Proposed Changes to CPNI Breach Notification Requirements of Telecom Carriers Announced by FCC Chair
On Wednesday, January 12, the Federal Communications Commission (FCC) published a press release proposing changes to existing regulations concerning the notification responsibilities of telecommunications carriers following a breach of customer proprietary network information (CPNI). Chairwoman Jessica Rosenworcel has circulated a Notice of Proposed Rulemaking (NPRM) to her fellow Commissioners and will seek comments from the public once the NPRM is released.
Under current regulations, telecommunications providers must notify the FBI and U.S. Secret service “as soon as practicable,” but no later than 7 business days following a breach of CPNI. Further, providers must not alert affected customers of the breach until 7 business days after the FBI and Secret Service have been notified unless there is an “immediate risk of irreparable harm” to the customers. FCC discussion of the final rule states that “[t]he dictates of public safety and emergency response” justify the delay in notifying customers. Current rules stipulate that only intentional breaches must be disclosed pursuant to these regulations.
The FCC states on its official website that CPNI is “some of the most sensitive personal information that carriers and providers have about their customers.” CPNI includes any phone numbers dialed by the customer, as well as the frequency, timing, and duration of those calls. CPNI also includes any services purchased by the customer from the provider, like call waiting or voicemail. Essentially, anything that appears on the phone bill is CPNI.
Chairwoman Rosenworcel proposes the following changes:
- Eliminating the 7 business day waiting period for notifying affected customers of a breach;
- Requiring providers to notify law enforcement and customers even following inadvertent breaches — breaches that are not the result of intentional access by an unauthorized third party); and
- Requiring providers to notify the FCC of all reportable breaches in addition to the FBI and Secret Service.
According to the Chairwoman, these proposals will better protect consumers from the “increasing frequency and severity of security breaches.” She suggests that the current rules are outdated and fail to accommodate “the evolving nature of data breaches and the real-time threat they pose to affected consumers.” Additionally, promptly notifying law enforcement of all breaches will allow them to “mitigate and prevent harm due to the breach and take action to reduce the likelihood of further events.”
Once the NPRM is released to the public, the FCC will seek comments on whether the FCC should mandate “customer breach notices to include specific categories of information to help ensure they contain actionable information useful to the consumer.”
If your company is interested in submitting comments or otherwise keeping track of developments in this matter, you may reach out to Linda McReynolds at (703) 714-1318 or email@example.com. The comment period opens upon publication of the NPRM and lasts for 30 days unless the NPRM indicates otherwise.
Further, notwithstanding the proposed changes, telecommunications carriers and Voice over Internet Protocol (VoIP) providers are required to certify their compliance with existing CPNI rules each year. The FCC has not yet announced the 2022 deadline, but it has fallen on or around March 1 in previous years.
If your company would like assistance in reviewing your CPNI policies and procedures for compliance with existing law ahead of this deadline, you may also contact Linda McReynolds at (703) 714-1318 or firstname.lastname@example.org.