Hello

Thank you for visiting my site

Contact me here

FCC Releases NPRM Proposing Changes To CPNI Data Breach Notification Rules

FCC Releases NPRM Proposing Changes To CPNI Data Breach Notification Rules

Tony Veach
CPNI, Cybersecurity, Data Breach

January 6, 2023 – The Federal Communications Commission (FCC or Commission) has released a Notice Of Proposed Rulemaking (NPRM) which recommends revising the existing customer proprietary network information (CPNI) data breach notification rules.[1] Comments are due on or before 30 days after the NPRM is published in the Federal Register. Reply comments are due 60 days after publication.

CPNI Background

The Communications Act and the FCC’s rules require telecommunications carriers to ensure that CPNI is adequately protected from unauthorized disclosure.[2] CPNI is defined as (1) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (2) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier. In past rulings, the FCC “has explained that CPNI includes (but is not limited to) information such as the phone numbers called by a consumer; the frequency, duration, and timing of such calls; the location of a mobile device when it is in active mode (i.e., able to signal its location to nearby network facilities); and any services purchased by the consumer, such as call waiting.”[3]

Among other things, under existing FCC CPNI rules, carriers are required to notify customers and federal law enforcement of certain breaches of CPNI in their possession.[4]

The NPRM – “Strengthening” The CPNI Breach Notification Requirements

As everyone knows, data breaches have become an everyday occurrence. The proposed rule changes in the NPRM are an attempt by the FCC “to update and strengthen” the FCC’s CPNI data breach rules “to provide greater protections to the public.” The NPRM proposes the following key revisions to the FCC’s CPNI breach notification rules:

  • Expansion of the definition of “breach” to include inadvertent disclosures of customer information and adoption of a harm-based trigger for breach notifications.

  • Requiring carriers to notify the FCC, in addition to the Secret Service and FBI, as soon as practicable after discovery of a CPNI breach.

  • Elimination of the mandatory waiting period before notifying customers, and instead requiring carriers to notify customers of CPNI breaches without unreasonable delay after discovery of a breach unless requested differently by law enforcement.

  • Revising the FCC TRS data breach reporting rule consistent with the revisions proposed for the CPNI breach reporting rule.

Defining “Breach” To Include Inadvertent Disclosures

The FCC proposes to expand the definition of “breach” to include inadvertent access, use, or disclosures of customer information.[5]

OLD RULE: 64.2011(e) – Definitions. As used in this section, a “breach” has occurred when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.

PROPOSED NEW RULE: 64.2011(e) – Definitions. As used in this section, a “breach” has occurred when a person, without authorization or exceeding authorization, has gained access to, used, or disclosed CPNI.[6]

There are a number of reasons for why the FCC wants a broader definition of breach: the inadvertent exposure of customer information can result in the loss and misuse of sensitive information, and trigger a need to inform the affected individuals; determining whether a breach was intentional may not always be immediately apparent, which may lead to legal ambiguity and under-reporting; requiring notification of accidental breaches can help the FCC and law enforcement prepare for an investigation if the breach turns out to be malicious; and requiring notification of accidental breaches will encourage carriers to adopt stronger data protection policies.[7] The FCC has requested comment on the following issues related to revising the definition of a breach:

  • Do commenters agree with the FCC’s analysis of why the breach definition should be revised? Are there other policy factors the FCC should consider in determining whether to require disclosure for unintentional breaches?

  • What are the benefits and burdens associated with this proposal?

  • How should state data breach laws, which overwhelmingly do not include an intent limitation, and other federal data breach laws influence the policy adopted by the FCC?

  • What is the impact of requiring reporting of accidental breaches on the number of reported breaches? Do commenters foresee a significant increase in the number of reported breaches? If so, how would our proposal affect reporting costs for telecommunications carriers and is that burden outweighed by the benefits to customers, who may need to take actions to protect their personal and financial information whether or not the breach was intentional? Would removing the intentionality limit potentially risk over-notification of data breaches to customers? What would the impacts of over-notification be? Would the potential benefits outweigh any potential harm?

  • Should the FCC retain the intent limitation in certain contexts? If so, what contexts and why?

  • Should the FCC’s rules include a provision exempting from the definition of breach a good-faith acquisition of covered data by an employee or agent of the company where such information is not used improperly or further disclosed?

