The FCC has launched a proceeding aimed at updating rules for notifying customers and federal law enforcement of data breaches involving customer proprietary network information (CPNI).
The Notice of Proposed Rulemaking (NPRM), which was adopted unanimously, is an effort to “better align” how CPNI is handled with recent developments in federal and state data breach laws covering other sectors, the FCC said.
There are two parts to the NPRM. It formally begins the process of gathering information. It also seeks comments on FCC issues related to carriers’ data breach notification requirements.
Issues covered include proposals touching on:
- Elimination of the seven-business-day mandatory waiting period for notifying customers of a breach;
- Clarifying rules requiring carriers to notify consumers of inadvertent breaches;
- Requiring notification of all reportable breaches to the FCC, FBI and U.S. Secret Service;
- Requiring customer breach notices to include specific categories of information to “help ensure” that there is actionable information that is useful to consumers;
- Making “consistent revisions” to the Commission’s telecommunications relay services (TRS) data breach reporting rule.
“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” FCC Chairwoman Jessica Rosenworcel said in a press release about the CPNI data breach NPRM. “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
A year ago next week, Rosenworcel circulated an NPRM within the commission that was designed to start the process of strengthening the reporting requirements for CPNI breaches. Adoption of the NPRM today is the next step in the process.