Introduction to FCC’s Expanded Rules
The Federal Communications Commission (FCC) has significantly bolstered the data breach notification and reporting requirements for telecommunications carriers. This expansion now encompasses providers of Voice over Internet Protocol (VoIP) services and telecommunications relay service (TRS), mandating a more comprehensive approach to data breach response involving personally identifiable information (PII) and customer proprietary network information (CPNI).
Enhanced Scope of PII and Breach Definition
Expanded PII Categories
The FCC now defines PII more broadly, encompassing data that can identify or trace an individual’s identity either in isolation or when combined with other linked or linkable information. This definition includes:
- Names with any government-issued or other authentication IDs (like social security or driver’s license numbers).
- Usernames or email addresses combined with passwords or security questions/answers or other authentication methods.
- Unique biometric, genetic, or medical data (e.g., fingerprints, voiceprints, or retina scans).
Additionally, dissociated data, if linked or linkable to an individual, also falls under PII. Publicly available information is excluded from this definition.
Refined Definition of a “Breach”
The term “breach” now includes inadvertent access, use, or disclosure of customer information. Both intentional and unintentional breaches fall under this purview, with an exemption for data acquired in good faith by an employee or agent of the carrier without further misuse or disclosure.
Notification Requirements to Federal Agencies
Per Breach Notice
Telecommunications providers are obligated to report all breaches to the FCC, FBI, and Secret Service. This includes breaches affecting any number of customers, with a particular focus on harm assessment. The breach notification, submitted within 7 business days of identifying the breach, must include the provider’s contact information, breach description, compromise method, incident dates, number of customers affected, and types of data breached. This can be reported via the FCC’s breach notice reporting facility.
Additionally, providers must submit an annual summary of all breaches affecting fewer than 500 customers by February 1, starting from the approval date by the Office of Management and Budget. This report encompasses breaches where harm to customers was deemed unlikely.
Customer Notification Protocols
Harm-Based Trigger for Notification
The FCC has adopted a harm-based trigger for notifying customers, with a rebuttable presumption of harm. Providers must notify customers when they cannot reasonably determine the likelihood of harm resulting from the breach. This harm includes financial, physical, identity theft, service theft, extortion, privacy invasion, and more.
Evaluation Criteria for Harm
Providers should consider the sensitivity of the breached information, the nature and duration of the breach, the speed of discovery and mitigation, and the intent behind the data access when evaluating harm likelihood.
Timing and Content of Notification
Customer notifications must be made without unreasonable delay after notifying the FCC, FBI, and Secret Service, typically within 30 days of breach determination. Law enforcement may request an initial delay of up to 30 days under special circumstances. The FCC suggests including specific information in these notifications, such as the breach date, affected customer information, provider contact details, regulatory agency contacts, and steps for identity theft protection.
Exemption for Encrypted Data
If the breach involves encrypted data and the encryption key was not compromised, customer notification might not be necessary. However, if there’s evidence of encryption circumvention, providers should conduct a harm-based analysis as if the data were unencrypted.
Conclusion: Elevating Cybersecurity Standards
The FCC’s revised regulations underscore an elevated standard for data protection and breach response in the telecommunications sector. These rules not only enhance the security and privacy of consumer data but also reinforce the accountability of service providers in the event of data breaches. As the digital landscape evolves, such regulatory updates are crucial in safeguarding personal and sensitive information against the ever-growing threat of cyber intrusions.