In the privacy world, confidential information relating to the nature, amount, or use of telecommunications services has always been subject to separate rules from other types of customer data. Prior to the advent of interconnected VoIP and other types of advanced communications capabilities, these two worlds operated separately. Telecommunications carriers knew to comply with Federal Communications Commission (FCC) rules for the services they provided while non-telecommunications carriers would be subject to the general federal and state breach rules applicable to personally identifiable information. Legally, this distinction remains relevant, even while, factually, the line between a telecom and non-telecom service is blurring. As a result, service providers that incorporate a communications component into their services should pay careful attention to which regime applies to which aspect of their services. Increasingly, the answer is that service providers will have to comply with multiple sets of rules, some applicable only to a portion of their data and services.

With that caution in mind, service providers should take note of new rules from the FCC relating to data breaches involving telecommunications service information. In December 2023, the FCC significantly revised existing security breach rules (Rules) for information relating to telecommunications customers and services, including interconnected VoIP services. Accordingly, all telecommunications carriers and interconnected VOIP providers (collectively, “Service Providers”) are subject to the Rules.

This is the first time in 16 years the FCC has updated its Rules addressing security breaches, and there are significant changes of which Service Providers should be aware.

Expanded Definition of Data to be Protected

The previous rules required Service Providers to provide notice of breaches of customer proprietary network information (“CPNI”), but the Rules now apply to a broader set of “Covered Data” that includes Personally Identifiable Information (PII) in addition to data meeting the definition of CPNI. The definition of PII largely tracks that used in various state privacy laws, to include:

• First name or initial and last name, combined with any government-issued identification numbers or similar information used for authentication purposes
• Username or email address combined with a password or security question/answer, or any authentication method for account access
• Unique biometric, genetic, or medical data

Expanded Definition of Breach

The Rules now include inadvertent access, use, or disclosure of Covered Data within the definition of a breach, unless that information is acquired in good faith by an employee or agent of a Service Provider. The previous definition covered intentional access of CPNI by an unauthorized person. As a result, more breaches will be subject to the Rules than previously was true.

Additional Requirements to Notify Federal Agencies of a Breach

• Notification to the FCC. While the previous rules required notice to the Secret Service and the FBI, the Rules will require notification to those agencies and the FCC (the “Federal Agencies”) via the central reporting facility.
• Notification Content. The notification content to Federal Agencies has not been changed significantly.
• Timeframe for Notification. The timeframe for notice to the Federal Agencies has not changed (not later than seven business days after determination of a breach).
• Thresholds for Notification. A Service Provider does not have to notify the Federal Agencies of a breach that affects fewer than 500 customers and the Service Provider determines that “no harm to customers is reasonably likely to occur” because of the breach.

Revised Requirements to Notify Customers of a Breach

• Content. The Rules do not prescribe the contents of the customer notice but recommend categories of information to be included.
• Timing. The Rules eliminate the previous required seven-day waiting period for customer notification and replace that with the requirement to provide notice promptly.
• Exceptions. Customer notification is not required in two instances:
  • Determination of No Customer Harm. Customer notification is not required when the Service Provider determines that “no harm to customers is reasonably likely to occur.”
  • Encryption “Safe Harbor.” Customer notification is not required when the breach exclusively involves encrypted data, and the Service Provider can confirm that the encryption key was not compromised.

Recordkeeping

Service Providers must maintain records of the following for at least two years:

• Breaches Discovered. Service Providers must retain the following, if available:
  • Dates of discovery and notification
  • Detailed description of the Covered Data subject to the breach
  • Circumstances of the breach
  • Bases for any determinations regarding the number of affected customers or likelihood of harm because of the breach
• Notifications to the Federal Agencies
• Notifications to Customers

Annual Reporting of Small Breaches

An officer of the Service Provider must sign and file with the Federal Agencies, by February 1 of each year, a summary of all the breaches in the previous calendar year affecting fewer than 500 individuals and where a determination of “no harm” was made.

Effective Date

These Rules will become effective after review by the Office of Management and Budget (“OMB”) and the FCC’s Wireline Competition Bureau will announce the effective dates via subsequent public notice.

Takeaways

Companies incorporating advanced communications services should evaluate whether they are Service Providers subject to the Rules. Those Service Providers required to comply with the Rules must adapt their policies and procedures and ensure their security controls are adequate to protect Covered Data.