FCC Updates Data Breach Notification Rules

Pillsbury Winthrop Shaw Pittman LLP

At its December meeting, the Federal Communications Commission approved a Report and Order modifying its data protection rules.

TAKEAWAYS

  • The order expands the scope of protected data to include personally identifiable information.
  • The order modifies the definition of “breach” to include inadvertent access, use or disclosure of customer information, except in specific circumstances.
  • The mandatory waiting period before notifying customers of data breaches has been eliminated.

The Federal Communications Commission (FCC) first adopted rules in 1998 restricting the use and disclosure of customer proprietary network information (CPNI), which refers to data collected by telecommunications carriers about their customers’ usage patterns, including call information, and service and billing details. The rules were updated in 2007 to, among other things, apply to interconnected VoIP providers and require that federal law enforcement (United States Secret Service and the FBI) and customers be notified of data breaches involving CPNI. In 2013, the rules were further amended to cover telecommunications relay service providers. The FCC revised the rules again in 2016 to require providers to notify customers, the FCC, FBI and Secret Service of data breaches unless the provider reasonably determined that no harm to customers was “reasonably likely to occur.” However, in 2017, Congress nullified the FCC’s 2016 Order by invoking the seldom-used Congressional Review Act (CRA), a tool Congress can use to overturn certain federal regulatory actions.

In December 2022, the FCC released a Notice of Proposed Rulemaking (2022 NPRM), as we discussed here, launching a proceeding to improve the process for notifying customers and federal law enforcement of breaches that may have exposed CPNI. In the 2022 NPRM, the FCC sought comments on proposed updates, including refining “breach,” requiring covered service providers to notify the FCC in addition to law enforcement of data breaches, adjusting the timeframe for customer notification, updating breach reporting requirements for telecommunications relay service (TRS) and addressing the impact of Congress’ CRA action. On December 21, 2023, the Commission released the Report and Order (2023 Order). The 2023 Order shall be effective 30 days after publication in the Federal Register, except for changes to the recordkeeping and reporting rules, which require approval by the Office of Management and Budget. The FCC Wireline Competition Bureau will publish a notice in the Federal Register announcing completion of such review and the relevant effective date.

Revisions to the Rules
In the 2023 Order, the Commission adopted several of the 2022 NPRM proposals, including: (1) expanding the scope of the breach notification rules to cover not just CPNI, but personally identifiable information (PII); (2) expanding the definition of “breach” to include inadvertent access, use or disclosure of customer information (except in limited circumstances) and implementing a “good-faith” exception; (3) requiring covered service providers to notify the FCC, in addition to the Secret Service and FBI, of a breach; (4) eliminating the requirement to notify customers of a breach if the covered service provider can reasonably determine that no harm is reasonably likely to occur as a result of the breach; (5) eliminating the mandatory waiting period before notifying customers of data breaches; and (6) adopting equivalent requirements for TRS providers.

New Definition of “Breach” to Cover PII
In the 2023 Order, the FCC explained that covered service providers possess proprietary customer information other than CPNI, and that any unauthorized disclosure of such information warrants customer notification. The Commission described PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” For purposes of the breach notification rules the FCC defined PII as: (1) first name or first initial, and last name, in combination with any government-issued ID number or information issued on a government document used to verify the identity of a specific individual, or other unique ID number used for authentication purposes; (2) user name or e-mail address, in combination with a password or security question and answer, or any other authentication method or information necessary to permit access to an account; or (3) unique biometric, genetic or medical data. Additionally, “dissociated data” is treated as PII if, once linked with any one (or a combination) of the discrete elements listed above, it could be used to commit identity theft or fraud against the person to whom the information pertains.

Inadvertent Access, Use or Disclosure of CPNI and “Good-Faith” Exception
The 2023 Order expands the definition of “breach” to include inadvertent access, use or disclosure of covered data. Recognizing that any exposure of customer data can risk harming consumers regardless of whether the exposure was intentional or not, the FCC defines “breach” as any instance in which a person, without authorization or exceeding authorization, has gained access to, used or disclosed covered data. Citing record-breaking numbers of data breaches in 2021, the FCC explained that notification of both intentional and unintentional breaches to the FCC and federal law enforcement will aid investigations, help prevent new breaches or further harm to consumers and encourage covered service providers to adopt stronger data security practices. The Commission noted that the revisions to the disclosure requirements “are consistent with most state and federal data breach notification regimes.”

Acknowledging concerns that expanding the “breach” definition could lead to “notice fatigue” for consumers, the FCC implemented a “good faith” exception, which applies to acquisition of customer data by an employee or agent of a covered service provider where that information was not used improperly or further disclosed. The FCC believes this exception will prevent confusion or alarming consumers in low-risk situations.

Notifying the FCC and Federal Law Enforcement
The 2023 Order adopts the requirement for covered service providers to notify the FCC of a data breach in addition to notifying the Secret Service and FBI. To ensure that the new requirement does not create a separate reporting obligation, the FCC’s Wireline Competition Bureau will coordinate with the Secret Service to adapt the existing breach reporting facility so that a single filing notifies the FCC and law enforcement simultaneously.

Threshold Trigger
The 2023 Order also adopts a threshold trigger for notifying federal agencies. Every breach must be reported in some form, regardless of the number of customers affected or whether there is a reasonable risk of harm to customers; the threshold governs only the timing and form of the report. For breaches affecting 500 or more customers (or where the number of affected customers cannot be determined), covered service providers must file “individual, per-breach notifications as soon as practicable,” but no later than seven business days after reasonable determination of a breach. The same per-breach filing is required for a breach affecting fewer than 500 customers unless the covered service provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach. Where a breach affects fewer than 500 customers and the provider reasonably determines it is not likely to harm them, no per-breach report is required; instead, such breaches are included in an annual summary filed via the central reporting facility. This threshold applies to federal agency notifications, not customer notifications. Covered service providers must still notify federal agencies within seven business days of any breach that poses a risk of customer harm, regardless of how many customers may be affected.

Annual Reporting
No later than February 1 of each year, covered service providers must submit via the central reporting facility a consolidated summary of breaches that occurred during the previous calendar year “which affected fewer than 500 customers, and where the Carrier could reasonably determine that no harm to customers was reasonably likely to occur as a result of the breach.”

Notification Contents
The FCC did not modify existing requirements regarding the content of data breach notifications, which must include, at a minimum, information relevant to the breach, including: “carrier address and contact information; a description of the breach incident; the method of compromise; the date range of the incident; the approximate number of customers affected; an estimate of financial loss to the carrier and customers, if any; and the types of data breached.” A further notification is required if the initial notification was materially incomplete or incorrect, or if the provider acquires additional information after submitting its initial breach notification report.

Notifying Customers
The 2023 Order adopted a “harm-based notification trigger,” meaning that notification is not required if the covered service provider reasonably determines that no harm to customers is reasonably likely to occur or where the breach solely involves encrypted data and there is definitive evidence that the encryption key was not also accessed, used or disclosed. The FCC explained that a harm-based notification trigger is “consistent with the majority of state laws,” but the Commission declined to adopt a harm-based trigger for breaches affecting 500 or more customers.

To assist covered service providers with evaluating harm to customers, the FCC identified the following set of factors to consider: financial harm, physical harm, identity theft, theft of services, potential for blackmail, the disclosure of private facts, the disclosure of contact information for victims of abuse and other similar types of dangers. Other factors to consider include: the sensitivity of the information disclosed, the nature and duration of the breach, mitigation (how quickly the breach was discovered and actions taken to mitigate the breach) and intentionality.

Eliminate Mandatory Waiting Period for Customer Notification
The 2023 Order requires covered service providers to notify customers of data breaches without unreasonable delay after notice to federal agencies and eliminates the mandatory seven-day waiting period. The FCC found that the waiting period is not compatible with current approaches regarding notifying victims about data breaches and noted that the “30-day maximum amount of time is consistent with many existing state laws.” The new rule requires customer notice no later than 30 days after reasonable determination of a breach. However, recognizing the importance of law enforcement’s ability to investigate a data breach, the FCC will allow law enforcement to request an initial delay of up to 30 days before customer notice in specific circumstances where one is warranted.
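The threshold trigger, annual summary, harm-based customer trigger and customer-notice deadlines above combine into a small decision table that an incident response team will want encoded in its runbook. The following is an added illustration, not code from the article or from the FCC: it models the agency and customer obligations as the article describes them, computing the seven-business-day deadline (weekends skipped; federal holidays are not modeled, an assumption), the February 1 annual-summary date, and the 30-day customer-notice deadline with an optional law-enforcement delay. The `Breach` fields, `triage` helper and the treatment of a law-enforcement delay as extending the 30-day deadline are assumptions made for the example; the harm-based exception for customer notice is applied irrespective of headcount here, so check the Order's text before relying on it for breaches of 500 or more customers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional, Tuple


class AgencyAction(Enum):
    # Individual, per-breach report to the FCC, Secret Service and FBI.
    PER_BREACH = "per-breach report within 7 business days"
    # Roll the breach into the consolidated annual summary instead.
    ANNUAL_SUMMARY = "include in annual summary due February 1"


@dataclass
class Breach:
    # Hypothetical incident record; field names are this example's own.
    determined_on: date            # date the provider reasonably determined a breach occurred
    affected: Optional[int]        # None means the number of customers cannot be determined
    harm_reasonably_likely: bool   # provider's harm determination (see the FCC's factor list)
    encrypted_only: bool = False   # breach involved only encrypted data
    key_unexposed: bool = False    # definitive evidence the key was not accessed, used or disclosed


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays from start. Assumption: weekends skipped, holidays not modeled."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            n -= 1
    return current


def agency_obligation(b: Breach) -> Tuple[AgencyAction, date]:
    """Federal-agency notification obligation and its deadline."""
    # 500 or more customers, an unknown count, or a risk of harm: per-breach report.
    if b.affected is None or b.affected >= 500 or b.harm_reasonably_likely:
        return AgencyAction.PER_BREACH, add_business_days(b.determined_on, 7)
    # Fewer than 500 customers and no harm reasonably likely: annual summary,
    # due February 1 of the year after the breach (determination date used as proxy).
    return AgencyAction.ANNUAL_SUMMARY, date(b.determined_on.year + 1, 2, 1)


def customer_deadline(b: Breach, law_enforcement_delay_days: int = 0) -> Optional[date]:
    """Customer-notice deadline, or None when notice is not required."""
    if not b.harm_reasonably_likely:
        return None
    if b.encrypted_only and b.key_unexposed:
        return None
    # Notice without unreasonable delay, no later than 30 days after determination.
    # Law enforcement may request an initial delay of up to 30 days; modeled here
    # (assumption) as extending the deadline by the requested delay, capped at 30.
    delay = min(max(law_enforcement_delay_days, 0), 30)
    return b.determined_on + timedelta(days=30 + delay)


def triage(b: Breach, law_enforcement_delay_days: int = 0) -> dict:
    """Summarize both obligations for an incident record."""
    action, agency_due = agency_obligation(b)
    return {
        "agency_action": action,
        "agency_deadline": agency_due,
        "customer_deadline": customer_deadline(b, law_enforcement_delay_days),
    }


if __name__ == "__main__":
    # Constructed sample incidents (not real cases); 2024-03-01 is a Friday.
    samples = {
        "large, harmful": Breach(date(2024, 3, 1), 1200, True),
        "count unknown, no harm found": Breach(date(2024, 3, 1), None, False),
        "small, no harm": Breach(date(2024, 3, 1), 40, False),
        "small, harmful": Breach(date(2024, 3, 1), 40, True),
        "large, encrypted, key safe": Breach(date(2024, 3, 1), 3000, True, True, True),
    }
    for label, breach in samples.items():
        print(f"{label:30s} -> {triage(breach)}")
</test>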

The 2023 Order does not specify how customers should be contacted or the content of customer notices but recommends the following information be included: “(1) the estimated date of the breach; (2) a description of the customer information that was used, disclosed, or accessed; (3) information on how customers, including customers with disabilities, can contact the carrier to inquire about the breach; (4) information about how to contact the Commission, FTC, and any state regulatory agencies relevant to the customer and the service; (5) if the breach creates a risk of identity theft, information about national credit reporting agencies and the steps customers can take to guard against identity theft, including any credit monitoring, credit reporting, or credit freezes the carrier is offering to affected customers; and (6) what other steps customers should take to mitigate their risk based on the specific categories of information exposed in the breach.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Winthrop Shaw Pittman LLP | Attorney Advertising
