Operator? I’d like to Report a Data Breach—The FCC’s Updated Data Breach Rule

Charles Glover
Sheppard Mullin Richter & Hampton LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Sheppard Mullin Richter & Hampton LLP

After waiting 16 years for a call, the FCC is finally back on the line. Last month the FCC updated their 16-year-old data breach notification rule. The updated rule makes drastic changes to the previous FCC notification requirements. However, many will already be familiar with the new requirements as they merge those found in state data breach notification laws in to the FCC context. Regulators may have felt wired to make these change in light of the new SEC rules, about which we have also previously written, that went into effect last month. Regardless of their motives, the FCC determined that the line had been ringing to for too long and it was time to pick up where they had left off 16 years ago.

As with the previous rule, the update applies to providers of telecommunications, interconnected Voice over IP, and telecommunications relay services. Updates to the rule include:

  • The elimination of the mandatory waiting period prior to notification.
  • Breaches must be reported to the commission and law enforcement within 7 days.
  • Breaches that impact less than 500 individuals and where there is no reasonable likelihood of harm to individuals may be reported annually.
  • Impacted individuals must be notified without unreasonable delay after notification to the commission and law enforcement, but no later than 30 days after the determination of a breach.
  • Individual notification is not required if there is no reasonable likelihood of harm or if the data was encrypted and the encryption key was not impacted.
  • Expanded definition of triggering information to include all personally identifiable information, including social security numbers and financial information.
  • Expanded definition of breach to include inadvertent access, use, or disclosure, but the definition includes a good faith exception similar to those found in various state data breach notification laws.

Putting it into Practice: Providers must not let this call go to voicemail. It is time stay dialed in, review the updated regulations carefully, and update policies and procedures to ensure compliance. This is one call you don’t want to miss.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Sheppard Mullin Richter & Hampton LLP
Contact
more
less

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide