Industry Says FCC Has Limited Ability to Regulate Data Breaches Beyond CPNI
CTIA warned the FCC its ability to regulate data breaches of information beyond customer proprietary network information (CPNI) is constrained by law. Other provider groups' filings posted Thursday struck a similar tone. But the Electronic Privacy Information Center said it's time for the FCC to get tough.
The FCC sought comment in a January NPRM on revised rules for wireless carriers to report data breaches, and comments were due Wednesday in docket 22-21 (see 2301060057). The NPRM proposed eliminating the “outdated” seven-business-day mandatory waiting period before notifying customers of a breach and requiring the reporting of inadvertent but harmful breaches to the FCC, FBI and Secret Service.
“The Commission has not been directed by Congress to establish breach reporting obligations for Social Security numbers and customer financial information under Section 222(a) of the Communications Act, because this information does not constitute CPNI,” CTIA said: “Read together, the text, structure, and legislative history of Section 222 show that CPNI is the only customer data that the FCC is directed by the statute to oversee.” The Communications Act doesn’t give the FCC jurisdiction over Social Security numbers or other financial or personal information, the group warned.
CTIA noted the work carriers are already doing to protect customer information and said it supports several of the “practical approaches” proposed in the NPRM. They include eliminating a “mandatory seven-business-day waiting period between incident notification to law enforcement and customers, a harm-based breach notification trigger, numerical thresholds for reporting to the Commission and law enforcement, and flexible reporting timelines that let carriers provide customers, the Commission, and law enforcement with the most up-to-date information about CPNI incidents,” CTIA said.
The NPRM is “an important recognition of the increasingly severe and frequent harms suffered by consumers as a result of inadequate data security practices that fail to safeguard an increasingly vulnerable network,” EPIC countered. The group “supports the Commission’s proposal to protect consumers from improper disclosure of non-CPNI data that is nonetheless still personal data and encourages the Commission to consider how legal authorities in addition to Section 222 can support this important goal.”
EPIC said it supports commission proposals to “expand the definition of breach, to extend its data security protections to non-CPNI data, and to require remediation measures in notification.” The group opposed “filtering breach notifications through a threshold harm requirement.”
The Competitive Carriers Association similarly supported some of the changes proposed, but warned against regulatory overreach. The FCC should “ensure that its rules complement those other laws and regulations, rather than imposing inconsistent or needlessly duplicative requirements on carriers,” CCA said. The agency should “continue to focus its rules on CPNI specifically, rather than a broader category of ‘proprietary information other than CPNI,’” the group said.
CCA agreed with CTIA that the FCC is limited in what it can do under Section 222. The section is “primarily focused on the relevant subsections on avoiding unauthorized use, access, or disclosure of CPNI, rather than any and all proprietary information,” CCA said: FCC rules should follow “Congress’s direction and priorities as reflected in the statute, particularly given the role other actors such as the FTC already occupy with respect to broader categories of information.”
WTA noted Section 222 was approved at a time when Congress was most concerned about the marketing advantages of “the recently divested Baby Bells and other dominant large carriers.” The world has changed since 1996, with the emergence of Google, Facebook, Amazon and other major players, WTA said. “WTA does not know what, if anything, the Commission can do about current broadband profiling practices under existing statutes and regulatory classifications,” it said: “However, it is grossly unfair that voice telecommunications carriers are subject to substantial restrictions on their use of CPNI for marketing purposes while large broadband edge service providers are free to employ a far more comprehensive and intrusive variety of CPNI-like usage data for marketing purposes without significant restriction.”
The Information Technology Industry Council stressed the importance of a harm-based trigger for notifications. A trigger “would be a welcome change from the current rule which requires telecommunication carriers and VoIP providers to report CPNI breaches regardless of whether any harm to customers has occurred or is likely to occur,” ITI said: “Federal breach notification requirements must recognize the delicate balance between over- and under-notification with respect to when notices should be sent to consumers.”
The Wireless ISP Association raised concerns about potentially burdensome rules for smaller providers. The FCC should “strike a balance between protecting CPNI and avoiding overly burdensome obligations on providers, especially smaller providers whose limited resources are best dedicated to quickly and effectively managing suspected breaches, ensuring system security, and mitigating risks to the provider network and the consumer,” WISPA said. The group warned in particular against revising the definition of breach to “inadvertent or accidental access to CPNI.”
The January NPRM followed several high-profile data breaches, most recently a 2022 T-Mobile breach that affected about 37 million customers (see 2301200047). The NPRM also discusses a 2015 AT&T breach and a 2017 Verizon breach.