All Things Newz
Law \ Legal

FCC Seeks Comments On Updates To CPNI Breach Reporting Rule – Data Protection


To print this article, all you need is to be registered or login on

The Federal Communications Commission (“FCC” or
“Commission”) is seeking comments on a Notice of Proposed Rulemaking (NPRM) to
refresh its customer proprietary network information
(“CPNI”) data breach reporting requirements (the
“Rule”). Adopted earlier this month by a unanimous 4-0
vote of the Commission, the NPRM solicits comments on rule
revisions that would expand the scope of notification obligations
and accelerate the timeframe to notify customers after a data
breach involving telephone call detail records and other CPNI. The
FCC cites “an increasing number of security breaches of
customer information” in the telecommunications industry in
recent years and the need to “keep pace with today’s
challenges” and best practices that have emerged under other
federal and state notification standards as reasons to update the

According to the current Rule, a “breach” means that a
person “without authorization or exceeding authorization, has
intentionally gained access to, used, or disclosed CPNI.” As
summarized in the NPRM, CPNI includes “phone numbers called by
a consumer, the frequency, duration, and timing of such calls, the
location of a mobile device when it is in active mode (i.e., able
to signal its location to nearby network facilities), and any
services purchased by the consumer, such as call waiting.”
(The NPRM does not propose any changes to the definition of

Initially adopted in 2007 as part of a broader effort to combat
pretexting – the practice of pretending to be a customer in
order to obtain that customer’s telephone records – the
current data breach notification rule (47 CFR § 64.2011) requires
telecommunications carriers, including interconnected VoIP
providers, to provide notice of a data breach involving CPNI to the
Secret Service, FBI, and affected customers. The Rule also requires
notifying law enforcement within seven business days at Carriers then must
wait an additional seven business days to notify customers about a
breach (barring any objection from law enforcement officials).

The NPRM solicits comments on a series of potential changes to
the Rule, including:

  • Removing the intent standard: Under the
    current Rule, a breach is reportable when a person to
    intentionally, and without authorization or exceeding
    authorization,gains access to, uses, or discloses CPNI. The NPRM
    proposes removing the intent standard, explaining that
    “inadvertent” disclosures of CPNI can still impact
    individuals, and that intent may not be immediately apparent
    “which may lead to legal ambiguity or under-reporting.”
    The FCC seeks comments on the benefits and burdens of this proposal
    and whether other data breach laws should influence the policy it

  • Adding a harm-based reporting trigger: The FCC
    proposes to include a harm-related reporting trigger, in an effort
    to avoid notifying customers about breaches that are not likely to
    cause harm – what the FCC terms “notice fatigue.”
    As an example, many data breach laws do not require notification
    about a data breach involving encrypted information based in part
    on a harm calculation. The FCC also solicits comments on how to
    determine and quantify “harm” in the context of

  • Expanding the notice requirement: The NPRM
    asks whether the FCC has authority to include in its Rule –
    and should include – information that is not considered CPNI,
    such as Social Security numbers or other financial records,.

  • Notice to the FCC: The FCC proposes that
    carriers should notify the FCC, in addition to the FBI and Secret
    Service, about CPNI breaches. It seeks comment on the costs and
    benefits of requiring such notification.

  • Notice Timeline: The FCC proposes removing the
    seven-business day waiting period to notify customers about a CPNI
    data breach, instead requiring notification “without
    unreasonable delay” after discovery of a breach, unless a law
    enforcement agency requests that the carrier delay notification.
    The FCC tentatively concludes this approach is consistent with
    other laws and better serves the public interest than the current

  • Minimum Requirements for Notice Content: The
    current rule does not address the content of notifications, and the
    NPRM solicits comment on whether to adopt a floor for information
    that must be included in data breach notices to consumers. The FCC
    notes that many state data breach notification laws impose minimum
    content requirements, requiring notices to describe what
    information was subject to the breach, the date(s) of the breach,
    how the breach occurred, and what steps were taken to remedy the

Finally, the NPRM raises the question of the FCC’s legal
authority to adopt its proposed changes to its Rule, particularly
in light of the fact that Congress nullified the 2016 revisions to
its Rule (2016 Privacy Order) under the Congressional
Review Act.

Comments on the NPRM are due on February 22, and reply comments
are due on March 24.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from United States

Revised Colorado Privacy Act Rules

Davis+Gilbert LLP

The Colorado Attorney General’s Office released proposed revised rules (Revised Rules) governing the Colorado Privacy Act (CPA) at the end of last year.


Source link

Related posts

New obligations to report cyber incidents – critical infrastructure – Security

Arbitration In The Kingdom Of Saudi Arabia Part 2 – Spotlight On The Saudi Center For Commercial Arbitration (SCCA) – Arbitration & Dispute Resolution

Subscription Finance: Electronic Signatures – Financial Services