Harm-Based Notification Trigger  (No Harm = No Notification)

While FCC proposes to include inadvertent disclosures of CPNI in the definition of a breach, it is considering “whether to forego requiring notification to customers or law enforcement of a breach in those instances where a telecommunications carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach.”[8] In other words, no harm = no notification of the breach.[9] Comment is requested on the following issues related to adopting a harm-based trigger for breach notifications:

  • What are the benefits and drawbacks of adopting a “harm-based” notification trigger? How would it impact consumers? Would it benefit consumers by avoiding confusion and “notice fatigue” with respect to breaches that are unlikely to cause harm?

  • Could a harm-based notification trigger save consumers the time, effort, and financial difficulty of changing their passwords, purchasing fraud alerts or credit monitoring, and freezing their credit in the wake of a breach that is not reasonably likely to result in harm? Alternatively, does a harm-based notification trigger risk that consumers would be unaware of important information regarding their CPNI?

  • How should state and other data breach laws influence the FCC’s analysis?

  • Would a harm-based trigger allow carriers to better focus their resources on data security and ameliorating the harms caused by data breaches? Or to the contrary, would a harm-based trigger require carriers to unnecessarily expend resources determining whether particular breaches are reasonably likely to cause harm instead of more efficiently providing notice?

  • How should telecommunications carriers and the FCC determine the likelihood of misuse or harm? Should the FCC identify a standard or set of factors that telecommunications carriers must consider to evaluate whether no harm to customers is reasonably likely? If so, what factors should carriers consider in making their evaluation? Do commenters agree that no single factor on its own (e.g., basic encryption) is sufficient to make a determination regarding harm to customers.

  • Should the FCC clarify the definition of “misuse” or “harm.” For example, should the FCC construe “harm” broadly to encompass not only financial, but also physical and emotional harm, including reputational damage, personal embarrassment, and loss of control over the exposure of intimate personal details? Should the FCC require telecommunications carriers to consider whether other information about the customers that may be available combined with CPNI could result in harm when determining whether notification is required? Should any harm-based trigger apply even where the data breached is encrypted? What are the potential enforcement and compliance implications associated with this approach? Should breaches without such “harm” be reported to the FCC even if not reported to customers?

  • Should any harm-based notification trigger should apply to both notifications to customers and notifications to law enforcement?

Potential Breach-Reporting Obligations For Proprietary Information Other Than CPNI (i.e., Social Security Numbers & Credit Card Info)

Telecommunications carriers often obtain and store other private information belonging to their customers, such as Social Security Numbers and financial records. In the NPRM, the FCC notes that it is considering a data breach reporting requirement for this type of information.[10] Accordingly, comment is sought on the following:

  • What is the FCC’s authority to establish breach-reporting obligations for proprietary information other than CPNI under Section 222, to the extent that this information is obtained by a telecommunications carrier in its activity as a common carrier?

  • What is the role of the FCC in protecting such information in light of the existing role of other agencies, including the FTC and Cybersecurity and Infrastructure Security Agency (CISA)?

  • If the FCC were to require telecommunications carriers to report breaches of proprietary information other than CPNI under Section 222(a), how broadly or narrowly should it define that category of information?

  • If the FCC were to extend its data breach rule to cover such information, how could it minimize duplicative reporting obligations from the FTC and CISA?

Notifying The FCC & Other Federal Law Enforcement Of Data Breaches

The FCC proposes to require telecommunications carriers to notify the Commission of breaches, in addition to the Secret Service and FBI, as soon as practicable.[11]

OLD RULE: 64.2011(b) – As soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach, the telecommunications carrier shall electronically notify the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) through a central reporting facility. The Commission will maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.

PROPOSED NEW RULE: 64.2011(b)(1) – As soon as practicable after reasonable determination of a breach, a telecommunications carrier shall electronically notify the Commission, the United States Secret Service (USSS), and the Federal Bureau of Investigation (FBI) through a central reporting facility maintained by the Commission and made available on its website.[12]

The FCC tentatively concludes that notification of breaches will provide Commission staff important information about data security vulnerabilities that Commission staff can help address and remediate. The FCC expects these notifications will “shed light on carriers’ ongoing compliance” with the FCC’s CPNI rules. The FCC is seeking comment on this proposed revision, its analysis and reasons for proposing the change, and the following questions:

  • What are the benefits and costs of requiring notification to the Commission in addition to notifying the Secret Service and the FBI?

