The Federal Communications Commission has released a Notice of Proposed Rulemaking (NPRM) seeking to modernize the data breach reporting requirements for customer proprietary network information (CPNI), which apply to all telecommunications carriers and interconnected VoIP providers. The NPRM seeks comment on proposals to expand and enhance application of the reporting requirements to address increases in the frequency and severity of data breaches and the evolution of state data breach notification laws since the FCC’s notification requirements were first adopted in 2007.
The reporting requirements apply to breaches of CPNI; that is, specific subscriber data acquired by telecommunications and VoIP providers through their provision of voice service. Examples of CPNI include called phone numbers; the frequency, duration, and timing of calls; location information; cost and billing information; and service features.
The proposed changes include:
The NPRM also seeks comment on whether: (1) to include a harm-based trigger, which would eliminate notification to subscribers or law enforcement if a provider can reasonably determine that no harm to subscribers is reasonably likely to occur; (2) the breach notification to subscribers should require specific minimum categories of information, such as details on the breach, the CPNI and other personal information involved, and the steps taken to remedy the breach and protect the affected subscriber; and (3) to set a threshold on the number of affected subscribers that would require notification to the FCC and law enforcement.
Comments are due February 22, 2023, and Reply Comments are due March 24, 2023.
If you have questions about this NPRM, or privacy, data security or cybersecurity requirements in general, please contact an attorney in our Privacy, Data Protection, and Cybersecurity practice group.