New FCC Data Breach Rules Draw Criticism For Problems Beyond the CRA
There has been a lot of coverage about the Federal Communications Commission’s (FCC and Commission) new and expansive data breach notification Order, approved on a 3-2 vote at the Commission’s December 13 Open Meeting. Much of this coverage has focused on the Congressional Review Act (CRA), a topic that commenters raised in response to the Notice of Proposed Rulemaking and that Commissioners Carr and Simington cited as a major legal barrier to the new rules in their dissents. But while the CRA is an important part of the discussion of the new rules’ legality (and will come up again as the Commission considers its renewed push for net neutrality), focusing only on the CRA can obscure more fundamental legal and policy issues with the new rules that were raised by commenters and also highlighted in dissents. As Commissioner Carr observed, “even if the CRA never passed, the FCC’s decision would exceed the Commission’s authority.”
Below, we explain the CRA concerns at a high level, and highlight the other claimed problems, in law and policy, with the new data breach notification rules.
Commenters’ CRA Concerns, Explained.
As mentioned above, much ink has been—and will continue to be—spilled regarding the FCC’s latest data breach notification rules and the CRA. A letter from Congressional leaders—sent to the FCC the day before the Commission voted to approve the new rules—explains the CRA issue well. As the letter describes, already, in 2016, the FCC pursued “legally suspect privacy and data security rules” that Congress voted to disapprove, so under the CRA—which prohibits an agency from re-issuing a rule that is substantially the same as one that has been disapproved—the FCC cannot now “resurrect a portion of the 2016 Broadband Privacy Order pertaining to data security.”
In short, Congress in 2017 used the CRA to disapprove of the FCC’s broad data breach notification rules that the agency promulgated in 2016, meaning that the Commission is prohibited from adopting rules that are substantially the same as those rules. And many have argued that the Order would implement rules that are substantially the same as the rules that Congress rejected in its 2017 CRA.
The Record Reveals a Number of Other Serious Policy and Legal Issues.
The new breach notification Order has drawn criticism beyond the CRA. These substantive concerns with the final rules are not a surprise. The agency heard these issues loud and clear from a variety of stakeholders throughout the duration of this proceeding, including in comments, reply comments, and the flurry of ex parte filings made after the draft Order was released on November 22 and before the Commissioners voted on December 13. For example, an array of filings by several associations (here, here, here, and here) and wireless carriers (here, here, and here) pointed out serious operational and legal issues with the Commission’s approach.
Where does the record show that the new rules go wrong? The below examples illustrate some of the substantive concerns that were raised in the record, which are entirely distinct from the CRA arguments:
- Commenters warned the FCC that it was vastly exceeding the agency’s authority by regulating data that Congress did not direct it to regulate. Congress directed the agency in 47 U.S.C. § 222 to regulate “customer proprietary network information,” which is a defined and specific term that applies to information derived from the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service. Instead, the Order expands the FCC’s reach to regulate “personally identifiable information,” defined far more broadly than just CPNI.
- Several commenters raised concerns about the agency’s failure to provide adequate notice to regulated entities regarding how it was going to draft the final rules.
- Commenters pointed out serious operational problems that would stem from the rules, including that the Commission’s rules would be difficult to apply and would lead to over-notification and create enormous compliance burdens to track and report on non-events or harmless and inadvertent incidents.
- Several commenters told the Commission that its final rule was inconsistent with state data breach laws with respect to, among other things, what would trigger customer and agency notification obligations; the harm-based standards for companies to make those determinations; and a “safe harbor” for incidents involving encrypted data (commenters argued that there can be no harm to consumers from access to encrypted data unless the keys were compromised).
- Commenters pointed out that the FCC was moving away from the harmonization that Congress and the Biden Administration have been promoting for cyber and data breach notifications, adding more complexity and burdens to an already fragmenting area of law. The new data that the FCC regulates (Social Security numbers, financial data and more) is already subject to regulation under other incident reporting frameworks that abound, with 50-plus state breach notice laws, several federal regimes, and emerging reporting obligations from the Department of Homeland Security, the Federal Trade Commission, and the Securities and Exchange Commission, to name just a few.
The FCC, after receiving this additional input, had a chance to make changes to address concerns. While the FCC made a few modest changes, it did not rectify the core problems identified by commenters.
- The agency did not return its focus to CPNI, which is what Congress directed it to regulate.
- Until the final Order is released, it remains to be seen whether the FCC meaningfully corrected the looseness in the “harm standard” that it created in the draft Order. Commenters pointed out that this standard would be difficult to apply because it includes considerations that are not knowable or ascertainable to regulated entities and that are not currently cognizable harms.
- The agency purported to expand the safe harbor for encrypted data, but made it highly impractical because in order to rely on it, companies must have “definitive evidence that the encryption key was not also accessed, used, or disclosed.” This requirement to “prove the negative” does not reflect real world forensics and incident management. If a carrier sees no evidence of compromise, it may still lack “definitive evidence”, leading to unnecessary incident notifications. Companies should be able to rely on data encryption unless there is an indication that the keys were compromised.
In adopting the final rules, the agency hewed to its proposed expansion of regulatory obligations well beyond Congress’s specific direction to oversee CPNI. In sum, while commenters certainly believe the CRA precluded this action, they also have identified fundamental flaws that make the new regime problematic and unlawful, even if Congress had taken no action under the CRA to disapprove the 2016 Broadband Privacy Order.
Wiley’s TMT Practice and its Privacy, Cyber and Data Governance Practice have been advising on CPNI and data security for decades, including in this proceeding. Feel free to reach out to the team to discuss this item and any other data security questions you may have.