On December 21, 2023, the Federal Communications Commission released an order updating its data breach rules. These updated rules require telecommunications providers to report breaches of customer proprietary network information, such as the numbers that have been dialed and when they were dialed, and also require reporting of breaches of personally identifiable information (PII), such as driver’s license numbers, Social Security numbers, and credit card numbers. The new FCC rules also require companies to report accidental breaches, a significant change from the prior rules, which only required notification for intentional disclosures, such as when a company was tricked or bribed by a bad actor into revealing consumer information.
The FCC’s order also treats breaches as presumptively causing harm—including emotional harm and other harms not directly related to identity theft or financial fraud. This presumption can be overcome, however, if a data custodian can show there was no harm; by making such a showing, a custodian can avoid notifying consumers. Providers who are required to notify affected consumers must do so “without unreasonable delay” and must provide such notice within 30 days after reasonably determining that a breach has occurred.
The FCC’s new rules also contain a safe harbor for data breach reporting: no reporting is required if the breached data has been encrypted and there is definitive evidence that the encryption key was not also compromised (in other words, there is no harm that can come to consumers).
The FCC is just the latest federal agency to move forward with new breach reporting obligations, despite the Biden Administration’s attempts to harmonize such requirements. The FCC’s action follows on the heels of the Securities and Exchange Commission’s final rule requiring businesses to report cyberattacks to the agency within four days of determining the scope of compromise, and the Federal Trade Commission’s recent updates to its breach reporting rules. The FCC acknowledged that it declined to take action to harmonize with the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, which requires the Cybersecurity and Infrastructure Security Agency to publish a proposed rule by March 2024; as such, the burden of making sense of the regulatory maze continues to fall on the companies subject to these regulations.