US Federal Communications Commission updates and beefs up its data breach notification rules on 13 March 2024 … the US is moving more in line with the EU, and Australia continues to languish in this area

March 27, 2024

Mandatory data breach notification rules are becoming standard in most first world jurisdictions. Over time the obligations upon affected entities have tightened. That is good policy given the way that hackers operate. The US Federal Communications Commission (“FCC”) has updated its Data Breach Notification Rules. These updated rules obviously do not apply in Australia. That said, they are very useful to consider because they are so much more detailed and analytical than the Australian equivalents. They are a very useful resource when considering how to deal with data breaches and how to properly structure a notification.

The media release relevantly provides:

It has been sixteen years since the Federal Communications Commission last updated its policies to protect consumers from data breaches.  Sixteen years!  To be clear, that was before the iPhone was introduced.  There were no smart phones, there was no app store, there were no blue and green bubbles for text.  It was a long time ago.  In the intervening years a lot has changed about when, where, and how we use our phones, and what data our providers collect about us when we do.  But not the FCC’s data breach rules; they remain stuck in the analog age. 

Today we fix this problem.  We update our policies to protect consumers from digital age data breaches.  We make clear that under the Communications Act carriers have a duty to protect the privacy and security of consumer data. 

First, we modernize our data breach rules to make clear they include all personally identifiable information.  In the past, these rules have only prohibited the disclosure of information about who we call and when.  But consumers also deserve to know if their carrier has disclosed their social security number or financial data or other sensitive information that could put them in harm’s way.  We fix that today—and it is overdue. 

Second, we modernize our data breach rules to make clear they cover intentional and inadvertent disclosure of customer information.  Consumers deserve protection regardless of whether the release of their personally identifiable information was intentional or accidental.  Either way, they could find themselves in trouble, so our rules need to address both.

Third, we modernize our standards for notification.  That means in the event of a data breach, your carrier has to tell the FCC and tell you in a timely way just what happened and what personal information may be at risk.  Our old rules required carriers to wait seven business days before telling consumers what breaches had taken place.  But there is no reason why consumers should have to wait that long before learning that their personal information has been stolen or misused. 

Finally, we update reporting requirements associated with data breaches.  We also make clear our policies apply to telecommunications relay service providers, so that those with disabilities get the same protections as everyone else.

The order, at 100 pages, expands the definitions of a “breach” and “covered data.” The definition of “breach” now includes any access to, use, or disclosure of “covered data” that is not authorized or that exceeds authorization. The definition covers not only malicious activity, but also inadvertent unauthorized access to, use, or disclosure of covered data. It does not include good faith acquisition of covered data by an employee or agent of a carrier or service provider, as long as the information is not further disclosed or improperly used. Good faith exceptions are quite common in State data breach notification laws.

The definition of “covered data” is broad and includes various categories of personally identifiable information received from or about a customer, or in connection with the customer relationship. The Rules apply to a broader set of PII, defined as “information that can be used to distinguish or trace an individual’s identity either alone or when combined with other information that is linked or reasonably linkable to a specific individual.”

The Order specifies the following information which qualifies as PII:

(1) a first name or first initial, and last name, in combination with any government-issued identification numbers (or information issued on a government document used to verify the identity of an individual) or other unique identification number used for authentication purposes;

(2) username and email address in combination with a password or security answer, or any other authentication method for accessing an account; and

(3) unique biometric, genetic, or medical data.

That information would include social security numbers, driver’s license numbers, financial account numbers, student identification numbers, medical identification numbers, private authentication keys, certain data that would permit access to a financial account, fingerprints, DNA profiles, and medical records. Dissociated data that could be linked with other data to reveal PII would be considered PII if both the dissociated data and the means to link it were accessed. PII could include any one of the discrete data elements listed, or any combination thereof, if those data elements could be used to commit identity theft or fraud against an individual.

Under the Order, telecommunications carriers, interconnected VoIP (“iVoIP”) providers, and telecommunications relay service (“TRS”) providers will also be required to notify the FCC of a breach, subject to specified affected-customer and risk-of-harm thresholds. Entities must file individual, per-breach notifications for any breach affecting 500 or more customers (or an indeterminable number of customers) within seven business days after reasonable determination of the breach. For breaches affecting fewer than 500 customers, the timing of notification depends on the risk of harm; to avoid notification altogether, the entity must reasonably determine that harm to customers is not reasonably likely.

Entities must, at a minimum, report their address and contact information, a description of the breach incident, the method of compromise, the date range of the incident, the approximate number of customers affected, an estimate of the financial loss to the carrier and customers, and the types of data breached.

Breach notifications to customers involve a “harm-based trigger,” which creates a rebuttable presumption of harm that covered entities must overcome to avoid notification. Entities do not need to notify customers if they can reasonably determine that the breach is unlikely to cause harm to customers, or where the breach only involved encrypted data and the covered entity has “definitive evidence” that the encryption key was not also accessed, used, or disclosed.

The relevant factors when assessing the likelihood of harm to customers are:

  • the sensitivity of the information breached;
  • the nature and duration of the breach;
  • whether the information was encrypted;
  • what mitigation measures the covered entity took; and
  • whether the breach was intentional.

The Order identifies a range of harms that could require notification, including

  • financial or physical harm,
  • identity theft,
  • theft of services,
  • potential for blackmail or spam, and other similar types of dangers.

The Order tightens customer notification timelines and provides guidance on the content of required customer notifications. Entities must notify customers without unreasonable delay after notifying federal agencies, and in no case later than thirty days after reasonable determination of a breach.
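The FCC and customer notification obligations described above (the 500-customer threshold, the seven-business-day FCC deadline, the harm-based trigger with its encryption exception, and the thirty-day customer deadline) are easy to mis-apply under incident pressure, so the following is an added example, not part of the original post or of the Order, that encodes them as a decision helper an incident response team could run against the facts it has established. The `Breach` fields, the sample breaches and the Monday-to-Friday business-day calculation (public holidays ignored) are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

@dataclass
class Breach:
    """Facts established about one breach (field names are this example's own)."""
    determined_on: date                 # date the breach was "reasonably determined"
    customers_affected: Optional[int]   # None models an indeterminable number
    harm_reasonably_unlikely: bool      # outcome of the risk-of-harm assessment
    only_encrypted_data: bool           # the breach involved encrypted data only
    key_definitively_safe: bool         # "definitive evidence" the key was not accessed

def add_business_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday business days (public holidays not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:   # Monday=0 ... Friday=4
            n -= 1
    return d

def fcc_notice(b: Breach) -> Tuple[bool, Optional[date], str]:
    """Per-breach FCC notice: (required now, deadline, reason)."""
    if b.customers_affected is None or b.customers_affected >= 500:
        return True, add_business_days(b.determined_on, 7), "500+ or indeterminable customers"
    # Under 500 customers: the Order ties timing to the risk-of-harm assessment,
    # which this helper does not try to model.
    return False, None, "fewer than 500 customers: timing depends on risk of harm"

def customer_notice(b: Breach) -> Tuple[bool, Optional[date], str]:
    """Customer notice under the harm-based trigger: (required, deadline, reason)."""
    # Harm is presumed; the entity must overcome the presumption to skip notice.
    if b.harm_reasonably_unlikely:
        return False, None, "harm reasonably determined unlikely"
    if b.only_encrypted_data and b.key_definitively_safe:
        return False, None, "encrypted data only and key shown not compromised"
    return True, b.determined_on + timedelta(days=30), "presumption of harm not rebutted"

# Constructed samples, all "determined" on Wednesday 13 March 2024.
SAMPLE_LARGE_ENCRYPTED = Breach(date(2024, 3, 13), 1200, False, True, False)  # no proof key is safe
SAMPLE_SMALL_KEY_SAFE = Breach(date(2024, 3, 13), 40, False, True, True)
SAMPLE_UNKNOWN_COUNT = Breach(date(2024, 3, 13), None, True, False, False)

if __name__ == "__main__":
    for name, b in [("large/encrypted", SAMPLE_LARGE_ENCRYPTED),
                    ("small/key safe", SAMPLE_SMALL_KEY_SAFE),
                    ("unknown count", SAMPLE_UNKNOWN_COUNT)]:
        print(name, "FCC:", fcc_notice(b), "customers:", customer_notice(b))
```

Encrypted data without definitive evidence about the key does not rebut the presumption, so the first sample still owes customers a notice by 12 April 2024 and the FCC a filing by 22 March 2024.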

Notices must at a minimum convey when a breach occurred and that the breach may have affected the customer’s data.  The Order recommends these specific categories of information that may be included in a notice:

  • the estimated date of the breach;
  • a description of the customer information affected;
  • information about how customers can contact the carrier about the breach;
  • information about how to contact the FCC, Federal Trade Commission, and any relevant state regulatory agencies;
  • information about how to guard against identity theft if relevant; and
  • any other steps customers should take to mitigate risk from the breach.
