In late December 2023, the Federal Communications Commission (“FCC”) published a Report and Order (“Order”) expanding the scope of the data breach notification rules (“Rules”) applicable to telecommunications carriers and interconnected VoIP (“iVoIP”) providers.  The Order makes several notable changes to the prior rules, including broadening the definitions of a reportable “breach” and “covered data,” requiring covered entities to notify the FCC in addition to federal law enforcement of breaches, and modifying certain customer notification requirements.  The Rules are expected to become effective sometime in 2024, after they are reviewed by the Office of Management and Budget and the FCC’s Wireline Competition Bureau (“Bureau”) announces the effective dates by subsequent public notice.

Changes to Definitions

The Order materially expands the definitions of “breach” and “covered data.”  It defines “breach” to include any access to, use, or disclosure of “covered data” that is not authorized or that exceeds authorization.  The Order states that this definition covers not only malicious activity, but also inadvertent unauthorized access to, use, or disclosure of covered data.  However, this expansion is paired with an important limitation.  A “breach” does not include good faith acquisition of covered data by an employee or agent of a carrier or service provider, as long as the information is not further disclosed or improperly used.  This is consistent with most U.S. state data breach notification laws, which have a similar good faith exceptions.

The definition of “covered data” for purposes of a “breach” also is intentionally broad and includes various categories of personally identifiable information (“PII”) received from or about a customer, or in connection with the customer relationship.  While the Rules previously covered only “Customer Proprietary Network Information” (“CPNI”), the Order states that the Rules now also apply to a broader set of PII, defined as “information that can be used to distinguish or trace an individual’s identity either alone or when combined with other information that is linked or reasonably linkable to a specific individual.” 

The Order specifies that the following information qualifies as PII:  (1) a first name or first initial, and last name, in combination with any government-issued identification numbers (or information issued on a government document used to verify identify of an individual) or other unique identification number used for authentication purposes; (2) username and email address in combination with a password or security answer, or any other authentication method for accessing an account; and (3) unique biometric, genetic, or medical data. 

The Order provides examples of these PII elements, citing to state law definitions of personal information, including, but not limited to, social security numbers, driver’s license numbers, financial account numbers, student identification numbers, medical identification numbers, private authentication keys, certain data that would permit access to a financial account, fingerprints, DNA profiles, and medical records.  The Order also states that dissociated data that could be linked with other data to reveal PII would be considered PII if the dissociated data and the means to link the dissociated data were accessed.  Finally, the Order states that PII could include any one of the discrete data elements listed, or any combination thereof, if those data elements could be used to commit identity theft or fraud against an individual.  The Order exempts from its definition of PII publicly available information lawfully made available to the general public from government records or widely distributed media.  The Order states that its definition of covered data is intended to harmonize the Order with U.S. state data breach notification laws.

Broader Agency Notification Requirements

Previously, the Rules required notifying only the Federal Bureau of Investigation (“FBI”) and the U.S. Secret Service (“USSS”) of a breach.  Under the Order, telecommunications carriers, iVoIP providers, and telecommunications relay service (“TRS”) providers will be required to also notify the FCC of a breach pursuant to specified affected-customer and risk-of-harm thresholds.  First, regardless of potential harm arising from a breach, covered entities must file individual, per-breach notifications for any breaches affecting 500 or more customers (or an indeterminable number of customers).  Notice must be provided within seven business days after reasonable determination of a breach.  Second, for breaches affecting fewer than 500 customers, the timing of notification depends on the risk of harm.  Notification must be provided within the same seven-business-day timeframe unless the covered entity can reasonably determine that no harm to customers is reasonably likely.  If they do make that determination, covered entities only have to report breaches affecting fewer than 500 customers in an annual summary report delivered by February 1 of the following calendar year.  To avoid duplication, covered entities can still submit breach reports at cpnireporting.gov, and the FCC will also link to the reporting portal at http://www.fcc.gov/eb/cpni or a successor URL established by the Bureau.  The Rules also require maintaining and retaining for two years a record of any discovered breach and notifications made to agencies and customers.

