In late December 2023, the Federal Communications Commission (“FCC”) published a Report and Order (“Order”) expanding the scope of the data breach notification rules (“Rules”) applicable to telecommunications carriers and interconnected VoIP (“iVoIP”) providers. The Order makes several notable changes to the prior rules, including broadening the definitions of a reportable “breach” and “covered data,” requiring covered entities to notify the FCC in addition to federal law enforcement of breaches, and modifying certain customer notification requirements. The Rules are expected to become effective sometime in 2024, after they are reviewed by the Office of Management and Budget and the FCC’s Wireline Competition Bureau (“Bureau”) announces the effective dates by subsequent public notice.
Changes to Definitions
The Order materially expands the definitions of “breach” and “covered data.” It defines “breach” to include any access to, use, or disclosure of “covered data” that is not authorized or that exceeds authorization. The Order states that this definition covers not only malicious activity, but also inadvertent unauthorized access to, use, or disclosure of covered data. However, this expansion is paired with an important limitation. A “breach” does not include good faith acquisition of covered data by an employee or agent of a carrier or service provider, as long as the information is not further disclosed or improperly used. This is consistent with most U.S. state data breach notification laws, which contain similar good faith exceptions.
The definition of “covered data” for purposes of a “breach” also is intentionally broad and includes various categories of personally identifiable information (“PII”) received from or about a customer, or in connection with the customer relationship. While the Rules previously covered only “Customer Proprietary Network Information” (“CPNI”), the Order states that the Rules now also apply to a broader set of PII, defined as “information that can be used to distinguish or trace an individual’s identity either alone or when combined with other information that is linked or reasonably linkable to a specific individual.”
The Order specifies that the following information qualifies as PII: (1) a first name or first initial, and last name, in combination with any government-issued identification number (or information issued on a government document used to verify the identity of an individual) or other unique identification number used for authentication purposes; (2) a username and email address in combination with a password or security answer, or any other authentication method for accessing an account; and (3) unique biometric, genetic, or medical data.
The Order provides examples of these PII elements, citing to state law definitions of personal information, including, but not limited to, social security numbers, driver’s license numbers, financial account numbers, student identification numbers, medical identification numbers, private authentication keys, certain data that would permit access to a financial account, fingerprints, DNA profiles, and medical records. The Order also states that dissociated data that could be linked with other data to reveal PII would be considered PII if the dissociated data and the means to link the dissociated data were accessed. Finally, the Order states that PII could include any one of the discrete data elements listed, or any combination thereof, if those data elements could be used to commit identity theft or fraud against an individual. The Order exempts from its definition of PII publicly available information lawfully made available to the general public from government records or widely distributed media. The Order states that its definition of covered data is intended to harmonize the Order with U.S. state data breach notification laws.
Broader Agency Notification Requirements
Previously, the Rules required notifying only the Federal Bureau of Investigation (“FBI”) and the U.S. Secret Service (“USSS”) of a breach. Under the Order, telecommunications carriers, iVoIP providers, and telecommunications relay service (“TRS”) providers will be required to also notify the FCC of a breach pursuant to specified affected-customer and risk-of-harm thresholds. First, regardless of potential harm arising from a breach, covered entities must file individual, per-breach notifications for any breaches affecting 500 or more customers (or an indeterminable number of customers). Notice must be provided within seven business days after reasonable determination of a breach. Second, for breaches affecting fewer than 500 customers, the timing of notification depends on the risk of harm. Notification must be provided within the same seven-business-day timeframe unless the covered entity can reasonably determine that no harm to customers is reasonably likely. If they do make that determination, covered entities only have to report breaches affecting fewer than 500 customers in an annual summary report delivered by February 1 of the following calendar year. To avoid duplication, covered entities can still submit breach reports at cpnireporting.gov, and the FCC will also link to the reporting portal at http://www.fcc.gov/eb/cpni or a successor URL established by the Bureau. The Rules also require maintaining and retaining for two years a record of any discovered breach and notifications made to agencies and customers.
The required content for agency notifications is virtually unchanged. However, the Order removes a field that previously asked covered entities whether there was an “extraordinarily urgent need” to notify affected customers before seven business days had passed, because that seven-day “waiting period” has now been eliminated. Covered entities must still, at a minimum, report their address and contact information, a description of the breach incident, the method of compromise, the date range of the incident, the approximate number of customers affected, an estimate of the financial loss to the carrier and customers, and the types of data breached. Given that TRS providers may have access to particularly sensitive customer information, such as call audio and transcripts, the Order further specifies that TRS providers must include a description of the customer information that was affected, including whether the content of conversations was compromised.
Changes to Customer Notification Requirements
For breach notifications to customers, the Order adopts a “harm-based trigger,” which creates a rebuttable presumption of harm that covered entities must overcome to avoid notifications. Essentially, covered entities do not need to notify customers if they can reasonably determine that the breach is unlikely to cause harm to customers or where the breach only involved encrypted data and the covered entities have “definitive evidence” that the encryption key was not also accessed, used, or disclosed.
The Order directs covered entities to consider the following factors when assessing the likelihood of harm to customers: (1) the sensitivity of the information breached; (2) the nature and duration of the breach; (3) whether the information was encrypted; (4) what mitigation measures the covered entity took; and (5) whether the breach was intentional. The Order identifies a range of harms that could require notification, including financial or physical harm, identity theft, theft of services, potential for blackmail or spam, and other similar types of dangers. In addition, the Order notes that where call content hosted by a TRS provider has been compromised, the provider cannot overcome the presumption of harm and must notify customers due to the particular sensitivity of such data.
The Order also amends customer notification timelines and provides guidance on the content of required customer notifications. Specifically, the Order requires covered entities to notify customers without unreasonable delay after notifying federal agencies and in no case later than thirty days after reasonable determination of a breach, eliminating the Rules’ previous seven-day waiting period before customers could be notified. While the Order is not prescriptive regarding the content of a customer notice or the method of delivery, notices must at a minimum convey when a breach occurred and that the breach may have affected the customer’s data. However, the Order does adopt as recommendations specific categories of information that may be included in a notice: (1) the estimated date of the breach; (2) a description of the customer information affected; (3) information about how customers can contact the carrier about the breach; (4) information about how to contact the FCC, Federal Trade Commission, and any relevant state regulatory agencies; (5) information about how to guard against identity theft if relevant; and (6) any other steps customers should take to mitigate risk from the breach. For TRS providers, the FCC recommends that the notice also include whether the breach compromised contents of conversations.
This Order follows recent activity from the FCC’s Privacy and Data Protection Task Force, including the announcement last month of a partnership between the FCC and state attorneys general on data privacy enforcement.