On December 21, 2023 the Federal Communications Commission (FCC) issued updates to its Data Breach Notification Rule, which applies to telecommunications carriers, as well as to voice over internet protocol (VoIP) and telecommunications relay service (TRS) providers. The updated Data Breach Notification Rule marks the most significant changes to the Rule since its adoption 16 years ago and modernizes the FCC requirements by bringing them more closely in line with other breach reporting obligations. The updated Rule will be in effect 30 days after its publication in the Federal Register (which has not yet occurred as of the date of this alert). The revised recordkeeping and reporting requirements are still subject to Office of Management and Budget approval before going into effect.

Key points

  • Expanded categories of data: The updated Rule expands the categories of data that would trigger reporting obligations. FCC notification requirements had previously been confined to breaches involving Customer Proprietary Network Information (CPNI), which is defined by Section 222 of the Communications Act of 1934 as “quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service” as well as information contained in a customer’s bills. The new rule expands the requirement to all personally identifiable information (PII), meaning “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” This aligns the FCC requirements with data privacy and protection laws, which employ broader definitions of covered personal information than CPNI.
  • Revised definition of “breach”: The new Rule broadens the definition of a covered breach to include “inadvertent disclosure” as opposed to the existing definition that only covers situations where “a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed” covered data (emphasis added). As a counterbalance, the new Rule creates a safe harbor by excluding the good-faith acquisition of PII by an employee or agent if the PII is not improperly used or disclosed further. Again, these changes seek consistency with prevailing breach notification requirements, which don’t generally distinguish between intentional and unintentional disclosures, and which often exempt good-faith access by employees.
  • Elimination of waiting period for customer notification: The FCC’s updated rules abandon the 2007 Rule’s mandatory seven-day waiting period for notifying customers or disclosing a breach publicly.
  • Harm trigger: The new Rule adopts a risk-of-harm trigger, which is absent from the existing Data Breach Notification Rule. Under this provision, a carrier does not need to notify customers if it can reasonably determine that no harm to customers is reasonably likely to occur.
  • Safe harbor: The new Rule includes a safe harbor if the accessed data is encrypted and the carrier has definitive evidence that the encryption key was not stolen.
  • Reporting to the FCC: The updated Data Breach Notification Rule introduces a new requirement for carriers to notify the FCC itself, with previous iterations only requiring notification to federal law enforcement agencies.

Next Steps

A bloc of senators has already warned the FCC that they may seek to invalidate the new Data Breach Notification Rule pursuant to the Congressional Review Act. In 2016, the FCC had issued a similar update to its Data Breach Notification Rule, and it was later invalidated by Congress under the Congressional Review Act. If the future is anything like the past, businesses may anticipate legal challenges to the new Rule.

The new Rule comes in the wake of Executive Order 14028 and an era of intensive regulatory activity around cybersecurity, especially for providers of critical infrastructure. Perhaps most notably, the Cybersecurity and Infrastructure Security Agency (CISA) will implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) over the coming years, imposing new breach notification obligations on critical infrastructure operators. Although the FCC expressly declined to harmonize the notification provisions of the new Rule with CIRCIA, noting that CISA’s Notice of Proposed Rulemaking implementing CIRCIA’s final notification requirements is not due until March 15, 2024, the FCC left open the possibility that changes to the new Rule may be needed once CIRCIA is fully implemented. Covered businesses should therefore continue to monitor and assess their breach reporting obligations, as this is a rapidly developing area of the law.

We will continue to monitor emerging cyber laws and regulations. To subscribe, visit our recent posts on ConnectOnTech.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group Steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Elizabeth Roper is a partner in Baker McKenzie's North America Litigation and Global Dispute Resolution Practice. She is based in the New York office. Prior to joining the firm, Liz served in the Manhattan District Attorney's Office as Bureau Chief of the Cybercrime and Identity Theft Bureau (CITB). In this role, Liz directed the investigation and prosecution of all types of cybercrime impacting Manhattan, including sophisticated cyber-enabled financial crime such as identity theft, payment card fraud, and money laundering; network intrusions, hacking, ransomware, and "middleman" attacks; intellectual property theft; "dark web" trafficking of contraband; and the theft and illicit use of cryptocurrencies.

Author

Cyrus Vance Jr. is a partner in Baker McKenzie's North America Litigation and Government Enforcement Practice as well as the Firm's Global Compliance and Investigations Practice. He is based in New York and serves as Global Chair of the Cybersecurity Practice.