On January 23, 2023, the Federal Communications Commission released a proposed rule that would change data breach laws. While the FCC has long regulated Consumer Proprietary Network Information (CPNI) at the direction of Congress in Section 222 of the Communications Act of 1996, the Commission now seeks to expand its role and increase pressure on telecommunication companies to protect consumer data. FCC Chairwoman Jessica Rosenworcel released a statement that enforced the importance of securing valuable personal data and strengthening the 27-year-old consumer data breach laws.
Here are the key takeaways:
- Expansion of the Commission’s definition of “breach” to include inadvertent disclosures of customer information.
- Seeking to adopt a harm-based trigger for breach notifications.
- Requiring carriers to notify the Commission, in addition to the Secret Service and FBI, as soon as practicable after discovery of a breach.
- Eliminating the mandatory waiting period before notifying customers.
The FCC is overreaching its power with this new proposed rule. Although the FCC is attempting to protect the consumer, there are questions on whether they have the authority to be so involved. Not only will the Commission be notified, they will also investigate and give guidance to telecom companies.
One key item in this proposed rule would expand the definition of a breach to include inadvertent disclosures. Currently, the definition of a breach is “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.” The Commission seeks to expand that definition to any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed CPNI.
The expansion of the definition is in response to industry actions. Since its initial ruling on consumer proprietary network information breach, not all breaches of consumer data have been a result of criminal intent. Lax or inadequate data security practices within organizations have resulted in breaches of consumer data. Therefore, expanding the definition to inadvertent exposures allows the Commission to address vulnerabilities and remediate them.
Additionally, the purpose of expanding the definition is to allow the Commission to take appropriate action. By expanding the definition of a breach to include advertent or unintentional breaches, the Commission can now oversee industry practices and shortcomings. The FCC would, first, investigate how the breach occurred and advise carriers on how to best prevent further exposure of consumer data. Second, the Commission would investigate further if malicious intent or actors were involved in the breach.
Harm-Based Trigger Notifications
The FCC also seeks comment on a proposed harm-based notification trigger that would no longer automatically notify consumers of a data breach if telecommunication companies could reasonably determine no harm to consumers would occur. The Commission has proposed a broad definition of harm. The goal is to save consumers from “notice fatigue”. The Commission recognized that it is distressing to be alerted to any information breach. It is time-consuming to freeze accounts and change passwords, and it is costly to purchase credit monitoring services. So, if it is determined no risk would come upon a consumer, there would be no notification to them. However, there is a question of whether this benefit would be outweighed by the risk of consumers being unaware of important information being breached.
There are, however, some grey areas within this newly proposed harm-based trigger notification system. There is no set of criteria telecom companies are required to meet to determine the likelihood or degree of harm. Although, the FCC does seek comment to determine whether it would be more responsible for the Commission to outline this set of factors for companies to be in proper compliance.
Currently, companies are required to notify the FBI and Secret Service of all breaches within seven days. The new rule would replace the timeframe with “as soon as possible”. No concrete timeframe has yet been proposed but is up for comment. As long as there is no unreasonable delay when reporting data breaches, it is within the companies’ judgment when best to notify the agencies.
In addition to reporting to the FBI and the Secret Service, this proposed rule extends notification to the Commission. The FCC aims to gather enough information to provide “important information about data security vulnerabilities” in addition to gathering data to shed some light on companies’ ongoing compliance.
They seek input on the incremental burden associated with notification compared to current standards. Furthermore, they inquire if any other government entities should also be notified such as the FTC. To aid in burden hours, the Commission also proposes a new method of notification: a central reporting portal to minimize the burden of reporting, avoid confusion about obligations and streamline the reporting process. The Commission would create and operate this centralized reporting portal for reporting breaches to the Commission, Secret Service, and FBI in the hopes of streamlining the notification process and improving federal coordination.
Although it might be impractical because an existing portal holds data reporting data breaches to the FBI and Secret Service which the Commission has access to. Existing technology might be utilized in pursuit of efficiency without the cost of a new resource. Comments are being sought to determine what is the best mechanism to streamline reporting responsibilities.
The current breach rule prohibits informing consumers about information breaches until seven days after notifying the FBI and Secret Service. This is solely to not interfere with or impend the ability of law enforcement to conduct their investigation. The commission acknowledges this is inconsistent with the public interest and the best practice to inform consumers of data breaches due to its urgency of security. The proposed rule would eliminate the required seven-day waiting period to address concerns over current practices. The FCC proposed to inform consumers without reasonable delay unless specifically requested otherwise by law enforcement.
The exact benefits and drawbacks of this approach are still unknown. It might be reasonable to set a standard time period to notify consumers. Again, the terminology involved is vague and broad.
Why it matters?
The Federal Communications Commission has utilized indefinite language throughout its proposed rule. Using terms like “as soon as possible”, “without reasonable delay”, and not providing clear criteria when determining harm gives organizations discretion to interpret them to their benefit. This could lead to two possible outcomes. One, companies can use that leverage to determine the best course of action in a case-by-case scenario. They can also use that leverage to best allocate time and resources to securing the breach. Or two, vague terminology can be an excuse to avoid taking action when appropriate which can cause much risk to consumers.
In attempts to protect consumers, the FCC has begun to reach for more power. Based upon Congress voting down a 2016 FCC rule via the Congressional Review Act, questions remain on the extent of the Commission’s authority. At the time, former Chairman Ajit Pai even commented on its “overreach”. Now the Commission is aware of the grey areas of its authority set by Congress. Fortunately, the Commission acknowledges the novelty of these issues involved and asks for further input to weigh the benefits and risks.