Data Breach Reporting Requirements, 3953-3965 [2023-00824]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 88, Number 14 (Monday, January 23, 2023)]
[Proposed Rules]
[Pages 3953-3965]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-00824]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[WC Docket No. 22-21; FCC 22-102; FR 122866]


Data Breach Reporting Requirements

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission 
(Commission) begins the process to update and strengthen its data 
breach rule to provide greater protections to the public. We propose to 
expand the Commission's definition of ``breach'' to include inadvertent 
disclosures of customer information and seek comment on adopting a 
harm-based trigger for breach notifications. We also propose to require 
carriers to notify the Commission, in addition to the Secret Service 
and FBI, as soon as practicable after discovery of a breach. We also 
propose to eliminate the mandatory waiting period before notifying 
customers and instead require carriers to notify customers of CPNI 
breaches without unreasonable delay after discovery of a breach unless 
requested by law enforcement. We also propose to make changes to our 
TRS data breach reporting rule consistent with those we propose to our 
CPNI breach reporting rule.

DATES: Comments are due on or before February 22, 2023, and reply 
comments are due on or before March 24, 2023. Written comments on the 
Paperwork Reduction Act proposed information collection requirements 
must be submitted by the public, Office of Management and Budget (OMB), 
and other interested parties on or before March 24, 2023.

ADDRESSES: You may submit comments, identified by WC Docket No. 22-21, 
by any of the following methods:
    [ssquf] Federal Communications Commission's Website: https://apps.fcc.gov/ecfs/. Follow the instructions for submitting comments.
    [ssquf] People with Disabilities: Contact the FCC to request 
reasonable accommodations (accessible format documents, sign language 
interpreters, CART, etc.) by email: [email protected] or phone: 202-418-
0530 or TTY: 202-418-0432.
    For detailed instructions for submitting comments and additional 
information on the rulemaking process, see the SUPPLEMENTARY 
INFORMATION section of this document. In addition to filing comments 
with the Secretary, a copy of any comments on the Paperwork Reduction 
Act proposed information collection requirements contained herein 
should be submitted to the Federal Communications Commission via email 
to [email protected] and to Nicole On'gele, FCC, via email to 
[email protected].

FOR FURTHER INFORMATION CONTACT: Melissa Kirkel, Competition Policy 
Division, Wireline Competition Bureau, at (202) 418-7958, 
[email protected]. For additional information concerning the 
Paperwork Reduction Act information collection requirements contained 
in this document, send an email to [email protected] or contact Nicole 
On'gele at (202) 418-2991.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Notice 
of Proposed Rulemaking in WC Docket No. 22-21, adopted on December 29, 
2022 and released on January 6, 2023. The full text of this document is 
available at https://docs.fcc.gov/public/attachments/FCC-22-102A1.pdf. 
To request materials in accessible formats for people with disabilities 
(e.g., Braille, large print, electronic files, audio format, etc.) or 
to request reasonable accommodations (e.g., accessible format 
documents, sign language interpreters, CART, etc.), send an email to 
[email protected] or call the Consumer & Governmental Affairs Bureau at 
(202) 418-0530.
    Pursuant to Sections 1.415 and 1.419 of the Commission's rules, 47 
CFR 1.415, 1.419, interested parties may file comments and reply 
comments on or before the dates indicated on the first page of this 
document. Comments may be filed using the Commission's Electronic 
Comment Filing System (ECFS). See Electronic Filing of Documents in 
Rulemaking Proceedings, 63 FR 24121 (1998).
     Electronic Filers: Comments may be filed electronically 
using the internet by accessing the ECFS: https://apps.fcc.gov/ecfs/.
     Paper Filers: Parties who choose to file by paper must 
file an original and one copy of each filing.
     Filings can be sent by commercial overnight courier, or by 
first-class or overnight U.S. Postal Service mail. All filings must be 
addressed to the Commission's Secretary, Office of the Secretary, 
Federal Communications Commission.
     Commercial overnight mail (other than U.S. Postal Service 
Express Mail and Priority Mail) must be sent to 9050 Junction Drive, 
Annapolis Junction, MD 20701. U.S. Postal Service first-class, Express, 
and Priority mail must be addressed to 45 L Street NE, Washington, DC 
20554.
     Effective March 19, 2020, and until further notice, the 
Commission no longer accepts any hand or messenger delivered filings. 
This is a temporary measure taken to help protect the health and safety 
of individuals, and to mitigate the transmission of COVID-19. See FCC 
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, DA 20-304 (March 19, 2020). https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
    The proceeding this document initiates shall be treated as a 
``permit-but-disclose'' proceeding in accordance with the Commission's 
ex parte rules. Persons making ex parte presentations must file a copy 
of any written presentation or a memorandum summarizing any oral 
presentation within two business days after the presentation (unless a 
different deadline applicable to the Sunshine period applies). Persons 
making oral ex parte presentations are reminded that memoranda 
summarizing the presentation must (1) list all persons attending or 
otherwise participating in the meeting at which the ex parte 
presentation was made, and (2) summarize all data presented and 
arguments made during the presentation. If the presentation consisted 
in whole or in part of the presentation of data or arguments already 
reflected in the presenter's written comments, memoranda or other 
filings in the proceeding, the presenter may provide citations to such 
data or arguments in his or her prior comments, memoranda, or other 
filings (specifying the relevant page and/or paragraph numbers where 
such data or arguments can be found) in lieu of summarizing them in the 
memorandum. Documents shown or given to Commission staff during ex 
parte meetings are deemed to be written ex parte presentations and must 
be filed consistent with rule 1.1206(b). In proceedings governed by 
rule 1.49(f) or for which the Commission has made available a method of 
electronic filing, written ex parte presentations and memoranda 
summarizing oral ex parte presentations, and all attachments thereto, 
must be filed through the electronic comment filing system available 
for that proceeding, and must be filed in their native format (e.g., 
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding 
should familiarize

