Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Keeping Pace with Today’s Challenges: FCC Proposes New Data Breach Rules for CPNI

Prompted by a rapid increase in frequency, sophistication, and scale of data leaks and data breach legislation in recent years, the Federal Communications Commission (FCC) unanimously voted to kick off a proceeding aimed at adopting new proposals to update data breach response obligations involving Customer Proprietary Network Information (CPNI). These proposals aim to ensure timely notification to affected customers, the FCC, and federal law enforcement agencies and require effective measures to mitigate and prevent harm.

CPNI is a subset of personal information about telecommunications carriers’ customers, and the FCC has maintained rules about safeguarding the confidentiality of CPNI data for many years. Examples of CPNI are rate plan, minutes used, type of services subscribed to, type of device, location information, call detail records, and other proprietary information about a customer’s telecommunications services accounts.

If adopted, the most notable change in the FCC’s approach would be the agency’s definition of “breach.” The FCC’s existing rules impose obligations “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI,” whether or not the CPNI is encrypted. The new proposal seeks to expand those obligations to accidental or unintentional disclosures of CPNI. The FCC also proposed again (after Congress nullified its similar revisions in a 2016 Report and Order that addressed primarily broadband provider data privacy measures) to establish a harm-based trigger for breach notifications. This standard – requiring notification except “where a telecommunications carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach” – resembles many existing state breach notification laws. The FCC believes that these two changes would strike a balance between “confront[ing] systemic network vulnerabilities” beyond intentional attacks by malicious actors and “allow[ing] carriers to better focus their resources on data security and ameliorating the harms caused by data breaches.”

In addition to notifying the Secret Service and FBI as soon as possible after the discovery of a breach under the FCC’s existing rules, these proposals also would require covered entities to notify the FCC and affected customers at the same time. Through this mandatory data collection, the FCC expects to identify “security vulnerabilities,” “inadequate data security practices and employee training,” as well as “carriers’ ongoing compliance with [FCC] rules.” To ease the industry burden, the FCC proposes to create and maintain a centralized portal that shares a report automatically with the FCC and other federal law enforcement agencies.

The timing of notification to affected customers would also change – from a mandatory 7-business-day waiting period to “without unreasonable delay after . . . notification to law enforcement, unless law enforcement requests a delay.” The FCC believes that its current mandatory waiting period is out-of-step with other federal, state, and sector-specific legal requirements addressing the need to notify victims about breaches of their personal information. Elimination of the mandatory waiting period was viewed as providing customers with key information quickly, thus enabling customers to take prompt steps to reduce misuse of their personal information, and overall better serving the public interest.

These proposed rules would still have to go through a public comment period and a vote by the full Commission, and they could be subject to change prior to their adoption. To that end, the FCC invited public comments on many other aspects of potential changes to its existing CPNI breach rules. For example, it asks for the benefits and drawbacks of adopting minimum requirements for the content of customer breach notices, specifying a threshold trigger for notifications only if the breach affects a certain number of customers, and imposing different requirements for different types of entities that process CPNI (i.e., telecommunications carriers, interconnected Voice-over-Internet-Protocol service providers, and Telecommunications Relay Services providers).

This action signifies another step by the FCC toward addressing increased challenges with data privacy and security issues within its jurisdiction. Some readers may recall that the FCC in the past year probed a dozen mobile carriers on their data privacy practices and fined the four largest U.S. carriers for data collection practices involving their customers’ real-time location data. Although the FCC’s 2016 push to update and expand its data breach rules to include broadband internet access services did not take effect, recent developments – from breaches at multiple leading telecommunications carriers affecting millions of customers’ records to both federal- and state-level legislatures passing laws to protect consumer data – all demonstrate that the time is ripe for the FCC to re-examine its own data breach rules and update them as warranted.

As of the publication of this post, the comment deadlines are yet to be determined because the Federal Register has not published this Notice of Proposed Rulemaking. Once publication occurs, public comments will become due in 30 days and reply comments will be due in 60 days. We encourage interested parties to participate in this proceeding and help shape the revisions the FCC intends to make to its CPNI data breach rules. Faegre Drinker’s telecommunication and privacy teams are available to help.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Laura Phillips

Laura Phillips leads the firm’s telecommunications & mass media team. She counsels technology entrepreneurs and represents these clients on issues related to the development of new technologies. View Laura's full bio on the Faegre Drinker website.

About the Author: Qiusi Newcom

Qiusi Y. Newcom is an associate in the firm's government & regulatory affairs practice. Read Qiusi's full bio on the Faegre Drinker website.

January 12, 2023
Written by: Laura Phillips and Qiusi Newcom
Category: Data Strategy, FCC
Tags: CPNI

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.
