The FCC Seeks to Update and Strengthen Rules Regarding Breach Notification
26 January 2023
The US Federal Communications Commission (“FCC”) has recently joined the emerging trend of imposing stricter rules and regulations when it comes to notification of breach incidents.
On January 12th, 2023, the FCC started a Proposed Rulemaking process to strengthen the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI).
According to the FCC’s Chairwoman, while there are currently rules in place that address these issues, these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers. She further stated that customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information.
The main changes in the proposed rules are:
- Reducing the timeframe requirement regarding notification of a breach. The current rules provide telecommunication providers with 7 days to provide a notice following a breach. The proposed timeframe would be “as soon as practical”. This seems to be in line with the recently enacted federal legislation, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was signed in March 2022. This is also aligned with other agencies that have sought to reduce the timelines for notification, such as the Federal Deposit Insurance Corporation (FDIC) and the SEC.
- Expanding the definition and types of incidents that require notification. The FCC proposes to expand the definition of “breach” to include inadvertent access, use, or disclosures of customer information. This can drastically expand the scope of events that would be captured under this new regime.
- On the other hand, the rulemaking process also asks for comments on whether the notification should:
  - take into account the option not to notify in cases where no harm is likely to be caused;
  - take into account the number of affected customers as a threshold for notification obligations.
- The notice will be made to the FCC, FBI and the Secret Service.
The new rules would apply to US telecommunication carriers and VoIP providers.
We are happy to provide additional information and assistance on this and other telecommunication matters.