[[Page 3954]]

themselves with the Commission's ex parte rules.
    This document contains proposed information collection 
requirements. The Commission, as part of its continuing effort to 
reduce paperwork burdens, invites the general public and the Office of 
Management and Budget (OMB) to comment on the information collection 
requirements contained in this document, as required by the Paperwork 
Reduction Act of 1995, Public Law 104-13. Public and agency comments 
are due March 24, 2023.
    Comments should address: (a) whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the Commission, including whether the information shall have practical 
utility; (b) the accuracy of the Commission's burden estimates; (c) 
ways to enhance the quality, utility, and clarity of the information 
collected; (d) ways to minimize the burden of the collection of 
information on the respondents, including the use of automated 
collection techniques or other forms of information technology; and (e) 
way to further reduce the information collection burden on small 
business concerns with fewer than 25 employees. In addition, pursuant 
to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, 
see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might 
further reduce the information collection burden for small business 
concerns with fewer than 25 employees.

Synopsis

I. Notice of Proposed Rulemaking

    1. To better protect telecommunications customers and ensure that 
our rules keep pace with today's challenges, we propose a number of 
updates to our rule addressing telecommunications carriers' breach 
notification duties. We seek to ensure that affected customers, the 
Commission, and other federal law enforcement agencies receive the 
information they need in a timely manner so they can mitigate and 
prevent harm due to the breach and take action to deter future 
breaches. To identify best practices and to minimize burdens, we look 
to other federal and state breach laws as potential models for our 
rules.
    2. We propose to expand the Commission's definition of ``breach'' 
to include inadvertent disclosures of customer information and seek 
comment on adopting a harm-based trigger for breach notifications. We 
also propose to require carriers to notify the Commission, in addition 
to the Secret Service and FBI, as soon as practicable after discovery 
of a breach. We also propose to eliminate the mandatory waiting period 
before notifying customers and instead require carriers to notify 
customers of CPNI breaches without unreasonable delay after discovery 
of a breach unless requested by law enforcement. We also seek comment 
on whether we should adopt minimum requirements for the content of 
customer breach notices. We also evaluate and seek comment on the 
impact of the Congressional disapproval of the 2016 Privacy Order on 
the Commission's legal authority to issue the rules proposed herein for 
telecommunications carriers. Finally, we propose to make changes to our 
TRS data breach reporting rule consistent with those we propose to our 
CPNI breach reporting rule.

A. Defining ``Breach''

    3. Inadvertent Disclosures. We propose to expand the Commission's 
definition of ``breach'' to include inadvertent access, use, or 
disclosures of customer information and seek comment on our proposal. 
Our current rule, adopted in response to the practice of pretexting, 
defines a ``breach'' as ``when a person, without authorization or 
exceeding authorization, has intentionally gained access to, used, or 
disclosed CPNI.'' While the practice of pretexting necessarily involves 
an intent to gain access to customer information, the intervening years 
since the adoption of our existing rule have demonstrated that the 
inadvertent exposure of customer information can result in the loss and 
misuse of sensitive information by scammers and phishers, and trigger a 
need to inform the affected individuals so that they can take 
appropriate steps to protect themselves and their information. Further, 
whether or not a breach was intentional may not always be immediately 
apparent, which may lead to legal ambiguity and under-reporting. We 
also believe that it is important that the Commission and law 
enforcement be made aware of any accidental access, use, or disclosures 
so that we can (1) investigate and advise carriers on how best to avoid 
future breaches, and (2) stand ready to investigate if and when any of 
the affected information falls prey to malicious actors. We anticipate 
that requiring notification for accidental breaches will encourage 
telecommunications carriers to adopt stronger data security practices 
and will help us identify and confront systemic network 
vulnerabilities. Do commenters agree with the foregoing analysis? Are 
there other policy factors the Commission should consider in 
determining whether to require disclosure for unintentional breaches? 
What are the benefits and burdens associated with this proposal? We 
note that state data breach laws overwhelmingly do not include an 
intent limitation, and we seek comment on how state and other federal 
data breach laws should influence the policy we adopt.
    4. We seek comment on the impact of requiring reporting of 
accidental breaches on the number of reported breaches. Do commenters 
foresee a significant increase in the number of reported breaches? If 
so, how would our proposal affect reporting costs for 
telecommunications carriers and is that burden outweighed by the 
benefits to customers, who may need to take actions to protect their 
personal and financial information whether or not the breach was 
intentional? Would removing the intentionality limit potentially risk 
over-notification of data breaches to customers? What would the impacts 
of over-notification be? Would the potential benefits outweigh any 
potential harm? To help us assess the burden to both carriers and 
consumers from requiring reporting of accidental breaches, we invite 
commenters to provide estimates on the total number of breaches they 
have detected over the past few years, as well as the number of people 
affected by those breaches, and the severity of the compromised CPNI.
    5. We propose to revise our definition to define a breach as any 
instance in which a person, without authorization or exceeding 
authorization, has gained access to, used, or disclosed CPNI. We seek 
comment on this proposal and other possible definitions. Should we 
retain the intent limitation in certain contexts? If so, what contexts 
and why? With only a few exceptions, the vast majority of state 
statutes include a provision exempting from the definition of breach a 
good-faith acquisition of covered data by an employee or agent of the 
company where such information is not used improperly or further 
disclosed. Should we include such an exemption in our definition of 
``breach'' or is such a provision unnecessary or otherwise inadvisable? 
Is our proposed rule sufficient to capture all instances in which 
persons, either purposefully or inadvertently, gain access to, use, or 
disclose CPNI? If not, how should we revise our proposed rule to ensure 
that it does? We also seek comment on whether we should expand the 
definition of a breach to include situations where a telecommunications 
carrier or a third party discovers

