What’s in a Word? FCC’s Proposed Data Breach Rule Redefines Key Terms

The Federal Communications Commission is reviewing how to define key terminology that governs data reporting requirements for telecommunication companies, as part of its pending update to its data breach requirements. 

The updated rules, which have been in the works since this time last year, aim to ensure notification of data breaches within the telecommunications sector occur in a timely manner to better protect consumers. Changes proposed to the FCC’s current regulations surrounding data breach incident reporting include expanding the definition of “breach.”

“We propose to revise our definition to define a breach as any instance in which a person, without authorization or exceeding authorization, has gained access to, used or disclosed [customer proprietary network information],” the notice states. “We seek comment on this proposal and other possible definitions.”

The current FCC definition of a breach relies on an intent to gain access to such CPNI, excluding instances of accidental accesses and disclosures. The proposed definition would now include such cases.

The FCC notes that several state laws exclude the “good faith” acquisition of sensitive data from an authorized user from their definition of “breach,” primarily based on the use of the exposed data. Officials at the FCC are considering incorporating this detail into their updated definition.

The agency also called for comments on whether or not its new “breach” definition should include scenarios where a telecommunications company or third party entity uncovers conduct that could have “reasonably” led to the exposure of sensitive consumer data, even before a data leak has been proven.

In this vein, much of the feedback the agency wants centers on requiring telecommunication companies to adopt a notification standard that requires a data breach to be reported based on if consumers had been impacted. 

This notification, called a harm-based trigger, is utilized in data breach protocols across some states, which the FCC cited as examples in crafting its new reporting framework. Harm-based triggers generally don’t require entities to disclose breaches to consumers if their proprietary data is proven to have been unharmed by the attack. 

“We seek comment on whether to forego requiring notification to customers or law enforcement of a breach in those instances where a telecommunications carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach,” the notice explains.

One of the key components to adopting a harm-based trigger rule is how exactly the FCC and telecommunication entities determine whether or not there has been any harm following a data breach.

“We [FCC] preliminarily believe that no single factor on its own (e.g., basic encryption) is sufficient to make a determination regarding harm to customers,” the notice reads. And that determination of harm may have a different impact on consumers than on law enforcement.

“While there are legitimate reasons to consider eliminating notifications to customers in those instances where a breach is not reasonably likely to result in harm—including reducing confusion, stress, financial hardship and notice fatigue—can the same be said of notifications to law enforcement?” the proposed rule asks.

The agency is also examining how to accurately define “harm” in the context of a data breach, potentially augmenting the definition to encompass emotional and reputational damage.

Other agencies, including the National Institute of Standard and Technology, have taken a similarly broad approach in defining key cybersecurity terms. The current meaning for “harm” in the official NIST glossary takes into account “adverse effects that would be experienced by an individual (i.e., that may be socially, physically or financially damaging) or an organization” in the event of a data breach.

The word “breach” itself also includes more inadvertent data exposure incidents, as the FCC is currently considering. NIST defines “breach” as any loss of control of data where “a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for another than authorized purpose.”

The Cybersecurity and Infrastructure Security Agency, meanwhile, does not include “harm” in the same context necessarily, however, it defines “data breach” as “the unauthorized movement or disclosure of sensitive information to a party,” noting that unauthorized access is usually orchestrated by an entity outside of the organization. 

Another proposed layer of incident reporting protocol would require carriers to notify law enforcement agencies of a breach, namely the Secret Service and the Federal Bureau of Investigation, in addition to the FCC. 

As cyberattacks on the digital networks of critical infrastructure only stand to worsen, federal agencies are increasingly tasked with leading the charge for better nationwide cybersecurity. 

FCC Chairwoman Jessica Rosenworcel advocated in January 2023 and in 2022 to strengthen data breach reporting requirements. 

“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” she said in an earlier statement on the proposed reporting change.

Following the proposed rule’s publication, the comment period is open until the end of the day on February 22, 2023, with reply comments due by March 24.