FCC Proposes Updated Data Breach Notification Requirements

The Federal Communications Commission has released a Notice of Proposed Rulemaking (NPRM) seeking to modernize the data breach reporting requirements for customer proprietary network information (CPNI), which apply to all telecommunications carriers and interconnected VoIP providers. The NPRM seeks comment on proposals to expand and enhance application of the reporting requirements to address increases in the frequency and severity of data breaches and the evolution of state data breach notification laws since the FCC’s notification requirements were first adopted in 2007.

The reporting requirements apply to breaches of CPNI; that is, specific subscriber data acquired by telecommunications and VoIP providers through their provision of voice service. Examples of CPNI include called phone numbers; the frequency, duration, and timing of calls; location information; cost and billing information; and service features.

The proposed changes include:

    • Expanding the definition of “breach” to include accidental or inadvertent access, use, or disclosure. The current rules define “breach” as intentional access, use, or disclosure of CPNI. Additionally, the NPRM seeks comment on whether the meaning of “breach” should be expanded to include situations where a provider or third party discovers conduct that could reasonably have led to exposure of CPNI, before confirming that an exposure has actually occurred.

    • Requiring breach notification to the FCC in addition to the FBI and U.S. Secret Service.

    • Changing the requirement to report breaches of CPNI to federal law enforcement (and the FCC) from within seven business days to “as soon as practicable” after discovery of the breach.

    • Requiring providers to notify subscribers of CPNI breaches without “unreasonable delay” after discovery of a breach and the initial notification to law enforcement, unless law enforcement requests a delay of up to thirty days because such notification would interfere with a criminal investigation or national security. The existing rule prohibits notification of subscribers or the public until at least seven business days after notification to law enforcement.

    • Extending any CPNI rule changes to the Telecommunications Relay Service breach reporting rules.

The NPRM also seeks comment on whether: (1) to include a harm-based trigger, which would eliminate notification to subscribers or law enforcement if a provider can reasonably determine that no harm to subscribers is reasonably likely to occur; (2) the breach notification to subscribers should require specific minimum categories of information, such as details of the breach, the CPNI and other personal information involved, and the steps taken to remedy the breach and protect the affected subscriber; and (3) to set a threshold on the number of subscribers affected before notification to the FCC and law enforcement is required.

Comments are due February 22, 2023, and Reply Comments are due March 24, 2023.

If you have questions about this NPRM, or privacy, data security or cybersecurity requirements in general, please contact an attorney in our Privacy, Data Protection, and Cybersecurity practice group.