On January 6, 2023, The FCC initiated a proceeding to strengthen its rules related to notifying customers and federal law enforcement agencies of breaches of customer proprietary network information (CPNI). Section 222 of the Communications Act of 1934, as amended, requires telecommunications carriers to protect the privacy and security of CPNI. The FCC first promulgated rules implementing Section 222 in 1998 adopting restrictions on the use and disclosure of CPNI and requiring that telecommunications carriers establish safeguards to prevent the unauthorized use or disclosure of CPNI. In 2007, the FCC amended its rules to require carriers to notify law enforcement and customers of security breaches involving CPNI. The 2007 amended rules defined a breach as an occurrence “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI”. The amended rules require a carrier to notify law enforcement of a breach of CPNI no later than seven business days after a reasonable determination of a breach by electronically notifying the United States Secret Service (Secret Service) and the FBI. The rules allow a carrier to notify the affected customers after an additional seven business days have passed but only if the Secret Service and the FBI have not requested that the carrier further delay customer notification. The rules do allow carriers to notify customer(s) immediately in certain cases but only after consultation with law enforcement agencies and only if the carrier believes that there is an urgent need to notify customers in order to avoid immediate and irreparable harm.
The January 6, 2023 Notice of Proposed Rulemaking (NPRM) seeks comment on many rule changes designed to strengthen its existing regulations related to CPNI. The NPRM includes the following proposed modifications to the CPNI rules:
* The NPRM proposes to change the definition of “breach” to include inadvertent access, use, or disclosures of CPNI. The FCC believes that accidental access, use and disclosure should also be reported.
* The NPRM introduces the issue of a “harm based trigger”. Comment is sought on not requiring notification to customers and law enforcement when a carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of a breach.
* The issue of notification to the FCC is addressed. The NPRM proposes that in addition to the Secret Service and the FBI, the FCC should also be notified of a breach of CPNI.
* In regard to the method of notification of a breach, it’s proposed that the FCC would create and operate a centralized reporting facility for the reporting of breaches to the Secret Service, FBI, and the FCC.
* The NPRM addresses and seeks comment on the required content of notifications related to a breach. Existing reporting requirements include carrier contact information, a description of the breach, the method and date range of the breach, the approximate number of customers effected and other relevant information. The FCC seeks comment on the sufficiency of the current content requirements.
* Comments are requested as to the appropriate time frames for the reporting of a breach. The current rules as detailed above require notification to occur within seven business days after a determination that a breach occurred. The concept of requiring notification to occur “as soon as practicable after discovery of a breach” is introduced and comment is requested on this approach. It’s also proposed that the FCC be notified at the same time as law enforcement as discussed above.
* The issue of a threshold trigger is introduced and comment is requested as to whether the requirement to report a breach be dependent on the number of customers affected. Current rules require the reporting of every breach regardless of the number of customers impacted.
* Regarding customer notification, the current rules are discussed above. In the NPRM, the FCC proposes that customers should be notified of a breach without unreasonable delay after discovery of a breach and notification to law enforcement unless law enforcement requests a delay. Comment is sought on this proposal. The NPRM also seeks comment on the required content and method of customer notifications.
* Regarding Telecommunications Relay Services, the NPRM proposes that the revised CPNI rules should apply equally to TRS and the existing TRS rules should be changed accordingly based on the outcome of this proceeding.
Comments in this proceeding are due on or before February 22, 2023. Reply comments are due on or before March 24, 2023.