FCC Adopts Updated Data Breach Notification Rules To Protect Consumers

The Federal Communications Commission adopted rules to modify its 16-year-old data breach notification rules to ensure that providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) adequately safeguard sensitive customer information. The action would hold phone companies accountable for protecting sensitive customer information, while enabling customers to protect themselves in the event that their data is compromised.

Existing breach notification rules provide important protections against the risk of improper access, use, or disclosure of customer data, helping to ensure that carriers are held accountable when breaches occur, and that they provide customers with adequate and timely notice. However, with the increase in frequency and severity of data breaches over recent years, these rules needed to be updated to reflect the current security landscape.

This action will expand the scope of the FCC’s breach notification rules to cover certain personally identifiable information that carriers and TRS providers hold with respect to their customers. It also expands the definition of “breach” to include inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.

The Report and Order will require carriers and TRS providers to notify the FCC of breaches, in addition to their current obligation to notify the United States Secret Service and Federal Bureau of Investigation, via the existing central reporting facility.

It will also eliminate the requirement to notify customers of a breach in those instances where a carrier or TRS provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier or provider has definitive evidence that the encryption key was not also accessed, used, or disclosed. It will also eliminate the mandatory waiting period for carriers and TRS providers to notify customers. Instead, it will require carriers and TRS providers to notify customers of breaches of covered data without unreasonable delay after notification to the FCC and law enforcement agencies, and in no case more than 30 days after reasonable determination of a breach, unless a delay is requested by law enforcement.

