EPIC Cautions FCC About Limiting Breach Notices, Applauds Agency Attention to Data Security
February 23, 2023
This week, EPIC filed comments with the Federal Communications Commission regarding the agency’s plan to enhance its breach notification requirements for telecommunications and interconnected VoIP providers. Although many of the Commission’s proposals represent a significant improvement, not all are in the best interest of consumers. For example, the FCC proposes that companies be obligated to report a breach only if harm is likely to result from it. EPIC cautioned the FCC against allowing companies to first determine the likelihood of harm resulting from a breach before deciding whether to notify consumers, because that determination process could delay notifications or result in outright underreporting of threats to consumer privacy and security.
Historically, the FCC has focused on safeguarding phone usage data (known as Customer Proprietary Network Information, or CPNI), which includes who a phone subscriber calls, their location, and other information, and on intentional misuse of CPNI. EPIC supports the FCC’s proposals to expand the definition of breach to include unintentional disclosure of personal data and to protect sensitive information such as Social Security Numbers—not just CPNI. EPIC also supports the Commission’s proposals to require breached companies to provide guidance to subscribers in their breach notifications regarding how to prevent identity theft, account compromise, and other breach-related harms, in addition to a brief description of what consumer data may have been accessed in the breach.