On January 6, 2023, the Federal Communications Commission (“FCC”) released a Notice of Proposed Rulemaking (“NPRM”) proposing to change its existing rules for notifying customers and federal law enforcement authorities of breaches of customer proprietary network information (“CPNI”).
Among other things, the FCC proposes to change the definition of “breach” to include unintentional or accidental disclosures of CPNI. The FCC is also seeking comment on whether to employ a harm-based notification trigger, which would eliminate the notification requirement in instances where a telecommunications carrier can reasonably conclude that no harm to customers is likely to occur as a result of a breach. The FCC additionally proposes that carriers be required to notify the FCC, in addition to the FBI and the US Secret Service, as soon as practicable after the discovery of a breach. With respect to notifying customers, the FCC proposes replacing the current seven-business-day mandatory waiting period with a requirement that carriers inform customers of CPNI breaches “without unreasonable delay” unless specifically requested to refrain from notification by law enforcement.
The FCC also seeks comment on the effect and scope of the Congressional disapproval of the FCC’s 2016 Privacy Order under the Congressional Review Act. In the 2016 Privacy Order, the FCC expanded the scope of its CPNI rules to Internet Service Providers (“ISPs”). Congress rescinded those rules using the Congressional Review Act.