Sixth Circuit Upholds FCC Data Breach Notification Rules
August 18, 2025
On August 13, the Sixth Circuit affirmed the Federal Communications Commission’s authority to issue data breach reporting requirements under Section 201(b) of the Communications Act. These FCC rules were a long overdue improvement to the agency’s existing breach reporting regime, for example by expanding the definition of “breach” to include unintentional breaches (as opposed to only intentional acts of employees, even if the employee was fooled) and by making explicit that covered data includes Social Security Numbers (SSNs). SSNs would not have been explicitly protected under the longstanding breach reporting rule because, as the Sixth Circuit’s decision indicates, SSNs are personally identifiable information (PII) but not Customer Proprietary Network Information (CPNI), and the existing rules only protected CPNI.
The FCC updated its breach reporting rules in 2023 and faced a legal challenge in the Sixth Circuit from telecom lobbying groups, who argued that the agency lacked the authority to enact the rule and that Congress’s 2017 nullification, under the Congressional Review Act (CRA), of a much broader rule containing some similar provisions prohibited the FCC from enacting the 2023 rule.
EPIC, joined by Public Knowledge and Privacy Rights Clearinghouse, filed an amicus brief in support of the agency’s rule, arguing that the FCC is the most appropriate regulator for telecom data breaches and cautioning the court about a CRA interpretation that would hamstring agencies and burden Congress, especially on fast-evolving matters such as tech policy.
In its 2-1 opinion, the Sixth Circuit held that the FCC has ample authority to hold carriers accountable for protecting subscriber data, saying that:
“To read the Communications Act as creating such a regulatory void [i.e. not empowering the FCC to protect subscribers] would stand at odds with the federal protection of customer data applicable to virtually all other major businesses in the United States.”
and that: “the plain text of §201(b) allows for regulation of unjust or unreasonable practices regarding customer PII.”
Even the dissent acknowledged that: “carriers collect and store such data as part of their provision of services, so perhaps those activities (PII collection and storage) are inherent in or necessary for the provision of communication services.”
Additionally, the court agreed 2-1 that the FCC’s 2023 rule is not substantially the same as the CRA-nullified rule, both as a matter of the specific content of each rule and because the proper unit of comparison is the entire nullified rule, not mere portions of the prohibited rule.
EPIC regularly files amicus briefs in data breach-related cases and in cases supporting regulators’ ability to protect consumers. EPIC has consistently advocated for stronger safeguards in America’s communications networks to ensure the data privacy and data security of those who rely on them, including by filing regulatory comments in the proceeding that led to this rule.