AVL Blog - Communications Law & Technology


FCC Considering New CPNI Data Breach Notification Rules

UPDATE: FCC Releases NPRM Proposing Changes To CPNI Data Breach Notification Rules

January 6, 2023 – The Federal Communications Commission (FCC or Commission) has released a Notice of Proposed Rulemaking (NPRM) which proposes revising the existing customer proprietary network information (CPNI) data breach notification rules. Comments are due 30 days after the NPRM is published in the Federal Register, and reply comments are due 60 days after publication.


January 12, 2022 – Federal Communications Commission (FCC) Chair Jessica Rosenworcel has circulated a Notice of Proposed Rulemaking (NPRM) that proposes changes to the FCC’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI).[1]

The NPRM was announced via an FCC News Release, but the text of the document has not been released. It has been circulated internally to the other FCC commissioners.

According to the News Release, the proposed rule revisions are intended to “better align the FCC’s rules with recent developments in federal and state data breach laws covering other sectors.” The NPRM proposes the following revisions to current FCC rules on telecommunications carriers’ CPNI breach notification requirements:

  • Eliminating the current seven business day mandatory waiting period for notifying customers of a breach;

  • Expanding customer protections by requiring notification of inadvertent breaches; and

  • Requiring carriers to notify the FCC of all reportable breaches in addition to the FBI and U.S. Secret Service.

In general, the FCC’s CPNI rules apply to telecommunications carriers, including interconnected VoIP providers and resellers of telecommunications services. The Communications Act and the FCC’s rules require these telecommunications carriers to ensure that CPNI is adequately protected from unauthorized disclosure. CPNI is defined as (1) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (2) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.[2]

The FCC’s Current CPNI Breach Notification Requirements

The FCC’s CPNI rules are located in 47 C.F.R. Part 64, Subpart U - Customer Proprietary Network Information. The FCC’s CPNI breach notification requirements are contained in Section 64.2011.

Section 64.2011(a) of the FCC’s rules requires a telecommunications carrier to notify law enforcement of a breach of its customers’ CPNI. Section 64.2011(e) of the FCC’s rules states that “a ‘breach’ has occurred when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.”

Section 64.2011(b) requires that as soon as practicable, and in no event later than seven business days, after reasonable determination of a breach, a telecommunications carrier shall electronically notify the United States Secret Service and the Federal Bureau of Investigation through a central reporting facility (maintained by the FCC).

Pursuant to Section 64.2011(b)(1) a telecommunications carrier must not notify customers or disclose the breach to the public until seven full business days have passed after notification to the Secret Service and FBI. After this waiting period has passed, and has not been extended, affected customers must be notified of the breach.

However, a telecommunications carrier may notify customers or disclose the breach publicly sooner if “the carrier believes that there is an extraordinarily urgent need to notify any class of affected customers.” But, the carrier must first explain this in its electronic notification and then consult with the relevant investigating agency before proceeding to immediately notify its affected customers. Further, the carrier shall cooperate with the relevant investigating agency’s request to minimize any adverse effects of such customer notification.

Pursuant to Section 64.2011(b)(3), the seven-day waiting period can be extended if the relevant investigating agency determines that public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security. The investigating agency may direct the carrier not to so disclose or notify for an initial period of up to 30 days, and this can be extended as reasonably necessary in the judgment of the agency. If the waiting period is extended, the investigating agency will notify the carrier when it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security. All of this correspondence must be in writing and filed in the electronic reporting site.

Possible Proposed Changes To CPNI Breach Notification Requirements

As mentioned, the NPRM reportedly proposes the following revisions to current FCC rules on telecommunications carriers’ CPNI breach notification requirements:

  • Eliminating the current seven business day mandatory waiting period for notifying customers of a breach;

  • Expanding customer protections by requiring notification of inadvertent breaches; and

  • Requiring carriers to notify the FCC of all reportable breaches in addition to the FBI and U.S. Secret Service.

Without seeing the text of the NPRM, there is no way to know exactly how the rules would be revised. However, there are a few potential ways the proposed changes could be made, for example:

Eliminating The Current Seven Business Day Mandatory Waiting Period For Notifying Customers Of A Breach: one potential way this could revise the FCC’s current rules is by eliminating Section 64.2011(b)(1) and (2) in their entirety. Section 64.2011(b) also would probably be revised to require a telecommunications carrier to electronically notify affected customers at the same time it notifies the Secret Service and FBI. The recordkeeping requirement in Section 64.2011(d) also would be updated.

Expanding Customer Protections By Requiring Notification Of Inadvertent Breaches: this would probably revise the definition of a breach in Section 64.2011(e) by adding something like this – a breach has occurred when a person, without authorization or exceeding authorization, has intentionally or inadvertently gained access to, used, or disclosed CPNI.

Requiring Carriers To Notify The FCC Of All Reportable Breaches In Addition To The FBI And U.S. Secret Service: this would probably work similarly to the first proposal. Section 64.2011(b) would probably be revised to require a telecommunications carrier to electronically notify the FCC at the same time it notifies affected customers, the Secret Service, and the FBI. Since the current rules already require a carrier to file a breach notification electronically using a site maintained by the FCC, one might ask whether the FCC is on notice right now anyway. Presumably, the FCC maintains the reporting site but does not monitor it.

**********


[1] Chairwoman Rosenworcel Circulates New Data Breach Reporting Requirements, Proposal is a Response to Recent Security Breaches in the Telecommunications Industry, FCC News Release (Jan. 14, 2022), https://docs.fcc.gov/public/attachments/DOC-379162A1.pdf.

[2] The term “customer proprietary network information” in the FCC’s rules has the same meaning given to such term in section 222(h)(1) of the Communications Act of 1934. 47 C.F.R. § 64.2003(g); 47 U.S.C. § 222(h)(1). In general, “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier.” 47 U.S.C. § 222(a).