Court of Appeals Affirms FCC Regulations on Data Breach Reporting and Notification | Cooley LLP

The United States Court of Appeals for the Sixth Circuit has affirmed the new data breach notification and reporting rules established by the Federal Communications Commission (FCC). This ruling, detailed in a recent decision, will take full effect in 2024. The revised framework broadens the definition of reportable data breaches, changes the requirements for customer notifications, and mandates reporting of breaches to both federal law enforcement and the FCC. Affected entities include telecommunications service providers, telecommunications relay service (TRS) providers, wireless companies, and voice over Internet Protocol (VoIP) providers. The ruling supports the FCC’s authority to regulate these areas, countering previous challenges regarding its statutory powers and a 2017 Congressional Review Act (CRA) resolution that rejected earlier iterations of telecom privacy regulations.

In its analysis, the court examined the FCC’s jurisdiction under both Section 222 and Section 201(b) of the Communications Act. The court determined that Section 222, which pertains specifically to customer proprietary network information, does not extend to personally identifiable information affected by a data breach. However, it found that Section 201(b) provides the FCC authority to regulate practices associated with communication services, categorizing the reporting and notification of data breaches as such. This interpretation allows the FCC to apply the rules to TRS providers, ensuring functional equivalence with standard voice services.

The ruling also addresses potential conflicts with the CRA, which restricts agencies from re-implementing rules that are “substantially the same” as those previously overturned. The court reasoned that the CRA does not preclude agencies from readopting parts of a broader regulatory scheme unless Congress specifically invalidated those sections. Notably, the differences between the FCC’s earlier and current data breach rules were deemed sufficient to establish that they are not substantially identical.

The immediate consequence of this ruling is the enforcement of the 2024 data breach rules. Organizations impacted by these regulations must ensure that their incident response strategies align with the FCC’s reporting timelines and update customer notice templates to comply with the FCC’s “sufficient information” standard. Additionally, the expanded definition of breaches increases the likelihood that incidents will provoke concurrent federal and state notifications, necessitating coordinated reporting efforts.

This court decision could have broader implications for agency authority in the regulatory landscape. The expansive interpretation of Section 201(b) suggests that the FCC’s regulatory reach extends beyond direct service provision, opening the door to more rigorous oversight of practices associated with providing communication services. Furthermore, the decision adopts a narrow interpretation of the CRA, creating a pathway for agencies whose rules were previously disapproved to re-evaluate and reintroduce them with minor revisions. This case is notably the first to clarify the operational limits for agencies after a CRA resolution.

Going forward, it remains possible that further legal challenges may arise, as petitioners may seek a rehearing by the entire Sixth Circuit or escalate the matter to the U.S. Supreme Court. FCC Chairman Brendan Carr, who dissented from the original order, might pursue efforts to amend or repeal the existing rules during his tenure. Additionally, certain specifications related to the notification and reporting processes are still under review by the Office of Management and Budget, delaying their implementation.

This evolving landscape requires business owners to stay vigilant. As cyber threats escalate, understanding the implications of regulations like those of the FCC is crucial for ensuring compliance and safeguarding sensitive customer information. The ruling underlines the importance of robust data protection strategies and awareness of regulatory obligations in the dynamic sphere of cybersecurity.
