FCC Proposes New Rules for CPNI Data Breach Reporting
The Federal Communications Commission ("FCC" or "Commission") has released its long-awaited Notice of Proposed Rulemaking ("NPRM") proposing to revise data breach reporting requirements for telecommunications carriers and providers of interconnected voice over internet protocol ("VoIP") service involving unauthorized access to, use or disclosure of customer proprietary network information ("CPNI"). The FCC proposal would make substantial changes to the existing CPNI data breach notification requirements, including those to:
- Expand the definition of a covered "breach" to include inadvertent CPNI breaches;
- Require notification to the FCC, in addition to federal law enforcement;
- Require notification to the FCC and federal law enforcement "as soon as practicable," replacing the current requirement to notify within seven business days of discovery;
- Remove the existing seven-business-day waiting period for notifying customers or disclosing the breach following law enforcement notification; and
- Adopt minimum requirements for the contents of customer notifications.
The NPRM also seeks public input on several other key issues related to breach reporting, including: whether the proposed changes to the CPNI breach reporting rules also should be applied to the breach reporting rules for telecommunications relay services (TRSs) and video relay services (VRSs); whether the FCC has authority to promulgate breach reporting rules for other types of information held by telecommunications carriers and VoIP providers—including Social Security numbers and financial account information; and how the FCC might align its breach reporting rules to parallel state and federal reporting requirements, including the forthcoming cyber incident reporting requirements for critical infrastructure from the Cybersecurity and Infrastructure Security Agency (CISA) (we discuss the forthcoming CISA rules here).
The FCC published the NPRM on January 6, 2023, with comments due February 22, 2023, and reply comments due March 24, 2023.
Current FCC Breach Notification Rules
The FCC's current breach notification rules for CPNI were promulgated in 2007 to address the problem of "pretexting" (a form of social engineering) by bad actors seeking to gain access to CPNI held by telecom companies. The current rules require telecom carriers and VoIP providers to notify law enforcement of an intentional breach of CPNI no later than seven business days after reasonably determining that the breach occurred, by sending electronic notification through a central reporting facility to the U.S. Secret Service (USSS) and the Federal Bureau of Investigation (FBI). Telecom companies are not currently required to report inadvertent disclosures of CPNI, although ambiguity about what constitutes an inadvertent breach has persisted.
The current rules also require carriers and VoIP providers to notify affected customers. However, carriers and VoIP providers may not notify customers or otherwise disclose the breach publicly for at least seven business days following notification to the FBI and USSS, subject to certain exceptions.[1] Notice to the FCC is not currently required.
Proposed Changes
Definition of "Breach"
The FCC proposes to remove the word "intentionally" from the current definition of breach, thereby expanding the definition to cover inadvertent access, use, or disclosures of customer information. Currently, the breach definition only covers intentional breaches, specifically those occurring when "a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI" (emphasis added).[2] The FCC points to the ambiguity and underreporting that the intent requirement creates: the "intention" underlying a breach is often unclear at the start of an incident, so under the proposed definition any breach would have to be reported regardless of whether intent can be established. The FCC also recognizes that the inadvertent disclosure of customer information can potentially harm customers; for example, information accidentally exposed could be obtained by bad actors and used for phishing attacks. The FCC also believes that including accidental breaches in the rule should encourage carriers and VoIP providers to adopt stronger security safeguards and help the FCC identify and address systemic vulnerabilities and better protect customers.
The FCC seeks comment on the following topics related to the proposed inclusion of inadvertent breaches in the breach reporting rule:
- The impact of requiring reporting of "accidental" breaches on the number of reported breaches;
- The potential benefits and burdens associated with the proposed definition change, such as improving cybersecurity safeguards;
- Other policy factors the FCC should consider in determining whether to require disclosure for unintentional breaches; and
- The balance between the additional reporting cost burden on telecommunications carriers and VoIP providers and the benefit to customers of receiving notifications of a greater universe of data breaches.
Harm-Based Notification Trigger
The current rule requires telecommunication carriers and VoIP providers to report CPNI breaches regardless of whether any harm to customers has occurred or is likely to occur. The FCC is considering whether to implement a rule that would allow telecommunications carriers and VoIP providers to forgo notification when the carrier or VoIP provider reasonably determines that no customer harm has occurred or is likely to occur. This may be helpful in reducing "notice fatigue" if the breach definition is expanded to include all accidental breaches and the number of breach notifications significantly increases. Accordingly, the NPRM asks for input on the following:
- Whether a harm-based notification trigger should apply to notifications to customers and notifications to law enforcement;
- The potential benefits and drawbacks of the rule on telecommunications carriers, VoIP providers and customers;
- Whether the Commission should impose standardized factors to consider when determining if customer harm is "reasonably likely"; and
- Whether "harm" should be construed broadly to encompass not only financial harm but other non-financial harms such as reputational and physical harm.