[[Page 3955]]

conduct that could have reasonably led to exposure of customer CPNI, 
even if it has not yet determined if such exposure occurred.
    6. Harm-Based Notification Trigger. We seek comment on whether to 
forego requiring notification to customers or law enforcement of a 
breach in those instances where a telecommunications carrier can 
reasonably determine that no harm to customers is reasonably likely to 
occur as a result of the breach. Our current rule requires no showing 
of harm, instead requiring that notification be furnished in every 
instance where a breach of a carrier's customers' CPNI has occurred, 
where such breach is defined as any instance when ``a person, without 
authorization or exceeding authorization, has intentionally gained 
access to, used, or disclosed CPNI.''
    7. We seek comment on the benefits and drawbacks of adopting a 
``harm-based'' notification trigger. How would it impact consumers? 
Would it benefit consumers by avoiding confusion and ``notice fatigue'' 
with respect to breaches that are unlikely to cause harm? Recognizing 
that it is not only distressing, but time consuming and expensive, to 
deal with the fallout of a data breach, we seek comment on whether a 
harm-based notification trigger could save consumers the time, effort, 
and financial difficulty of changing their passwords, purchasing fraud 
alerts or credit monitoring, and freezing their credit in the wake of a 
breach that is not reasonably likely to result in harm. Alternatively, 
does a harm-based notification trigger risk that consumers would be 
unaware of important information regarding their CPNI? We note that a 
harm-based trigger has a basis in data breach notification frameworks 
employed by states, which generally do not require covered entities to 
notify customers of breaches when a determination is made that the 
breach is unlikely to cause harm. How should state and other data 
breach laws influence our analysis?
    8. We also seek comment on the potential impacts of adopting a 
harm-based trigger on telecommunications carriers. Would a harm-based 
trigger allow carriers to better focus their resources on data security 
and ameliorating the harms caused by data breaches? Or to the contrary, 
would a harm-based trigger require carriers to unnecessarily expend 
resources determining whether particular breaches are reasonably likely 
to cause harm instead of more efficiently providing notice?
    9. If we adopt a harm-based trigger, how should telecommunications 
carriers and the Commission determine the likelihood of misuse or harm? 
Should we identify a standard or set of factors that telecommunications 
carriers must consider to evaluate whether no harm to customers is 
reasonably likely? If so, what factors should carriers consider in 
making their evaluation? We preliminarily believe that no single factor 
on its own (e.g., basic encryption) is sufficient to make a 
determination regarding harm to customers. Do commenters agree? Do 
carriers have sufficient expertise and experience to determine whether 
a breach is likely to result in harm? Should we establish a rebuttable 
presumption of consumer harm unless and until a carrier demonstrates 
that no harm to consumers is reasonably likely to occur as a result of 
a breach?
    10. We seek comment on whether we should clarify the definition of 
``misuse'' or ``harm.'' For example, should we construe ``harm'' 
broadly to encompass not only financial, but also physical and 
emotional harm, including reputational damage, personal embarrassment, 
and loss of control over the exposure of intimate personal details? 
Should we require telecommunications carriers to consider whether other 
information about the customers that may be available combined with 
CPNI could result in harm when determining whether notification is 
required? Should any harm-based trigger apply even where the data 
breached is encrypted? What are the potential enforcement and 
compliance implications associated with this approach? Should breaches 
without such ``harm'' be reported to the Commission even if not 
reported to customers? Should we require the carrier to consult with 
federal law enforcement and/or the Commission prior to determining that 
there is no reasonable likelihood of harm or misuse? We seek comment on 
whether there are other triggers we should consider for which notice 
would be unnecessary, such as the number of affected consumers or the 
length of time exposure occurred. Are there other factors that we 
should consider before requiring breach notifications? Should we adopt 
a harm-based trigger only if we require notices of unintentional 
breaches, or should we evaluate the two issues independently? We also 
seek comment on the current notification practices in the industry. How 
do carriers currently make decisions regarding whether to notify 
customers and law enforcement of a breach?
    11. We seek comment on whether any harm-based notification trigger 
should apply to both notifications to customers and notifications to 
law enforcement. While there are legitimate reasons to consider 
eliminating notifications to customers in those instances where a 
breach is not reasonably likely to result in harm--including reducing 
confusion, stress, financial hardship, and notice fatigue--can the same 
be said of notifications to law enforcement? Are there compelling 
reasons for carriers to continue notifying law enforcement of data 
breaches even where such breaches are not reasonably likely to result 
in consumer harm? Do the benefits of notifying law enforcement of all 
breaches, regardless of whether the breach is likely to result in harm, 
outweigh the attendant costs to carriers of providing such notice?
    12. We propose that if we adopt a harm-based trigger, where a 
carrier is unable to make a determination regarding harm or is 
uncertain whether harm is likely to occur, the obligation to notify 
would remain. We seek comment on this proposal.
    13. We also recognize that telecommunications carriers possess 
proprietary information other than CPNI that customers have an interest 
in protecting from public exposure, such as Social Security Numbers and 
financial records. We seek comment on the Commission's authority to 
establish breach-reporting obligations for this type of information 
under Section 222, to the extent that this information is obtained by a 
telecommunications carrier in its activity as a common carrier. We also 
seek comment on the role of the Commission in protecting such 
information in light of the existing role of other agencies, including 
the FTC and Cybersecurity and Infrastructure Security Agency (CISA). If 
we were to require telecommunications carriers to report breaches of 
proprietary information other than CPNI under Section 222(a), how 
broadly or narrowly should we define that category of information? If 
we were to extend our data breach rule to cover such information, how 
could we minimize duplicative reporting obligations from the FTC and 
CISA?

