On December 13, 2023, the Federal Communications Commission (FCC) voted to update a 16-year-old privacy rule, expanding breach notification requirements for telecommunications carriers, interconnected Voice over Internet Protocol (VoIP) providers, and telecommunications relay services (TRS). Under the new rule, these companies are required to adequately safeguard sensitive customer information; the stated aims are to hold phone companies accountable for protecting customer information and to give customers the information they need to protect themselves.
This expansion of the rule is an effort by the FCC to keep law enforcement and the public updated in near real time about breaches of collected personally identifiable information (PII) and Customer Proprietary Network Information (CPNI). CPNI relates to the type, quantity, destination, technical configuration, location, and amount of use of the telecommunications and interconnected VoIP services that customers purchase from providers, as well as related billing information.
Change in Scope of Information Triggering Notification
This updated rule expands the reach of the Commission’s breach notification rule to cover certain PII of customers held by carriers and TRS providers, not just CPNI. Under the new rules, disclosure of or access to any information “that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information” would trigger notification requirements. This expansion seemingly overlaps with the notification obligations under state data breach notification laws and would likely result in a significant increase in reported breaches by telecommunications carriers and TRS providers. The expansive definition of PII goes beyond most state data breach notification laws: the FCC explicitly states that an individual’s name, address, and phone number would be considered PII under the new definition, requiring notification to the FCC, law enforcement, and customers, whereas that information is not generally considered PII under any state data breach notification law.
Expanded Definition of Breach
In addition, the definition of a breach has been expanded to include “the inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.”
Changes in Reporting Requirements
Under this updated rule, reporting requirements have been slightly shifted. Prior to the updated rule, carriers and TRS providers were required only to notify the United States Secret Service and the Federal Bureau of Investigation in the case of an incident. The new rule expands on those reporting requirements, requiring both carriers and TRS providers to notify the Commission within seven days if a breach affects more than 500 customers or if there is a risk of customer harm because of the breach. Carriers and TRS providers are also required to file an annual summary of breaches that affect fewer than 500 customers and for which the carrier or TRS provider can reasonably determine that no harm to customers is likely.
Furthermore, customers no longer need to be notified where it can be “reasonably determined that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier or provider has definitive evidence that the encryption key was not also accessed, used, or disclosed.” There is no longer a mandatory waiting period before notice is provided to customers; instead, notice must be given without “unreasonable delay” after notice to the Commission and law enforcement agencies, and no later than 30 days after a reasonable determination of a breach unless a delay is requested by law enforcement.
While the content of required notifications remains largely the same, the FCC’s report does include a new requirement that TRS providers include “a description of the customer information that was used, disclosed, or accessed,” including “whether data on the contents of conversations, such as call transcripts, are compromised.” Actual audio or transcripts, however, should not be included.
Going Forward
These new breach notification rules come at a time when the US is seeing a large number of new and updated breach reporting requirements, including the new SEC breach notification rule and the new Federal Trade Commission safeguards.
This new rule will become effective 30 days after its publication in the Federal Register; however, the rule has already attracted pushback from certain Senate Republicans, who argue that such changes would violate a Congressional resolution that killed expanded FCC privacy rules in 2017.