EPIC Picks Up Support for Broad FCC Approach to Protecting Consumer Data
Most commenters agree the FCC doesn’t have legal authority under the Communications Act to regulate data breaches beyond customer proprietary network information (CPNI), CTIA said in reply comments on a January NPRM on revised rules for wireless carriers to report breaches (see 2301060057). Most commenters also supported a harm-based trigger for notifications. But the FCC faced increasing pressure to take bold action to protect consumer data.
The Electronic Privacy Information Center largely stood alone in initial comments in urging the commission to extend its data security protection to non-CPNI data (see 2302230038). EPIC was joined in reply comments by the Center for Democracy and Technology, the Privacy Rights Clearinghouse and Public Knowledge. Comments were posted Monday in docket 22-21.
“The cyber threat environment in 2023 is significantly worse than it was in 2016,” the EPIC-led filing said. “There are clearly systemic data security problems in this industry that demand Commission action, and we applaud the Commission for initiating this rulemaking to address them,” the groups said. They urged the FCC to also complete action on fines proposed against major carriers in early 2020 (see 2212190055).
The groups urged a broad definition of the data over which the FCC has jurisdiction. “For many years … the Commission has declined to limit the scope of its privacy authority to the factors listed in Section 222(h), holding that carriers must safeguard a wider spectrum of personally identifiable information (PII) and other personal data,” they said: “A harm-based trigger inhibits the ability of consumers to protect themselves because it overlooks that unauthorized access of their data is inherently harmful and instead relies on a company’s estimation of whether that harm will result in a financial loss.”
Public interest group Just Futures Law opposed a trigger, as proposed by the FCC in the NPRM. “A proposed harm trigger rule would deprive consumers of choice in dealing with potential data breach fallout,” the group said: Carriers shouldn’t be in charge “of deciding whether there is sufficient likelihood of harm after a data breach to notify consumers. … And despite arguments to the contrary, commenters have yet to provide evidence that the current regime burdens consumers with fatigue notification.”
“The FCC clearly lacks the authority to extend its breach reporting rules to personal information like Social Security numbers and customer financial records, as such data does not constitute CPNI,” CTIA said. Congress’ 2017 Congressional Review Act disapproval of the 2016 broadband privacy order “provides further reason to limit the jurisdiction of the Commission’s Section 222 incident reporting rules to CPNI,” the group said.
CTIA said Congress should pass legislation making clear the FTC has privacy and security oversight of the carriers. “Creating a system of dual jurisdiction between the FCC and the FTC -- which already generally has authority over personal information privacy and security practices outside of the common carrier context -- would create customer confusion, competing regulatory regimes, and competition issues,” the group said.
The Wireless ISP Association disputed EPIC’s arguments “seeking to impose onerous reporting requirements on telecommunications providers that would negatively impact their ability to effectively identify risks associated with suspected data breaches and to quickly act to mitigate harm to the provider’s network and consumers.” While the “record is replete” with calls for the FCC to “maintain a balanced and practical approach to the CPNI data breach reporting requirements, EPIC’s comments sharply contrast with the more reasoned comments of other parties,” WISPA said.
The FCC should decline to use the proceeding to expand its authority to regulate information beyond CPNI, NCTA said: The record supports that “a narrow proceeding dedicated to updating the CPNI data breach notification rule is not an appropriate or effective vehicle for the Commission to consider broader changes to and reinterpretations of the Commission’s privacy authority.” NCTA said it favors a harm-based trigger to “reduce overreporting and avoid confusion, while still providing both law enforcement and customers with meaningful and timely information to act to mitigate or prevent harm from a breach.”
USTelecom saw “near unanimous support for adopting a harm-based trigger” to lower “the risks of over-notification and notice fatigue.” USTelecom said EPIC only “suggests that the Commission expand the breach definition without adopting a harm-based trigger.”
Groups representing the deaf and hard of hearing again urged a focus on telecommunications relay service providers (see 2302240049). “To ensure that TRS users have the necessary information to address the privacy harms from a TRS data breach, the record confirms that the Commission should require that breach notices contain specific content,” they said: “This includes a requirement that a TRS breach notice informs a user if data on the content of conversations, like call transcripts, were accessed during a breach.” The groups opposed a harm-based trigger and said the FCC should expand the definition of breach to include inadvertent disclosures. The filing was signed by Telecommunications for the Deaf and Hard of Hearing, Hearing Loss Association of America, National Association of the Deaf and the Rehabilitation Engineering Research Center on Technology for the Deaf and Hard of Hearing at Gallaudet University.