Last week, the Federal Communications Commission (FCC) launched a proceeding to update the rules requiring telecommunications providers to notify customers and federal law enforcement about customer proprietary network information (CPNI) breaches. The update would eliminate the currently mandated seven-day waiting period for all such notifications and, according to the FCC, would improve the prevention of and response to future breaches.
What Is CPNI?
In general, CPNI is customer information related to a particular subscriber’s services and billing, such as phone numbers called by a consumer; the frequency, duration, and timing of such calls; the location of a mobile device; and any services purchased by the consumer. By contrast, customer names, addresses, and telephone numbers are not CPNI.
The FCC has long required telecommunications providers to protect the privacy and security of information about their customers. Since 2007, it has required carriers to notify their customers and federal law enforcement of breaches of CPNI. The FCC also requires that carriers report breaches of CPNI to the United States Secret Service (Secret Service) and the Federal Bureau of Investigation (FBI) but refrain from informing the public for seven days after notifying law enforcement.
Due to recent and increased security breaches of customer information, the FCC proposes to update these requirements by:
- Expanding the definition of “breach” to include inadvertent disclosures;
- Requiring carriers to notify the FCC, in addition to the Secret Service and FBI, as soon as practicable after discovery of a breach, rather than within seven days;
- Eliminating the mandatory seven-day waiting period before notifying customers unless requested by law enforcement; and
- Creating and maintaining a centralized portal for reporting breaches to all required federal law enforcement agencies.
The FCC also asks for input from interested parties as to whether it should:
- Adopt a harm-based trigger for breach notifications, which would only require carriers to report breaches that are harmful to customers;
- Adopt a threshold number of affected customers before requiring notification; and
- Adopt minimum requirements for the content of customer breach notices.
How Could These Changes Impact Your Company’s Operations?
Companies will need to ensure they have proper personnel and protocols in place to handle a potential increase in reportable breaches and to respond swiftly if and when the seven-day waiting period is eliminated.
Please note that these rules concern only the FCC-imposed reporting obligations. Additional federal and state laws exist that will govern your response to a CPNI breach.
Comments are due 30 days after the order is published in the Federal Register, which usually happens shortly after the FCC releases its order. Reply comments will be due 60 days later.
If you have any questions concerning the FCC’s data breach Notice of Proposed Rulemaking (NPRM) or you would like to make your views known to the FCC by filing comments, please contact JSI Policy Director Guy Benson (email@example.com) and JSI Senior Policy Counsel Farhan Chughtai (firstname.lastname@example.org).