FCC’s Updated Breach Notification Rules – Key Changes and Implications for VoIP, TRS and Other Providers of Telecommunications Services
Yesterday, the Federal Communications Commission (FCC) voted to adopt updated breach notification rules for telecommunications carriers, interconnected Voice over Internet Protocol (VoIP) service providers (together, carriers), and telecommunications relay service (TRS) providers. This significant development, highlighted in the draft Report and Order, aims to address the evolving landscape of data breaches and to enhance the protection of sensitive customer information.
Background: The Need for Enhanced Protection
In the 16 years since the FCC initially adopted data breach notification rules, the frequency and severity of data breaches have drastically increased. Recognizing the need for improved safeguards, the adopted Report and Order (to be released in the coming days) seeks to modify the existing rules to ensure that carriers and TRS providers adequately protect customer data and equip customers with tools to protect themselves in case of a breach.
Key Changes:
- Expanded PII Scope:
All personally identifiable information (PII) held by carriers and TRS providers concerning their customers will be covered, including, according to Chairwoman Rosenworcel, social security numbers or financial data or other sensitive information.
The Order cites OMB Circular A-130, “Managing Information as a Strategic Resource,” in defining PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”
- Broadened Breach Definition:
The definition of “breach” will now include inadvertent access, use, or disclosure of customer information, except in certain scenarios of good-faith data acquisition by an employee or agent without further disclosure or improper use.
- Revised FCC Reporting Requirements:
- Carriers and TRS providers will be required to notify the FCC of breaches, in addition to existing obligations to notify the U.S. Secret Service and Federal Bureau of Investigation.
- Elimination of a reporting requirement in cases where a carrier or TRS provider reasonably determines that no harm to customers is reasonably likely to occur, or where the breach only involves encrypted data, and the carrier has definitive evidence that the encryption key was not compromised.
- Per-breach notification to the FCC for breaches affecting 500 or more customers, or where customer harm is reasonably likely, to be made as soon as practicable and no later than 7 days after the carrier’s reasonable determination that a breach has occurred.
- Annual summaries, instead of individual per-breach reports, for breaches affecting fewer than 500 customers where harm is not reasonably likely.
- Customer Notification:
- Elimination of the requirement to notify customers if no harm is likely to occur, thus reducing the burden on carriers.
- Notification to customers without unreasonable delay (within 30 days of the breach) and without a mandatory waiting period, following notification to the FCC and law enforcement. The old rules required a mandatory waiting period of 7 days.
- TRS-Specific Changes:
- Inclusion of call content in the definition of covered data for TRS providers.
Criticism
The new rules were adopted along party lines and drew harsh criticism from the Republican FCC Commissioners Carr and Simington, who issued dissenting statements citing concerns that the extension of the CPNI rules to an “expansive set of personally identifiable information” would exceed the Commission’s authority, especially in light of the “clear constraints that the House, the Senate, and the President imposed on the [FCC] through the 2017 Congressional Review Act” on a similar FCC rule in the past (the Commission’s 2016 broadband privacy rules, which Congress disapproved under the CRA).
Last week, the three major carriers and several industry groups opposed the draft rules, contending that the FCC lacks the authority to extend data breach regulations beyond usage data, call information, and other proprietary customer data. For example, USTelecom is concerned that the new rules would “require notification of breaches of information, such as names and addresses, that is readily and publicly available in various vast (and legitimate) databases of public information.”
What’s Next:
The final order is expected to be published in the coming days, marking a significant step towards modernizing data breach notification rules. As the industry evolves, compliance with these regulations is crucial to ensuring the privacy and security of customer information.
The new Report and Order is part of the FCC’s latest efforts toward bolstering data privacy and consumer protection, exemplified by the establishment of the Privacy and Data Protection Task Force, as we reported earlier.
We recommend staying informed about the developments and preparing your organization for the updated rules. For any specific inquiries or assistance in navigating these changes, feel free to contact us.
CONTACT US NOW if you have questions about data privacy obligations under federal laws and FCC rules
Jonathan S. Marashlian – Tel: 703-714-1313 / E-mail: jsm@CommLawGroup.com
Michael Donahue — Tel: 703-714-1319 / E-mail: mpd@CommLawGroup.com
Linda McReynolds – Tel: 703-714-1318 / E-mail: lgm@CommLawGroup.com
Diana Bikbaeva – Tel: 703-663-6757 / E-mail: dab@CommLawGroup.com