Categories
Regulation - What is it Good For?

FCC Considering New Rules for Data Breaches

Back in January of this year, the FCC issued a Notice of Proposed Rulemaking in WC Docket No. 22-21 that proposes to change the way that ISPs and carriers report data breaches to the FCC and to customers. The proposed new rules would modify some of the requirements of the customer proprietary network information (CPNI) rules that were originally put into place in 2007.

Since the 2007 CPNI order, all fifty states have adopted a version of the CPNI rules, and additional breach rules have come from federal agencies like the Federal Trade Commission, the Cybersecurity and Infrastructure Security Agency, and the Securities and Exchange Commission. The FCC is hoping to strengthen the rules on reporting data breaches since it recognizes that data breaches are increasingly common and can be damaging to customers.

The FCC completed a round of initial and reply comments by the end of March 2023, but is not expected to make a final order before the end of this year.

The current FCC rules for data breaches require carriers to notify law enforcement within seven days of a breach using an FCC portal that forwards a report to the Secret Service and the FBI. After a carrier has notified law enforcement, it can opt to notify customers, although that is not mandatory. One of the reasons this docket was initiated is that carriers have kept quiet about some major data breaches. The new rules would require carriers to provide additional information to the FCC and law enforcement. The new requirements also eliminate any waiting period, and carriers would be required to notify law enforcement and customers “without unreasonable delay”. The only exception to rapid customer notification would be if law enforcement asks for a delay.

The FCC is proposing new reporting rules that it says will better protect consumers, increase security, and reduce the impact of future breaches. There was a lot of pushback from carriers in comments to the docket that centered on two primary topics – the definition of what constitutes a data breach, and the requirement of what must be told to customers.

The FCC wants to expand the definition of data breach to include the inadvertent disclosure of customer information. The FCC believes that requiring the disclosure of accidental breaches will incentivize carriers to adopt more strenuous data security practices. Carriers oppose the expanded definition since disclosure would be required even when there is no apparent harm to customers.

Carriers also oppose the quick notification requirements. Carriers argue that it takes time to understand the breadth and depth of a data breach and to determine if any customers were harmed. Carriers also need to be working immediately after discovering a breach to contain and stop the problem.

Carriers are opposed to the FCC suggestions of what must be disclosed to customers. The FCC wants to make sure that customer notices include everything needed for customers to react to the breach. Carriers say that assembling the details by customer will take too long and could leave customers open to further problems. Carriers would rather make a quick blanket announcement instead of a detailed notice to specific customers.

One of the interesting nuances of the proposed rules is that there would be two types of notifications required – one for inadvertent leaks and another for what the FCC calls a harms-based notification. This would require a carrier to notify customers based on the specific harm that was caused. Carriers were generally in favor of the harms-based approach but didn’t want to confuse customers by notifying them of every inadvertent breach that doesn’t cause any harm.

Consumer advocates opposed allowing only the harms-based trigger, because it lets a carrier decide when a breach causes harm. They fear that carriers will under-report harms-based breaches.

These rules would apply to all ISPs and carriers, regardless of size. While it might still be some months before any new rules become effective, small ISPs ought to use this impending change as a reason to review data security practices and the ability to notify customers.


The California Consumer Protection Act (CCPA)

In June 2018 California enacted a new privacy law that adopts some of the requirements of the European Union’s privacy regulations that recently went into effect. The California law goes into effect on January 1, 2020 and will affect a lot of US companies, including many not located in California. The law applies to any company that collects and processes personal information of California residents. For now, small companies that have revenues of less than $25 million per year along with non-profit entities are exempt.

The law defines personal information much more broadly than any other US privacy legislation. Personal information is defined as, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Covering information that identifies only an address or household is a big expansion of privacy rules, since prior rules only considered personal information of individual residents. The law includes a list of examples of personal data such as Social Security numbers, credit card numbers, and driver’s license numbers, but goes a lot further and covers things like information captured and tracked by marketing cookies, such as IP addresses or details about computers or phones. While the law excludes information that is publicly available, essentially any other information a company collects about customers is considered private.

The new law provides specific rights to consumers:

Disclosure: A business must notify customers about its data collection practices. Companies must disclose the personal information that is being collected, describe how it’s being collected and used, and disclose whether that data is being shared with or sold to anybody else. This is to be provided in a publicly posted privacy notice and also needs to be made available to consumers upon request.

Opt-Out: Customers must be provided an easy-to-understand process for opting out of having their data sold to third parties. Consumers under 16 must opt in to having data sold. Parents must provide consent for children under the age of 13. Companies must provide a “Do Not Sell My Personal Information” button on their main home page.

Information Removal: Customers must be provided the ability to have businesses delete their personal information, and companies must let customers know they have this right. If a customer chooses this option, a business must not only delete the information from its own records but must ensure that the records are deleted by any third-party contractors that have been provided with the personal information.

No Discrimination: Businesses cannot discriminate against customers who elect to keep their data private. Businesses can’t charge an extra fee for a customer electing a privacy option. Interestingly though, businesses can offer an incentive for customers to make their data available, such as offering a discount for allowing the business to use the data.

In the same manner that recently happened in Europe, US companies that are covered by this law have a lot of things to put into place by the first of next year. Most companies won’t find it hard to make the needed disclosures and notices, but putting processes in place that delete customer data, including data that was passed on to somebody else, can be a huge challenge. One of the hardest requirements to meet will be the one that requires companies to make all reasonable efforts to protect against data breaches.

The penalties for not complying with the law are high. A company can be charged up to $2,500 for every violation and up to $7,500 for each intentional violation (such as not deleting data after assuring a customer it was done). Companies can avoid fines by coming into compliance within 30 days of being notified by an attorney general of a violation.

The law also opens companies to litigation from customers. The law gives consumers the right to bring lawsuits if their data is disclosed due to negligence of the business. Consumers can file individual or class action lawsuits and can recover between $100 and $750 in damages per incident. This law will almost certainly spur a class-action lawsuit every time there is a big data breach.

I’ve reported on this law for a few reasons. California often leads the country on new legislation, and it’s likely that some version of this law will spread elsewhere across the country. For instance, as I was writing this blog the state of Maine passed legislation that is even more stringent in a few areas. There is also a bipartisan effort in Congress looking at privacy rules, and this law is certain to influence that effort.

This law doesn’t just apply to web vendors. Parts of this law apply to anybody that collects sensitive customer data over the Internet, such as ISPs and utilities. It’s a warning to every business to take steps to protect against breaches of customer information.
