At the end of 2023, the Federal Communications Commission (“FCC” or “the Commission”) adopted updates to its existing 16-year-old data breach notification rules (“prior rules”) designed to ensure that sensitive customer information is adequately protected by providers of telecommunications, interconnected Voice over Internet Protocol (“VoIP”), and telecommunications relay services (“TRS”) (such providers, collectively, “carriers”).[i] The FCC released the final order on December 21, 2023. The updates to the rules add to the increasing regulation of data protection and security by federal agencies.
The FCC’s prior rules, which were originally adopted in 1998 and updated in 2007, required carriers to notify law enforcement and customers of breaches involving Customer Proprietary Network Information (“CPNI”), which the FCC has interpreted to include “information such as the phone numbers called by a consumer, the frequency, duration, and timing of such calls; the location of a mobile device when it is in active mode (i.e., able to signal its location to nearby network facilities); and any services purchased by the consumer, such as call waiting.”[ii] Under the prior rules, a breach occurred “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.”[iii] Specifically, the prior rules were designed to stop the practice of “pretexting,” or pretending to be a customer or other authorized person in order to obtain access to that customer’s call detail or communications records.[iv] The FCC further updated the rules to include TRS providers in 2013 to protect TRS user information.[v]
These updated rules culminate a lengthy regulatory process in which the FCC adopted a Notice of Proposed Rulemaking (“NPRM”) in December 2022 to seek comment on updates to the rules.[vi]
Updates to the Rules
- Expanding the scope of protected consumer information
Previously, carriers were only required to provide notice of breaches of consumer data that qualified as “CPNI” under the FCC’s definition. The new rules, however, expand the scope of protected consumer information to include forms of personally identifiable information (“PII”), including all information that is traceable to an individual’s identity, either alone or combined with other information.[vii] As a result, carriers will be required to provide notice any time a consumer’s PII is breached. The FCC further defines the scope of PII to include: 1) first name or initial and last name, combined with any government-issued identification numbers or similar information used for authentication purposes; 2) user name or email address in combination with a password or security question/answer, or any authentication method for account access; or 3) unique biometric, genetic, or medical data.[viii] The scope also includes dissociated data that would constitute PII if the “means to link the dissociated data were accessed in connection with access to the dissociated data, and any one of the discrete data elements listed above or any combination of the discrete data elements listed above is PII if the data element or combination of data elements would enable a person to commit identity theft or fraud against the individual to whom the data element or elements pertain.”[ix] The updated rules, in line with state laws, adopt an exception for publicly available information lawfully available to the public through government records or widely-distributed media.[x]
- Expanding the definition of “breach”
The updated rules expand the Commission’s definition of “breach” to include the inadvertent access, use, or disclosure of protected data. While the Commission’s prior definition of breach targeted intentional access of CPNI by an unauthorized person, the updated definition of “breach” is “any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed covered data.”[xi] In response to industry concerns that the expansion could lead to “notice fatigue” for consumers, deplete industry and government resources, or increase reporting burdens, the rules set out exceptions for good-faith acquisitions of customer data by employees or agents of the carrier when the information is not improperly used.[xii]
- Notifying federal agencies of data breaches
Per the updated rules, telecommunications carriers must notify the FCC, the Secret Service, and the Federal Bureau of Investigation (“FBI”) of a breach via the central reporting facility.[xiii] This is a change from the prior rules, which only required notification to the Secret Service and FBI.[xiv] The law enforcement requirement is meant to enable the agencies to investigate the breach of sensitive customer information.[xv] Coordination of the reporting service between agencies will occur in conjunction with the Wireline Competition Bureau at the FCC, and reporting will occur through the existing central reporting facility to avoid additional notification burdens on impacted organizations.[xvi]
The timeline for providing notice to federal agencies has not changed, but the new rules did update the thresholds for when notification must occur. Specifically, breach notification must occur as soon as practicable, but not later than seven business days after reasonable determination of a breach.[xvii] The new rules also include a threshold for federal agency notifications. Breaches affecting 500 or more customers, or breaches impacting fewer than 500 customers that are reasonably likely to cause harm to the customer, require individual, per-breach notifications to the federal agencies.[xviii] For breaches affecting fewer than 500 customers that the carrier can reasonably determine are not likely to harm the customers, the carrier should instead report the breach in an annual summary of breaches filed in the central reporting facility in lieu of a per-breach notification.[xix] The annual consolidated summary for the previous calendar year must be submitted via the central reporting facility no later than February 1 each year.[xx] The final order instructs the Wireline Competition Bureau to take steps to reduce the burden on carriers of reporting these smaller breaches by developing requirements that streamline the information necessary in the report.[xxi]
The Commission chose not to significantly modify the requirements for notification content to federal agencies.[xxii] The notification shall include, at minimum, (1) the carrier’s address and contact information; (2) a description of the breach incident; (3) the method of compromise; (4) the date range of the incident; (5) the approximate number of customers affected; (6) an estimate of financial loss to the carrier and customers, if any; and (7) the types of data breached.[xxiii]
- Notifying the customer of data breaches