B. Notifying the Commission and Other Federal Law Enforcement of Data 
Breaches

    14. Commission Notification. We propose to require 
telecommunications carriers to notify the Commission of breaches, in 
addition to the Secret Service and FBI, as soon as practicable, and 
seek comment on our proposal. Our proposal is consistent with other 
federal sector-specific laws, which require prompt notification to the 
relevant subject-matter agency. For example, both HIPAA and the Health 
Breach

[[Page 3956]]

Notification Rule require notice to the department of Health and Human 
Services (HHS) and the FTC respectively. We seek comment on the 
benefits and costs of requiring notification to the Commission in 
addition to notifying the Secret Service and the FBI, as our existing 
rules require.
    15. As discussed above, the Commission adopted its existing data 
breach rule to address concerns regarding pretexting practices. The 
Commission found that notifying law enforcement of CPNI breaches is 
consistent with the goal of protecting CPNI because it enables law 
enforcement to investigate the breach, ``which could result in legal 
action against the perpetrators, thus ensuring that they do not 
continue to breach CPNI.'' Moreover, the Commission anticipated that 
law enforcement investigations into how breaches occurred would enable 
law enforcement to advise the carrier and the Commission to take steps 
to prevent future breaches of that kind. However, as we have seen in 
the years since our data breach rule was initially adopted, not all 
breaches of customer data are the result of criminal pretexting, which 
was Commission's sole focus in 2007. Large-scale security breaches can 
also be the result of lax or inadequate data security practices and 
employee training. Thus, we tentatively conclude that notification of 
breaches will provide Commission staff important information about data 
security vulnerabilities that Commission staff can help address and 
remediate. We anticipate that breach notification to the Commission 
will also shed light on carriers' ongoing compliance with our rules. We 
seek comment on these tentative conclusions. How much of an incremental 
burden is associated with notifying the Commission of data breaches as 
compared to the existing data breach notification requirement for the 
Secret Service and FBI? Are there any other government entities to 
which we should require data breach reporting, such as the FTC? What 
would be the benefits and burdens of doing so?
    16. Method of Notification. We propose that the Commission create 
and maintain a centralized portal for reporting breaches to the 
Commission and other federal law enforcement agencies, and we seek 
comment on our proposal. Our current breach notification rule requires 
that telecommunications carriers notify the FBI and Secret Service 
``through a central reporting facility'' to which the Commission 
maintains a link on its website. We believe that the creation and 
operation by the Commission of a centralized reporting facility for 
reporting of breaches to the Commission, Secret Service, and FBI will 
streamline the notification process and improve federal coordination. 
Do commenters agree? Are there alternative mechanisms for breach 
reporting to the Commission and other federal law enforcement that we 
should consider instead, such as leveraging the existing central 
reporting facility? Are there existing notification resources that we 
can leverage? For example, could we leverage the CISA Incident 
Reporting System to minimize burdens on carriers?
    17. We seek comment on how we can minimize data breach reporting 
burdens for telecommunications carriers. The recently-passed Cyber 
Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) 
requires covered entities to notify CISA of cyber security incidents 
and establishes an interagency Cyber Incident Reporting Council 
intended to streamline interagency cyber incident reporting. When 
implemented, CIRCIA will require covered entities to report 
cybersecurity incidents to CISA, except where covered entities ``by 
law, regulation, or contract'' are already required to report 
``substantially similar information to another Federal agency within a 
substantially similar timeframe,'' in which case the other agency will 
report the incident to CISA. To the extent that a breach of CPNI is a 
result of a cyber incident, we seek comment on whether there are any 
modifications to our proposed rules that would minimize potential 
duplicate reporting of such breaches.
    18. Contents. We seek comment on applying our existing requirements 
regarding the contents of the data breach notification to federal law 
enforcement agencies to breaches reported to the Commission. Generally, 
the central reporting facility requires carriers to report information 
relevant to the breach, including carrier contact information; a 
description of the breach incident; the method of compromise; the date 
range of the incident, approximate number of customers affected; an 
estimate of financial loss to the carriers and customers, if any; types 
of data breached; and the addresses of affected customers. We believe 
that the information currently submitted through the FBI/Secret Service 
reporting facility is largely sufficient, and that generally the same 
information should be reported under the rule we propose here. Do 
commenters agree? Are there any additional or alternative categories of 
information that should be included in these disclosures? For example, 
should we require telecommunications carriers to report, at a minimum, 
the information required under CIRCIA with the aim of minimizing 
potentially duplicate reporting requirements? Should we curtail or 
streamline any of the existing content requirements? For example, 
should we eliminate the requirement that carriers report the addresses 
of affected individuals to law enforcement and the Commission, to 
minimize the personal information reported to the Commission and law 
enforcement?
    19. Timeframe. We seek comment on the appropriate timeframe for 
notifying the Commission and other federal law enforcement of a breach. 
Our current rule requires telecommunications carriers to notify the 
Secret Service and the FBI of all breaches of CPNI no later than seven 
business days after reasonable determination of the breach. We propose 
to require carriers to notify the Commission of a reportable breach 
contemporaneously with notification to other law enforcement agencies 
as soon as practicable after discovery of a breach. We believe that 
requiring carriers to notify the Commission, Secret Service, and FBI at 
the same time will minimize burdens on carriers, eliminate confusion 
regarding obligations, and streamline the reporting process, allowing 
carriers to free up resources that can be used to address the breach 
and prevent further harm. We seek comment on our proposal. Is ``as soon 
as practicable after discovery of a breach'' an appropriate timeframe 
for notifying law enforcement after reasonable determination of a CPNI 
breach? Or, should we maintain the current ``no later than seven 
business days'' standard? Is there an alternative timeframe we should 
adopt for reporting CPNI breaches to the Commission and other federal 
law enforcement such as 24 hours or 72 hours as has been proposed in 
other contexts, or should we consider adopting a graduated timeframe? 
We also seek comment on whether we should clarify when a carrier should 
be treated as having ``reasonably determined'' that a breach has 
occurred. Should a carrier be held to have ``reasonably determined'' a 
breach has occurred when it has information indicating that it is more 
likely than not that there was a breach? Should we publish guidance on 
what constitutes a reasonable determination? Should we adopt a more 
definite standard?
    20. Threshold Trigger. We seek comment on whether it is appropriate 
to set a threshold for the number of customers affected to require a 
breach report to the Commission, Secret

