The Federal Communications Commission (FCC) has unanimously adopted a Notice of Proposed Rulemaking (NPRM) to revise its data breach reporting requirements applicable to telecommunications carriers and interconnected Voice over Internet Protocol providers. The proposal seeks to “strengthen the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI).” CPNI is data on subscribers’ telephone usage, as originally defined in Section 222 of the Communications Act. The Commission’s aim is “to better align its rules with recent developments in federal and state data breach laws covering other sectors.”

The NPRM (FCC 22-102, released on January 6 in Docket WC No. 22-21) includes the following proposals:

  • To expand the Commission’s definition of “breach” to include inadvertent disclosures of customer information and seek comment on adopting a harm-based trigger for breach notifications.  
  • To require carriers to notify the Commission, in addition to the Secret Service and FBI, as soon as practicable after discovery of a breach. 
  • To eliminate the mandatory waiting period before notifying customers and instead require carriers to notify customers of CPNI breaches without unreasonable delay after the discovery of a breach unless requested by law enforcement.  
  • To make changes to the Commission’s telecommunications relay services (TRS) data breach reporting rule consistent with those proposed for the CPNI breach reporting rule.

The NPRM also seeks comment on the following questions:

  • Whether the Commission should adopt minimum requirements for the content of customer breach notices.
  • The impact of the Congressional disapproval of the 2016 Privacy Order on the Commission’s legal authority to issue the proposed rules for telecommunications carriers.

With respect to its proposal regarding “inadvertent disclosures,” the NPRM notes that the current rule covers situations “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.” The FCC notes that “the intervening years since the adoption of our existing rule have demonstrated that the inadvertent exposure of customer information can result in the loss and misuse of sensitive information by scammers and phishers and trigger a need to inform the affected individuals so that they can take appropriate steps to protect themselves and their information.”

Initial comments on the NPRM will be due 30 days after a summary is published in the Federal Register, with reply comments due 60 days after such publication.