On December 21, 2023 the Federal Communications Commission (FCC) issued updates to its Data Breach Notification Rule, which applies to telecommunications carriers, as well as to voice over internet protocol (VoIP) and telecommunications relay service (TRS) providers. The updated Data Breach Notification Rule marks the most significant changes to the Rule since its adoption 16 years ago and modernizes the FCC requirements by bringing them more closely in line with other breach reporting obligations. The updated Rule will be in effect 30 days after its publication in the Federal Register (which has not yet occurred as of the date of this alert). The revised recordkeeping and reporting requirements are still subject to Office of Management and Budget approval before going into effect.
Key points
- Expanded categories of data: The updated Rule expands the categories of data that would trigger reporting obligations. FCC notification requirements had previously been confined to breaches involving Customer Proprietary Network Information (CPNI), which is defined by Section 222 of the Communications Act of 1934 as “quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service” as well as information contained in a customer’s bills. The new rule expands the requirement to all personally identifiable information (PII), meaning “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” This aligns the FCC requirements with data privacy and protection laws, which employ broader definitions of covered personal information than CPNI.
- Revised definition of “breach”: The new Rule broadens the definition of a covered breach to include “inadvertent disclosure” as opposed to the existing definition that only covers situations where “a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed” covered data (emphasis added). As a counterbalance, the new Rule creates a safe harbor by excluding the good-faith acquisition of PII by an employee or agent if the PII is not improperly used or disclosed further. Again, these changes seek consistency with prevailing breach notification requirements, which don’t generally distinguish between intentional and unintentional disclosures, and which often exempt good-faith access by employees.
- Elimination of waiting period for customer notification: The FCC’s updated rules abandon the 2007 Rule’s mandatory seven-day waiting period for notifying customers or disclosing a breach publicly.
- Harm trigger: The new Rule adopts a risk-of-harm trigger, which is absent from the existing Data Breach Notification Rule. Under this provision, a carrier does not need to notify customers if it can reasonably determine that no harm to customers is reasonably likely to occur.
- Safe harbor: The new Rule includes a safe harbor if the accessed data is encrypted and the carrier has definitive evidence that the encryption key was not stolen.
- Reporting to the FCC: The updated Data Breach Notification Rule introduces a new requirement for carriers to notify the FCC itself, with previous iterations only requiring notification to federal law enforcement agencies.
Next Steps
A bloc of senators has already warned the FCC that they may seek to invalidate the new Data Breach Notification Rule pursuant to the Congressional Review Act. In 2016, the FCC had issued a similar update to its Data Breach Notification Rule, and it was later invalidated by Congress under the Congressional Review Act. If the future is anything like the past, businesses may anticipate legal challenges to the new Rule.
The new Rule comes in the wake of Executive Order 14028 and an era of intensive regulatory activity around cybersecurity, especially for providers of critical infrastructure. Perhaps most notably, the Cybersecurity and Infrastructure Security Agency (CISA) will implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) over the coming years, imposing new breach notification obligations on critical infrastructure operators. Although the FCC expressly declined to harmonize the notification provisions of the new Rule with CIRCIA, noting that CISA’s Notice of Proposed Rulemaking implementing CIRCIA’s final notification requirements is not due until March 15, 2024, the FCC left open the possibility that changes to the new Rule may be needed once CIRCIA is fully implemented. Covered businesses should therefore continue to monitor and assess their breach reporting obligations, as this is a rapidly developing area of the law.
We will continue to monitor emerging cyber laws and regulations. To subscribe, visit our recent posts on ConnectOnTech.