Industry Questions FCC Standing to Issue Proposed Data Breach Rules

CTIA representatives met with staff for all the commissioners this week. The group said its concerns were in keeping with those it raised in a March Further NPRM (see 2303160061). The draft “represents an unprecedented expansion of the Commission’s breach reporting rules that is outside of the agency's authority and inconsistent with federal and state analogs,” CTIA said.

The commission lacks the authority to extend breach reporting requirements beyond customer proprietary network information (CPNI) under Sections 222 or 201(b) of the Communications Act, CTIA said: The order would be void under the Congressional Review Act “because it is substantially the same as the 2016 Privacy Order’s breach notification framework, which Congress has already resolved shall have no force or effect.”

If the FCC moves forward, it should “establish a harm trigger” for FBI, Secret Service and FCC notifications and “eliminate the annual reporting requirement for small breaches,” CTIA said. “Adjust the harm trigger to exclude incidents that do not pose a risk of actual harm” and “create an encryption safe harbor for all breach notifications,” CTIA advised.

AT&T expressed “serious concerns with respect to the legal authority on which the Draft relies.” The Communications Act doesn’t provide authority “to adopt rules requiring AT&T and other telecommunications carriers to report data breaches involving personally identifiable information (PII),” AT&T said: “To the contrary, such a reading contravenes basic tenets and longstanding canons of statutory construction.” AT&T said the draft addresses Congress’ rejection of its earlier privacy order in a way that is “nonsensical, factually inaccurate, and, if true, would permit an executive agency to ignore the clear will of Congress expressed in the 2017 Resolution of Disapproval and similar such resolutions.”

T-Mobile also questioned FCC authority to impose the data breach rules. The draft would create a "regulatory framework that is inconsistent with state laws, would impose major operational challenges on regulated entities, and would create consumer confusion,” T-Mobile warned. “It promises to impose substantial and unnecessary costs and burdens that are not justified by any agency analysis of a potential benefit to consumers,” the carrier said.

“The FCC lacks authority to apply data breach rules to information beyond CPNI,” USTelecom said. It urged the FCC to revise the draft to make clear the rules apply only to CPNI. “To the extent that the FCC inappropriately declines to do so, it should add language to the Draft Order and rule that applies the breach notification obligation only to breaches that involve ‘sensitive PII,’” USTelecom said.

“The FCC is now poised to adopt an order based on a view of its regulatory authority” under two sections of the Communications Act “that is so expansive that it bears virtually no relationship to the statutory text or, for that matter, the purposes for which Congress enacted those provisions,” said the Texas Association of Business: “The Draft, among other ill-conceived regulatory actions, would greatly expand reporting obligations of telecommunications carriers and interconnected VoIP providers and, in turn, could potentially force those businesses to notify customers, law enforcement, and regulatory agencies of many more data security events than reasonably warrant such attention.”

“Section 222 of the Communications Act does not afford the Commission authority to regulate consumer data beyond the statutory definition of CPNI,” said the Ohio Telecom Association: “Even within the realm of CPNI, the FCC may not expand the definition of that term to cover location information, particularly as reflected in the Draft.”