In response to concerns that customers will be bombarded with continuous data breach notifications, the updated rules implement a new “harm-based notification trigger” that eliminates the breach notification requirement in cases where the carrier can “reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.”[xxiv] To assess the likelihood of harm, the rules provide a non-exhaustive list of harm assessment factors, such as: sensitivity of the information breached, nature and duration of the breach, encryption of the information, breach mitigation activity, and intentionality of the breach.[xxv] Other factors used to define “harm” to customers include, but are not limited to, “financial harm, physical harm, identity theft, theft of services, potential for blackmail or spam, the disclosure of private facts, reputational or dignitary harm, mental pain and emotional distress, the disclosure of contact information for victims of abuse, and other similar types of danger.”[xxvi] If a carrier cannot reasonably determine that harm is unlikely to occur, it must still notify the customer of the breach.[xxvii]
The rules also eliminate the mandatory seven-day waiting period for customer notification and instead require prompt customer notifications, with an exception where delayed disclosure is requested by law enforcement to avoid impacts on pending investigations.[xxviii] Under the new rules, customers must now be notified “without unreasonable delay” after notification to federal agencies; this should not exceed 30 days beyond the date of reasonable determination of a breach unless law enforcement requests a delay.[xxix] There are no minimum categories of information required in the customer breach notification; rather, the rules provide recommendations for the types of information that carriers should include in the notice to consumers, such as the estimated date of the breach and descriptions of the information used, disclosed, or accessed.[xxx]
The final order includes an encryption safe harbor that eliminates the customer breach notification requirement when the breach solely involves encrypted data and the carrier can confirm that the encryption key was not also used, accessed, or disclosed.[xxxi] This exception acknowledges that the risk of harm to customers is greatly reduced when data is encrypted and the encryption key is not also compromised.[xxxii]
The new rules also apply to TRS providers. TRS providers will be subject to the same requirements as other carriers, including the expanded definition of “breach,” notification to the Commission, the Secret Service, and the FBI of breaches, and the harm-based trigger for customer notification.[xxxiii]
Pushback on the Rules
The rules were adopted in a 3-2 vote with the Democratic Commissioners in support and the Republican Commissioners opposed, with FCC Commissioner Brendan Carr arguing in his dissent that the rules create a “sweeping theory” that oversteps the boundaries of administrative rulemaking.[xxxiv] The new rules are already generating political pushback from outside the Commission, with parties raising a number of potential legal and policy issues related to the rules.
Chief among these is the effect of Congress’s 2017 repeal, pursuant to the Congressional Review Act (“CRA”), of a broader 2016 FCC order imposing privacy obligations on broadband providers, which included expanded breach notification requirements similar to the updated rules. Commissioners Carr and Nathan Simington each cited that CRA repeal in their dissents as precluding the FCC from adopting the new rules. The CRA requires agencies to report the adoption of new rules to Congress and allows Congress to override such rules by passing a joint resolution of disapproval, a special procedure that effectively overturns the agency rulemaking.[xxxv] If Congress uses this process to overturn a rule, the relevant agency is specifically prohibited from issuing a subsequent rule that is substantially the same as the one that was previously nullified.[xxxvi] Congress exercised this authority in 2017 to overturn the FCC’s 2016 Privacy Order, which enacted breach notification rules for telecommunications carriers and broadband internet access service providers and required breach notification to the Commission, the Secret Service, and the FBI, largely basing its disapproval on assertions that the rule would duplicate the Federal Trade Commission’s (“FTC”) privacy authority over broadband internet service providers.
Critics of the new rules argue that the CRA precludes the FCC from adopting the new data breach rules as a result of Congress’s earlier rejection of the FCC’s attempt to adopt rules that opponents say were substantially similar to the ones at issue here. Commissioner Simington, in his dissent, noted that the new rules represent a “major step” toward restoring the 2016 broadband privacy rules, which he contends were already based on “dubious legal theory.”[xxxvii]
The Commission anticipated this critique in its order adopting the new rules, asserting that the CRA “does not prohibit the Commission from revising its breach notification rules in ways that are similar to, or even the same as, some of the revisions that were adopted in the 2016 Privacy Order, unless the revisions adopted are the same, in substance, as the 2016 Privacy Order as a whole.”[xxxviii] The final order further argues that the requirements adopted are “materially less prescriptive” than the requirements adopted in 2016.[xxxix] Republican Senators, including Sen. Ted Cruz (R-TX), Sen. John Thune (R-SD), Sen. Mitch McConnell (R-KY), and Sen. Marsha Blackburn (R-TN), disagree with this interpretation. The lawmakers sent FCC Chairwoman Jessica Rosenworcel a letter urging withdrawal of the new data breach rules, positing that the rules violate the CRA by enacting, in a piecemeal manner, rules substantially similar to the 2016 breach notification rules that Congress nullified in 2017, and that the FCC cannot avoid its obligations under the CRA by reviving just a portion of the previously nullified rules that were “legally suspect” in 2016.[xl] Similarly, Commissioner Carr, in his dissent, contended that the FCC’s piecemeal approach to the rulemaking “creates an exception that swallows the CRA whole.”[xli]
Commissioners Carr and Simington, as well as other critics through comments and ex parte filings with the Commission, have also raised several other potential issues with the rule, including: the Commission’s limitation of authority per statute to only regulate CPNI, not PII; operational and compliance burdens generated by the new rules; and consistency of the rules with state data breach notification laws. These areas could open the Commission to further legal scrutiny regarding the adopted rules.
