FCC Adopts Updates to Data Breach Rules, Sets Up Privacy Battle

December 13, 2023, 8:00 PM UTC

The Federal Communications Commission adopted changes to its data breach rules Wednesday that broaden the definition of a breach and the scope of who must be notified when one occurs.

The approved order expands the definition of a breach to include “inadvertent access, use, or disclosure of customer information” and the reach of notification rules to cover all customers’ personally identifiable information held by carriers and telecommunications relay services.

“Our phones now know so much about where we go and who we are, we need rules on the books to make sure our carriers keep our information safe and cyber-secure,” said FCC Chair Jessica Rosenworcel before the 3-2 vote.

The FCC’s rules update is likely to lead to sparring with Senate Republicans, led by Sen. Ted Cruz (R-Texas), who wrote to the agency on Monday slamming the proposed changes and warning that the order, if approved, would violate a congressional order killing expanded FCC privacy rules in 2017.

A spokesperson for Cruz did not immediately respond to a request for comment.

The two Republicans on the five-member commission also railed against the Democratic majority’s approach. Both voted against adopting the order, citing concerns the order could run afoul of congressional rules prohibiting an agency from readopting a rule struck by Congress.

“This is a sweeping theory that far exceeds the limits that the legislative branch and the executive branch have placed on agency decision making,” said Commissioner Brendan Carr.

The order’s rule changes also require that carriers and providers, in addition to notifying the FBI and Secret Service, provide the FCC notice of breaches affecting 500 or more customers “no later than seven business days after reasonable determination of a breach.” The previous requirement included a seven-day waiting period.

The update adopts a harm-based trigger for the rule: breaches of fewer than 500 customers for which carriers can “reasonably determine that no harm” was likely to occur can be reported in an annual summary of breaches.

The FCC has ramped up its privacy efforts under Rosenworcel, including launching a Privacy and Data Protection Task Force that recently initiated enforcement partnerships with four state attorneys general.

Wednesday’s vote comes amid a flurry of new and updated federal data breach reporting requirements, including new safeguards introduced by the Federal Trade Commission in October and new SEC breach notification rules that go into effect Dec. 18.

To contact the reporter on this story: Tonya Riley in Washington at triley@bloombergindustry.com

To contact the editor responsible for this story: Tonia Moore at tmoore@bloombergindustry.com