The FCC also observes that telecommunications carriers and VoIP providers possess sensitive non-CPNI that should be protected from breach, such as Social Security Numbers and financial records. The Commission seeks comment on its authority to establish breach notification requirements for this non-CPNI information to the extent such information is obtained by an entity "in its activity as a common carrier."
Notification to the Commission and Federal Law Enforcement
The FCC proposes to require telecommunications carriers and VoIP providers to notify the FCC in addition to the USSS and FBI of all breach incidents "as soon as practicable after discovery of a breach." (Currently, notification is only required to federal law enforcement, not the FCC, but other federal sector-specific laws require notification to the relevant federal agency, such as notification to the Department of Health and Human Services under HIPAA.) The FCC posits that such a requirement would enable prompt investigation of data security vulnerabilities and of carriers' and VoIP providers' compliance with FCC rules, allowing the FCC to take preventative measures. To streamline notifications and federal coordination, the FCC proposes a centralized reporting portal.
On the topic of notification to the FCC, the Commission seeks comment on the following:
- Whether a data breach should impact a certain number of customers to require a breach report to the FCC, USSS, and FBI;
- How much of an incremental burden is associated with notifying the FCC in addition to the current notification requirement for the Secret Service and FBI;
- How to minimize data breach reporting burdens for telecommunications carriers and VoIP providers;
- What other (if any) government entities (such as the Federal Trade Commission) should receive breach notification reporting; and
- What alternative reporting mechanisms (such as the CISA Incident Reporting System) could be leveraged to minimize burdens on carriers and VoIP providers.
Notification to Customers
The FCC proposes requiring carriers and VoIP providers to notify customers of CPNI breaches "without unreasonable delay" after discovering a breach incident unless law enforcement requests a delay. This proposal would eliminate the current requirement that carriers and VoIP providers wait to notify customers or disclose the breach publicly for seven business days after reporting the incident to law enforcement. The FCC notes that the existing waiting period is "out of step" with the urgency needed to better serve public interest. Regarding this change, the FCC seeks comment on the following:
- Whether a "without unreasonable delay" requirement would allow carriers and VoIP providers enough time to determine the scope and impact of a breach;
- Whether the FCC should offer guidance around what timeframe constitutes "reasonable";
- What "minimum categories of information" should be included in required notices;
- Whether or not the same notification deadlines should apply to all carriers and VoIP providers (considering size and breadth of data security practice); and
- What form of notification should be used to notify customers and what information should be required in such notices.
Impact of the Congressional Disapproval of the FCC's 2016 Privacy Order
In 2017, Congress used the Congressional Review Act process to nullify the Commission's 2016 Privacy Order, which revised the CPNI rules to include privacy requirements for internet service providers (not just telecommunications companies and VoIP providers) and which covered personal information beyond CPNI. The Commission now seeks comment on the scope and effect of Congress's repeal of the 2016 Privacy Order and notes that it is "not seeking comment on 'reissu[ing] [CPNI rules]…in substantially the same form,' or on issuing 'a new rule that is substantially the same as,' the rule disapproved by Congress."
Digital Equity Considerations
The FCC invites comment on any equity-related considerations associated with the proposed rules and issues presented in the NPRM. Specifically, the FCC seeks comment on whether the proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility. Although the FCC has initiated broader inquiries into how to promote equal access to broadband, it has not historically focused on digital equity issues in prior CPNI decisions or rulemaking proceedings. Whether or how these issues will be integrated into any final rules coming out of this proceeding is unclear.
Conclusion
DWT will continue to monitor developments with the FCC's proposed data breach regulations, including the new NPRM and will publish further analysis as rulemaking continues. Businesses that may be subject to the new FCC rules should consider reviewing the NPRM and preparing comments in advance of the late February deadline.
* At the time of this blog's publication, Lauren was awaiting admission to the DC Bar. She was admitted in May 2023.
[1] A carrier may notify customers immediately, following consultation with the applicable law enforcement agency, if it believes there is "an extraordinarily urgent need to notify any class of affected customers sooner." 47 CFR § 64.2011(b)(1).
[2] While the FCC does not discuss the Computer Fraud and Abuse Act of 1986, 18 U.S.C. § 1030 et seq. (CFAA), the CFAA uses language remarkably similar to the current CPNI rules and subjects to criminal and civil liability anyone who "intentionally accesses a computer without authorization or exceeds authorized access" and thereby obtains information. As such, the CFAA prohibits traditional hacking done for a malicious purpose, for example breaking into a computer system by using an illegally obtained password to steal data or encrypt files. The CFAA also covers "insider threats": an employee who, for example, has access to a portion of a computer system but who accesses portions that they are not authorized to access (e.g., restricted systems containing business secrets). However, the proposed CPNI rules would require reporting to law enforcement of even inadvertent breaches, which fall outside the CFAA's intent requirement. While that may be best for allowing law enforcement to decide whom it will pursue criminally, the FCC should have considered the interplay of the CFAA and its own data breach rules.