  • How much of an incremental burden is associated with notifying the Commission of data breaches as compared to the existing data breach notification requirement for the Secret Service and FBI? Are there any other government entities to which the FCC should require data breach reporting, such as the FTC? What would be the benefits and burdens of doing so?

Method Of Notifying The FCC, Secret Service, & FBI Of CPNI Data Breaches – Centralized Online Portal

In order to “streamline the notification process and improve federal coordination,” the FCC proposes that it create and maintain a centralized portal for reporting breaches to the Commission and other federal law enforcement agencies.[13] Comment is requested on this proposal and the following related questions:

  • Will this streamline the notification process and improve federal coordination?

  • Are there alternative mechanisms for breach reporting to the Commission and other federal law enforcement that should be considered instead, such as leveraging the existing central reporting facility?

  • Are there existing notification resources that the FCC can leverage? For example, could the FCC leverage the CISA Incident Reporting System to minimize burdens on carriers?

Cyber Incident Reporting for Critical Infrastructure Act of 2022 – Minimizing Data Breach Reporting Burdens For Telecommunications Carriers

Comment is sought on how to minimize data breach reporting burdens for telecommunications carriers in light of the recently-passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). When fully-implemented, CIRCIA will require critical infrastructure covered entities, such as U.S. communications network providers, to notify the Cybersecurity and Infrastructure Security Agency (CISA) of cyber security incidents “except where covered entities ‘by law, regulation, or contract’ are already required to report ‘substantially similar information to another Federal agency within a substantially similar timeframe,’ in which case the other agency will report the incident to CISA.”[14] To the extent that a breach of CPNI is a result of a cyber incident, the FCC requests comment on whether there are any modifications to the FCC’s proposed rules that would minimize potential duplicate reporting of such breaches.

Contents Of CPNI Data Breach Notifications To The FCC, Secret Service, & FBI

The FCC proposes that the breach information that must be reported to federal law enforcement agencies under current rules also be required for CPNI breach notifications sent to the Commission.[15] Generally, the following information is required for those notifications:

  • carrier contact information;

  • a description of the breach incident;

  • the method of compromise;

  • the date range of the incident,

  • approximate number of customers affected;

  • an estimate of financial loss to the carriers and customers, if any;

  • types of data breached; and

  • the addresses of affected customers.

Comment is sought on the following questions related to requiring CPNI breach notifications sent to the Commission to have the same information that is required for notifications to federal law enforcement agencies under current rules:

  • Is the information currently submitted through the FBI/Secret Service reporting facility largely sufficient? Should this same information be reported under the proposed revised rule?

  • Are there any additional or alternative categories of information that should be included in these disclosures? For example, should the FCC require telecommunications carriers to report, at a minimum, the information required under CIRCIA with the aim of minimizing potentially duplicate reporting requirements?

  • Should the FCC curtail or streamline any of the existing content requirements? For example, should the FCC eliminate the requirement that carriers report the addresses of affected individuals to law enforcement and the Commission, to minimize the personal information reported to the Commission and law enforcement?

Timeframe For Notifying The Commission & Other Federal Law Enforcement Of A CPNI Data Breach

The FCC proposes requiring telecommunications carriers to notify the Commission of a reportable CPNI data breach contemporaneously with notification to other law enforcement agencies as soon as practicable after discovery of the breach.[16]

OLD RULE: 64.2011(b) – As soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach, the telecommunications carrier shall electronically notify the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) through a central reporting facility. The Commission will maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.

PROPOSED NEW RULE: 64.2011(b)(1) – As soon as practicable after reasonable determination of a breach, a telecommunications carrier shall electronically notify the Commission, the United States Secret Service (USSS), and the Federal Bureau of Investigation (FBI) through a central reporting facility maintained by the Commission and made available on its website.[17]

Comment is sought on the appropriate timeframe for notifying the Commission and other federal law enforcement of a breach, as well as the following questions:

  • Is “as soon as practicable after discovery of a breach” an appropriate timeframe for notifying law enforcement after reasonable determination of a CPNI breach? Or, should the FCC maintain the current “no later than seven business days” standard?

  • Is there an alternative timeframe that should be adopted for reporting CPNI breaches to the Commission and other federal law enforcement such as 24 hours or 72 hours? Should the FCC consider adopting a graduated timeframe?

