The FCC has a new Notice of Proposed Rulemaking (NPRM) concerning an update of customer proprietary network information (CPNI) rules. The FCC wants to strengthen the rules concerning notifying customers of a data breach.
CPNI rules are codified at the FCC from Section 222(a) of the Telecommunications Act of 1996. CPNI rules are intended to protect customer data. For those that haven’t read CPNI rules for a while, Section 222(a) rules state:
Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.
In plain English, this means that every telecom carrier must take steps to protect customer data that is collected as part of providing a telecommunications service.
There have been a number of well-known data breaches in the industry, and the FCC is proposing to tighten the rules related to notifying customers about data breaches. For example, the current rules give carriers seven days to notify customers of breaches of their personal data, and the NPRM will propose to drastically shorten that time frame. The FCC will also be proposing that carriers must disclose inadvertent breaches of data that were caused by the carrier, as opposed to a malicious outside party. Finally, carriers will be required to report all data breaches to the FCC, the FBI, and the U.S. Secret Service.
For those of you not familiar with the NPRM process, the FCC uses this method to notify the industry of proposed changes in regulations. An NPRM spells out the specific proposed rule changes by showing the proposed change in FCC rules. The FCC then invites comments on the proposed rule changes and often asks additional questions to get feedback. The FCC sometimes adopts the NPRM as proposed but often modifies the proposed rules based upon the comments received.
It doesn’t seem likely that the FCC will allow an opt-out of these rule changes for small carriers and these rules are likely to apply to everybody, like the current CPNI rules.
As is usual these days, there is a regulatory twist. As it sits today, the FCC no longer regulates broadband since it is not classified as a telecommunications service. The Section 222 rules only apply to telecommunications carriers and the new rules might only apply to carriers that offer traditional telephone service, cellular services, or anything else remaining under FCC jurisdiction. An ISP that only provides broadband might be exempt from CPNI rules – although you could face an expensive legal fight if the FCC sees it otherwise. An awful lot of our regulatory rules are sitting in the gray areas these days.
However, if the FCC eventually brings broadband back into the regulatory fold, as is expected, then these rules would apply to all ISPs selling broadband services.