Updates

EPIC Coalition Amicus: Congress Gave FCC Authority to Protect Phone Subscribers with Breach Notification Rules

August 10, 2024

EPIC, joined by Public Knowledge and Privacy Rights Clearinghouse, urged the Sixth Circuit to find that the Federal Communications Commission has the authority to require telecom companies to notify phone subscribers when their data has been accessed without authorization. This applies notwithstanding a 2017 Congressional Review Act (CRA) resolution of disapproval nullifying the FCC’s 2016 Broadband Privacy Order (BPO), a portion of which pertained to breach notifications. EPIC et al. argued that if the court adopted the Petitioners’ argument challenging the FCC’s breach notification rule, it would create perverse incentives and frustrate fair competition by exempting telecom companies from standard breach notification practices. It would also create permanent regulatory gaps by allowing a CRA resolution of disapproval to prohibit an agency from reviving any component of a disapproved rule.

The FCC updated its existing breach notification rules in 2023 to apply to include inadvertent disclosures, to breaches of personal data apart from Customer Proprietary Network Information (e.g., Social Security Numbers), and to telecommunications relay services (TRS). Petitioners, a mix of state and national level telecom lobbying groups, argued that the FCC did not have the statutory authority to enact this rule, and that the 2017 CRA nullification of the agency’s 2016 BPO prohibited it from enacting this 2023 breach notification rule.

EPIC, Public Knowledge, and Privacy Rights Clearinghouse described for the Sixth Circuit how much worse the data breach crisis had become by 2023 (and continuing into 2024) than it was in 2016. The groups argued that the FCC is the most appropriate regulator for telecom data breaches and cautioned the court about interpreting the CRA in a way that would hamstring agencies and burden Congress, especially on fast-evolving matters such as tech policy.

EPIC regularly files amicus briefs in data breach-related cases and cases supporting regulators’ ability to protect consumers. EPIC has consistently advocated for stronger safeguards in America’s communications networks to ensure the data privacy and data security of those who rely on it, including regulatory comments in the proceeding leading up to this rule.

Support Our Work

EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.

Donate