Split Sixth Circuit Upholds FCC Expansion of Data Breach Notification Rules

Saul Ewing LLP

The Federal Communications Commission (“FCC”) achieved victory this week as the U.S. Court of Appeals for the Sixth Circuit upheld a heavily contested set of new data breach reporting requirements for telecommunications companies.  Despite challenges from trade groups, the court held, 2-1, that the Communications Act of 1934’s authorization to “prescribe such rules and regulations as may be necessary” to prevent “unjust or unreasonable” practices provided sufficient authority for the FCC to adopt the new rules. The changes are significant, as the updated rules expand the definitions of “covered data” and reportable breaches, mandate notification to the FCC in addition to federal law enforcement, and change some customer notification requirements.

What You Need to Know

  • In December 2023, the FCC introduced new data breach reporting rules that apply to telecommunications carriers, interconnected VoIP providers, and telecommunications relay service (“TRS”) providers.  The new rules expand the scope of covered data and include more activity in the definition of a breach, in addition to imposing increased reporting requirements.
  • A variety of trade groups challenged the rules, arguing that the FCC had exceeded its authority and violated a prior congressional determination concerning similar rulemaking. The challengers also asserted the new rules would produce burdensome compliance costs and additional bureaucratic formalities for federal agencies.
  • The Sixth Circuit rejected the challenges, 2-1, and said that carriers’ failures to notify authorities and consumers were practices “in connection with” communication services and thus permissible.  The court also rejected industry warnings that such an interpretation would grant the FCC unlimited regulatory scope.

The Communications Act of 1934 (the “Act”) granted the FCC broad authority to regulate interstate communications.  The Act authorized the FCC to “prescribe such rules and regulations as may be necessary” to carry out the Act’s prohibition on “unjust or unreasonable” practices “for and in connection with” a carrier’s communication service.  47 U.S.C. § 201(b).  In 1996, Congress updated the Act and included a provision requiring telecommunications carriers to “protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers.”  47 U.S.C. § 222(a).  Concerned with ever-increasing data breaches, in December 2023 the FCC issued a new rule revising data breach requirements.

The revisions were significant.  The rule provides that a breach includes any access to, use, or disclosure of “covered data” that is not authorized or exceeds authorization, including inadvertent access, use, or disclosure.  The revised rule expands the scope of “covered data,” to now include personally identifiable information (“PII”) such as government-issued identification numbers, usernames and email addresses in combination with passwords or security answers, and unique biometric, genetic, or medical data.  The rule also provides that PII could include any one of the types of data listed, or a combination, if the data could be used to commit identity theft or fraud. 

While previously carriers were only required to notify the Federal Bureau of Investigation and U.S. Secret Service of a breach, the new rules require notification to the FCC. The notification requirements vary by size; if a breach affects 500 or more customers – regardless of potential harm – carriers must file notifications within seven business days of reasonably determining a breach.  If a breach affects fewer than 500 customers, the same deadline applies unless the covered entity can reasonably determine no harm to customers is reasonably likely, in which case the breach only needs to be reported in an annual summary report.

Requirements for customer notifications are more stringent as well.  Covered entities must notify customers unless they can reasonably determine that the breach is unlikely to cause harm, or where only encrypted data was breached and there is “definitive evidence” the encryption key was not accessed, used, or disclosed.  The new rule also eliminates a seven-day waiting period for customer notification, and now requires notification without unreasonable delay after notifying the federal agencies and no later than 30 days after determination of the breach.

The breadth of the changes created industry ire.  Opponents of the rule argued that the FCC exceeded its statutory authority and violated the Congressional Review Act (“CRA”). Although the Sixth Circuit found that Section 222(a) of the Act did not confer statutory authority for the FCC to impose data breach reporting requirements regarding customer PII, it further found that the “statutory text, context, and structure” of Section 201(b) of the Act permitted the FCC to do so.  The court ruled that a carrier’s refusal to report a breach of customer data constituted a “practice[] . . . in connection with [a] communication service” as specified in the statute, so the FCC had authority to prescribe rules necessary to prohibit such refusals.

The Sixth Circuit also found the new rule did not run afoul of the CRA.  The industry groups argued that the rule violated the CRA’s prohibition on rules being “reissued in substantially the same form” after a rule has been previously rejected by a disapproval resolution.  According to the groups, the FCC’s new rule was “substantially the same” as a rule covering breaches of PII that Congress shot down in 2017.  However, the court observed that the “data breach notification requirements were a mere subset of the broader compendium of privacy rules” in the prior FCC proposal, whereas the current rule only addresses data breach reporting requirements. Thus, the two rules were not “substantially the same.”

As the strong industry opposition suggests, this is a significant development for telecommunications carriers.  As then-FCC Chairwoman Jessica Rosenworcel observed when the rule was introduced in 2023, it had been 16 years since the FCC updated its consumer data breach policies. That means companies will likely have to substantially update their practices and procedures as well. 

The breadth of the new definition of “covered data” means that covered entities would be wise to conduct a fresh inventory of the data they collect and how it is stored to ensure appropriate levels of security and internal awareness of what data may be affected if unauthorized access occurs.  Carriers, VoIP providers, and TRS providers will also need to revise their policies and processes for breach notifications, including updating incident response plans to take into account the expansion of covered data as well as revising data breach notification letters and regulatory notices.  And covered entities should consider if they have sufficient personnel and an appropriate division of labor to handle the workload of potential notification obligations given the tight timeframes and multiple considerations.  As with any data privacy regulation, there’s no such thing as too much diligence.
