FCC seeks to impose new carrier data breach notification rules

The U.S. Federal Communications Commission (FCC or Commission) released a Notice of Proposed Rulemaking (NPRM) seeking to update and strengthen its rules requiring telecommunications carriers and interconnected Voice over Internet Protocol (VoIP) providers to notify customers and federal law enforcement of breaches of customer proprietary network information (CPNI) in the carriers’ possession.

The Impact

This proceeding reinforces that the FCC under Chairwoman Jessica Rosenworcel is focused on regulating cybersecurity issues and considers its authority in this area to be expansive. While telecommunications carriers and VoIP providers are already subject to CPNI disclosure rules, the proposed rule would expand the types of incidents that carriers must report and add new notification requirements. These new requirements would add complexity to incident response, as the FCC requirements would be layered on top of other cyber incident reporting requirements under various federal and state frameworks. Interested parties in the telecom and technology sector should consider submitting comments on the FCC’s proposal.

Summary

The NPRM:

  • Proposes to expand the Commission’s “breach” definition to include inadvertent access, use, or disclosures of customer information;
  • Seeks comment on whether to adopt a harm-based trigger for breach notifications, allowing carriers to forgo notification where no harm to customers is reasonably likely to occur as a result of the breach;
  • Proposes to require carriers to notify the Commission, Secret Service, and FBI “as soon as practicable” after discovery of a breach and to notify all agencies contemporaneously;
  • Suggests creation of a customized portal for reporting breaches to the FCC and other federal law enforcement agencies;
  • Asks whether it would be appropriate to set a threshold for the number of customers affected to require a breach report to the FCC, Secret Service, and/or FBI;
  • Proposes to eliminate the mandatory waiting period before notifying customers and instead require carriers to notify customers of CPNI breaches without unreasonable delay after discovery of a breach (unless requested by law enforcement);
  • Seeks comment on whether to adopt minimum requirements for the content of customer breach notices and method of notification;
  • Proposes to make changes to its Telecommunications Relay Service (TRS) data breach reporting rule consistent with those proposed for the CPNI breach reporting rule;
  • Seeks comment on the effect and scope of the congressional disapproval of the FCC’s 2016 Report & Order on privacy requirements for broadband internet access service providers (ISPs). While the NPRM states that the FCC does not plan to reissue the same rules, the FCC is interested in the nexus between that event and its proposals in the NPRM; and
  • Asks how these proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility.

Conclusion

Hogan Lovells’ experienced team of Communications and Cybersecurity attorneys is tracking developments in this space and is happy to brief clients on this proposal, assist in preparing advocacy materials, and develop compliance strategies if new rules are adopted.

Contacts
Katy Milner
Partner
Washington, D.C.
Paul Otto
Partner
Washington, D.C.
W James Denvil
Partner
Washington, D.C.
Mark Brennan
Partner
Washington, D.C.
Ryan Thompson
Senior Associate
Washington, D.C.
