Telecommunications carriers must continue to adhere to a 2024 Federal Communications Commission (FCC) Order that substantially broadened carriers' breach notification obligations, requiring that they disclose breaches of any customer personally identifiable information (PII), not just customer proprietary network information (CPNI), and do so for both inadvertent and intentional breaches, according to a decision on August 14 by the U.S. Court of Appeals for the Sixth Circuit upholding the order.1 The FCC's order defines "breach" broadly to include "inadvertent access, use, or disclosure of customer information." Notification is triggered within seven business days when 500 or more customers are affected or when there is a "risk of customer harm."2
Background
The FCC has broad authority under the Communications Act of 1934 to regulate interstate telephone communications, including, under 47 U.S.C. ' 201(b), the authority to ensure that "[a]ll charges, practices, classifications, and regulations for and in connection with [a carrier's] communication service, shall be just and reasonable." Congress amended the Communications Act in 1996 to further authorize the FCC to ensure that carriers protect the privacy of customer information.
Under 47 U.S.C. ' 222(a), carriers must "protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers." Other subsections of Section 222 provide more specific guidance on how carriers handle CPNI, defined in 47 U.S.C. ' 222(h)(1) as:
(a) information that relates to the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (b) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.
The FCC promulgated regulations in 2007 requiring carriers (and, in 2013, relay service providers) to notify law enforcement and customers in the event of a breach involving CPNI, in what is commonly known as the "Data Breach Notification Rule." Under this rule, carriers must notify the Secret Service and the FBI, through a central reporting facility, within seven business days after a reasonable determination of a breach, defined as "when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI."3
After reclassifying broadband internet service providers (ISPs) as "telecommunication services" in 2015, the FCC went on the following year to issue an omnibus Broadband Privacy Order (the 2016 Privacy Rules). These rules not only expanded the breach notification requirements to include breaches of both CPNI and PII, they also placed extensive consent requirements on ISPs to provide customers with greater transparency, choice and security regarding their personal information.
For example, under the 2016 Privacy Rules, ISPs were required to obtain "opt in" consent from consumers prior to using and sharing their sensitive information, and to give consumers the opportunity to "opt out" of the use and sharing of non-sensitive PII.
By 2016, the world had experienced the high-profile data breaches of Target, Yahoo and Ashley-Madison, among many others, and the European Union had promulgated the General Data Protection Regulation. The Federal Trade Commission (FTC) had significantly stepped up its enforcement authority under Section 5 of the FTC Act to address mishandling of customers' personal information as an "unfair" or "deceptive" trade practice. Consumer privacy had come of age.
According to Congress, however, the 2016 Privacy Rule extended the FCC's authority too far. It struck down the regulation...