[[Page 3957]]

Service, and/or FBI. We observe that breaches affecting smaller numbers 
of customers may not necessitate the same law enforcement attention as 
larger breaches because they may be less likely to reflect coordinated 
attacks on CPNI. Under our current rule, telecommunications carriers 
must notify federal law enforcement of all reportable breaches, 
regardless of the number of customers affected. Setting a threshold for 
the number of customers affected for breach reporting to the Secret 
Service and FBI could reduce the administrative burdens on carriers and 
law enforcement agencies from excessive reporting, and is consistent 
with many state statutes requiring notice to state law enforcement 
authorities, which require law enforcement notification of large 
breaches.
    21. At the same time, establishing a threshold may limit our and 
our federal partners' abilities to remediate, investigate, and deter 
smaller breaches. Further, as the Commission has previously found, 
notification of all breaches could allow the Commission and federal law 
enforcement to be ``better positioned than individual carriers to 
develop expertise about the methods and motives associated with CPNI 
breaches.'' Is this still the case, given the development of data 
breach law and practices since 2007? Should we adopt a threshold for 
reporting to federal law enforcement? If so, should the threshold be 
the same for the Commission as for federal law enforcement? If not, how 
should the threshold differ? What would be an appropriate threshold for 
reporting? Most states that adopt a threshold for reporting to law 
enforcement or government agencies require reporting at 250, 500, or 
1000 individuals affected. What reporting threshold would meet the 
needs of law enforcement and provide adequate safeguards? What are the 
benefits and drawbacks of setting a threshold, particularly for small 
carriers? If we adopt a threshold trigger, should we require carriers 
to maintain a record of smaller breaches that fall below the threshold 
and report such small breaches to the Commission in a report at the end 
of the year? What are the benefits and drawbacks to such an approach? 
Rather than a numerical threshold, should we instead consider requiring 
carriers to report only intentional breaches to law enforcement, but to 
report all breaches, whether intentional or inadvertent, to the 
Commission?

C. Customer Notification

    22. Notifying Customers of Data Breaches without Unreasonable 
Delay. We propose to require telecommunications carriers to notify 
customers of CPNI breaches without unreasonable delay after discovery 
of a breach and notification to law enforcement, unless law enforcement 
requests a delay. We seek comment on our proposal. Our existing data 
breach rule prohibits telecommunications carriers from notifying 
customers or disclosing the breach to the public until at least seven 
full business days after notification to the Secret Service and FBI. In 
cases where a carrier believes that there is an extraordinarily urgent 
need to notify affected customers in order to avoid immediate and 
irreparable harm, our rules permit carriers to notify affected 
customers after consultation with relevant investigating agencies. In 
adopting the existing rule, the Commission concluded that once 
customers have been notified, a breach may become public knowledge, 
``thereby impeding law enforcement's ability to investigate the breach, 
identify the perpetrators, and determine how the breach occurred.'' In 
short, the Commission found, ``immediate customer notification may 
compromise all the benefits of requiring carriers to notify law 
enforcement of CPNI breaches,'' and therefore a short delay was 
warranted.
    23. We tentatively conclude that this existing approach is out-of-
step with current approaches regarding the urgency of notifying victims 
about breaches of their personal information. We tentatively conclude 
that our proposal better serves the public interest than our current 
rule because it increases the speed at which customers may receive the 
important information contained in a notice, except in those specific 
circumstances when law enforcement officials specifically request 
otherwise. We seek comment on our tentative conclusion. What are the 
benefits and drawbacks to such an approach? Is there any reason to 
maintain our current absolute bar to customer notification for a set 
period? Does our proposal to eliminate the seven business-day waiting 
period before notifying customers appropriately balance legitimate law 
enforcement needs with the customers' need to take action to timely 
protect their information after a breach? We seek comment on whether a 
``without unreasonable delay'' notification requirement would allow 
carriers enough time to determine the scope and impact of a breach. 
Would prompt customer notification compromise a carrier's ability to 
discover the source of the breach, mitigate the loss of data, and 
ensure further data is not compromised?
    24. Our proposed requirement is consistent with many existing data 
breach notification laws that require expedited notice but refrain from 
requiring a specific timeframe. For example, the GLBA requires customer 
notification ``as soon as possible'' after a determination that 
customer information has been misused. California law requires 
notification ``be made in the most expedient time possible and without 
unreasonable delay, consistent with the legitimate needs of law 
enforcement.'' Similarly, many state data breach statutes impose an 
``expeditiously as practicable'' or ``without unreasonable delay'' 
standard instead of a set time limit for reporting. In addition, FTC 
guidance on addressing data breaches explains that ``if you quickly 
notify people that their personal information has been compromised, 
they can take steps to reduce the chance that their information will be 
misused.'' How should state and other federal law influence the 
approach we adopt?
    25. We seek comment on whether requiring notice to customers 
``without unreasonable delay'' after discovery of a breach provides 
sufficient guidance as to the required timeframe to notify customers. 
Should we adopt a different approach, such as a fixed number of days 
for notification, and if so what should we adopt? If we were to adopt a 
``without unreasonable delay'' standard, we seek comment on whether we 
should provide guidance on a specific time period that would be 
considered ``reasonable'' for notification. For example, HIPAA requires 
notification to individuals ``without unreasonable delay and in no case 
later than 60 calendar days after discovery of a breach.'' The Health 
Breach Notification Rule also requires notification to individuals 
``without unreasonable delay and in no case later than 60 days after 
the discovery of a breach of security.'' Most states that impose an 
outside limit on when consumers must be notified of a breach require 
notification to affected consumers no later than 30, 45, or 60 days 
after discovery of a breach. What are the benefits and drawbacks to 
setting a definite time limit on notification while requiring 
notification without unreasonable delay?
    26. We also seek comment on whether the same notification deadline 
should be applied to all carriers. Are there unique concerns or 
compliance barriers for small carriers that make prompt

