Ohio Group Petitions 6th Circuit for Review of FCC's Updated Data Breach Rules
The Ohio Telecom Association (OTA) petitioned the 6th U.S. Circuit Appeals Court for review of the FCC’s updated data breach notification rules, adopted Dec. 13, released Dec. 21 and published in the Federal Register Feb. 12, said its Tuesday filing (docket 24-3133). The rules are effective March 13.
The order (docket 23-111), imposes certain duties on telecom carriers, VoIP providers and telecommunications relay service (TRS) providers regarding unauthorized access to or disclosure of customer proprietary network information (CPNI) and personally identifiable information (PII).
OTA, representing over 40 telecom providers directly affected by the order, said it “exceeds the FCC’s statutory authority” and is “arbitrary, capricious, and an abuse of discretion” as described in the Administrative Procedure Act. It is also “contrary to law,” the petition said. OTA requests that the 6th Circuit “hold unlawful, vacate, enjoin, and set aside” the order and grant additional relief as appropriate.
In the 16 years since the FCC adopted its data breach reporting rule -- designed to protect customers against the threat of “pretexting” by a scammer to get access to a customer’s call detail or private communications records -- data breaches “have only grown in frequency and severity,” said the FCC. The commission expanded the scope of its breach notification rules because consumers “may be harmed by the improper use or disclosure of sensitive customer data other than CPNI,” such as PII, it said. Telecom providers “may be particularly vulnerable” to such cyberattacks, it said.
The updated order expands the definition of a data breach for carriers and TRS providers to include “inadvertent disclosures” of customer information, except in cases where the information is “acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.” It requires carriers and TRS providers to notify the FCC of breaches, in addition to the U.S. Secret Service and FBI. The notice must be made “as soon as practicable” and no later than seven business days “after reasonable determination of the breach," the order said.
To limit potential burden on carriers, TRS providers and consumers from breach notifications that are unlikely to require protective action, the FCC eliminated the requirement to notify customers of a breach in instances where carriers or TRS providers can “reasonably determine that no harm to consumers is reasonably likely to occur,” the order said.
For instances following a breach in which there is a risk of harm to consumers, the commission eliminated the mandatory waiting period for carriers to notify customers, and instead requires carriers and TRS providers to notify customers of breaches of covered data “without unreasonable delay after notification” to the FCC and law enforcement -- no later than 30 days after reasonable determination of a breach, unless a delay is requested by law enforcement, the order said. The changes will “better protect consumers from improper use or disclosure of their customer information and harmonize our rules with new approaches to protecting the public already deployed by our partners in federal and state government,” it said.