By SecureWorld News Team
Tue | Aug 19, 2025 | 3:54 PM PDT

A recent decision by the United States Court of Appeals for the Sixth Circuit has upheld the Federal Communications Commission's (FCC) rules on data breach reporting, a significant development for carriers and the security teams that support them.

The ruling means that telecommunications carriers are now explicitly required to report breaches involving both Customer Proprietary Network Information (CPNI) and Personally Identifiable Information (PII). The decision stems from a legal challenge brought by several industry groups, including the Ohio Telecom Association and CTIA, which argued that the FCC overstepped its statutory authority.

The court's opinion, delivered by Judge Jane B. Stranch, determined that the FCC has the authority to regulate data breach reporting under two sections of the Communications Act: Section 201(b) and Section 222(a). Section 222(a) requires carriers to protect the "proprietary information" of customers, and the court found that term broad enough to include PII. The court further held that inadequate data breach reporting is an "unjust or unreasonable" practice under Section 201(b), a provision granting the FCC broad regulatory power.

The court also addressed a previous Congressional disapproval of a similar 2016 FCC rule. The Sixth Circuit concluded that the new 2024 rule is not "substantially the same" as the one Congress disapproved of, as the new rule is less prescriptive and only focuses on data breach reporting, whereas the 2016 rule was a broader privacy order.

The decision clarifies and reinforces the regulatory obligations for companies within the FCC's jurisdiction. Cybersecurity professionals in these sectors now face heightened scrutiny and clear, mandatory reporting requirements for a wider range of data.

The rule, now upheld, broadens the scope of reportable breaches beyond CPNI to include PII. PII is defined broadly as information linked or linkable to an individual or device, such as a name, email address, date of birth, or Social Security number. For cybersecurity and GRC teams, this means incident response plans must cover the identification, containment, and reporting of PII breaches in addition to CPNI breaches, and the data inventory used to scope an incident must be able to say which of the two categories a compromised system held.

The rules also eliminate the previous mandatory seven-business-day waiting period before customers could be notified of a breach, and instead require carriers to notify affected customers without "unreasonable delay." Because that is an outcome standard rather than a fixed clock, cybersecurity teams need documented and rehearsed incident response and customer communication procedures that can produce, and justify, a notification timeline under these expedited expectations.

With the court's stamp of approval, the FCC is empowered to enforce these rules, meaning a failure to comply could result in significant fines and penalties. Cybersecurity professionals must ensure their breach response procedures align with the new regulations to mitigate legal and financial risk.

The court's decision most directly affects telecommunications carriers, and reaches broadband internet service providers only insofar as they are classified as telecommunications carriers. The FCC's authority and the rules in question are specific to "telecommunications services" and the companies that provide them. While the ruling's legal precedent may influence future decisions in other sectors, its immediate impact is concentrated on the telecom industry.

Intrusions attributed to the Chinese state-backed Salt Typhoon and Volt Typhoon campaigns in recent months, along with the continual targeting of telecom companies by other hacking groups, certainly weakened attempts to block cybersecurity-related regulations such as the FCC data breach rules.

Other U.S. federal agencies, such as the FTC and CISA, have their own data breach and incident reporting requirements that apply to other sectors. The ruling solidifies the FCC's specific role in policing data breaches among the service providers under its jurisdiction, ensuring a distinct regulatory framework for those carriers.
