors to consider: financial harm, physical harm, identity theft, theft of services, potential for blackmail, the disclosure of private facts, the disclosure of contact information for victims of abuse and other similar types of dangers. Other factors to consider include: the sensitivity of the information disclosed, the nature and duration of the breach, mitigation (how quickly the breach was discovered, and actions taken to mitigate the breach) and intentionality. The FCC is not completely ignoring small breaches. For breach situations where fewer than 500 customers were affected, and where the regulated entity has reasonably determined that no harm to customers was reasonably likely to occur from the breach, the regulated entity must provide a
consolidated summary of breaches that occurred over the course of the previous calendar year to the FCC, FBI, and the Secret Service.
Irrespective of the need to notify government agencies of a breach, the final rules require telecommunications carriers and TRS to notify customers of breaches involving their PII or CPNI. Customer notifications must be made without unreasonable delay and no later than 30 days after a reasonable determination of a breach, unless the company reasonably determines that no harm to customers is reasonably likely, or where the breach solely involves encrypted data and the carrier has definitive evidence that the encryption key was not accessed, used, or disclosed.
The table below summarizes the various notification permutations for agencies and customers:
The final rules have negligible effect on interagency harmony for companies that must comply with disclosure requirements from multiple agencies or in multiple jurisdictions
In the NPRM, the FCC requested public comments as to whether telecommunications carriers should report, at a minimum, the information required under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Because the Cybersecurity and Infrastructure Security Agency has not published its own draft regulations under CIRCIA, the FCC declined to take further action based on pending CIRCIA requirements. Instead, the FCC will continue to monitor whether additional changes in the interest of harmonization might be required later.
The patchwork of state disclosure laws and regulations, combined with the multitude of federal reporting requirements for critical infrastructure operators already show that regulatory harmonization – a goal for the Office of the National Cybersecurity Director – is a necessity.
The Commission reaffirmed in their explanatory comments that the final rules are not intended “to supersede any statute, regulation, order, or interpretation in any state, except to the extent that such statute regulation, order, or interpretation is inconsistent with [its] provisions.” Hence, the Commission explicitly rejected requests to preempt all state CPNI obligations and concluded that states should also be allowed to create rules to protect CPNI [of the states’ residents] provided the states’ rules do not conflict with federal law, such as the breach notification laws enacted in every state. Based on the FCC’s position, telecommunication carriers and TRS providers must continue to evaluate the breach disclosure notification laws of every state where its affected customers reside.
In addition to the breach disclosure laws, the Commission acknowledged that many state and federal data breach frameworks have evolved since the FCC disclosure rules were last modified. Particularly, with California, Virginia, and Colorado enacting comprehensive consumer privacy laws. At the federal level, several agencies have adopted sector-specific breach notification laws, and the Securities and Exchange Commission (SEC) recently adopted rules that require publicly traded companies to disclose material cybersecurity incidents, regardless of the companies’ industry sector. Unfortunately, there are a several differences in the deadlines and exemptions between the FCC and SEC rules that a publicly traded company regulated by the FCC needs to follow.
As discussed in our prior analysis of the SEC’s rule, a publicly traded company must notify the SEC within 4 calendar days after determining that a cybersecurity incident is material. There is no quantitative threshold (e.g., 500+ customers) that goes into that determination. If a data breach has consequences for public safety or national security, a publicly traded company can only delay notifying the SEC if the U.S. Attorney General notifies the SEC that the incident poses a substantial risk to national security or public safety. There is a significant amount of daylight between the SEC’s criteria for delaying notification and the FCC’s final rule. Hence, a publicly traded telecommunication carrier could face a situation where a state law enforcement agency has directed the company to delay notifying customers, but the SEC still requires the company to notify investors of the cybersecurity incident.
[1] Encoded at 47 U.S.C. § 151 et seq.
[2] The Act defines Telecommunications Relay Services as “telephone transmission services that provide individuals who are deaf, hard of hearing, deaf-blind, or who has a speech disability,” with the ability to engage in communication by wire or radio with one or more individuals, in a manner that is functionally equivalent to the ability of a hearing individual who does not have a speech. 47 U.S.C. § 225(a)(3).
[View source.]