[[Page 3958]]

response unfeasible, such as resource availability or reliance on 
third-party cybersecurity services for breach detection? Should we 
adopt different notification requirements for small carriers? If so, 
what threshold should we establish for small carriers? Should we 
consider establishing any other exceptions to this proposed 
requirement? We also seek comment on whether we should take into 
consideration the scope of the breach, e.g., how many customers are 
affected, the type of information breach, in determining the 
appropriate timeframe for customer breach reporting.
    27. We seek comment on how best to coordinate the timing of 
customer notification and federal law enforcement notification. Our 
current rule, providing for consecutive rather than simultaneous 
notification of federal law enforcement and customers, was adopted at 
the request of federal law enforcement. Is such an approach still 
necessary? Are there circumstances where it would be acceptable for 
carriers to notify customers and law enforcement simultaneously in 
certain instances? Given that nearly all, if not all, state data breach 
statutes subject the timing of customer notification to legitimate law 
enforcement needs, we seek comment on whether it is necessary to 
provide any further guidance to help coordinate the timing of notice to 
customers with notice to the Commission and other federal law 
enforcement.
    28. In addition, consistent with our current rules implementing 
Section 222, our proposed rules would allow a federal agency to direct 
a carrier to delay customer notification for an initial period of up to 
30 days if such notification would interfere with a criminal 
investigation or national security. In circumstances when a carrier 
reasonably decides to consult with law enforcement, a short delay 
pending such consultation would likely be reasonable for purposes of a 
``without unreasonable delay'' standard for customer notification. We 
seek comment on this proposal. We observe that HIPAA, the GLBA, and the 
Health Breach Notification Rules allow for a delay of customer 
notification if law enforcement determines notification to customers 
would ``impede a criminal investigation or cause damage to national 
security,'' but only if law enforcement officials request such a delay. 
Both HIPAA and the Health Breach Notification Rule allow notification 
delays of up to 30 days if requested by law enforcement. Similarly, 
GLBA allows that ``customer notice may be delayed if an appropriate law 
enforcement agency determines that notification will interfere with a 
criminal investigation and provides the institution with a written 
request for a delay.'' Likewise, most, if not all, states permit delays 
in notifying affected consumers for legitimate law enforcement needs. 
We tentatively conclude that our proposal strikes an appropriate 
balance between the needs of law enforcement to have time to 
investigate criminal activity and the needs of customers to be notified 
of data breaches. Do commenters agree? We also observe that these other 
regimes appear to allow non-federal law enforcement to request a delay, 
whereas the Commission's rule currently allows only federal agencies to 
so request. Should our rule also allow carriers to delay notification 
upon request of non-federal law enforcement?
    29. Contents of Customer Breach Notification. We seek comment on 
whether we should require customer breach notifications to include 
specific minimum categories of information. Our current rules specify 
when and to whom breach notifications must be made, but do not address 
the content of such notifications. In adopting the current breach 
notification rules, the Commission declined to specify the precise 
content of the notice that must be provided to customers in the event 
of a security breach of CPNI, ``leav[ing] carriers the discretion to 
tailor the language and method of notification to the circumstances.'' 
Nearly 15 years later, we now seek comment on whether it is appropriate 
to require a minimum amount of information to ensure that such data 
breach notifications contain actionable information that is useful to 
the consumer. We seek comment on the benefits to customers and carriers 
of requiring carriers to include minimum categories of information in 
customer data breach notices. Will having minimum consistent fields of 
information assist consumers in understanding the circumstances and 
nature of the breach and streamline notice practices for carriers? What 
are the drawbacks to doing so? Are there any legal barriers to adopting 
a rule that prescribes the minimum categories of information in these 
breach notices?
    30. To so identify possible categories of information to require, 
we look to numerous state data breach statutes as well as existing 
federal guidance regarding data breach notices. All 50 states, the 
District of Columbia, Guam, Puerto Rico, and the Virgin Islands have 
laws requiring private or governmental entities to notify individuals 
of breaches involving their personal information. Of these, many impose 
minimum content requirements on the notifications that must be 
transmitted to affected individuals in the wake of a data breach, 
including: the name and contact information for the entity reporting 
the breach; the date, estimated date, or estimated date range of the 
breach; a description of the breach incident; a description of the 
personally identifiable information that was used, disclosed, or 
accessed, or reasonably believed to have been used, disclosed, or 
accessed; any actions the entity is taking to remedy the situation and/
or protect affected individuals; a brief list of steps that affected 
consumers can take to protect themselves and their information, such as 
contacting credit bureaus to ask that fraud alerts or credit freezes be 
placed on their credit reports; and contact information for the FTC and 
any federal agency that assists consumers with matters of identity 
theft. Similarly, both the HIPAA Breach Notification Rule and guidance 
issued by the Federal Deposit Insurance Corporation (FDIC) in response 
to the GLBA impose minimum content requirements on data breach 
notifications. In its Data Breach Response Guide, the FTC advises 
companies on specific information that should be included in their 
breach notices to individuals, including describing what the company 
knows about the breach (how it happened, what information was taken, 
how the thieves have used the information (if known), what actions the 
company has taken to remedy the situation, what actions the company is 
taking to protect individuals, how to reach the relevant contact in the 
organization); the steps individuals can take, given the type of 
information exposed, and provide relevant contact information; current 
information about how to recover from identity theft; information about 
the law enforcement agency working on the case, if the law enforcement 
agency agrees that would help; encouraging people who discover that 
their information has been misused to report it to the FTC; and 
describing how the company will contact consumers in the future to help 
victims avoid phishing scams.
    31. We seek comment on adapting these models to telecommunications 
carriers and requiring carriers to include, at a minimum, the following 
information in security breach notices to customers: (1) the date of 
the breach; (2) a description of the customer information that was 
used, disclosed, or accessed; (3) information on how customers, 
including customers with disabilities, can contact the carrier to

