Three Key Provisions in the FCC’s New Rule Proposal for Data Breach Reporting
Regulations & Legal Updates
A January Notice on Proposed Rulemaking published by the Federal Communications Commission aims to enhance and expand data breach reporting requirements for telecommunications carriers operating in the U.S.
The proposed rule specifically targets data breaches “implicating customer proprietary network information (CPNI), including breaches impacting Telecommunications Relay Service (TRS) providers,” according to an FCC explainer.
The FCC defines CPNI as any “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” CPNI also entails “information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier,” according to the FCC.
The Commission has also ruled that CPNI “includes (but is not limited to) information such as the phone numbers called by a consumer; the frequency, duration, and timing of such calls; the location of a mobile device when it is in active mode (i.e., able to signal its location to nearby network facilities); and any services purchased by the consumer, such as call waiting.”
This rule also intends to cover TRS providers, or operators that enable “persons with hearing or speech disabilities to place and receive telephone calls,” as defined by the FCC. The broader purpose of this rule proposal is to better align FCC regulations with “recent developments in federal and state data breach laws covering other sectors,” according to a January FCC press release.
In a prepared statement, FCC Chairwoman Jessica Rosenworcel said, “the law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements.”
Rosenworcel also said “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
Three key provisions specified by this rule are the expanded definition of breaches to include inadvertent disclosures, mandating that breach reports be sent concurrently to the FCC (in addition to existing FBI and Secret Service reporting requirements), and notifying customers of CPNI breaches “without unreasonable delay.”
In the first case, the FCC seeks to expand the definition of “breach” to include “inadvertent access, use, or disclosures of customer information,” according to the proposed rule. Under the FCC’s current definition, breaches are limited to incidents where “a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.”
Driving this reform is the FCC’s recognition that the “inadvertent exposure of customer information can result in the loss and misuse of sensitive information by scammers and phishers, and trigger a need to inform the affected individuals so that they can take appropriate steps to protect themselves and their information.”
The second key takeaway of this rule proposal is the Commission’s aim to obtain breach oversight powers similar to those wielded by the Department of Health and Human Services and the Federal Trade Commission when those agencies handle breaches under HIPAA and the Health Breach Notification Rule, respectively.
Thirdly, the FCC has proposed “eliminating the current seven business day mandatory waiting period for notifying customers of a breach,” in an effort to “increase the speed at which customers may receive the important information contained in a notice, except in those specific circumstances when law enforcement officials specifically request otherwise.”
If codified into law, this proposed rule change could require covered carriers to significantly reorganize their compliance functions and other operations. Firms may also need to invest in enhanced cybersecurity technologies and other protective measures to prevent breaches, rapidly detect them, and streamline their regulatory reporting processes.
Overall, the immediate impact of such a law will be increased compliance and cybersecurity spending, along with greater regulatory risk exposure for carriers. However, these enhanced breach-reporting rules could also produce cost savings for firms in the long run if improved security standards effectively reduce the number and severity of data breaches.
Resecurity welcomes the Commission’s progressive breach disclosure reforms. Excepting customer notifications that may conflict with more pressing law enforcement investigations, these rule changes will empower consumers with timelier information about breach incidents that threaten to expose their personal data to bad actors.
As a result, these reforms will give at-risk telecom subscribers a longer runway to safeguard their digital and financial assets from potential cyberattacks, account takeovers, and other forms of cyber-enabled fraud. Final ‘reply’ comments on the FCC’s rule proposal are due on March 24, 2023.