by Beth Burgin Waller and Patrick J. Austin
The updated data breach notification rules broaden the definition of what is considered a breach and expand the scope of who must be notified when a data breach occurs.
The Federal Communications Commission (FCC or Commission) voted to adopt new and expanded data breach notification requirements that apply to telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS). The updated rules now include personally identifiable information (PII), as opposed to just customer proprietary network information (CPNI). This means carriers must provide notice when a consumer’s PII is breached.
The new rules take effect approximately 30 days after publication in the Federal Register. Below is an overview of the new requirements.
New Scope of Information That Could Trigger Breach Notice Obligations
The new rules state that disclosure of, or access to, any information “that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information” is enough to trigger breach notification requirements.
In addition, the new rules state that a customer’s “name, address, and phone number” are now considered PII that could trigger a notification requirement.
New Harm-Based Notification Trigger
Out of concern that customers would be inundated by a wave of breach notifications, the FCC’s updated rules add a “harm-based notification trigger”: notice is not required where the carrier can “reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.”
Harm assessment factors identified by the Commission include:
- Sensitivity of the information breached
- Nature and duration of the breach
- Whether the information was encrypted
- Any breach mitigation activities
- Whether the breach was intentional
Other factors that can be used to define “harm” to customers in the context of a data breach include, but are not limited to, the following:
- Financial harm
- Physical harm
- Identity theft
- Theft of services
- Potential for blackmail or spam
- Disclosure of private facts
- Reputational or dignitary harm
- Mental pain and emotional distress
- Disclosure of contact information for victims of abuse
- Other similar types of danger
If a carrier cannot reasonably determine that harm is unlikely, it must still notify affected customers. The harm-based trigger is an exception the carrier has to be able to justify, not a default.
Broader Definition of “Breach”
Under the prior rules, a breach occurred “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed customer proprietary network information.” The new rules broaden the definition of what is considered a data breach to include “inadvertent access, use, or disclosure of customer information.”
The Commission added an exception for customer information that is inadvertently acquired by an employee or agent of a carrier or TRS provider and the information “is not used improperly or further disclosed.”
Nevertheless, moving from “intentionally gained access” to “inadvertent access” is a significant shift that is likely to increase the number of reportable breach events going forward, since misdirected emails, misconfigured access controls, and similar accidental exposures now fall within the definition.
It is also worth noting that the FCC expressly reserved the right to amend the definition of “breach” in the future.
7-Day Data Breach Notification Requirement
Carriers and TRS providers must now notify the FCC, the FBI, and the U.S. Secret Service within seven days when a data breach affects more than 500 customers, or when there is a risk of customer harm as a result of the breach.
The breach notice to federal agencies must include, at minimum, the following information:
- Carrier’s address and contact information
- Description of the breach incident
- Method of the compromise
- Date range of the incident
- Number of customers affected
- Estimate of financial loss to the carrier and customers, if any
- Types of data breached
Mandatory Waiting Period Removed
The FCC removed the mandatory waiting period that previously applied to customer notice after a data breach. Instead, carriers and TRS providers must notify customers without “unreasonable delay” after notifying the FCC, FBI, and U.S. Secret Service, and in any event no later than 30 days after a reasonable determination that a breach occurred, unless law enforcement requests a delay.
Limited Safe Harbor for Encrypted Data
Customers do not need to be notified of a data breach where it can be “reasonably determined that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier or provider has definitive evidence that the encryption key was not also accessed, used, or disclosed.”
This language resembles the safe harbor for encrypted data in the Federal Trade Commission’s amended Standards for Safeguarding Customer Information.[1] However, the FCC’s version is more restrictive: it requires the carrier or provider to have “definitive evidence” that the encryption key was not “accessed, used, or disclosed” before the safe harbor applies. In practice, a carrier will only be able to make that showing if keys are stored and managed separately from the data they protect and key access is logged in a way that can be reviewed after an incident.
Different Reporting Obligations for “Small” Data Breaches
Breaches that affect fewer than 500 customers, and breaches where the carrier or TRS provider can reasonably determine that no harm to customers is likely, may instead be reported in an annual breach summary due on February 1 of each year.
Possible Conflicts with the Congressional Review Act
The FCC’s 3-2 vote to adopt the updated data breach notification rules was not without controversy. Before voting, members of the Commission debated whether the new rules run afoul of the Congressional Review Act (CRA). For context, in 2017 Congress used the CRA to nullify earlier FCC privacy rules, and the CRA bars an agency from later adopting rules that are substantially similar to rules Congress has disapproved. Critics argued that the 2023 rules fall into that category.
Concerns also were raised before the vote that adopting the updated data breach notification rules would vastly exceed the Commission’s authority by regulating data that Congress did not direct the FCC to regulate.
Specifically, Congress directed the Commission to regulate CPNI, which the statute defines as “information derived from the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service.”
The new data breach notification rules would expand the range of the FCC’s regulatory reach to “personally identifiable information,” which goes well beyond just CPNI. Whether the Commission’s new rules will be subject to a legal challenge or Congressional review remains an open question.
List of Federal Data Breach Reporting Requirements Grows
Despite the criticisms levied at the FCC, the Commission approved the new data breach notification rules, which become effective 30 days after publication in the Federal Register, pending approval from the Office of Management and Budget.
The FCC’s revamped rules are another addition to the ever-expanding list of federal data breach reporting requirements. They follow the SEC’s new cybersecurity incident disclosure rule and the Federal Trade Commission’s amended Safeguards Rule, which requires non-banking financial institutions to report data security breaches.
Preparing for New Breach Reporting Obligations
Businesses need to be proactive and take steps to bolster their compliance posture:
- Conduct a gap analysis of your organization’s information security program and its compliance with the various cybersecurity and data breach notification rules that apply to it
- Encrypt customer information in transit and at rest (or use compensating controls where encryption is infeasible), and keep encryption keys separate from the data they protect, with logged and auditable key access, so that the encrypted-data safe harbor can actually be invoked
- Regularly test your organization’s security program via tabletop exercises, penetration testing, and vulnerability assessments, and confirm that incident response runbooks reflect the seven-day agency notice and 30-day customer notice deadlines
- Develop protocols for oversight of third-party service providers, including periodic assessments of service provider security practices
Beth Burgin Waller is a Principal and Patrick J. Austin is Of Counsel at Woods Rogers Vandeventer Black PLC.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).