FCC Adopts Updates to Data Breach Rules
December 22, 2023
On December 21, the Federal Communications Commission released an order updating its sixteen-year-old data breach rules (which, as FCC Chair Rosenworcel noted, date back to before the introduction of the iPhone). The updated rules require telecommunications providers to report breaches not only of customer proprietary network information (CPNI), such as what numbers a customer dialed and when, but also of personally identifiable information (PII), such as Social Security numbers. The order also requires companies to report accidental breaches, a change EPIC recommended in its own comments. Previously, the FCC's rules required notification only for intentional disclosures, such as when a company was tricked or bribed by a fraudster into revealing consumer information; a provider that inadvertently exposed the same data had no obligation to tell anyone.
The 2023 order treats a breach as presumptively harmful, including emotional and other harms not directly tied to identity theft or financial fraud, and places the burden on the provider: customer notification may be skipped only where the provider can reasonably determine that no harm to customers is reasonably likely to occur. The order offers a safe harbor for breaches of encrypted data, but only where there is definitive evidence that the encryption key was not also compromised; a provider that cannot establish what happened to the key does not get the benefit of that exception. Providers must notify affected customers "without unreasonable delay" and in no case later than 30 days after reasonably determining that a breach occurred. The Commission is extending similar protections to telecommunications relay service (TRS) providers, including a broad definition of harm where the content of communications is disclosed as a result of a breach.
EPIC filed comments in this proceeding and, together with the Center for Democracy and Technology, Privacy Rights Clearinghouse, and Public Knowledge, filed reply comments. EPIC also filed the petition for rulemaking that gave rise to the FCC's 2007 pretexting rules. EPIC regularly advocates for policies that strengthen data security for consumer information.