On December 13, 2023, the FCC adopted revisions to its rules related to CPNI and related Data Breach Reporting Requirements. This issue was previously discussed on this site in the ICORE Blog issue dated February 3, 2023. In this latest Order, the Commission revises its rules related to the definition of a breach, notifying the Commission and other authorities of a breach, customer notification, and the application of the revised rules to Telecommunications Relay Service (TRS) providers. The following is a high-level summary of the Order:
* The Order expands the definition of a breach to cover not just CPNI but also other personally identifiable information (PII). PII is “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or can be linked to a specific individual”. CPNI is a subset of PII, and both constitute covered data. PII is further defined to include, for example, (1) first name or first initial, and last name, in combination with any government-issued identification numbers; (2) username or email address in combination with a password or security question; or (3) unique biometric, genetic, or medical data.
* The Order expands the definition of “breach” to include inadvertent access, use, or disclosure of covered data. Further, a breach is any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed covered data. Excluded from the definition of a breach are cases involving a good faith acquisition of covered data by an employee or agent of a carrier where the information is not used improperly or further disclosed.
* The revised rules require that the Commission be notified of a breach in addition to the current requirement to notify the Secret Service and the FBI. For breaches that affect 500 or more customers, or in cases where the number of affected customers cannot be determined, carriers are required to file individual, per-breach notifications as soon as practicable, but no later than seven business days after reasonable determination of a breach. These same requirements apply to cases where the carrier has determined that the breach affects fewer than 500 customers, unless the carrier can reasonably determine that no harm to customers is likely to occur. In cases where a carrier can reasonably determine that a breach affects fewer than 500 customers and is not likely to harm customers, an individual notification is not required; in these cases, carriers are instead required to file an annual summary of such breaches.
* Regarding customer notification of a breach, the Order eliminates the requirement that carriers notify customers of a breach in cases where a carrier can reasonably determine that no harm to customers is likely to occur. The Order also eliminates the current seven-day waiting period before notifying customers of a breach and instead requires carriers to notify customers of a breach of covered data without unreasonable delay after notification to federal authorities, and in no case more than 30 days following the determination that a breach has occurred, unless a delay is requested by law enforcement.
* The Order also adopts requirements equivalent to those above for TRS providers.
As mentioned above, the foregoing information represents a high-level summary of the December 13, 2023, Order. If any of our readers have specific questions or concerns regarding this issue, please contact Chris Ulmer at culmer@icorellc.com or at 610-928-3903.