Rosenworcel Moves to Update Data Breach Reporting Requirements Under CPNI Rules

Yesterday, FCC Chairwoman Jessica Rosenworcel circulated a Notice of Proposed Rulemaking (“NPRM”) to her colleagues on the Commission to update the agency’s rules for notifying customers and federal law enforcement of breaches involving customer proprietary network information (“CPNI”). According to a press release, the proposed “updates would better align the Commission’s rules with recent developments in federal and state data breach laws covering other sectors.”

The Chairwoman’s proposal is significant because it signals a potentially more active FCC in consumer protection as the Democrats solidify control of the agency following the Presidential transition and Chairwoman Rosenworcel’s elevation from Acting Chair to Chair. The scope of the proposal appears to be fairly narrow (based on the limited information currently available) but represents the second CPNI-related action proposed in the past three months. Once a fifth commissioner is confirmed, Chairwoman Rosenworcel may be able to press a broader consumer protection agenda for the agency.

At this time, little is known about the NPRM because the draft has not been released. The press release provides the best indication of what we can expect to see in the proceeding, if and when it is adopted. The FCC’s announcement explains that the proposal will:

  • Eliminate the current seven business day mandatory waiting period for notifying customers of a breach;
  • Require notification of inadvertent breaches; and
  • Require carriers to notify the FCC of all reportable breaches, in addition to the FBI and U.S. Secret Service.

The NPRM also is expected to seek comment on whether the FCC should require customer breach notices to include specific categories of information, which would give consumers “actionable information” to address the breach.

The move to update the CPNI rules may be motivated in part by T-Mobile's August 2021 disclosure that names, Social Security numbers, and other personal information belonging to more than 48 million current, former, and prospective customers had been compromised.

With the Commission still evenly split while awaiting confirmation of a third Democratic commissioner, Chairwoman Rosenworcel will need the support of at least one of the two Republican commissioners to adopt the NPRM. The proposed changes may be innocuous enough to garner such support.

The NPRM comes on the heels of an FCC proposal in October 2021 to update the CPNI rules to address SIM swap and port-out fraud, which did garner support from the Republican commissioners. The FCC also has yet to take final action on the Notices of Apparent Liability it issued to major wireless carriers in March 2020 proposing over $200 million in fines for allegedly selling access to their customers’ location information in violation of the CPNI rules. Together, these three actions signal that the FCC may be renewing its focus on privacy issues in telecommunications. In 2017, Congress used the Congressional Review Act to rescind the Commission’s 2016 broadband privacy rules. That action restricts the FCC’s ability to adopt substantially similar rules if it reclassifies broadband providers back to Title II telecommunications services.