Telecom Associations Challenge FCC Data Breach Rules

WASHINGTON, March 28, 2024 – Major broadband trade groups are asking federal judges to block Federal Communications Commission data breach rules.

NCTA, CTIA, and USTelecom, three of the largest telecommunications trade associations, jointly filed a petition for review in the D.C Circuit Court of Appeals on March 15, but the case was moved to the Sixth Circuit on March 20. Two similar challenges to the same rules were consolidated in the circuit early this month.

The groups allege in their petition that the agency’s December data breach order “exceeds the FCC’s statutory authority” and is “arbitrary, capricious and an abuse of discretion,” a reference to a test courts use when reviewing federal agency rulemaking.

The FCC adopted rules at its December meeting that create more reporting requirements for providers of VoIP and TRS, voice services over the internet and services allowing people with hearing or speech disabilities to place phone calls respectively. 

Those rules expand the definition of a breach to include inadvertent, as well as intentional, access to customer data without authorization, and the definition of covered data, which now includes more personally identifiable information. The rules also require companies to notify the FCC in addition to law enforcement agencies of a breach and to notify customers sooner after law enforcement. Companies don’t have to notify customers in some circumstances, like when harm is unlikely to occur or if covered data was accessed in good faith by an employee.

The industry groups’ petition is brief, but they made arguments against parts of the rules during the FCC’s rulemaking process.

While they largely supported other aspects of the new rules, all three groups urged against the commission expanding its definition of “covered data” to include personal identifying information like social security numbers. 

Prior to adopting its new rules, the agency’s data breach policies only covered “customer proprietary network information,” or CPNI, information that providers collect about customers’ phone calls.

The groups argued in comments that the FCC lacks the legal authority to expand that definition, both because of the text of the 1996 Telecommunications Act and because Congress nullified a similar move from the agency in 2017.

The agency acknowledged and rejected those arguments in the December data breach order. “The breadth of Section 222(a) provides the additional clarity that the commission’s breach reporting rules can and must apply to all PII rather than just to CPNI,” the commission wrote.

That’s a reference to the section’s statement that telecommunications carriers must protect “proprietary information” about their customers, equipment manufacturers, and other carriers. Later sections of the law provide for the agency’s authority to regulate CPNI and other customer information specifically.

“The statute uses that term in Section 222(a) simply because the provision covers information exchanged with three different types of entities – customers, telecommunications carriers, and equipment manufacturers – and so using the term ‘CPNI,’ a term that applies solely to customers as addressed in Section 222(c), would not have been appropriate,” NCTA wrote in comments to the agency.

The groups had also argued to the agency that Congress’s 2017 move to nullify data breach rules that expanded the scope of covered data prevent the FCC from doing so again, as federal agencies can’t enact rules “substantially the same” as ones struck down by Congress. The FCC’s two Republican commissioners ultimately dissented from the order on these grounds.

In its order, the agency said the Congressional Review Act – the law allowing Congress to step in and strike down agency rules – “does not prohibit the adoption of a rule that is merely substantially similar to a limited portion of the disapproved rule or one that is the same as individual pieces of the disapproved rule.”

The nullified rules, the commission argues, focused in large part on broadband providers, who were telecommunications carriers at the time, and members of Congress were concerned about FCC privacy requirements conflicting with FTC rules. That expanded data breach rules were included as a part of the nullified order does not prevent the agency from taking similar steps now, the order argues.

The rules are also being challenged by the Ohio Telecom Association and the Texas Association of Businesses.