FCC Proposes Updated Data Breach Rules

The FCC has initiated a proceeding to strengthen the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (“CPNI”).[1]

Specifically, the Commission proposed to expand the definition of “breach” to include inadvertent disclosures of customer information, and seeks comment on adopting a harm-based trigger for breach notifications. The FCC also proposed to require carriers to notify the Commission, in addition to the Secret Service and FBI, as soon as practicable after discovery of a breach, and to eliminate the current mandatory seven-day waiting period and notify customers of CPNI breaches without unreasonable delay.

Comments were due on February 22, 2023, and several commenters, including NTCA, WISPA, and CCA, encouraged the Commission to forgo breach notifications to customers, the Commission, and law enforcement in instances where disclosures are inadvertent, or where carriers have made a reasonable determination that no financial harm to customers is reasonably likely to occur.[2] NTCA further urged the Commission to limit carriers’ obligation to provide reports of breaches to instances where the carrier reasonably believes at least 1,000 customers’ CPNI was accessed or disclosed, and to retain the current timeline for reporting breaches, whereas CCA supported the Commission’s proposal that carriers notify customers without unreasonable delay.[3]

Reply Comments are due by March 24, 2023. If you are interested in filing Reply Comments, would like to discuss this issue further, or need further guidance on data breach procedures, please contact Dee Herman at [email protected] or Shannon Forchheimer at [email protected].

[1] Data Breach Reporting Requirements, Notice of Proposed Rulemaking, WC Docket No. 22-21, FCC 22-102 (rel. Jan. 6, 2023).
[2] See NTCA – The Rural Broadband Association Comments, WC Docket No. 22-21 (Feb. 22, 2023); Competitive Carriers Association Comments, WC Docket No. 22-21 (Feb. 22, 2023); WISPA – Broadband Without Boundaries Comments, Docket No. 22-21 (Feb. 22, 2023).
[3] Id.