Clarifying “Reasonably Determined” That A Breach Has Occurred

The FCC asks whether it should clarify when a carrier should be treated as having “reasonably determined” that a breach has occurred.[18] Comment is sought on this and the following questions: Should a carrier be held to have “reasonably determined” a breach has occurred when it has information indicating that it is more likely than not that there was a breach; Should the FCC publish guidance on what constitutes a reasonable determination; and Should the FCC adopt a more definite standard?

Threshold Trigger – How Many Customers Must Be Affected Before A Breach Is Reportable?

Under existing CPNI breach notification rules, telecommunications carriers must notify federal law enforcement of all reportable breaches, regardless of the number of customers affected. The FCC requests comment on whether it is appropriate to set a threshold for the number of customers affected to require a breach report to the Commission, Secret Service, and/or FBI.[19] Comment is sought on the following questions:

  • Should the FCC adopt a threshold for reporting to federal law enforcement? If so, should the threshold be the same for the Commission as for federal law enforcement? If not, how should the threshold differ?
    What would be an appropriate threshold for reporting? What reporting threshold would meet the needs of law enforcement and provide adequate safeguards? What are the benefits and drawbacks of setting a threshold, particularly for small carriers?

  • If a threshold trigger is adopted, should the FCC require carriers to maintain a record of smaller breaches that fall below the threshold and report such small breaches to the Commission in a report at the end of the year? What are the benefits and drawbacks to such an approach?

  • Rather than a numerical threshold, should the FC instead consider requiring carriers to report only intentional breaches to law enforcement, but to report all breaches, whether intentional or inadvertent, to the Commission?

Notifying Customers Of Data Breaches Without Unreasonable Delay (Unless Law Enforcement Says Otherwise)

The FCC proposes requiring telecommunications carriers to notify customers of CPNI breaches without unreasonable delay after discovery of a breach and notification to law enforcement, unless law enforcement requests a delay.[20]

OLD RULE: 64.2011(b)(1) – Notwithstanding any state law to the contrary, the carrier shall not notify customers or disclose the breach to the public until 7 full business days have passed after notification to the USSS and the FBI except as provided in paragraphs (b)(2) and (b)(3) of this section.

PROPOSED NEW RULE: 64.2011(c) – Customer Notification. A telecommunications carrier shall notify affected customers of covered breaches of CPNI without unreasonable delay after discovery of the breach after notification to the Commission and law enforcement as described in paragraph (b) of this section.

PROPOSED NEW RULE: 64.2011(b)(2) – If a law enforcement or national security agency notifies the carrier that public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security, such agency may direct the carrier not to so disclose or notify for an initial period of up to 30 days. Such period may be extended by the agency as reasonably necessary in the judgment of the agency. If such direction is given, the agency shall notify the carrier when it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security. The agency shall provide in writing its initial direction to the carrier, any subsequent extension, and any notification that notice will no longer impede or compromise a criminal investigation or national security.[21]

Contents Of CPNI Breach Notifications Sent To Affected Customers

The FCC seeks comment on whether it should require customer breach notifications to include specific minimum categories of information.[22] Existing FCC CPNI breach notification rules do not specify the contents of notifications to customers, only when and to whom breach notifications must be made. The FCC proposes requiring telecommunications carriers to include, at a minimum, the following information in security breach notices to customers:

  1. the date of the breach;

  2. a description of the customer information that was used, disclosed, or accessed;

  3. information on how customers, including customers with disabilities, can contact the carrier to inquire about the breach;

  4. information about how to contact the Commission, FTC, and any state regulatory agencies relevant to the customer and the service;

  5. if the breach creates a risk of identity theft, information about national credit reporting agencies and the steps customers can take to guard against identity theft, including any credit monitoring, credit reporting, or credit freezes the carrier is offering to affected customers; and

  6. what other steps customers should take to mitigate their risk based on the specific categories of information exposed in the breach.[23]

Method Of Notifying Customers Of A CPNI Breach – Mail, Email, Telephone Call?

The FCC requests comment on whether it should require a specific form of customer notifications, and what that form should be – mail, email, or by telephone.[24] The FCC asks for comments in response to the following: Is there a method or methods of notification that would make the most sense or be most beneficial to consumers; and What are the benefits and burdens of imposing such a requirement?

