Court Finds FCC Data Breach Rules Not Blocked by Congressional Review Act

WASHINGTON, August 15, 2025 – Federal judges upheld Federal Communications Commission data breach rules on Wednesday, ruling the agency did not exceed its authority and did not violate the Congressional Review Act.

“We have determined that the FCC has the statutory authority to impose the 2024 data breach reporting rule on telecommunications carriers,” Circuit Judge Jane B. Stranch wrote, later adding “the FCC’s issuance of the 2024 Order did not violate the CRA.”

The rules expand data breach reporting requirements for telecom providers. They expanded the definition of “covered data,” which now includes more personally identifiable information in addition to network information collected by carriers, and the definition of a breach to include inadvertent, as well as intentional, access to customer data without authorization.

There's a whole community behind your FREE membership...

Join the Community!

They also require companies to notify the FCC in addition to law enforcement agencies of a breach and to notify customers sooner after law enforcement. Companies don’t have to notify customers in some circumstances, like when harm is unlikely to occur or if covered data was accessed in good faith by an employee.

Several trade groups had sued to toss the rules last year, including NCTA, CTIA, USTelecom. The industry argued the rules were too similar to ones that Congress nullified through a CRA resolution in 2017. The law bars agencies for enacting rules again after Congress axes them.

The FCC had countered the rule was only similar to part of a larger package aimed at overhauling privacy rules for broadband providers, which were classified as telecom providers at the time. The agency said it wasn’t barred from reissuing every single provision in the nixed rule, just from reinstituting something with the same main goal.

A majority of the three judges in the U.S. Court of Appeals for the Sixth Circuit that heard the case agreed. Stranch and Circuit Judge Andre Mathis sided with the FCC, while Circuit Judge Richard Griffin concurred in part but dissented on the major issues.

Stranch noted courts hadn’t yet weighed in on whether agencies could bring back parts of rules nullified under the CRA.

“If Congress intended to prohibit an agency from issuing a new rule that is substantially the same as any part of a prior rule nullified by a disapproval resolution, it could have said so,” the court wrote. “That is not the language it chose.”

FCC Chairman Brendan Carr, a commissioner at the time, dissented when the agency adopted the rules. He made similar arguments to those raised by the industry groups that challenged the rules.

“This plainly violates the law,” he wrote at the time. “Indeed, if the FCC’s theory were correct, then agencies could insulate any one of their rules from the CRA (no matter how strongly the House, the Senate, and the President felt about the rule) simply by packaging that one rule together with other rules in a single document.”

Given Carr’s opposition, CRA nullification being less expansive might be a bigger loss than the rules remaining in place, said Richard Halm, a cybersecurity attorney at Clark Hill.

“The rules being on the books, honestly, I don’t think matters that much,” he said. “I couldn’t see a scenario where a telecom company doesn’t follow these rules and then the FCC launches an investigation. I just don’t see that happening in this administration.”

He said many states have laws that have similar requirements and definitions of covered data.

Carr is fighting to preserve the agency’s ability to levy civil fines when it does investigate telecom providers. The major mobile carriers have argued the FCC’s forfeiture process is invalid under recent Supreme Court precedent, which the agency has fought under Carr.

The D.C. Circuit upheld the agency’s process on Friday, setting up a split with the Fifth Circuit, which had found it invalid.

CTIA did not immediately respond to a request for comment.