February 16, 2023

FCC Proposes Updating Its CPNI Breach Reporting Rules

4 min

The Federal Communications Commission (FCC) is seeking to update and strengthen its rules governing breaches of consumer data and personal information. Public comments on the new rules are due February 22, 2023, and reply comments are due March 24, 2023.

Under current FCC rules, telecommunications carriers and Voice over Internet Protocol (VoIP) service providers must notify customers and federal law enforcement of data breaches involving certain customer proprietary network information (CPNI), data that includes the numbers customers call, the frequency or duration of calls, and mobile devices' locations. The FCC proposes expanding the definition of "breach" to include "inadvertent" breaches, and requiring telecommunications carriers to immediately notify customers, the FCC, and federal law enforcement of breaches.

Definition of "Breach"

Inadvertent Disclosures. Under current FCC rules, a "breach" occurs "when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI." The& FCC proposes to expand this definition to include the inadvertent unauthorized access, use, or disclosure of CPNI. The FCC asks for comment on the impact of requiring accidental breach reporting, and asks if and how to exempt a good-faith acquisition of CPNI where the information is not used improperly or disclosed. The FCC also asks if and how to police conduct that could reasonably have led to CPNI exposure, even if it has not been an actual breach.

Harm-Based Notification Trigger. While the current rules require notification in every instance of a breach, the FCC asks whether it should adopt a "harm-based notification trigger" where notification would not be required when a carrier reasonably determines that no harm to customers is reasonably likely to occur. The FCC seeks comment on how it should define "harm" and asks about the factors carriers should use to evaluate whether customers are reasonably likely to be harmed. The FCC also asks whether the harm-based trigger should apply to notifications to both customers and law enforcement. The FCC also asks whether it has the authority under the Communications Act to establish reporting obligations for other information carriers might possess, such as Social Security numbers and financial records.

FCC and Law Enforcement Notification

FCC Notification. The current rules require that when a carrier has reasonably determined that there has indeed been a CPNI breach involving CPNI, it notify the U.S. Secret Service and Federal Bureau of Investigation. The FCC proposes requiring carriers to also notify the FCC at the same time so that the agency can respond in a timely manner as appropriate to the circumstances.

Method of Notification. The FCC's current rules require that carriers notify law enforcement through a web-based "central reporting facility." The FCC proposes creating a centralized portal for reporting breaches to both law enforcement and the FCC.

Notification Contents. Carriers are currently required to include certain information in their breach notifications, such as contact information, a description of the breach, the method of compromise, the date range of the breach, the approximate number of customers affected, an estimate of the financial loss to the carrier and customers, and the addresses of the affected customers. The FCC proposes requiring the same information in FCC notifications.

Time Frame. Instead of allowing seven days after the reasonable determination of a breach, the FCC proposes that carriers notify law enforcement and the FCC "as soon as practicable" after discovering a breach.

Threshold Trigger. Under current rules, the notification requirement applies to all breaches, regardless of severity. Given the different levels of breach severity, the FCC asks whether different threshold levels of affected customers should trigger different notification obligations.

Customer Notification

Notifying Customers of Data Breaches without Unreasonable Delay. Current rules prohibit carriers from notifying customers of or disclosing a data breach until seven business days after notifying law enforcement. The FCC proposes requiring customer notification "without unreasonable delay" after discovering a breach unless law enforcement requests a delay.

Contents of Customer Breach Notification. The FCC asks whether it should require carriers to include specific, minimum information in customer notifications, such as:

  • the date of the breach
  • a description of the customer information that was used, disclosed, or accessed
  • how customers can contact the carrier to inquire about the breach
  • how to contact federal and state regulatory agencies
  • information about credit reporting and identity theft
  • other steps customers should take to reduce the risk of harm based on the specific information leaked

Method of Customer Breach Notification. The FCC asks whether it should require a particular notification method, such as e-mail, physical mail, or telephone calls.