Proposed Revisions To TRS Breach Reporting

The FCC proposes to revise the CPNI rules applicable to all forms of Telecommunications Relay Services (TRS), as well as to point-to-point video calls handled over the video relay services (VRS) network in the same fashion as those proposed for telecommunications carriers.[25] In general, the FCC proposes: (1) to expand the Commission’s definition of “breach” to include inadvertent disclosures of customer information; (2) to require TRS providers to notify the Commission, in addition to the Secret Service and FBI, as soon as practicable after discovery of a breach; and (3) to eliminate the mandatory waiting period to notify customers, instead requiring TRS providers to notify customers of CPNI breaches without unreasonable delay after discovery of a breach unless law enforcement requests a delay.

The FCC also seeks comment on the following additional issues as they relate to TRS providers: (1) whether the FCC should adopt a harm-based trigger for breach notifications; (2) whether the FCC should adopt minimum requirements for the content of customer breach notices; and (3) whether the FCC’s rules should address breaches of sensitive personal information.

Impact Of The Congressional Disapproval Of The 2016 Privacy Order

The FCC is seeking public comment on the effect of the Congressional disapproval of the 2016 Privacy Order under the Congressional Review Act.[26] After the FCC reclassified broadband as a telecommunications service, it adopted comprehensive privacy rules that applied to telecommunications carriers. However, Congress nullified those rules using the Congressional Review Act. The FCC is not attempting to reissue those rules, but is requesting public comment “on the effect and scope of the Congressional disapproval of the 2016 Privacy Order for purposes of adopting rules that apply to telecommunications carriers.”[27]

**********

[1] Data Breach Reporting Requirements, WC Docket No. 22-21, Notice Of Proposed Rulemaking, FCC 22-102 (rel. Jan. 6, 2023) (NPRM), https://docs.fcc.gov/public/attachments/FCC-22-102A1.pdf. The NPRM was placed on circulation in January 2022. Chairwoman Rosenworcel Circulates New Data Breach Reporting Requirements, Proposal is a Response to Recent Security Breaches in the Telecommunications Industry, FCC News Release (Jan. 14, 2022), https://docs.fcc.gov/public/attachments/DOC-379162A1.pdf.

[2] See 47 U.S.C. § 222; 47 C.F.R. §§ 64.2001 – 64.2011. In general, “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier.” 47 U.S.C. § 222(a).

[3] See NPRM at footnote 9.

[4] 47 C.F.R. § 64.2011. CPNI rules also require carriers to: (1) obtain customers’ approval to use, disclose, or permit access to their CPNI for marketing or other purposes; (2) notify customers of their right to restrict the use of their CPNI; and (3) take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. 47 CFR §§ 64.2007, 64.2008, and 64.2010(a).

[5] NPRM at ¶ 12.

[6] NPRM at Appendix A, Proposed Rules.

[7] Id.

[8] NPRM at ¶ 15.

[9] This is not the case under the current rule. But the current rule requires the access, use, or disclosure to be intentional.

[10] NPRM at ¶ 22.

[11] NPRM at ¶ 23.

[12] NPRM at Appendix A, Proposed Rules.

[13] NPRM at ¶ 25.

[14] NPRM at ¶ 26.

[15] NPRM at ¶ 27.

[16] NPRM at ¶ 28.

[17] NPRM at Appendix A, Proposed Rules.

[18] NPRM at ¶ 28.

[19] NPRM at ¶ 29.

[20] NPRM at ¶ 31.

[21] NPRM at Appendix A, Proposed Rules.

[22] NPRM at ¶ 38.

[23] NPRM at ¶ 40.

[24] NPRM at ¶ 41.

[25] NPRM at ¶ 42.

[26] NPRM at ¶¶ 51-52.

[27] NPRM at ¶ 2.

Tony Veach
CPNI, Cybersecurity, Data Breach
, , , ,
Tony Veach

Tony Veach practices communications law in Kansas and Washington D.C. He holds an undergraduate degree from the University of Kansas, a law degree from St. Thomas University School of Law, and a Legal Masters in Law & Technology from Catholic University, Columbus School of Law. Prior to becoming an attorney, Tony served over six years as a communications specialist in the United States Army, operating advanced military voice and data communications systems, along with confidential encryption methods, both in the U.S. and overseas conflict zones. He began his career in the communications industry while in high school by working in the engineering department of a rural Kansas ILEC .

Website
Kansas Broadband News Update

Kansas Broadband News Update
News Update - December 2022

News Update - December 2022

Related Posts