Data Breach Reporting Requirements
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
<html>
<head>
<title>Federal Register, Volume 88 Issue 14 (Monday, January 23, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 14 (Monday, January 23, 2023)]
[Proposed Rules]
[Pages 3953-3965]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-00824]
=======================================================================
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Part 64
[WC Docket No. 22-21; FCC 22-102; FR 122866]
Data Breach Reporting Requirements
AGENCY: Federal Communications Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission
(Commission) begins the process to update and strengthen its data
breach rule to provide greater protections to the public. We propose to
expand the Commission's definition of ``breach'' to include inadvertent
disclosures of customer information and seek comment on adopting a
harm-based trigger for breach notifications. We also propose to require
carriers to notify the Commission, in addition to the Secret Service
and FBI, as soon as practicable after discovery of a breach. We also
propose to eliminate the mandatory waiting period before notifying
customers and instead require carriers to notify customers of CPNI
breaches without unreasonable delay after discovery of a breach unless
requested by law enforcement. We also propose to make changes to our
TRS data breach reporting rule consistent with those we propose to our
CPNI breach reporting rule.
DATES: Comments are due on or before February 22, 2023, and reply
comments are due on or before March 24, 2023. Written comments on the
Paperwork Reduction Act proposed information collection requirements
must be submitted by the public, Office of Management and Budget (OMB),
and other interested parties on or before March 24, 2023.
ADDRESSES: You may submit comments, identified by WC Docket No. 22-21,
by any of the following methods:
• Federal Communications Commission's Website: <a href="https://apps.fcc.gov/ecfs/">https://apps.fcc.gov/ecfs/</a>. Follow the instructions for submitting comments.
• People with Disabilities: Contact the FCC to request
reasonable accommodations (accessible format documents, sign language
interpreters, CART, etc.) by email: FCC504@fcc.gov or phone: 202-418-0530
or TTY: 202-418-0432.
For detailed instructions for submitting comments and additional
information on the rulemaking process, see the SUPPLEMENTARY
INFORMATION section of this document. In addition to filing comments
with the Secretary, a copy of any comments on the Paperwork Reduction
Act proposed information collection requirements contained herein
should be submitted to the Federal Communications Commission via email
to PRA@fcc.gov and to Nicole On'gele, FCC, via email to
Nicole.Ongele@fcc.gov.
FOR FURTHER INFORMATION CONTACT: Melissa Kirkel, Competition Policy
Division, Wireline Competition Bureau, at (202) 418-7958,
melissa.kirkel@fcc.gov. For additional information concerning the
Paperwork Reduction Act information collection requirements contained
in this document, send an email to PRA@fcc.gov or contact Nicole
On'gele at (202) 418-2991.
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Notice
of Proposed Rulemaking in WC Docket No. 22-21, adopted on December 29,
2022 and released on January 6, 2023. The full text of this document is
available at <a href="https://docs.fcc.gov/public/attachments/FCC-22-102A1.pdf">https://docs.fcc.gov/public/attachments/FCC-22-102A1.pdf</a>.
To request materials in accessible formats for people with disabilities
(e.g., Braille, large print, electronic files, audio format, etc.) or
to request reasonable accommodations (e.g., accessible format
documents, sign language interpreters, CART, etc.), send an email to
fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at
(202) 418-0530.
Pursuant to Sections 1.415 and 1.419 of the Commission's rules, 47
CFR 1.415, 1.419, interested parties may file comments and reply
comments on or before the dates indicated on the first page of this
document. Comments may be filed using the Commission's Electronic
Comment Filing System (ECFS). See Electronic Filing of Documents in
Rulemaking Proceedings, 63 FR 24121 (1998).
<bullet> Electronic Filers: Comments may be filed electronically
using the internet by accessing the ECFS: <a href="https://apps.fcc.gov/ecfs/">https://apps.fcc.gov/ecfs/</a>.
<bullet> Paper Filers: Parties who choose to file by paper must
file an original and one copy of each filing.
<bullet> Filings can be sent by commercial overnight courier, or by
first-class or overnight U.S. Postal Service mail. All filings must be
addressed to the Commission's Secretary, Office of the Secretary,
Federal Communications Commission.
<bullet> Commercial overnight mail (other than U.S. Postal Service
Express Mail and Priority Mail) must be sent to 9050 Junction Drive,
Annapolis Junction, MD 20701. U.S. Postal Service first-class, Express,
and Priority mail must be addressed to 45 L Street NE, Washington, DC
20554.
<bullet> Effective March 19, 2020, and until further notice, the
Commission no longer accepts any hand or messenger delivered filings.
This is a temporary measure taken to help protect the health and safety
of individuals, and to mitigate the transmission of COVID-19. See FCC
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, DA 20-304 (March 19, 2020). <a href="https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy">https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy</a>.
The proceeding this document initiates shall be treated as a
``permit-but-disclose'' proceeding in accordance with the Commission's
ex parte rules. Persons making ex parte presentations must file a copy
of any written presentation or a memorandum summarizing any oral
presentation within two business days after the presentation (unless a
different deadline applicable to the Sunshine period applies). Persons
making oral ex parte presentations are reminded that memoranda
summarizing the presentation must (1) list all persons attending or
otherwise participating in the meeting at which the ex parte
presentation was made, and (2) summarize all data presented and
arguments made during the presentation. If the presentation consisted
in whole or in part of the presentation of data or arguments already
reflected in the presenter's written comments, memoranda or other
filings in the proceeding, the presenter may provide citations to such
data or arguments in his or her prior comments, memoranda, or other
filings (specifying the relevant page and/or paragraph numbers where
such data or arguments can be found) in lieu of summarizing them in the
memorandum. Documents shown or given to Commission staff during ex
parte meetings are deemed to be written ex parte presentations and must
be filed consistent with rule 1.1206(b). In proceedings governed by
rule 1.49(f) or for which the Commission has made available a method of
electronic filing, written ex parte presentations and memoranda
summarizing oral ex parte presentations, and all attachments thereto,
must be filed through the electronic comment filing system available
for that proceeding, and must be filed in their native format (e.g.,
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding
should familiarize
[[Page 3954]]
themselves with the Commission's ex parte rules.
This document contains proposed information collection
requirements. The Commission, as part of its continuing effort to
reduce paperwork burdens, invites the general public and the Office of
Management and Budget (OMB) to comment on the information collection
requirements contained in this document, as required by the Paperwork
Reduction Act of 1995, Public Law 104-13. Public and agency comments
are due March 24, 2023.
Comments should address: (a) whether the proposed collection of
information is necessary for the proper performance of the functions of
the Commission, including whether the information shall have practical
utility; (b) the accuracy of the Commission's burden estimates; (c)
ways to enhance the quality, utility, and clarity of the information
collected; (d) ways to minimize the burden of the collection of
information on the respondents, including the use of automated
collection techniques or other forms of information technology; and (e)
ways to further reduce the information collection burden on small
business concerns with fewer than 25 employees. In addition, pursuant
to the Small Business Paperwork Relief Act of 2002, Public Law 107-198,
see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might
further reduce the information collection burden for small business
concerns with fewer than 25 employees.
Synopsis
I. Notice of Proposed Rulemaking
1. To better protect telecommunications customers and ensure that
our rules keep pace with today's challenges, we propose a number of
updates to our rule addressing telecommunications carriers' breach
notification duties. We seek to ensure that affected customers, the
Commission, and other federal law enforcement agencies receive the
information they need in a timely manner so they can mitigate and
prevent harm due to the breach and take action to deter future
breaches. To identify best practices and to minimize burdens, we look
to other federal and state breach laws as potential models for our
rules.
2. We propose to expand the Commission's definition of ``breach''
to include inadvertent disclosures of customer information and seek
comment on adopting a harm-based trigger for breach notifications. We
also propose to require carriers to notify the Commission, in addition
to the Secret Service and FBI, as soon as practicable after discovery
of a breach. We also propose to eliminate the mandatory waiting period
before notifying customers and instead require carriers to notify
customers of CPNI breaches without unreasonable delay after discovery
of a breach unless requested by law enforcement. We also seek comment
on whether we should adopt minimum requirements for the content of
customer breach notices. We also evaluate and seek comment on the
impact of the Congressional disapproval of the 2016 Privacy Order on
the Commission's legal authority to issue the rules proposed herein for
telecommunications carriers. Finally, we propose to make changes to our
TRS data breach reporting rule consistent with those we propose to our
CPNI breach reporting rule.
A. Defining ``Breach''
3. Inadvertent Disclosures. We propose to expand the Commission's
definition of ``breach'' to include inadvertent access, use, or
disclosures of customer information and seek comment on our proposal.
Our current rule, adopted in response to the practice of pretexting,
defines a ``breach'' as ``when a person, without authorization or
exceeding authorization, has intentionally gained access to, used, or
disclosed CPNI.'' While the practice of pretexting necessarily involves
an intent to gain access to customer information, the intervening years
since the adoption of our existing rule have demonstrated that the
inadvertent exposure of customer information can result in the loss and
misuse of sensitive information by scammers and phishers, and trigger a
need to inform the affected individuals so that they can take
appropriate steps to protect themselves and their information. Further,
whether or not a breach was intentional may not always be immediately
apparent, which may lead to legal ambiguity and under-reporting. We
also believe that it is important that the Commission and law
enforcement be made aware of any accidental access, use, or disclosures
so that we can (1) investigate and advise carriers on how best to avoid
future breaches, and (2) stand ready to investigate if and when any of
the affected information falls prey to malicious actors. We anticipate
that requiring notification for accidental breaches will encourage
telecommunications carriers to adopt stronger data security practices
and will help us identify and confront systemic network
vulnerabilities. Do commenters agree with the foregoing analysis? Are
there other policy factors the Commission should consider in
determining whether to require disclosure for unintentional breaches?
What are the benefits and burdens associated with this proposal? We
note that state data breach laws overwhelmingly do not include an
intent limitation, and we seek comment on how state and other federal
data breach laws should influence the policy we adopt.
4. We seek comment on the impact of requiring reporting of
accidental breaches on the number of reported breaches. Do commenters
foresee a significant increase in the number of reported breaches? If
so, how would our proposal affect reporting costs for
telecommunications carriers and is that burden outweighed by the
benefits to customers, who may need to take actions to protect their
personal and financial information whether or not the breach was
intentional? Would removing the intentionality limit potentially risk
over-notification of data breaches to customers? What would the impacts
of over-notification be? Would the potential benefits outweigh any
potential harm? To help us assess the burden to both carriers and
consumers from requiring reporting of accidental breaches, we invite
commenters to provide estimates on the total number of breaches they
have detected over the past few years, as well as the number of people
affected by those breaches, and the severity of the compromised CPNI.
5. We propose to revise our definition to define a breach as any
instance in which a person, without authorization or exceeding
authorization, has gained access to, used, or disclosed CPNI. We seek
comment on this proposal and other possible definitions. Should we
retain the intent limitation in certain contexts? If so, what contexts
and why? With only a few exceptions, the vast majority of state
statutes include a provision exempting from the definition of breach a
good-faith acquisition of covered data by an employee or agent of the
company where such information is not used improperly or further
disclosed. Should we include such an exemption in our definition of
``breach'' or is such a provision unnecessary or otherwise inadvisable?
Is our proposed rule sufficient to capture all instances in which
persons, either purposefully or inadvertently, gain access to, use, or
disclose CPNI? If not, how should we revise our proposed rule to ensure
that it does? We also seek comment on whether we should expand the
definition of a breach to include situations where a telecommunications
carrier or a third party discovers
[[Page 3955]]
conduct that could have reasonably led to exposure of customer CPNI,
even if it has not yet determined if such exposure occurred.
6. Harm-Based Notification Trigger. We seek comment on whether to
forego requiring notification to customers or law enforcement of a
breach in those instances where a telecommunications carrier can
reasonably determine that no harm to customers is reasonably likely to
occur as a result of the breach. Our current rule requires no showing
of harm, instead requiring that notification be furnished in every
instance where a breach of a carrier's customers' CPNI has occurred,
where such breach is defined as any instance when ``a person, without
authorization or exceeding authorization, has intentionally gained
access to, used, or disclosed CPNI.''
7. We seek comment on the benefits and drawbacks of adopting a
``harm-based'' notification trigger. How would it impact consumers?
Would it benefit consumers by avoiding confusion and ``notice fatigue''
with respect to breaches that are unlikely to cause harm? Recognizing
that it is not only distressing, but time consuming and expensive, to
deal with the fallout of a data breach, we seek comment on whether a
harm-based notification trigger could save consumers the time, effort,
and financial difficulty of changing their passwords, purchasing fraud
alerts or credit monitoring, and freezing their credit in the wake of a
breach that is not reasonably likely to result in harm. Alternatively,
does a harm-based notification trigger risk that consumers would be
unaware of important information regarding their CPNI? We note that a
harm-based trigger has a basis in data breach notification frameworks
employed by states, which generally do not require covered entities to
notify customers of breaches when a determination is made that the
breach is unlikely to cause harm. How should state and other data
breach laws influence our analysis?
8. We also seek comment on the potential impacts of adopting a
harm-based trigger on telecommunications carriers. Would a harm-based
trigger allow carriers to better focus their resources on data security
and ameliorating the harms caused by data breaches? Or to the contrary,
would a harm-based trigger require carriers to unnecessarily expend
resources determining whether particular breaches are reasonably likely
to cause harm instead of more efficiently providing notice?
9. If we adopt a harm-based trigger, how should telecommunications
carriers and the Commission determine the likelihood of misuse or harm?
Should we identify a standard or set of factors that telecommunications
carriers must consider to evaluate whether no harm to customers is
reasonably likely? If so, what factors should carriers consider in
making their evaluation? We preliminarily believe that no single factor
on its own (e.g., basic encryption) is sufficient to make a
determination regarding harm to customers. Do commenters agree? Do
carriers have sufficient expertise and experience to determine whether
a breach is likely to result in harm? Should we establish a rebuttable
presumption of consumer harm unless and until a carrier demonstrates
that no harm to consumers is reasonably likely to occur as a result of
a breach?
10. We seek comment on whether we should clarify the definition of
``misuse'' or ``harm.'' For example, should we construe ``harm''
broadly to encompass not only financial, but also physical and
emotional harm, including reputational damage, personal embarrassment,
and loss of control over the exposure of intimate personal details?
Should we require telecommunications carriers to consider whether other
information about the customers that may be available combined with
CPNI could result in harm when determining whether notification is
required? Should any harm-based trigger apply even where the data
breached is encrypted? What are the potential enforcement and
compliance implications associated with this approach? Should breaches
without such ``harm'' be reported to the Commission even if not
reported to customers? Should we require the carrier to consult with
federal law enforcement and/or the Commission prior to determining that
there is no reasonable likelihood of harm or misuse? We seek comment on
whether there are other triggers we should consider for which notice
would be unnecessary, such as the number of affected consumers or the
length of time exposure occurred. Are there other factors that we
should consider before requiring breach notifications? Should we adopt
a harm-based trigger only if we require notices of unintentional
breaches, or should we evaluate the two issues independently? We also
seek comment on the current notification practices in the industry. How
do carriers currently make decisions regarding whether to notify
customers and law enforcement of a breach?
11. We seek comment on whether any harm-based notification trigger
should apply to both notifications to customers and notifications to
law enforcement. While there are legitimate reasons to consider
eliminating notifications to customers in those instances where a
breach is not reasonably likely to result in harm--including reducing
confusion, stress, financial hardship, and notice fatigue--can the same
be said of notifications to law enforcement? Are there compelling
reasons for carriers to continue notifying law enforcement of data
breaches even where such breaches are not reasonably likely to result
in consumer harm? Do the benefits of notifying law enforcement of all
breaches, regardless of whether the breach is likely to result in harm,
outweigh the attendant costs to carriers of providing such notice?
12. We propose that if we adopt a harm-based trigger, where a
carrier is unable to make a determination regarding harm or is
uncertain whether harm is likely to occur, the obligation to notify
would remain. We seek comment on this proposal.
13. We also recognize that telecommunications carriers possess
proprietary information other than CPNI that customers have an interest
in protecting from public exposure, such as Social Security Numbers and
financial records. We seek comment on the Commission's authority to
establish breach-reporting obligations for this type of information
under Section 222, to the extent that this information is obtained by a
telecommunications carrier in its activity as a common carrier. We also
seek comment on the role of the Commission in protecting such
information in light of the existing role of other agencies, including
the FTC and Cybersecurity and Infrastructure Security Agency (CISA). If
we were to require telecommunications carriers to report breaches of
proprietary information other than CPNI under Section 222(a), how
broadly or narrowly should we define that category of information? If
we were to extend our data breach rule to cover such information, how
could we minimize duplicative reporting obligations from the FTC and
CISA?
B. Notifying the Commission and Other Federal Law Enforcement of Data
Breaches
14. Commission Notification. We propose to require
telecommunications carriers to notify the Commission of breaches, in
addition to the Secret Service and FBI, as soon as practicable, and
seek comment on our proposal. Our proposal is consistent with other
federal sector-specific laws, which require prompt notification to the
relevant subject-matter agency. For example, both HIPAA and the Health
Breach
[[Page 3956]]
Notification Rule require notice to the Department of Health and Human
Services (HHS) and the FTC respectively. We seek comment on the
benefits and costs of requiring notification to the Commission in
addition to notifying the Secret Service and the FBI, as our existing
rules require.
15. As discussed above, the Commission adopted its existing data
breach rule to address concerns regarding pretexting practices. The
Commission found that notifying law enforcement of CPNI breaches is
consistent with the goal of protecting CPNI because it enables law
enforcement to investigate the breach, ``which could result in legal
action against the perpetrators, thus ensuring that they do not
continue to breach CPNI.'' Moreover, the Commission anticipated that
law enforcement investigations into how breaches occurred would enable
law enforcement to advise the carrier and the Commission to take steps
to prevent future breaches of that kind. However, as we have seen in
the years since our data breach rule was initially adopted, not all
breaches of customer data are the result of criminal pretexting, which
was the Commission's sole focus in 2007. Large-scale security breaches can
also be the result of lax or inadequate data security practices and
employee training. Thus, we tentatively conclude that notification of
breaches will provide Commission staff important information about data
security vulnerabilities that Commission staff can help address and
remediate. We anticipate that breach notification to the Commission
will also shed light on carriers' ongoing compliance with our rules. We
seek comment on these tentative conclusions. How much of an incremental
burden is associated with notifying the Commission of data breaches as
compared to the existing data breach notification requirement for the
Secret Service and FBI? Are there any other government entities to
which we should require data breach reporting, such as the FTC? What
would be the benefits and burdens of doing so?
16. Method of Notification. We propose that the Commission create
and maintain a centralized portal for reporting breaches to the
Commission and other federal law enforcement agencies, and we seek
comment on our proposal. Our current breach notification rule requires
that telecommunications carriers notify the FBI and Secret Service
``through a central reporting facility'' to which the Commission
maintains a link on its website. We believe that the creation and
operation by the Commission of a centralized reporting facility for
reporting of breaches to the Commission, Secret Service, and FBI will
streamline the notification process and improve federal coordination.
Do commenters agree? Are there alternative mechanisms for breach
reporting to the Commission and other federal law enforcement that we
should consider instead, such as leveraging the existing central
reporting facility? Are there existing notification resources that we
can leverage? For example, could we leverage the CISA Incident
Reporting System to minimize burdens on carriers?
17. We seek comment on how we can minimize data breach reporting
burdens for telecommunications carriers. The recently-passed Cyber
Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
requires covered entities to notify CISA of cybersecurity incidents
and establishes an interagency Cyber Incident Reporting Council
intended to streamline interagency cyber incident reporting. When
implemented, CIRCIA will require covered entities to report
cybersecurity incidents to CISA, except where covered entities ``by
law, regulation, or contract'' are already required to report
``substantially similar information to another Federal agency within a
substantially similar timeframe,'' in which case the other agency will
report the incident to CISA. To the extent that a breach of CPNI is a
result of a cyber incident, we seek comment on whether there are any
modifications to our proposed rules that would minimize potential
duplicate reporting of such breaches.
18. Contents. We seek comment on applying our existing requirements
regarding the contents of the data breach notification to federal law
enforcement agencies to breaches reported to the Commission. Generally,
the central reporting facility requires carriers to report information
relevant to the breach, including carrier contact information; a
description of the breach incident; the method of compromise; the date
range of the incident; approximate number of customers affected; an
estimate of financial loss to the carriers and customers, if any; types
of data breached; and the addresses of affected customers. We believe
that the information currently submitted through the FBI/Secret Service
reporting facility is largely sufficient, and that generally the same
information should be reported under the rule we propose here. Do
commenters agree? Are there any additional or alternative categories of
information that should be included in these disclosures? For example,
should we require telecommunications carriers to report, at a minimum,
the information required under CIRCIA with the aim of minimizing
potentially duplicate reporting requirements? Should we curtail or
streamline any of the existing content requirements? For example,
should we eliminate the requirement that carriers report the addresses
of affected individuals to law enforcement and the Commission, to
minimize the personal information reported to the Commission and law
enforcement?
19. Timeframe. We seek comment on the appropriate timeframe for
notifying the Commission and other federal law enforcement of a breach.
Our current rule requires telecommunications carriers to notify the
Secret Service and the FBI of all breaches of CPNI no later than seven
business days after reasonable determination of the breach. We propose
to require carriers to notify the Commission of a reportable breach
contemporaneously with notification to other law enforcement agencies
as soon as practicable after discovery of a breach. We believe that
requiring carriers to notify the Commission, Secret Service, and FBI at
the same time will minimize burdens on carriers, eliminate confusion
regarding obligations, and streamline the reporting process, allowing
carriers to free up resources that can be used to address the breach
and prevent further harm. We seek comment on our proposal. Is ``as soon
as practicable after discovery of a breach'' an appropriate timeframe
for notifying law enforcement after reasonable determination of a CPNI
breach? Or, should we maintain the current ``no later than seven
business days'' standard? Is there an alternative timeframe we should
adopt for reporting CPNI breaches to the Commission and other federal
law enforcement such as 24 hours or 72 hours as has been proposed in
other contexts, or should we consider adopting a graduated timeframe?
We also seek comment on whether we should clarify when a carrier should
be treated as having ``reasonably determined'' that a breach has
occurred. Should a carrier be held to have ``reasonably determined'' a
breach has occurred when it has information indicating that it is more
likely than not that there was a breach? Should we publish guidance on
what constitutes a reasonable determination? Should we adopt a more
definite standard?
20. Threshold Trigger. We seek comment on whether it is appropriate
to set a threshold for the number of customers affected to require a
breach report to the Commission, Secret
Service, and/or FBI. We observe that breaches affecting smaller numbers
of customers may not necessitate the same law enforcement attention as
larger breaches because they may be less likely to reflect coordinated
attacks on CPNI. Under our current rule, telecommunications carriers
must notify federal law enforcement of all reportable breaches,
regardless of the number of customers affected. Setting a threshold for
the number of customers affected for breach reporting to the Secret
Service and FBI could reduce the administrative burdens on carriers and
law enforcement agencies from excessive reporting, and is consistent
with many state statutes requiring notice to state law enforcement
authorities, which require law enforcement notification of large
breaches.
21. At the same time, establishing a threshold may limit our and
our federal partners' abilities to remediate, investigate, and deter
smaller breaches. Further, as the Commission has previously found,
notification of all breaches could allow the Commission and federal law
enforcement to be ``better positioned than individual carriers to
develop expertise about the methods and motives associated with CPNI
breaches.'' Is this still the case, given the development of data
breach law and practices since 2007? Should we adopt a threshold for
reporting to federal law enforcement? If so, should the threshold be
the same for the Commission as for federal law enforcement? If not, how
should the threshold differ? What would be an appropriate threshold for
reporting? Most states that adopt a threshold for reporting to law
enforcement or government agencies require reporting at 250, 500, or
1000 individuals affected. What reporting threshold would meet the
needs of law enforcement and provide adequate safeguards? What are the
benefits and drawbacks of setting a threshold, particularly for small
carriers? If we adopt a threshold trigger, should we require carriers
to maintain a record of smaller breaches that fall below the threshold
and report such small breaches to the Commission in a report at the end
of the year? What are the benefits and drawbacks to such an approach?
Rather than a numerical threshold, should we instead consider requiring
carriers to report only intentional breaches to law enforcement, but to
report all breaches, whether intentional or inadvertent, to the
Commission?
C. Customer Notification
22. Notifying Customers of Data Breaches without Unreasonable
Delay. We propose to require telecommunications carriers to notify
customers of CPNI breaches without unreasonable delay after discovery
of a breach and notification to law enforcement, unless law enforcement
requests a delay. We seek comment on our proposal. Our existing data
breach rule prohibits telecommunications carriers from notifying
customers or disclosing the breach to the public until at least seven
full business days after notification to the Secret Service and FBI. In
cases where a carrier believes that there is an extraordinarily urgent
need to notify affected customers in order to avoid immediate and
irreparable harm, our rules permit carriers to notify affected
customers after consultation with relevant investigating agencies. In
adopting the existing rule, the Commission concluded that once
customers have been notified, a breach may become public knowledge,
``thereby impeding law enforcement's ability to investigate the breach,
identify the perpetrators, and determine how the breach occurred.'' In
short, the Commission found, ``immediate customer notification may
compromise all the benefits of requiring carriers to notify law
enforcement of CPNI breaches,'' and therefore a short delay was
warranted.
23. We tentatively conclude that this existing approach is
out-of-step with current approaches regarding the urgency of notifying victims
about breaches of their personal information. We tentatively conclude
that our proposal better serves the public interest than our current
rule because it increases the speed at which customers may receive the
important information contained in a notice, except in those specific
circumstances when law enforcement officials specifically request
otherwise. We seek comment on our tentative conclusion. What are the
benefits and drawbacks to such an approach? Is there any reason to
maintain our current absolute bar to customer notification for a set
period? Does our proposal to eliminate the seven business-day waiting
period before notifying customers appropriately balance legitimate law
enforcement needs with the customers' need to take action to timely
protect their information after a breach? We seek comment on whether a
``without unreasonable delay'' notification requirement would allow
carriers enough time to determine the scope and impact of a breach.
Would prompt customer notification compromise a carrier's ability to
discover the source of the breach, mitigate the loss of data, and
ensure further data is not compromised?
24. Our proposed requirement is consistent with many existing data
breach notification laws that require expedited notice but refrain from
requiring a specific timeframe. For example, the GLBA requires customer
notification ``as soon as possible'' after a determination that
customer information has been misused. California law requires
notification ``be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of law
enforcement.'' Similarly, many state data breach statutes impose an
``expeditiously as practicable'' or ``without unreasonable delay''
standard instead of a set time limit for reporting. In addition, FTC
guidance on addressing data breaches explains that ``if you quickly
notify people that their personal information has been compromised,
they can take steps to reduce the chance that their information will be
misused.'' How should state and other federal law influence the
approach we adopt?
25. We seek comment on whether requiring notice to customers
``without unreasonable delay'' after discovery of a breach provides
sufficient guidance as to the required timeframe to notify customers.
Should we adopt a different approach, such as a fixed number of days
for notification, and if so what should we adopt? If we were to adopt a
``without unreasonable delay'' standard, we seek comment on whether we
should provide guidance on a specific time period that would be
considered ``reasonable'' for notification. For example, HIPAA requires
notification to individuals ``without unreasonable delay and in no case
later than 60 calendar days after discovery of a breach.'' The Health
Breach Notification Rule also requires notification to individuals
``without unreasonable delay and in no case later than 60 days after
the discovery of a breach of security.'' Most states that impose an
outside limit on when consumers must be notified of a breach require
notification to affected consumers no later than 30, 45, or 60 days
after discovery of a breach. What are the benefits and drawbacks to
setting a definite time limit on notification while requiring
notification without unreasonable delay?
26. We also seek comment on whether the same notification deadline
should be applied to all carriers. Are there unique concerns or
compliance barriers for small carriers that make prompt
response unfeasible, such as resource availability or reliance on
third-party cybersecurity services for breach detection? Should we
adopt different notification requirements for small carriers? If so,
what threshold should we establish for small carriers? Should we
consider establishing any other exceptions to this proposed
requirement? We also seek comment on whether we should take into
consideration the scope of the breach, e.g., how many customers are
affected, the type of information breached, in determining the
appropriate timeframe for customer breach reporting.
27. We seek comment on how best to coordinate the timing of
customer notification and federal law enforcement notification. Our
current rule, providing for consecutive rather than simultaneous
notification of federal law enforcement and customers, was adopted at
the request of federal law enforcement. Is such an approach still
necessary? Are there circumstances in which it would be acceptable for
carriers to notify customers and law enforcement simultaneously? Given
that nearly all, if not all, state data breach
statutes subject the timing of customer notification to legitimate law
enforcement needs, we seek comment on whether it is necessary to
provide any further guidance to help coordinate the timing of notice to
customers with notice to the Commission and other federal law
enforcement.
28. In addition, consistent with our current rules implementing
Section 222, our proposed rules would allow a federal agency to direct
a carrier to delay customer notification for an initial period of up to
30 days if such notification would interfere with a criminal
investigation or national security. In circumstances when a carrier
reasonably decides to consult with law enforcement, a short delay
pending such consultation would likely be reasonable for purposes of a
``without unreasonable delay'' standard for customer notification. We
seek comment on this proposal. We observe that HIPAA, the GLBA, and the
Health Breach Notification Rules allow for a delay of customer
notification if law enforcement determines notification to customers
would ``impede a criminal investigation or cause damage to national
security,'' but only if law enforcement officials request such a delay.
Both HIPAA and the Health Breach Notification Rule allow notification
delays of up to 30 days if requested by law enforcement. Similarly,
GLBA allows that ``customer notice may be delayed if an appropriate law
enforcement agency determines that notification will interfere with a
criminal investigation and provides the institution with a written
request for a delay.'' Likewise, most, if not all, states permit delays
in notifying affected consumers for legitimate law enforcement needs.
We tentatively conclude that our proposal strikes an appropriate
balance between the needs of law enforcement to have time to
investigate criminal activity and the needs of customers to be notified
of data breaches. Do commenters agree? We also observe that these other
regimes appear to allow non-federal law enforcement to request a delay,
whereas the Commission's rule currently allows only federal agencies to
so request. Should our rule also allow carriers to delay notification
upon request of non-federal law enforcement?
29. Contents of Customer Breach Notification. We seek comment on
whether we should require customer breach notifications to include
specific minimum categories of information. Our current rules specify
when and to whom breach notifications must be made, but do not address
the content of such notifications. In adopting the current breach
notification rules, the Commission declined to specify the precise
content of the notice that must be provided to customers in the event
of a security breach of CPNI, ``leav[ing] carriers the discretion to
tailor the language and method of notification to the circumstances.''
Nearly 15 years later, we now seek comment on whether it is appropriate
to require a minimum amount of information to ensure that such data
breach notifications contain actionable information that is useful to
the consumer. We seek comment on the benefits to customers and carriers
of requiring carriers to include minimum categories of information in
customer data breach notices. Will having minimum consistent fields of
information assist consumers in understanding the circumstances and
nature of the breach and streamline notice practices for carriers? What
are the drawbacks to doing so? Are there any legal barriers to adopting
a rule that prescribes the minimum categories of information in these
breach notices?
30. To identify possible categories of information to require,
we look to numerous state data breach statutes as well as existing
federal guidance regarding data breach notices. All 50 states, the
District of Columbia, Guam, Puerto Rico, and the Virgin Islands have
laws requiring private or governmental entities to notify individuals
of breaches involving their personal information. Of these, many impose
minimum content requirements on the notifications that must be
transmitted to affected individuals in the wake of a data breach,
including: the name and contact information for the entity reporting
the breach; the date, estimated date, or estimated date range of the
breach; a description of the breach incident; a description of the
personally identifiable information that was used, disclosed, or
accessed, or reasonably believed to have been used, disclosed, or
accessed; any actions the entity is taking to remedy the situation
and/or protect affected individuals; a brief list of steps that affected
consumers can take to protect themselves and their information, such as
contacting credit bureaus to ask that fraud alerts or credit freezes be
placed on their credit reports; and contact information for the FTC and
any federal agency that assists consumers with matters of identity
theft. Similarly, both the HIPAA Breach Notification Rule and guidance
issued by the Federal Deposit Insurance Corporation (FDIC) in response
to the GLBA impose minimum content requirements on data breach
notifications. In its Data Breach Response Guide, the FTC advises
companies on specific information that should be included in their
breach notices to individuals, including describing what the company
knows about the breach (how it happened, what information was taken,
how the thieves have used the information (if known), what actions the
company has taken to remedy the situation, what actions the company is
taking to protect individuals, how to reach the relevant contact in the
organization); the steps individuals can take, given the type of
information exposed, and provide relevant contact information; current
information about how to recover from identity theft; information about
the law enforcement agency working on the case, if the law enforcement
agency agrees that would help; encouraging people who discover that
their information has been misused to report it to the FTC; and
describing how the company will contact consumers in the future to help
victims avoid phishing scams.
31. We seek comment on adapting these models to telecommunications
carriers and requiring carriers to include, at a minimum, the following
information in security breach notices to customers: (1) the date of
the breach; (2) a description of the customer information that was
used, disclosed, or accessed; (3) information on how customers,
including customers with disabilities, can contact the carrier to
inquire about the breach; (4) information about how to contact the
Commission, FTC, and any state regulatory agencies relevant to the
customer and the service; (5) if the breach creates a risk of identity
theft, information about national credit reporting agencies and the
steps customers can take to guard against identity theft, including any
credit monitoring, credit reporting, or credit freezes the carrier is
offering to affected customers; and (6) what other steps customers
should take to mitigate their risk based on the specific categories of
information exposed in the breach. Are the identified categories the
correct information to be included in data breach notices? Should we
consider requiring any additional or alternative categories of
information that carriers must include in customer breach notices? For
example, would it be helpful to include a statement of whether the
notification was delayed due to reporting requirements to law
enforcement or a law enforcement investigation, and if so, the length
of the delay to help explain to customers the time lapse between
discovery of the breach and customer notification? Should we require
notifications to include a list of the law enforcement and government
entities that have been notified of the breach? Should we require
carriers to include a brief description of how the carrier will contact
consumers in the future regarding the breach to help consumers avoid
phishing scams related to breaches? What are best practices for
providing consumers with actionable information in a breach
notification? We seek comment on what minimum required information
appropriately balances empowering consumers to take the necessary steps
to protect themselves and their information in the wake of a data
breach and appropriately limiting burdens on telecommunications
carriers. We also seek comment on whether adopting or adapting a set of
existing notification contents requirements will help to create a
measure of consistency across breach notifications and will benefit
both consumers and carriers, particularly smaller carriers, by
streamlining the manner and content of their response in the event of a
data breach.
32. Method of Customer Breach Notification. We observe that many
state regulations specify the form that notifications to customers may
take, whether by physical mail, email, or telephone. We seek comment on
whether we should adopt a similar requirement and, if so, on what form
notifications to consumers should take. Is there a method or methods of
notification that would make the most sense or be most beneficial to
consumers? What are the benefits and burdens of imposing such a
requirement?
D. TRS Breach Reporting
33. In 2013, the Commission adopted CPNI rules applicable to all
forms of Telecommunications Relay Services (TRS), as well as to
point-to-point video calls handled over the video relay services (VRS)
network. The Commission found that ``for TRS to be functionally
equivalent to voice telephone services, consumers with disabilities who
use TRS are entitled to have the same assurances of privacy as do
consumers without disabilities for voice telephone services.'' The CPNI
rules for TRS include a breach notification rule that is equivalent to
Sec. 64.2011 in terms of the substantive protection provided to TRS
users. The texts of the two provisions are virtually identical, except
for the substitution of the term ``TRS provider'' for
``telecommunications carrier'' in Sec. 64.5111. The only substantive
difference is that under the TRS rule, after a TRS provider notifies
law enforcement of a breach, it ``shall file a copy of the notification
with the Disability Rights Office of the Consumer and Governmental
Affairs Bureau at the same time as when the TRS provider notifies the
customers.''
34. To maintain functional equivalency for TRS users, we propose to
amend Sec. 64.5111 so that it continues to provide equivalent privacy
protection for TRS users. The amendments we propose for Sec. 64.5111
are thus essentially the same as those proposed for users of
telecommunications and interconnected VoIP services. That is, we
propose: (1) to expand the Commission's definition of ``breach'' to
include inadvertent disclosures of customer information; (2) to require
TRS providers to notify the Commission, in addition to the Secret
Service and FBI, as soon as practicable after discovery of a breach;
and (3) to eliminate the mandatory waiting period to notify customers,
instead requiring TRS providers to notify customers of CPNI breaches
without unreasonable delay after discovery of a breach unless law
enforcement requests a delay. Further, we seek comment on the following
additional issues, raised above regarding Sec. 64.2011, as they relate
to TRS providers: (1) whether to adopt a harm-based trigger for breach
notifications; (2) whether we should adopt minimum requirements for the
content of customer breach notices; and (3) whether our rules should
address breaches of sensitive personal information.
35. We seek comment on each of these proposals and their costs and
benefits. Should updated data breach requirements for TRS providers be
identical to those we adopt for providers of telecommunications and
interconnected VoIP services, or are there circumstances unique to TRS
providers that warrant differences in their obligations regarding data
breaches? Are any additional notification requirements necessary to
ensure TRS users receive functionally equivalent privacy protection? If
we adopt the proposed requirement that service providers notify the
Commission of breaches via a centralized portal, is there any need to
retain the current requirement that TRS providers submit a copy of any
breach notification to the Disability Rights Office of the Consumer and
Governmental Affairs Bureau? Finally, would TRS providers incur costs
or other compliance burdens under the proposed amendments that are
disproportionately greater than those incurred by providers of
telecommunications and interconnected VoIP services, and if so, would
the extent of such costs or burdens justify the application of
different breach notification requirements to TRS?
36. Legal Authority. Section 225 of the Act directs the Commission
to ensure that TRS are available to enable communication in a manner
that is functionally equivalent to voice telephone services. In 2013,
the Commission found that applying the privacy protections of the
Commission's CPNI regulations to TRS users advances the functional
equivalency of TRS. The Commission concluded further that the specific
mandate of Section 225 to establish ``functional requirements,
guidelines, and operations procedures for TRS'' authorizes the
Commission to make the privacy protections of the Commission's CPNI
regulations applicable to TRS users. In addition, the Commission found
that extending the CPNI regulations to TRS users is ancillary to its
responsibilities under Section 222 of the Act to telecommunications
service subscribers that place calls to or receive calls from TRS
users, because TRS call records include call detail information
concerning all calling and called parties. Finally, the Commission
determined that applying CPNI requirements to point-to-point video
services provided by VRS providers is ancillary to its
responsibilities under Sections 222 and 225.
37. We tentatively conclude that, for the same reasons cited in the
2013 VRS Reform Order, these sources of authority for establishing the
current CPNI rules for TRS authorize the Commission to amend those
rules to ensure that TRS users receive privacy protections equivalent
to those proposed for users of telecommunications and VoIP services. We
seek comment on this tentative conclusion.
E. Legal Authority
38. Section 222. We believe that Section 222 provides authority to
adopt the breach notification rules for which we seek comment in this
Notice of Proposed Rulemaking. We also tentatively conclude that we
have authority to apply the rules proposed in this Notice of Proposed
Rulemaking to interconnected VoIP providers. We seek comment on these
tentative conclusions.
39. Section 222 of the Act governs telecommunications carriers in
their use, disclosure, and protection of proprietary information that
they obtain in the course of providing telecommunications services.
Section 222(a) imposes a duty on carriers to ``protect the
confidentiality of proprietary information of, and relating to''
customers, fellow carriers, and equipment manufacturers. Section 222(c)
imposes more specific requirements on carriers as to the protection and
confidentiality of CPNI. We tentatively conclude that both subsections
provide us authority to adopt rules requiring telecommunications
carriers and interconnected VoIP providers to address breaches of CPNI.
40. The Commission has long required carriers to report data
breaches as part of their duty to protect the confidentiality of
customers' information. We believe that the proposed revisions to the
Commission's data breach reporting rule reinforce carriers' duty to
protect the confidentiality of their customers' information. Data
breach reporting requirements also reinforce our other rules addressing
the protection of CPNI. For example, data breach notifications can
meaningfully inform customer decisions regarding whether to give,
withhold, or retract their approval to use or disclose their
information. Similarly, we believe that requiring carriers to notify
the Commission in the event of a data breach will better enable the
Commission to identify and confront systemic network vulnerabilities
and help investigate and advise carriers on how best to avoid future
breaches, also helping carriers to fulfill their duty under Section
222(a) to protect the confidentiality of their customers' information.
We seek comment on this analysis.
41. Interconnected VoIP. We believe that we have authority under
Section 222 and our ancillary jurisdiction to apply the rules we
propose today to interconnected VoIP providers. In 2007, the Commission
exercised ancillary jurisdiction to extend its Part 64 CPNI rules to
interconnected VoIP services. Since then, interconnected VoIP providers
have operated under these rules. Interconnected VoIP services remain
within the Commission's subject matter jurisdiction and we believe that
the application of customer privacy requirements to these services is
``reasonably ancillary to the effective performance'' of our statutory
responsibility under Section 222. As the Commission explained in 2007,
``American consumers [can reasonably] expect that their telephone calls
are private irrespective of whether the call is made using the service
of a wireline carrier, a wireless carrier, or an interconnected VoIP
provider.'' Now, as then, extending Section 222's protections to
interconnected VoIP service customers is also ``necessary to protect
the privacy of wireline or wireless customers that place calls to or
receive calls from interconnected VoIP providers.'' In addition, in
2008, Congress ratified the Commission's decision to apply Section
222's requirements to interconnected VoIP services by adding language
to Section 222 that expressly covers ``IP-enabled voice service,''
defined expressly to incorporate the Commission's definition of
``interconnected VoIP service.'' The 2008 revisions to Section 222
would not make sense if the privacy-related duties of subsections (a)
and (c) did not apply to interconnected VoIP providers. We seek comment
on this analysis.
42. We seek comment on whether there are other bases of authority
on which we can rely to adopt the rules we propose and seek comment on
today.
F. Impact of the Congressional Disapproval of the 2016 Privacy Order
43. As noted above, in 2016, the Commission acted to revise its
breach notification rule as part of a larger proceeding addressing
privacy requirements for broadband internet access service providers
(ISPs). The rules the Commission adopted in the 2016 Privacy Order
applied to telecommunications carriers and interconnected VoIP
providers in addition to ISPs, which had been classified as providers
of telecommunications services in 2015. In 2017, however, Congress
nullified those 2016 revisions to the Commission's CPNI rules under the
Congressional Review Act.
44. As a threshold matter, we seek comment on the effect of the
Congressional disapproval of the 2016 Privacy Order under the
Congressional Review Act. While we seek comment on a range of proposals
in this item, we clarify that, in light of the Congressional resolution
of disapproval, we are not seeking comment on ``reissu[ing] . . . in
substantially the same form,'' or on issuing ``a new rule that is
substantially the same as,'' the rule disapproved by Congress. More
generally, though, we seek comment here on the effect and scope of the
Congressional disapproval of the 2016 Privacy Order for purposes of
adopting rules that apply to telecommunications carriers.
G. Digital Equity Considerations
45. The Commission, as part of its continuing effort to advance
digital equity for all, including people of color and others who have
been historically underserved, marginalized, and adversely affected by
persistent poverty and inequality, invites comment on any
equity-related considerations and benefits (if any) that may be associated
with the proposals and issues discussed herein. Specifically, we seek
comment on how our proposals may promote or inhibit advances in
diversity, equity, inclusion, and accessibility.
II. Procedural Matters
46. Initial Regulatory Flexibility Analysis. As required by the
Regulatory Flexibility Act, the Commission has prepared an Initial
Regulatory Flexibility Analysis (IRFA) of the possible significant
economic impact on small entities of the policies and rules addressed
in this document. The IRFA is set forth in Appendix B. Written public
comments are requested on the IRFA. Comments must be filed by the
deadlines for comments on the Notice of Proposed Rulemaking indicated
on the first page of this document and must have a separate and
distinct heading designating them as responses to the IRFA. The
Commission's Consumer and Governmental Affairs Bureau, Reference
Information Center, will send a copy of this Notice of Proposed
Rulemaking, including the IRFA, to the Chief Counsel for Advocacy of
the SBA.
47. People with Disabilities. To request materials in accessible
formats for people with disabilities (braille, large print, electronic
files, audio format), send an email to fcc504@fcc.gov
or call the Consumer & Governmental Affairs Bureau at 202-418-0530
(voice).
III. Initial Regulatory Flexibility Analysis
1. As required by the Regulatory Flexibility Act of 1980, as
amended (RFA), the Commission has prepared this Initial Regulatory
Flexibility Analysis (IRFA) of the possible significant economic impact
on small entities by the policies and rules proposed in this Notice of
Proposed Rulemaking. The Commission requests written public comments on
this IRFA. Comments must be identified as responses to the IRFA and
must be filed by the deadlines for comments provided on the first page
of the Notice of Proposed Rulemaking. The Commission will send a copy
of the Notice of Proposed Rulemaking, including this IRFA, to the Chief
Counsel for Advocacy of the Small Business Administration (SBA). In
addition, the Notice of Proposed Rulemaking and IRFA (or summaries
thereof) will be published in the Federal Register.
A. Need for, and Objectives of, the Proposed Rules
2. The Commission first adopted a rule in 2007 requiring
telecommunications carriers and interconnected Voice over Internet
Protocol (VoIP) providers to notify customers and federal law
enforcement of breaches of customer proprietary network information
(CPNI) in the carriers' possession. In the almost decade and a half
since that time, data breaches nationwide have increased in both
frequency and severity in all industries. In the telecommunications
industry, the public has suffered an increasing number of security
breaches of customer information in recent years. Federal and state
data breach laws covering other areas have evolved since 2007. Those
developments combined with our specific experience suggest
opportunities for improvement in our own breach notification rule.
Today, we begin the process to update and strengthen our data breach
rule to provide greater protections to the public.
3. The Commission adopted the data breach rule, like the rest of
the privacy safeguards adopted in the 2007 CPNI Order, to address the
problem of ``pretexting,'' the practice of pretending to be a
particular customer or other authorized person in order to obtain
access to that customer's call detail or other private communications
records. In the almost 15 years since, it has become clear that
breaches of customer information in many contexts extend far beyond
pretexting in general or the specific type of pretexting addressed at
that time and are increasing in scale and evolving in methodology. The
increasing severity and diversifying methods of security breaches
involving customer information can have lasting detrimental impacts on
customers whose information has been breached.
4. To better protect telecommunications customers and ensure that
our rules keep pace with today's challenges, we propose a number of
updates to our rule addressing telecommunications carriers' breach
notification duties. We seek to ensure that affected customers, the
Commission, and other federal law enforcement agencies receive the
information they need in a timely manner so they can mitigate and
prevent harm due to the breach and take action to deter future
breaches. To identify best practices and to minimize burdens, we look
to other federal and state breach laws as potential models for our
rules.
5. In this document, we propose to expand the Commission's
definition of ``breach'' to include inadvertent disclosures of customer
information and seek comment on adopting a harm-based trigger for
breach notifications. We also propose to require carriers to notify the
Commission, in addition to the Secret Service and FBI, as soon as
practicable after discovery of a breach. We also propose to eliminate
the mandatory waiting period before notifying customers and instead
require carriers to notify customers of CPNI breaches without
unreasonable delay after discovery of a breach unless law enforcement
requests a delay. We also seek comment on whether we should adopt
minimum requirements for the content of customer breach notices, and we
seek comment on whether our rules should address breaches of other
types of sensitive personal information beyond CPNI. Finally, we
propose to make changes to our TRS data breach reporting rule
consistent with those we propose to our CPNI breach reporting rule.
B. Legal Basis
6. The legal basis for any action that may be taken pursuant to
this Notice of Proposed Rulemaking is contained in Sections 1, 4(i),
4(j), 201, 202, 222, 225, 303(r), and 332 of the Communications Act of
1934, as amended, 47 U.S.C. 151, 154, 201, 202, 222, 225, 303(r), 332.
C. Description and Estimate of the Number of Small Entities to Which
the Proposed Rules Will Apply
7. The RFA directs agencies to provide a description of and, where
feasible, an estimate of the number of small entities that may be
affected by the proposed rules and by the rule revisions on which the
Notice of Proposed Rulemaking seeks comment, if adopted. The RFA
generally defines the term ``small entity'' as having the same meaning
as the terms ``small business,'' ``small organization,'' and ``small
governmental jurisdiction.'' In addition, the term ``small business''
has the same meaning as the term ``small-business concern'' under the
Small Business Act. A ``small-business concern'' is one which: (1) is
independently owned and operated; (2) is not dominant in its field of
operation; and (3) satisfies any additional criteria established by the
SBA.
8. Small Businesses, Small Organizations, Small Governmental
Jurisdictions. Our actions, over time, may affect small entities that
are not easily categorized at present. We therefore describe here, at
the outset, three broad groups of small entities that could be directly
affected herein. First, while there are industry specific size
standards for small businesses that are used in the regulatory
flexibility analysis, according to data from the Small Business
Administration's (SBA) Office of Advocacy, in general a small business
is an independent business having fewer than 500 employees. These types
of small businesses represent 99.9 percent of all businesses in the
United States, which translates to 32.5 million businesses.
9. Next, the type of small entity described as a ``small
organization'' is generally ``any not-for-profit enterprise which is
independently owned and operated and is not dominant in its field.''
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000
or less to delineate its annual electronic filing requirements for
small exempt organizations. Nationwide, for tax year 2018, there were
approximately 571,709 small exempt organizations in the U.S. reporting
revenues of $50,000 or less according to the registration and tax data
for exempt organizations available from the IRS.
10. Finally, the small entity described as a ``small governmental
jurisdiction'' is defined generally as ``governments of cities,
counties, towns, townships, villages, school districts, or special
districts, with a population of less than fifty thousand.'' U.S. Census
Bureau data from the 2017 Census of
[[Page 3962]]
Governments indicate that there were 90,075 local governmental
jurisdictions consisting of general purpose governments and special
purpose governments in the United States. Of this number there were
36,931 general purpose governments (county, municipal and town or
township) with populations of less than 50,000 and 12,040 special
purpose governments--independent school districts with enrollment
populations of less than 50,000. Accordingly, based on the 2017 U.S.
Census of Governments data, we estimate that at least 48,971 entities
fall into the category of ``small governmental jurisdictions.''
1. Wireline Carriers
11. Wired Telecommunications Carriers. The U.S. Census Bureau
defines this industry as establishments primarily engaged in operating
and/or providing access to transmission facilities and infrastructure
that they own and/or lease for the transmission of voice, data, text,
sound, and video using wired communications networks. Transmission
facilities may be based on a single technology or a combination of
technologies. Establishments in this industry use the wired
telecommunications network facilities that they operate to provide a
variety of services, such as wired telephony services, including VoIP
services, wired (cable) audio and video programming distribution, and
wired broadband internet services. By exception, establishments
providing satellite television distribution services using facilities
and infrastructure that they operate are included in this industry.
Wired Telecommunications Carriers are also referred to as wireline
carriers or fixed local service providers.
12. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms that operated in this industry for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees.
Additionally, based on Commission data in the 2021 Universal Service
Monitoring Report, as of December 31, 2020, there were 5,183 providers
that reported they were engaged in the provision of fixed local
services. Of these providers, the Commission estimates that 4,737
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
13. Local Exchange Carriers (LECs). Neither the Commission nor the
SBA has developed a size standard for small businesses specifically
applicable to local exchange services. Providers of these services
include both incumbent and competitive local exchange service
providers. Wired Telecommunications Carriers is the closest industry
with an SBA small business size standard. Wired Telecommunications
Carriers are also referred to as wireline carriers or fixed local
service providers. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that there
were 3,054 firms that operated in this industry for the entire year. Of
this number, 2,964 firms operated with fewer than 250 employees.
Additionally, based on Commission data in the 2021 Universal Service
Monitoring Report, as of December 31, 2020, there were 5,183 providers
that reported they were fixed local exchange service providers. Of
these providers, the Commission estimates that 4,737 providers have
1,500 or fewer employees. Consequently, using the SBA's small business
size standard, most of these providers can be considered small
entities.
14. Incumbent LECs. Neither the Commission nor the SBA has
developed a small business size standard specifically for incumbent
local exchange services. Wired Telecommunications Carriers is the
closest industry with an SBA small business size standard. The SBA
small business size standard for Wired Telecommunications Carriers
classifies firms having 1,500 or fewer employees as small. U.S. Census
Bureau data for 2017 show that there were 3,054 firms in this industry
that operated for the entire year. Of this number, 2,964 firms operated
with fewer than 250 employees. Additionally, based on Commission data
in the 2021 Universal Service Monitoring Report, as of December 31,
2020, there were 1,227 providers that reported they were incumbent
local exchange service providers. Of these providers, the Commission
estimates that 929 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, the
Commission estimates that the majority of incumbent local exchange
carriers can be considered small entities.
15. Competitive Local Exchange Carriers (Competitive LECs). Neither
the Commission nor the SBA has developed a size standard for small
businesses specifically applicable to local exchange services.
Providers of these services include several types of competitive local
exchange service providers. Wired Telecommunications Carriers is the
closest industry with an SBA small business size standard. The SBA small
business size standard for Wired Telecommunications Carriers classifies
firms having 1,500 or fewer employees as small. U.S. Census Bureau data
for 2017 show that there were 3,054 firms that operated in this
industry for the entire year. Of this number, 2,964 firms operated with
fewer than 250 employees. Additionally, based on Commission data in the
2021 Universal Service Monitoring Report, as of December 31, 2020,
there were 3,956 providers that reported they were competitive local
exchange service providers. Of these providers, the Commission
estimates that 3,808 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, most of
these providers can be considered small entities.
16. Interexchange Carriers (IXCs). Neither the Commission nor the
SBA has developed a small business size standard specifically for
Interexchange Carriers. Wired Telecommunications Carriers is the
closest industry with an SBA small business size standard. The SBA small
business size standard for Wired Telecommunications Carriers classifies
firms having 1,500 or fewer employees as small. U.S. Census Bureau data
for 2017 show that there were 3,054 firms that operated in this
industry for the entire year. Of this number, 2,964 firms operated with
fewer than 250 employees. Additionally, based on Commission data in the
2021 Universal Service Monitoring Report, as of December 31, 2020,
there were 151 providers that reported they were engaged in the
provision of interexchange services. Of these providers, the Commission
estimates that 131 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, the
Commission estimates that the majority of providers in this industry
can be considered small entities.
17. Cable System Operators (Telecom Act Standard). The
Communications Act of 1934, as amended (the Act), also contains a size
standard for small cable system operators, which is ``a cable operator
that, directly or through an affiliate, serves in the aggregate fewer
than one percent of all subscribers in the United States and is not
affiliated with any entity or entities whose gross annual revenues in
the aggregate exceed $250,000,000.'' For purposes of the Telecom Act
Standard, the Commission
[[Page 3963]]
determined that a cable system operator that serves fewer than 677,000
subscribers, either directly or through affiliates, will meet the
definition of a small cable operator based on the cable subscriber
count established in a 2001 Public Notice. Based on industry data, only
six cable system operators have more than 677,000 subscribers.
Accordingly, the Commission estimates that the majority of cable system
operators are small under this size standard. We note however, that the
Commission neither requests nor collects information on whether cable
system operators are affiliated with entities whose gross annual
revenues exceed $250 million. Therefore, we are unable at this time to
estimate with greater precision the number of cable system operators
that would qualify as small cable operators under the definition in the
Communications Act.
18. Other Toll Carriers. Neither the Commission nor the SBA has
developed a size standard for small businesses specifically applicable
to other toll carriers. This category includes toll carriers that do
not fall within the categories of interexchange carriers, operator
service providers, prepaid calling card providers, satellite service
carriers, or toll resellers. Wired Telecommunications Carriers is the
closest industry with an SBA small business size standard. The SBA small
business size standard for Wired Telecommunications Carriers classifies
firms having 1,500 or fewer employees as small. U.S. Census Bureau data
for 2017 show that there were 3,054 firms in this industry that
operated for the entire year. Of this number, 2,964 firms operated with
fewer than 250 employees. Additionally, based on Commission data in the
2021 Universal Service Monitoring Report, as of December 31, 2020,
there were 115 providers that reported they were engaged in the
provision of other toll services. Of these providers, the Commission
estimates that 113 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, most of
these providers can be considered small entities.
2. Wireless Carriers
19. Wireless Telecommunications Carriers (except Satellite). This
industry comprises establishments engaged in operating and maintaining
switching and transmission facilities to provide communications via the
airwaves. Establishments in this industry have spectrum licenses and
provide services using that spectrum, such as cellular services, paging
services, wireless internet access, and wireless video services. The
SBA size standard for this industry classifies a business as small if
it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show
that there were 2,893 firms in this industry that operated for the
entire year. Of that number, 2,837 firms employed fewer than 250
employees. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 797
providers that reported they were engaged in the provision of wireless
services. Of these providers, the Commission estimates that 715
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
20. Satellite Telecommunications. This category comprises firms
``primarily engaged in providing telecommunications services to other
establishments in the telecommunications and broadcasting industries by
forwarding and receiving communications signals via a system of
satellites or reselling satellite telecommunications.'' Satellite
telecommunications service providers include satellite and earth
station operators. The SBA small business size standard for this
industry classifies a business with $38.5 million or less in annual
receipts as small. U.S. Census Bureau data for 2017 show that 275 firms
in this industry operated for the entire year. Of this number, 242
firms had revenue of less than $25 million. Additionally, based on
Commission data in the 2021 Universal Service Monitoring Report, as of
December 31, 2020, there were 71 providers that reported they were
engaged in the provision of satellite telecommunications services. Of
these providers, the Commission estimates that approximately 48
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, a little more than half of these providers can
be considered small entities.
3. Resellers
21. Local Resellers. Neither the Commission nor the SBA has
developed a small business size standard specifically for Local
Resellers. Telecommunications Resellers is the closest industry with an
SBA small business size standard. The Telecommunications Resellers
industry comprises establishments engaged in purchasing access and
network capacity from owners and operators of telecommunications
networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. Mobile virtual network operators (MVNOs)
are included in this industry. The SBA small business size standard for
Telecommunications Resellers classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
1,386 firms in this industry provided resale services for the entire
year. Of that number, 1,375 firms operated with fewer than 250
employees. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 293
providers that reported they were engaged in the provision of local
resale services. Of these providers, the Commission estimates that 289
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
22. Toll Resellers. Neither the Commission nor the SBA has
developed a small business size standard specifically for Toll
Resellers. Telecommunications Resellers is the closest industry with an
SBA small business size standard. The Telecommunications Resellers
industry comprises establishments engaged in purchasing access and
network capacity from owners and operators of telecommunications
networks and reselling wired and wireless telecommunications services
(except satellite) to businesses and households. Establishments in this
industry resell telecommunications; they do not operate transmission
facilities and infrastructure. Mobile virtual network operators (MVNOs)
are included in this industry. The SBA small business size standard for
Telecommunications Resellers classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
1,386 firms in this industry provided resale services for the entire
year. Of that number, 1,375 firms operated with fewer than 250
employees. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 518
providers that reported they were engaged in the provision of toll
services. Of these providers, the Commission estimates that 495
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard,
[[Page 3964]]
most of these providers can be considered small entities.
23. Prepaid Calling Card Providers. Neither the Commission nor the
SBA has developed a small business definition specifically for prepaid
calling card providers. Telecommunications Resellers is the closest
industry with an SBA small business size standard. The
Telecommunications Resellers industry comprises establishments engaged
in purchasing access and network capacity from owners and operators of
telecommunications networks and reselling wired and wireless
telecommunications services (except satellite) to businesses and
households. Establishments in this industry resell telecommunications;
they do not operate transmission facilities and infrastructure. Mobile
virtual network operators (MVNOs) are included in this industry. The
SBA small business size standard for Telecommunications Resellers
classifies a business as small if it has 1,500 or fewer employees. U.S.
Census Bureau data for 2017 show that 1,386 firms in this industry
provided resale services for the entire year. Of that number, 1,375
firms operated with fewer than 250 employees. Additionally, based on
Commission data in the 2021 Universal Service Monitoring Report, as of
December 31, 2020, there were 58 providers that reported they were
engaged in the provision of payphone services. Of these providers, the
Commission estimates that 57 providers have 1,500 or fewer employees.
Consequently, using the SBA's small business size standard, most of
these providers can be considered small entities.
4. Other Entities
24. All Other Telecommunications. This industry is comprised of
establishments primarily engaged in providing specialized
telecommunications services, such as satellite tracking, communications
telemetry, and radar station operation. This industry also includes
establishments primarily engaged in providing satellite terminal
stations and associated facilities connected with one or more
terrestrial systems and capable of transmitting telecommunications to,
and receiving telecommunications from, satellite systems. Providers of
internet services (e.g. dial-up ISPs) or voice over internet protocol
(VoIP) services, via client-supplied telecommunications connections are
also included in this industry. The SBA small business size standard
for this industry classifies firms with annual receipts of $35 million
or less as small. U.S. Census Bureau data for 2017 show that there were
1,079 firms in this industry that operated for the entire year. Of
those firms, 1,039 had revenue of less than $25 million. Based on this
data, the Commission estimates that the majority of ``All Other
Telecommunications'' firms can be considered small.
D. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities
25. In this document, we propose to expand the Commission's
definition of ``breach'' to include inadvertent disclosures of customer
information and seek comment on adopting a harm-based trigger for
breach notifications. We also propose to require carriers to notify the
Commission, in addition to the Secret Service and FBI, as soon as
practicable after discovery of a breach. We also propose to eliminate
the mandatory waiting period before notifying customers and instead
require carriers to notify customers of CPNI breaches without
unreasonable delay after discovery of a breach unless law enforcement
requests a delay. We also seek comment on whether we should adopt
minimum requirements for the content of customer breach notices, and we
seek comment on whether our rules should address breaches of other
types of sensitive personal information beyond CPNI. Finally, we
propose to make changes to our TRS data breach reporting rule
consistent with those we propose to our CPNI breach reporting rule.
26. Should the Commission decide to modify existing rules or adopt
new rules to strengthen our data breach reporting rule, such action
could potentially result in increased, reduced, or otherwise modified
recordkeeping, reporting, or other compliance requirements for affected
providers of service. We seek comment on the effect of any proposals on
small entities. Entities, especially small businesses, are encouraged
to quantify the costs and benefits of any reporting, recordkeeping, or
compliance requirement that may be established in this proceeding.
E. Steps Taken To Minimize the Significant Economic Impact on Small
Entities, and Significant Alternatives Considered
27. The RFA requires an agency to describe any significant
alternatives that it has considered in reaching its proposed approach,
which may include the following four alternatives (among others): (1)
the establishment of differing compliance or reporting requirements or
timetables that take into account the resources available to small
entities; (2) the clarification, consolidation, or simplification of
compliance and reporting requirements under the rules for such small
entities; (3) the use of performance rather than design standards; and
(4) an exemption from coverage of the rule, or any part thereof, for
such small entities.
28. The document seeks comment on the particular impacts that the
proposed rules may have on small entities. Specifically, the document
seeks comment on whether there are unique concerns or compliance
barriers for small carriers that make notice to customers without
unreasonable delay unfeasible; if there should be different
notification requirements for small carriers; if streamlining notice
requirements will benefit small providers; if a centralized reporting
portal would reduce compliance barriers for small providers; and if a
threshold trigger would benefit small providers.
F. Federal Rules That May Duplicate, Overlap, or Conflict With the
Proposed Rules
29. None.
IV. Ordering Clauses
30. Accordingly, it is ordered that, pursuant to Sections 1, 2,
4(i), 4(j), 201, 202, 222, 225, 303(b), 303(r), 332 of the
Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 154(i),
154(j), 201, 202, 222, 225, 303(b), 303(r), 332, this Notice of
Proposed Rulemaking is adopted.
31. It is further ordered, that the Commission's Consumer and
Governmental Affairs Bureau, Reference Information Center, shall send a
copy of this Notice of Proposed Rulemaking, including the Initial
Regulatory Flexibility Analysis (IRFA), to the Chief Counsel for
Advocacy of the Small Business Administration.
List of Subjects in 47 CFR Part 64
Communications, Communications common carriers, Communications
equipment, Individuals with disabilities, Reporting and recordkeeping
requirements, Security measures, Telecommunications, Telephone.
Federal Communications Commission.
Marlene Dortch,
Secretary.
Proposed Rules
For the reasons discussed in the preamble, the Federal
Communications Commission proposes to amend 47 CFR part 64 as follows:
[[Page 3965]]
PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS
1. The authority citation for part 64 continues to read as follows:
Authority: 47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220,
222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 255, 262,
276, 403(b)(2)(B), (c), 616, 617, 620, 1401-1473, unless otherwise
noted; Pub. L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091.
Subpart U--Customer Proprietary Network Information
2. Amend Sec. 64.2011 by revising paragraphs (a) through (e) to read
as follows:
Sec. 64.2011 Notification of customer proprietary network
information security breaches.
(a) A telecommunications carrier shall notify affected customers,
the Federal Communications Commission (Commission), and other federal
law enforcement of a breach of its customers' CPNI as provided in this
section.
(b)(1) As soon as practicable after reasonable determination of a
breach, a telecommunications carrier shall electronically notify the
Commission, the United States Secret Service (USSS), and the Federal
Bureau of Investigation (FBI) through a central reporting facility
maintained by the Commission and made available on its website.
(2) If a law enforcement or national security agency notifies the
carrier that public disclosure or notice to customers would impede or
compromise an ongoing or potential criminal investigation or national
security, such agency may direct the carrier not to so disclose or
notify for an initial period of up to 30 days. Such period may be
extended by the agency as reasonably necessary in the judgment of the
agency. If such direction is given, the agency shall notify the carrier
when it appears that public disclosure or notice to affected customers
will no longer impede or compromise a criminal investigation or
national security. The agency shall provide in writing its initial
direction to the carrier, any subsequent extension, and any
notification that notice will no longer impede or compromise a criminal
investigation or national security.
(c) Customer Notification. A telecommunications carrier shall
notify affected customers of covered breaches of CPNI without
unreasonable delay after discovery of the breach after notification to
the Commission and law enforcement as described in paragraph (b) of
this section.
(d) Recordkeeping. All carriers shall maintain a record,
electronically or in some other manner, of any breaches discovered,
notifications made to the Federal Communications Commission, USSS, and
the FBI pursuant to paragraph (b) of this section, and notifications
made to customers. The record must include, if available, dates of
discovery and notification, a detailed description of the CPNI that was
the subject of the breach, and the circumstances of the breach.
Carriers shall retain the record for a minimum of 2 years.
(e) Definitions. As used in this section, a ``breach'' has occurred
when a person, without authorization or exceeding authorization, has
gained access to, used, or disclosed CPNI.
* * * * *
3. Amend Sec. 64.5111 by revising paragraphs (a) through (e) to read
as follows:
Sec. 64.5111 Notification of customer proprietary network
information security breaches.
(a) A TRS provider shall notify affected customers, the Federal
Communications Commission (Commission), and other federal law
enforcement of a breach of its customers' CPNI as provided in this
section.
(b)(1) As soon as practicable after reasonable determination of a
breach, a TRS provider shall electronically notify the Commission, the
United States Secret Service (USSS), and the Federal Bureau of
Investigation (FBI) through a central reporting facility maintained by
the Commission and made available on its website.
(2) If a law enforcement or national security agency notifies the
TRS provider that public disclosure or notice to customers would impede
or compromise an ongoing or potential criminal investigation or
national security, such agency may direct the TRS provider not to so
disclose or notify for an initial period of up to 30 days. Such period
may be extended by the agency as reasonably necessary in the judgment
of the agency. If such direction is given, the agency shall notify the
TRS provider when it appears that public disclosure or notice to
affected customers will no longer impede or compromise a criminal
investigation or national security. The agency shall provide in writing
its initial direction to the TRS provider, any subsequent extension,
and any notification that notice will no longer impede or compromise a
criminal investigation or national security and such writings shall be
contemporaneously logged on the same reporting facility that contains
records of notifications filed by the TRS provider.
(c) Customer Notification. A TRS provider shall notify affected
customers of covered breaches of CPNI without unreasonable delay after
discovery of the breach after notification to the Commission and law
enforcement as described in paragraph (b) of this section.
(d) Recordkeeping. All TRS providers shall maintain a record,
electronically or in some other manner, of any breaches discovered,
notifications made to the Federal Communications Commission, USSS, and
the FBI pursuant to paragraph (b) of this section, and notifications
made to customers. The record must include, if available, dates of
discovery and notification, a detailed description of the CPNI that was
the subject of the breach, and the circumstances of the breach. TRS
providers shall retain the record for a minimum of 2 years.
(e) Definitions. As used in this section, a ``breach'' has occurred
when a person, without authorization or exceeding authorization, has
gained access to, used, or disclosed CPNI.
* * * * *
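The notification sequence that proposed Secs. 64.2011 and 64.5111 lay out (file with the Commission, USSS and FBI as soon as practicable; honor a written law-enforcement direction of up to 30 days plus any extensions; notify customers without unreasonable delay once that direction lapses or is released; keep the record for at least 2 years), as an added Python model written for this page, not FCC code. The class and function names are the editor's, the sample dates are constructed, and because the rule fixes no start date for the 2-year retention the model assumes the latest recorded event.

```python
"""Added example (not FCC code): a model of the notification sequence in proposed
47 CFR 64.2011 / 64.5111 above. Assumptions are marked; all sample dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

INITIAL_HOLD_DAYS = 30   # (b)(2): initial law-enforcement delay is "up to 30 days"
RETENTION_YEARS = 2      # (d): records kept "for a minimum of 2 years"

def _plus_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:   # Feb 29 with a non-leap target year
        return d.replace(year=d.year + years, day=28)

@dataclass
class LawEnforcementHold:
    agency: str
    expires_on: date                  # first day on which the hold no longer applies
    lifted_on: Optional[date] = None  # set when the agency says notice may proceed
    # Direction, extensions and release in writing; 64.5111(b)(2) also logs them.
    writings: List[str] = field(default_factory=list)

    def in_effect(self, today: date) -> bool:
        if self.lifted_on is not None and today >= self.lifted_on:
            return False
        return today < self.expires_on

@dataclass
class BreachRecord:
    """The (d) record: dates, description of the CPNI involved, circumstances."""
    cpni_description: str
    circumstances: str
    discovered_on: date
    agencies_notified_on: Optional[date] = None   # Commission, USSS, FBI per (b)(1)
    customers_notified_on: Optional[date] = None  # per (c)
    hold: Optional[LawEnforcementHold] = None

    def notify_agencies(self, on: date) -> None:
        if on < self.discovered_on:
            raise ValueError("agency notification cannot precede discovery")
        self.agencies_notified_on = on

    def direct_hold(self, agency: str, on: date, days: int, writing: str) -> None:
        if not 0 < days <= INITIAL_HOLD_DAYS:
            raise ValueError("initial (b)(2) period is at most 30 days")
        self.hold = LawEnforcementHold(agency, on + timedelta(days=days), writings=[writing])

    def extend_hold(self, until: date, writing: str) -> None:
        if self.hold is None or until <= self.hold.expires_on:
            raise ValueError("an extension must lengthen an existing hold")
        self.hold.expires_on = until
        self.hold.writings.append(writing)

    def lift_hold(self, on: date, writing: str) -> None:
        self.hold.lifted_on = on
        self.hold.writings.append(writing)

    def may_notify_customers(self, today: date) -> Tuple[bool, str]:
        """(c): customer notice follows the (b) filing and any (b)(2) hold."""
        if self.agencies_notified_on is None or today < self.agencies_notified_on:
            return False, "Commission/USSS/FBI not yet notified under paragraph (b)"
        if self.hold is not None and self.hold.in_effect(today):
            return False, f"{self.hold.agency} hold in effect until {self.hold.expires_on}"
        return True, "notice due without unreasonable delay under paragraph (c)"

    def notify_customers(self, on: date) -> None:
        allowed, why = self.may_notify_customers(on)
        if not allowed:
            raise ValueError(why)
        self.customers_notified_on = on

    def retain_until(self) -> date:
        # (d) gives no start date for the 2 years; we assume the latest recorded event.
        dates = [self.discovered_on, self.agencies_notified_on, self.customers_notified_on]
        return _plus_years(max(d for d in dates if d is not None), RETENTION_YEARS)

def demo() -> dict:
    rec = BreachRecord("call detail records (constructed)",
                       "inadvertent disclosure to the wrong recipient (constructed)",
                       discovered_on=date(2023, 3, 1))
    out = {"premature_notice_rejected": False}
    try:                                   # (c) notice before the (b) filing is refused
        rec.notify_customers(date(2023, 3, 1))
    except ValueError:
        out["premature_notice_rejected"] = True
    rec.notify_agencies(date(2023, 3, 2))
    rec.direct_hold("FBI", date(2023, 3, 3), 30, "written direction (constructed)")
    out["initial_expiry"] = rec.hold.expires_on.isoformat()
    out["during_initial_hold"] = rec.may_notify_customers(date(2023, 3, 20))[0]
    rec.extend_hold(date(2023, 4, 20), "written extension (constructed)")
    out["during_extension"] = rec.may_notify_customers(date(2023, 4, 5))[0]
    rec.lift_hold(date(2023, 4, 15), "written release (constructed)")
    out["after_release"] = rec.may_notify_customers(date(2023, 4, 15))[0]
    rec.notify_customers(date(2023, 4, 15))
    out["customers_notified_on"] = rec.customers_notified_on.isoformat()
    out["retain_until"] = rec.retain_until().isoformat()
    out["writings_logged"] = len(rec.hold.writings)
    return out
```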
[FR Doc. 2023-00824 Filed 1-20-23; 8:45 am]
BILLING CODE 6712-01-P
</pre></body>
</html>