The required content for agency notifications is virtually unchanged.  However, the Order removes a field that previously asked covered entities whether there was an “extraordinarily urgent need” to notify affected customers before seven business days have passed, because that seven-day “waiting period” has now been eliminated.  Covered entities must still, at a minimum, report their address and contact information, a description of the breach incident, the method of compromise, the date range of the incident, the approximate number of customers affected, an estimate of the financial loss to the carrier and customers, and the types of data breached.  Given that TRS providers may have access to particularly sensitive customer information, such as call audio and transcripts, the Order further specifies that TRS providers must include a description of the customer information that was affected, including whether the content of conversations were compromised.

Changes to Customer Notification Requirements

For breach notifications to customers, the Order adopts a “harm-based trigger,” which creates a rebuttable presumption of harm that covered entities must overcome to avoid notifications.  Essentially, covered entities do not need to notify customers if they can reasonably determine that the breach is unlikely to cause harm to customers or where the breach only involved encrypted data and the covered entities have “definitive evidence” that the encryption key was not also accessed, used, or disclosed.  

The Order directs covered entities to consider the following factors when assessing the likelihood of harm to customers: (1) the sensitivity of the information breached; (2) the nature and duration of the breach; (3) whether the information was encrypted; (4) what mitigation measures the covered entity took; and (5) whether the breach was intentional.  The Order identifies a range of harms that could require notification, including financial or physical harm, identity theft, theft of services, potential for blackmail or spam, and other similar types of dangers.  In addition, the Order notes that where call content hosted by a TRS provider has been compromised, the provider cannot overcome the presumption of harm and must notify customers due to the particular sensitivity of such data.

The Order also amends customer notification timelines and provides guidance on the content of required customer notifications.  Specifically, the Order requires covered entities to notify customers without unreasonable delay after notifying federal agencies and in no case later than thirty days after reasonable determination of a breach, eliminating the Rules’ previous seven-day waiting period before customers could be notified.  While the Order is not prescriptive regarding the content of a customer notice or the method of delivery, notices must at a minimum convey when a breach occurred and that the breach may have affected the customer’s data.  However, the Order does adopt as recommendations specific categories of information that may be included in a notice: (1) the estimated date of the breach; (2) a description of the customer information affected; (3) information about how customers can contact the carrier about the breach; (4) information about how to contact the FCC, Federal Trade Commission, and any relevant state regulatory agencies; (5) information about how to guard against identity theft if relevant; and (6) any other steps customers should take to mitigate risk from the breach.  For TRS providers, the FCC recommends that the notice also include whether the breach compromised contents of conversations.

This Order follows recent activity from the FCC’s Privacy and Data Protection Task Force, including the announcement last month of a partnership between the FCC and state attorneys general on data privacy enforcement.

Photo of Yaron Dori Yaron Dori

Yaron Dori has over 25 years of experience advising technology, telecommunications, media, life sciences, and other types of companies on their most pressing business challenges. He is a former chair of the firm’s technology, communications and media practices and currently serves on the…

Yaron Dori has over 25 years of experience advising technology, telecommunications, media, life sciences, and other types of companies on their most pressing business challenges. He is a former chair of the firm’s technology, communications and media practices and currently serves on the firm’s eight-person Management Committee.

Yaron’s practice advises clients on strategic planning, policy development, transactions, investigations and enforcement, and regulatory compliance.

Early in his career, Yaron advised telecommunications companies and investors on regulatory policy and frameworks that led to the development of broadband networks. When those networks became bidirectional and enabled companies to collect consumer data, he advised those companies on their data privacy and consumer protection obligations. Today, as new technologies such as Artificial Intelligence (AI) are being used to enhance the applications and services offered by such companies, he advises them on associated legal and regulatory obligations and risks. It is this varied background – which tracks the evolution of the technology industry – that enables Yaron to provide clients with a holistic, 360-degree view of technology policy, regulation, compliance, and enforcement.

