FCC Begins Proceeding to Update Reporting of Customer Data Breeches

By: Andy Regitsky

It has been fifteen years since the FCC adopted a rule requiring telecommunications carriers and interconnected Voice over Internet Protocol (VoIP) providers to notify customers and federal law enforcement of breaches of customer proprietary network information (CPNI) in their possession. Since that time, it is indisputable that data breaches have increased in both frequency and severity in all industries across the nation.

CPNI is defined in the Telecommunications Act as (A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier. Provider rules for the handling of CPNI are contained in Section 222 of the Act.

Section 222(a) requires carriers to protect the confidentiality of proprietary information relating to their customers. Section 222(c)(1) provides that a carrier may only use, disclose, or permit access to CPNI that it has received by virtue of its provision of a telecommunications service: (1) as required by law; (2) with the customer’s approval; or (3) in its provision of the telecommunications service from which such information is derived, or services necessary to or used in the provision of such telecommunications service.

To attempt to control the increase in breeches of customer data, the FCC released a Notice of Proposed Rulemaking (Notice) on January 6, 2023, seeking to update the Section 222 rules. Industry comments are due 30 days after the Notice appears in the Federal Register. In the Notice, the agency seeks to ensure that affected customers, the Commission itself, and other federal law enforcement agencies receive the information they need in a timely manner so they can mitigate and prevent harm due to the breach and take action to deter future breaches.

The Commission begins by widening the definition of a “breech.” Currently a breech is “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.” This definition is limited, however, as it does not cover inadvertent breeches further it is sometimes difficult to tell if the breech was intentional. Therefore, the Commission proposes to expand the definition of “breach” to include inadvertent access, use, or disclosures of customer information.

Next, the FCC proposes to require telecommunications carriers to notify it of breaches, in addition to the Secret Service and FBI, as soon as practicable, and seeks comment on this proposal. The proposal is consistent with other federal sector-specific laws, which require prompt notification to the relevant subject-matter agency. It proposes to create and maintain a centralized portal for reporting breaches to the Commission and other federal law enforcement agencies. Moreover, telecommunication carriers would be required to report breeches to the Commission at the same time those breeches are reported to the secret service and the FBI.

The FCC proposes rules for notifying customers their data has been breached. First, it would require telecommunications carriers to notify customers of CPNI breaches without unreasonable delay after discovery of a breach and notification to law enforcement, unless such law enforcement requests a delay. It seeks comments on whether the same notification deadline should be applied to all carriers. Are there unique concerns or compliance barriers for small carriers that make prompt response unfeasible, such as resource availability or reliance on third-party cybersecurity services for breach detection?

The FCC seeks comments on whether it should require customer breach notifications to include specific minimum categories of information. Specifically, carriers would have to provide: (1) the date of the breach; (2) a description of the customer information that was used, disclosed, or accessed; (3) information on how customers, including customers with disabilities, can contact the carrier to inquire about the breach; (4) information about how to contact the Commission, FTC, and any state regulatory agencies relevant to the customer and the service; (5) if the breach creates a risk of identity theft, information about national credit reporting agencies and the steps customers can take to guard against identity theft, including any credit monitoring, credit reporting, or credit freezes the carrier is offering to affected customers; and (6) what other steps customers should take to mitigate their risk based on the specific categories of information exposed in the breach.

Finally, the Commission observes that that many state regulations specify the form that notifications to customers may take, whether by physical mail, email, or telephone. It seeks comments on whether it should adopt a similar requirement and, if so, on what form notifications to consumers should take. Is there a method or methods of notification that would make the most sense or be most beneficial to consumers?