Industry Gets Encryption Safe Harbor in Key Change to Data Breach Rules
The FCC’s controversial data breach notification rules included several changes from the draft. The rules were adopted at the December open meeting over Commissioners Brendan Carr's and Nathan Simington's dissents (see 2312130019). Republican lawmakers are weighing a response to the rules, which they see as sidestepping a 2017 Congressional Review Act resolution of disapproval that rescinded similar regulations as part of the commission's 2016 ISP privacy order (see 2312200001). The order was posted in Friday’s Daily Digest.
Prior to the commissioners' vote, industry raised questions about the proposed rules and whether they would survive a court challenge (see 2312070034). The final order directly refutes complaints by CTIA and others about lack of notice of the changes proposed. “We reject claims that we did not provide sufficient notice to define the scope of protected consumer information in this manner,” the order says.
The final order includes an encryption safe harbor, which some associations and companies requested when the draft was before commissioners. Under the safe harbor “customer notification is not required where a breach solely involves encrypted data and the carrier has definitive evidence that the encryption key was not also accessed, used, or disclosed,” the order says: “We define encrypted data as covered data that has been transformed through the use of an algorithmic process into a form that is unusable, unreadable, or indecipherable through a security technology or methodology generally accepted in the field of information security.”
The final version adds paragraphs about the scope of protected information. One of the paragraphs elaborates on the scope of covered personally identifiable information (PII) for the purposes of the rules. “We further define the scope of covered PII as (1) first name or first initial, and last name, in combination with any government-issued identification numbers or information issued on a government document used to verify the identity of a specific individual, or other unique identification number used for authentication purposes; (2) user name or e-mail address, in combination with a password or security question and answer, or any other authentication method or information necessary to permit access to an account; or (3) unique biometric, genetic, or medical data,” the final version says: “Dissociated data that, if linked, would constitute PII is to be considered PII if the means to link the dissociated data were accessed in connection with access to the dissociated data.”
A second new paragraph notes that the approach “brings our definition of covered data in line with the approaches taken at the state level, and responds to concerns raised in the record by certain parties regarding harmonization with existing breach notification regimes.” The order says the FCC will “monitor the data security landscape and will not hesitate to revisit and revise the list of data elements in a future rulemaking as necessary to ensure that carriers adequately protect sensitive customer data.”
Among other changes, the draft proposed to require providers to “notify customers of breaches of covered data without unreasonable delay after discovery of a breach, and in no case more than 30 days following discovery.” In the final version, the wording reads “after notification to the Commission,” and “no later than 30 days after reasonable determination of a breach.”
Annual Reports
The final order attempts to limit the burden on providers to report smaller breaches on an annual basis. The order adopts language in the draft rejecting arguments that reporting these smaller incidents isn’t necessary. But the order adds text instructing the Wireline Bureau to “minimize the burdens on carriers by, for example, limiting the content required for each reported breach to that absolutely necessary to identify patterns or gaps that require further Commission inquiry.” At a minimum, the bureau should “develop requirements that are less burdensome than what is required for individual breach submissions to the reporting facility, and consider streamlined ways for filers to report this summary information,” the order says. These reports will be due each year on Oct. 1, but only after the reporting requirement clears OMB.
The order refutes objections CTIA raised prior to the vote that the rules should be consistent with requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). “CIRCIA does not define ‘breaches,’” the FCC argues: “But under federal guidance to agencies, a breach is a specific type of incident -- an incident that involves the loss of control, compromise, unauthorized disclosure, unauthorized acquisition (etc.) of PII. And it would not be inconsistent for only some incidents to be reportable under CIRCIA but for all breaches to be reportable under our rules.”
The order also mentions industry arguments about the nature of harms that should be addressed. A “broader conception of harm is consistent with previous Commission precedent, and we disagree with commenters arguing that ‘harm’ should only include the risk of identity theft or financial harm,” the final order says: “We find that adopting such a narrow definition of harm is not only inconsistent with the Commission’s longstanding approach, but also could lead to underreporting of breaches, and disregards other important and potentially costly consequences of a breach to customers.”