Yaron represents clients before federal regulatory agencies—including the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), and the Department of Commerce (DOC)—and the U.S. Congress in connection with a range of issues under the Communications Act, the Federal Trade Commission Act, and similar statutes. He also represents clients on state regulatory and enforcement matters, including those that pertain to telecommunications, data privacy, and consumer protection regulation. His deep experience in each of these areas enables him to advise clients on a wide range of technology regulations and key business issues in which these areas intersect.

With respect to technology and telecommunications matters, Yaron advises clients on a broad range of business, policy and consumer-facing issues, including:

  • Artificial Intelligence and the Internet of Things;
  • Broadband deployment and regulation;
  • IP-enabled applications, services and content;
  • Section 230 and digital safety considerations;
  • Equipment and device authorization procedures;
  • The Communications Assistance for Law Enforcement Act (CALEA);
  • Customer Proprietary Network Information (CPNI) requirements;
  • The Cable Privacy Act
  • Net Neutrality; and
  • Local competition, universal service, and intercarrier compensation.

Yaron also has extensive experience in structuring transactions and securing regulatory approvals at both the federal and state levels for mergers, asset acquisitions and similar transactions involving large and small FCC and state communication licensees.

With respect to privacy and consumer protection matters, Yaron advises clients on a range of business, strategic, policy and compliance issues, including those that pertain to:

  • The FTC Act and related agency guidance and regulations;
  • State privacy laws, such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act;
  • The Electronic Communications Privacy Act (ECPA);
  • Location-based services that use WiFi, beacons or similar technologies;
  • Digital advertising practices, including native advertising and endorsements and testimonials; and
  • The application of federal and state telemarketing, commercial fax, and other consumer protection laws, such as the Telephone Consumer Protection Act (TCPA), to voice, text, and video transmissions.

Yaron also has experience advising companies on congressional, FCC, FTC and state attorney general investigations into various consumer protection and communications matters, including those pertaining to social media influencers, digital disclosures, product discontinuance, and advertising claims.

Photo of Conor Kane Conor Kane

Conor Kane advises clients on a broad range of privacy, artificial intelligence, telecommunications, and emerging technology matters. He assists clients with complying with state privacy laws, developing AI governance structures, and engaging with the Federal Communications Commission.

Before joining Covington, Conor worked in…

Conor Kane advises clients on a broad range of privacy, artificial intelligence, telecommunications, and emerging technology matters. He assists clients with complying with state privacy laws, developing AI governance structures, and engaging with the Federal Communications Commission.

Before joining Covington, Conor worked in digital advertising helping teams develop large consumer data collection and analytics platforms. He uses this experience to advise clients on matters related to digital advertising and advertising technology.

Photo of John Webster Leslie John Webster Leslie

Web Leslie represents and advises emerging and leading companies on a broad array of technology issues, including on cybersecurity, critical infrastructure, national security, investigations, and data privacy matters.

Web provides strategic advice and counsel on cybersecurity preparedness, cyber and data security incidents, healthcare…

Web Leslie represents and advises emerging and leading companies on a broad array of technology issues, including on cybersecurity, critical infrastructure, national security, investigations, and data privacy matters.

Web provides strategic advice and counsel on cybersecurity preparedness, cyber and data security incidents, healthcare privacy and security, cross-border privacy law, and government investigations, and helps clients navigate complex policy matters related to cybersecurity, national security, and critical infrastructure protection.

In addition to his regular practice, Web also counsels pro bono clients on technology, immigration, and criminal law matters.

Web previously served in government in various roles at the Department of Homeland Security, including at the Cybersecurity and Infrastructure Security Agency (CISA), where he specialized in cybersecurity and critical infrastructure, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.