Despite the criticism, the data breach rules have been approved by the Commission, and companies should prepare to comply with their requirements. The report and order will be effective 30 days after publication in the Federal Register, pending approval from the Office of Management and Budget, which must approve all new or expanded agency information collections, such as the updated data breach reporting rules.[xlii]
Our Telecommunications, Media, and Technology group and cybersecurity team have significant experience in assisting companies in preparing for cyber incidents, running tabletop scenarios, developing risk matrices, and advising on cyber governance and risk management, as well as assisting with incident response and breach reporting. If you have any questions, please contact a member of the Akin TMT or cybersecurity, privacy, and data protection teams.
[i] FCC, FCC Adopts Updated Data Breach Notification Rules to Protect Consumers (Dec. 13, 2023), available at https://docs.fcc.gov/public/attachments/DOC-399090A1.pdf.
[ii] FCC, In the Matter of Data Breach Reporting Requirements: Notice of Proposed Rulemaking (Jan. 6, 2023), available at https://www.fcc.gov/document/fcc-proposes-updated-data-breach-reporting-requirements, at para. 2.
[iii] 47 CFR § 64.2011(e).
[iv] FCC, In the Matter of Data Breach Reporting Requirements: Notice of Proposed Rulemaking (Jan. 6, 2023), available at https://www.fcc.gov/document/fcc-proposes-updated-data-breach-reporting-requirements, at para. 8.
[v] FCC, Report and Order in the Matter of Data Breach Reporting Requirements, WC Docket No. 22-21 (Dec. 21, 2023), available at https://docs.fcc.gov/public/attachments/FCC-23-111A1.pdf, at 5, para. 9.
[vi] Id. at 7, para. 13.
[vii] Id. at 10, para. 17.
[viii] Id. at 10, para. 18.
[ix] Id. at 11, para. 18.
[x] Id. at 11, para. 19.
[xi] Id. at 12, para. 21.
[xii] Id. at 14-15, para. 24; at 16, para. 26.
[xiii] Id. at 18, para. 28.
[xiv] 47 CFR § 64.2011(b)(2).
[xv] FCC, Report and Order in the Matter of Data Breach Reporting Requirements, at 18, para. 28.
[xvi] Id. at 19, para. 29.
[xvii] Id. at 20, para. 31.
[xviii] Id. at 20, para. 31.
[xix] Id. at 20, para. 31.
[xx] Id. at 24, para. 39.
[xxi] Id. at 24, para. 39.
[xxii] Id. at 25, para. 42.
[xxiii] See § 64.2011(a)(1) of final rules; id. at 25, para. 42.
[xxiv] FCC, Report and Order in the Matter of Data Breach Reporting Requirements, at 30-31, para. 52.
[xxv] Id. at 34-35, para. 57.
[xxvi] Id. at 32-33, para. 55.
[xxvii] Id. at 32, para. 54.
[xxviii] Id. at 36, para. 59.
[xxix] Id. at 36, para. 59.
[xxx] Id. at 37, para. 62; id. at 38, para. 63.
[xxxi] Id. at 35, para. 58.
[xxxii] Id. at 35, para. 58.
[xxxiii] Id. at 39, para. 66.
[xxxiv] “Dissenting Statement of Commissioner Brendan Carr” (Dec. 13, 2023), available at https://docs.fcc.gov/public/attachments/DOC-399090A3.pdf.
[xxxv] Congressional Research Service, “The Congressional Review Act (CRA): A Brief Overview” (Feb. 27, 2023), available at https://crsreports.congress.gov/product/pdf/IF/IF10023.
[xxxvi] 5 U.S.C. § 801(b)(2).
[xxxvii] “Dissenting Statement of Commissioner Nathan Simington” (Dec. 13, 2023), available at https://docs.fcc.gov/public/attachments/DOC-399090A5.pdf.
[xxxviii] FCC, Report and Order in the Matter of Data Breach Reporting Requirements, at 67, para. 135.
[xxxix] Id. at 70, para. 142.
[xl] Letter to Chairwoman Rosenworcel (Dec. 12, 2023), available at https://www.law360.com/articles/1777194/attachments/0.
[xli] “Dissenting Statement of Commissioner Brendan Carr” (Dec. 13, 2023), available at https://docs.fcc.gov/public/attachments/DOC-399090A3.pdf.
[xlii] FCC, Report and Order in the Matter of Data Breach Reporting Requirements, at 72, para. 144.