Divided FCC Mandates New Customer Data Breach Rules

On December 13, 2004, in Docket 22-21 a split FCC voted 3-2 to update and broaden its 16-year-old data breach notification rules to ensure “that providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) adequately safeguard sensitive customer information.” The Report and Order (Order) was opposed by the two Republican commissioners who claim the new rules violate the Congressional Review Act (CRA).

The agency takes this action under section 222 of the Telecommunications Act, which requires telecommunications carriers to protect the confidentiality of customer information that they receive or have access to by virtue of their provision of a telecommunications service. The initial data breach rules were adopted in 2007; sixteen years later, however, more customers are having their sensitive data stolen.

[I]n the decade and a half since the data breach rule was adopted, breaches of customer information have increased in scale and sophistication, extending far beyond the “pretexting” practices that originally motivated the Commission to act. Additionally,…both Congress and the states have since taken action to protect consumers from the dangers associated with breaches of personal information across sectors. (Draft Order at para. 13).

Therefore, the Order does the following:

  • Expands the scope of the Commission’s data breach notification rules to cover all personally identifiable information that carriers and TRS providers hold with respect to their customers.
  • Expands the definition of “breach” to include inadvertent access, use, or disclosure of customer information, except in those cases where such information is inadvertently acquired by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.
  • Requires carriers and TRS providers to notify the Commission of breaches, in addition to the current obligation to notify the United States Secret Service and Federal Bureau of Investigation, via the existing central reporting facility.
  • For breaches affecting 500 or more customers, or for which there is a risk of customer harm because of the breach, requires carriers and TRS providers to file individual, per-breach notifications as soon as practicable, but no later than seven business days after reasonable determination of a breach.
  • Requires carriers and TRS providers to file an annual summary of breaches affecting fewer than 500 customers for which the carrier or TRS provider can reasonably determine that no harm to customers is reasonably likely to occur.
  • Eliminates the requirement to notify customers of a breach in those instances where a carrier or TRS provider can reasonably determine that no harm to customers is reasonably likely to occur because of the breach.
  • Eliminates the mandatory waiting period for carriers and TRS providers to notify customers, and instead requires carriers and TRS providers to notify customers of breaches of covered data without unreasonable delay after notification to the Commission and law enforcement agencies, and in no case more than 30 days after reasonable determination of a breach, unless a delay is requested by law enforcement.

While the text of the Order will become effective thirty days after it appears in the Federal Register, the new breach rules will become effective only after a review by the Office of Management and Budget.

As noted above, the Order was opposed by the two Republican commissioners. Commissioner Brendan Carr noted that the President and Congress nullified the original data breach rules by passing a joint resolution of disapproval under the Congressional Review Act, which not only prohibits an agency from readopting the relevant rule but also prohibits the agency from enacting a substantially similar rule in the future without specific legislative authorization from Congress. Unfortunately, Carr asserts, that is exactly what the Commission has done here.

The FCC’s only real defense is one that reads the CRA out of the United States Code altogether. The Order notes that the 2016 FCC decision adopted several rules—all of which were nullified by the 2017 CRA. But in the Order’s view, the CRA does not prohibit the FCC from putting any one of those rules (or even some combination of them) back in place here provided that the FCC does not put all of those 2016 rules back in place in this one decision. This creates an exception that swallows the CRA whole. Indeed, if the FCC’s theory were correct, then agencies could insulate any one of their rules from the CRA (no matter how strongly the House, the Senate, and the President felt about the rule) simply by packaging that one rule together with other rules in a single document. (Dissenting Statement of Brendan Carr.)

Like most recent FCC orders, this is likely to face judicial appeal. Congress, not the Commission, is best equipped to handle this issue, because while it impacts primarily Title II carriers now, it would also impact broadband providers and the entire Internet if Net Neutrality once again becomes the law.