The FCC has significantly expanded telecommunications carriers’ data breach notification and reporting obligations. Telecommunications carriers, including Voice over Internet Protocol (VoIP) services, and telecommunications relay service (TRS) providers, must now report breaches involving certain categories of personally identifiable information (PII), in addition to customer proprietary network information (CPNI). Providers must notify the FCC, in addition to the FBI and Secret Service, if a breach occurs and must perform a harm-based analysis to determine if customer notices are required.
The FCC expanded its data breach notification rules to cover certain categories of PII, which is defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
Covered PII includes: (1) first name or first initial, and last name, in combination with any government-issued identification or document that identifies a specific individual (such as social security or driver’s license number), or other identification number used for authentication (such as a bank account or medical ID number); (2) user name or email address, combined with a password or security question and answer, or any other authentication method that permits access to customers’ accounts; or (3) unique biometric, genetic, or medical data (such as fingerprint, voiceprint analysis, or retina scan). Moreover, dissociated data would also constitute PII if the means to link (for example, a key or passcode) any one of the foregoing data elements is accessed, or any combination of the foregoing data elements would enable a person to commit identify theft or fraud against the individual to whom the data applies. Covered PII excludes publicly available information.
The FCC also expanded the definition of “breach” to include inadvertent access, use, or disclosure of customer information. Providers will now be required to notify the FCC and federal law enforcement of intentional and unintentional breaches, unless customer information is acquired “in good faith by an employee or agent” of the carrier and the “information is not used improperly or further disclosed.”
Notification of Data Breaches to Federal Agencies
Providers must inform the FCC, FBI, and Secret Service of all breaches, regardless of the number of customers affected and/or whether there is a reasonable risk of harm to customers.
Per Breach Notice. A provider must file a per breach notice with the FCC as soon as practicable, but no later than 7 business days following reasonable determination, that a breach (a) affects 500 or more customers, or the provider cannot determine how many customers have been affected; or (b) affects fewer than 500 customers, but the provider cannot reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. The breach notice reporting facility, or a successor URL designated by the Wireline Competition Bureau, can be accessed via http://www.fcc.gov/eb/cpni.
-
- The content of the breach notice must include:
- Provider’s address and contact information
- Description of the breach
- The method of compromise
- Date range of the incident
- Approximate number of customers affected
- Estimate of financial loss to the provider and customers (if any)
- Types of data breached
Annual Notice. Providers must submit annually, by February 1, a summary of all breaches over the prior year that affected fewer than 500 customers, and where the provider could reasonably determine that no harm to customers was reasonably likely to occur as a result of the breach. The first annual report will be due February 1 after approval by the Office of Management and Budget of the annual reporting requirement, and will cover all breaches between the effective date of the requirement and the remainder of the calendar year.
Notification of Data Breaches to Customers
The FCC adopted a harm-based trigger for breach notifications to customers and established a rebuttable presumption of harm, requiring providers to notify customers of a breach in situations where the provider is unable to reasonably determine that harm is reasonably unlikely to occur. Harm is defined to include, but is not limited to: financial harm; physical harm; identity theft; theft of services; potential for extortion; disclosure of private facts; contact information of victims of abuse; and other similar types of dangers.
The FCC provided the following considerations for evaluating the likelihood of harm: sensitivity of the information breached; the nature and duration of the breach; how quickly the breach is discovered and if any potential harm was mitigated; and whether the individual or entity intentionally obtained access to covered data or the breach was accidental.
Notification must be made to customers “without reasonable delay” after notification to the FCC, FBI, and Secret Service. The FCC eliminated the previous mandatory waiting period for carriers to notify customers. Law enforcement can request an initial delay of customer notice of up to 30 days if special circumstances warrant. Otherwise, customer notification must be made no later than 30 days after reasonable determination of a covered breach. The FCC recommends that certain information be included in customer notices, including the estimated date of the breach; customer information used, disclosed, or accessed; how customers, including those with disabilities, can contact the provider about the breach; how customers can contact the FCC, FTC, and state regulatory agencies; information about credit reporting agencies and steps to ward against identify theft; and other mitigation steps.
Customer notifications are not required if a breach involves encrypted data and a provider has evidence that the encryption key was not compromised. If it appears the encryption was circumvented, the provider should conduct the harm-based analysis as if the data was never encrypted.
The Wireline Competition Bureau will announce the effective date of the expanded data breach requirements after approval by the Office of Management and Budget.
