Battle could be brewing over new FCC data breach reporting rules

On January 6, the United States Federal Communications Commission (FCC) launched a notice of proposed rulemaking (NPRM) to update its data breach reporting rules for telecommunications carriers. “The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” said FCC Chairwoman Jessica Rosenworcel in announcing the proceeding. “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”

Although there is some common ground among the parties in this proceeding, a battle could be brewing over the FCC’s idea of an expanded definition of what constitutes a data breach and what information carriers should include in consumer notices. Most importantly, however, carriers seek to limit notifications to situations where they say they’ve determined concrete harm that can flow from a breach, which consumer advocates say will create gaps in knowing where data breaches have occurred.

FCC’s current rules date back to 2007

The Commission first adopted its customer proprietary network information (CPNI) data breach reporting rule in 2007 as VoIP services began to gain traction. CPNI is considered information that “relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.”

Since the FCC adopted its rules, all 50 US states and other US jurisdictions have adopted data breach reporting requirements. In addition, federal government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Trade Commission (FTC), and the Securities Exchange Commission (SEC) have also begun formulating their own rules to serve as national data breach reporting requirements.

The current FCC rules require a telecommunications carrier to notify law enforcement of a breach of its customers’ CPNI no later than seven business days after a reasonable determination of a breach by sending electronic notification through a central reporting facility to the Secret Service and the Federal Bureau of Investigation (FBI). After notifying law enforcement, carriers are allowed to inform customers, although the current rules do not specify the precise content of the notice.

In 2013, the FCC adopted rules modeled on the CPNI rules that apply to video relay service (VRS) and telecommunications relay (TRS) programs used by persons who are deaf, hard of hearing, or deafblind. In 2016, the Commission tried to update its breach notification rules to address broadband provider service providers, but Congress nullified those revisions under the Congressional Review Act.

Carriers oppose expanded definition of breach

In its latest effort to address data breach notifications, the Commission proposes expanding its definition of a data breach to include inadvertent disclosures of customer information. In the NPRM, the FCC states it believes, “It is important that the Commission and law enforcement be made aware of any accidental access, use, or disclosures so that we can (1) investigate and advise carriers on how best to avoid future breaches, and (2) stand ready to investigate if and when any of the affected information falls prey to malicious actors.” Moreover, the Commission said carriers would be encouraged to adopt more robust data security practices by requiring notification for accidental breaches.

Carriers, however, oppose the expanded definition, saying it would impose burdens even when no harm from the breach is apparent. “Treating the inadvertent access or disclosure of CPNI as a ‘breach’ would unnecessarily increase the scope of reporting obligations and require notification when there has been no harm (or even risk of harm) to a customer’s privacy interests,” Verizon, for example, told the FCC. “If an employee accidentally mistypes an email address and thereby inadvertently sends CPNI to the wrong customer, even if the email was recovered and never opened, the proposed rule might require customer notification even though there was no harm to the customer.”

Breach notifications should include the FCC

The FCC is now proposing carriers notify the Commission itself in addition to the Secret Service and FBI as soon as “practicable” after discovering a breach. Most of the carriers don’t object to this requirement. NCTA, for example, said, “The existing portal reporting process works well for service providers and, with minimal timing modifications… will facilitate coordination between the Commission, law enforcement, and providers.”

Eliminate the mandatory waiting period

The FCC proposes to eliminate the current mandatory waiting period before notifying customers. Instead, the Commission proposes that carriers notify customers of CPNI breaches “without unreasonable delay” after the discovery of a breach unless requested by law enforcement. The carriers support this aspect of the FCC’s proposal mainly because it embraces greater flexibility and aligns with what they say most states require.

“Most state data breach notification requirements do not set a specific time period, and for good reason,” the trade association US Telecom said in its comments. “It takes time after determining an incident occurred to investigate and understand the scope of any breach, including the information compromised and the customers affected. In that early period, companies also must work to contain the breach. Containment can involve disconnecting networks, systems, and devices, restricting access to critical systems, resetting passwords, and engaging external support.”

Breach notice content requirements rejected 

The FCC asks whether it should establish minimum requirements for the content of customer breach notices to ensure that such data breach notifications contain actionable information. Among the data the Commission suggests should be included in the consumer notices are the name and contact information for the entity reporting the breach, the date of the breach, and the personally identifiable information (PII) disclosed.

The carrier community almost uniformly opposes such requirements. Verizon, for example, said, “If the provider were forced to first gather all the information outlined in the Commission’s proposed content requirements before sending a notice that complies with specific mandates, the customer’s account may already be irreparably compromised by the time the notice is sent.”

A harm-based trigger is the most controversial idea

Perhaps the most controversial component of the Commission’s rulemaking is what the FCC calls a “harm-based” notification trigger. The Commission seeks comment on such a trigger, which would require breach notifications based solely on the harm they cause. The FCC asks whether it would benefit consumers by avoiding confusion and “notice fatigue” regarding breaches that are unlikely to cause harm. On the other hand, the FCC also asks whether a harm-based notification risks consumers being unaware of important information regarding their data.

The carriers, and at least one cybersecurity company, agree that a harm-based trigger is the preferred route, underscoring the notion that the harm should be concrete. NCTA, for example, stated it “encourages the Commission to consider coupling a harm-based trigger with a threshold minimum number of affected customers before certain reporting requirements are triggered” and suggests that the number of customers affected should be at least 500.

Regarding the concrete nature of the harms, NCTA’s comments also reflect those of the other carriers. “Such harms include physical harms, identity theft, theft of services, or other financial harms,” the association said in its initial comments.

Surprisingly, cybersecurity giant CrowdStrike sides with the carriers on this question. In its initial comments to the Commission, CrowdStrike said, “The FCC should adopt a risk-based approach” and consider factors such as whether data was exfiltrated in the breach and whether the carrier mitigated such incidents.

Not surprisingly, consumer advocates stand in significant opposition to a harm trigger. For example, the Electronic Privacy Information Center (EPIC) told the FCC, “Establishing harm as a threshold issue can result in legal ambiguity and underreporting. Additionally, it can result in delayed reporting as it may take time to assess whether the minimum threshold for reportable harm has been met.” EPIC also represents the Center for Democracy and Technology, Privacy Rights Clearinghouse, and Public Knowledge in the proceeding.

“I think this is the most important part of this proceeding: Who gets to decide what constitutes harm,” Chris Frascella, law fellow at the Electronic Privacy Information Center, tells CSO. “Because that’s going to determine what you have to report to consumers.”

Carriers, who have over the years struggled with transparency regarding their data privacy practices, should not be calling the shots when it comes to deciding what causes harm, Frascella says. “They should not be able to filter through their own determination of what is likely to result in harm. If you’re then going to give carriers discretion about what they report and what they don’t, you’re going to get an incomplete picture of what the threat environment looks like.”

Rules not likely to emerge for years

The Commission has completed a round of comments and reply comments in the data breach proceeding. The next step will be a formal FCC report outlining their new rules, which likely will not occur until at least the end of 2023. If the rules meet with objections by any parties, the Commission will most likely have to deal with a petition for reconsideration from one or more parties, a process that could take another year. If the outcome of that proceeding meets stiff resistance, litigation is expected.

The upshot of these regulatory and legal challenges might mean that final data breach notification rules could take three to four years to emerge. However, when they ultimately go into effect, “I’m hoping that it leads to raising the floor on expectations for data security practices” for carriers, says Frascella.