[[Page 3959]]

inquire about the breach; (4) information about how to contact the 
Commission, FTC, and any state regulatory agencies relevant to the 
customer and the service; (5) if the breach creates a risk of identity 
theft, information about national credit reporting agencies and the 
steps customers can take to guard against identity theft, including any 
credit monitoring, credit reporting, or credit freezes the carrier is 
offering to affected customers; and (6) what other steps customers 
should take to mitigate their risk based on the specific categories of 
information exposed in the breach. Are the identified categories the 
correct information to be included in data breach notices? Should we 
consider requiring any additional or alternative categories of 
information that carriers must include in customer breach notices? For 
example, would it be helpful to include a statement of whether the 
notification was delayed due to reporting requirements to law 
enforcement or a law enforcement investigation, and if so, the length 
of the delay to help explain to customers the time lapse between 
discovery of the breach and customer notification? Should we require 
notifications to include a list of the law enforcement and government 
entities that have been notified of the breach? Should we require 
carriers to include a brief description of how the carrier will contact 
consumers in the future regarding the breach to help consumers avoid 
phishing scams related to breaches? What are best practices for 
providing consumers with actionable information in a breach 
notification? We seek comment on what minimum required information 
appropriately balances empowering consumers to take the necessary steps 
to protect themselves and their information in the wake of a data 
breach and appropriately limiting burdens on telecommunications 
carriers. We also seek comment on whether adopting or adapting a set of 
existing notification contents requirements will help to create a 
measure of consistency across breach notifications and will benefit 
both consumers and carriers, particularly smaller carriers, by 
streamlining the manner and content of their response in the event of a 
data breach.
    32. Method of Customer Breach Notification. We observe that many 
state regulations specify the form that notifications to customers may 
take, whether by physical mail, email, or telephone. We seek comment on 
whether we should adopt a similar requirement and, if so, on what form 
notifications to consumers should take. Is there a method or methods of 
notification that would make the most sense or be most beneficial to 
consumers? What are the benefits and burdens of imposing such a 
requirement?

D. TRS Breach Reporting

    33. In 2013, the Commission adopted CPNI rules applicable to all 
forms of Telecommunications Relay Services (TRS), as well as to point-
to-point video calls handled over the video relay services (VRS) 
network. The Commission found that ``for TRS to be functionally 
equivalent to voice telephone services, consumers with disabilities who 
use TRS are entitled to have the same assurances of privacy as do 
consumers without disabilities for voice telephone services.'' The CPNI 
rules for TRS include a breach notification rule that is equivalent to 
Sec.  64.2011 in terms of the substantive protection provided to TRS 
users. The texts of the two provisions are virtually identical, except 
for the substitution of the term ``TRS provider'' for 
``telecommunications carrier'' in Sec.  64.5111. The only substantive 
difference is that under the TRS rule, after a TRS provider notifies 
law enforcement of a breach, it ``shall file a copy of the notification 
with the Disability Rights Office of the Consumer and Governmental 
Affairs Bureau at the same time as when the TRS provider notifies the 
customers.''
    34. To maintain functional equivalency for TRS users, we propose to 
amend Sec.  64.5111 so that it continues to provide equivalent privacy 
protection for TRS users. The amendments we propose for Sec.  64.5111 
are thus essentially the same as those proposed for users of 
telecommunications and interconnected VoIP services. That is, we 
propose: (1) to expand the Commission's definition of ``breach'' to 
include inadvertent disclosures of customer information; (2) to require 
TRS providers to notify the Commission, in addition to the Secret 
Service and FBI, as soon as practicable after discovery of a breach; 
and (3) to eliminate the mandatory waiting period to notify customers, 
instead requiring TRS providers to notify customers of CPNI breaches 
without unreasonable delay after discovery of a breach unless law 
enforcement requests a delay. Further, we seek comment on the following 
additional issues, raised above regarding Sec.  64.2011, as they relate 
to TRS providers: (1) whether to adopt a harm-based trigger for breach 
notifications; (2) whether we should adopt minimum requirements for the 
content of customer breach notices; and (3) whether our rules should 
address breaches of sensitive personal information.
    35. We seek comment on each of these proposals and their costs and 
benefits. Should updated data breach requirements for TRS providers be 
identical to those we adopt for providers of telecommunications and 
interconnected VoIP services, or are there circumstances unique to TRS 
providers that warrant differences in their obligations regarding data 
breaches? Are any additional notification requirements necessary to 
ensure TRS users receive functionally equivalent privacy protection? If 
we adopt the proposed requirement that service providers notify the 
Commission of breaches via a centralized portal, is there any need to 
retain the current requirement that TRS providers submit a copy of any 
breach notification to the Disability Rights Office of the Consumer and 
Governmental Affairs Bureau? Finally, would TRS providers incur costs 
or other compliance burdens under the proposed amendments that are 
disproportionately greater than those incurred by providers of 
telecommunications and interconnected VoIP services, and if so, would 
the extent of such costs or burdens justify the application of 
different breach notification requirements to TRS?
    36. Legal Authority. Section 225 of the Act directs the Commission 
to ensure that TRS are available to enable communication in a manner 
that is functionally equivalent to voice telephone services. In 2013, 
the Commission found that applying the privacy protections of the 
Commission's CPNI regulations to TRS users advances the functional 
equivalency of TRS. The Commission concluded further that the specific 
mandate of Section 225 to establish ``functional requirements, 
guidelines, and operations procedures for TRS'' authorizes the 
Commission to make the privacy protections of the Commission's CPNI 
regulations applicable to TRS users. In addition, the Commission found 
that extending the CPNI regulations to TRS users is ancillary to its 
responsibilities under Section 222 of the Act to telecommunications 
service subscribers that place calls to or receive calls from TRS 
users, because TRS call records include call detail information 
concerning all calling and called parties. Finally, the Commission 
determined that applying CPNI requirements to point-to-point video 
services provided by VRS providers is ancillary to its

[[Page 3960]]

responsibilities under Sections 222 and 225.
    37. We tentatively conclude that, for the same reasons cited in the 
2013 VRS Reform Order, these sources of authority for establishing the 
current CPNI rules for TRS authorize the Commission to amend those 
rules to ensure that TRS users receive privacy protections equivalent 
to those proposed for users of telecommunications and VoIP services. We 
seek comment on this tentative conclusion.

