6th Circuit Ruling Adds Level of Complication for Carriers: Davis Wright
The 6th U.S. Circuit Appeals Court’s recent decision upholding the FCC’s 2024 data breach notification rules (see 2508130068) will likely prove significant for regulated companies, lawyers at Davis Wright wrote in a blog post Thursday. “The most immediate implication is the introduction of yet another requirement to notify individuals and authorities of data breaches and other cybersecurity incidents.” As the dissent by Judge Richard Griffin noted, carriers are already “subject to multiple cyber incident reporting requirements at the federal level,” they said.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The FCC’s data breach order “covers a broader range of personal data than many state laws, requires notification to yet another government authority -- the FCC -- and requires notification within 30 days -- a timeline shorter than under most state laws,” the lawyers wrote. “Data breaches can be complex events, and the Data Breach Order adds yet another layer of complexity by adding to the numerous notification requirements that telecom carriers must analyze and follow.”
The panel of judges also had “a narrow reading” of the Congressional Review Act, the lawyers said. Congress invoked the CRA in 2017 “to reject data breach notification requirements that were part of a larger set of data privacy and security rules issued by the FCC in 2016,” they noted. “The court's narrow reading of the CRA could significantly limit the law's usefulness as a congressional check on agency rulemaking authority.”