E. Legal Authority

    38. Section 222. We believe that Section 222 provides authority to 
adopt the breach notification rules for which we seek comment in this 
Notice of Proposed Rulemaking. We also tentatively conclude that we 
have authority to apply the rules proposed in this Notice of Proposed 
Rulemaking to interconnected VoIP providers. We seek comment on these 
tentative conclusions.
    39. Section 222 of the Act governs telecommunications carriers in 
their use, disclosure, and protection of proprietary information that 
they obtain in the course of providing telecommunications services. 
Section 222(a) imposes a duty on carriers to ``protect the 
confidentiality of proprietary information of, and relating to'' 
customers, fellow carriers, and equipment manufacturers. Section 222(c) 
imposes more specific requirements on carriers as to the protection and 
confidentiality of CPNI. We tentatively conclude that both subsections 
provide us authority to adopt rules requiring telecommunications 
carriers and interconnected VoIP providers to address breaches of CPNI.
    40. The Commission has long required carriers to report data 
breaches as part of their duty to protect the confidentiality of 
customers' information. We believe that the proposed revisions to the 
Commission's data breach reporting rule reinforce carriers' duty to 
protect the confidentiality of their customers' information. Data 
breach reporting requirements also reinforce our other rules addressing 
the protection of CPNI. For example, data breach notifications can 
meaningfully inform customer decisions regarding whether to give, 
withhold, or retract their approval to use or disclose their 
information. Similarly, we believe that requiring carriers to notify 
the Commission in the event of a data breach will better enable the 
Commission to identify and confront systemic network vulnerabilities 
and help investigate and advise carriers on how best to avoid future 
breaches, also helping carriers to fulfill their duty under Section 
222(a) to protect the confidentiality of their customers' information. 
We seek comment on this analysis.
    41. Interconnected VoIP. We believe that we have authority under 
Section 222 and our ancillary jurisdiction to apply the rules we 
propose today to interconnected VoIP providers. In 2007, the Commission 
exercised ancillary jurisdiction to extend its Part 64 CPNI rules to 
interconnected VoIP services. Since then, interconnected VoIP providers 
have operated under these rules. Interconnected VoIP services remain 
within the Commission's subject matter jurisdiction and we believe that 
the application of customer privacy requirements to these services is 
``reasonably ancillary to the effective performance'' of our statutory 
responsibility under Section 222. As the Commission explained in 2007, 
``American consumers [can reasonably] expect that their telephone calls 
are private irrespective of whether the call is made using the service 
of a wireline carrier, a wireless carrier, or an interconnected VoIP 
provider.'' Now, as then, extending Section 222's protections to 
interconnected VoIP service customers is also ``necessary to protect 
the privacy of wireline or wireless customers that place calls to or 
receive calls from interconnected VoIP providers.'' In addition, in 
2008, Congress ratified the Commission's decision to apply Section 
222's requirements to interconnected VoIP services by adding language 
to Section 222 that expressly covers ``IP-enabled voice service,'' 
defined expressly to incorporate the Commission's definition of 
``interconnected VoIP service.'' The 2008 revisions to Section 222 
would not make sense if the privacy-related duties of subsections (a) 
and (c) did not apply to interconnected VoIP providers. We seek comment 
on this analysis.
    42. We seek comment on whether there are other bases of authority 
on which we can rely to adopt the rules we propose and seek comment on 
today.

F. Impact of the Congressional Disapproval of the 2016 Privacy Order

    43. As noted above, in 2016, the Commission acted to revise its 
breach notification rule as part of a larger proceeding addressing 
privacy requirements for broadband internet access service providers 
(ISPs). The rules the Commission adopted in the 2016 Privacy Order 
applied to telecommunications carriers and interconnected VoIP 
providers in addition to ISPs, which had been classified as providers 
of telecommunications services in 2015. In 2017, however, Congress 
nullified those 2016 revisions to the Commission's CPNI rules under the 
Congressional Review Act.
    44. As a threshold matter, we seek comment on the effect of the 
Congressional disapproval of the 2016 Privacy Order under the 
Congressional Review Act. While we seek comment on a range of proposals 
in this item, we clarify that, in light of the Congressional resolution 
of disapproval, we are not seeking comment on ``reissu[ing] . . . in 
substantially the same form,'' or on issuing ``a new rule that is 
substantially the same as,'' the rule disapproved by Congress. More 
generally, though, we seek comment here on the effect and scope of the 
Congressional disapproval of the 2016 Privacy Order for purposes of 
adopting rules that apply to telecommunications carriers.

G. Digital Equity Considerations

    45. The Commission, as part of its continuing effort to advance 
digital equity for all, including people of color and others who have 
been historically underserved, marginalized, and adversely affected by 
persistent poverty and inequality, invites comment on any equity-
related considerations and benefits (if any) that may be associated 
with the proposals and issues discussed herein. Specifically, we seek 
comment on how our proposals may promote or inhibit advances in 
diversity, equity, inclusion, and accessibility.

II. Procedural Matters

    46. Initial Regulatory Flexibility Analysis. As required by the 
Regulatory Flexibility Act, the Commission has prepared an Initial 
Regulatory Flexibility Analysis (IRFA) of the possible significant 
economic impact on small entities of the policies and rules addressed 
in this document. The IRFA is set forth in Appendix B. Written public 
comments are requested on the IRFA. Comments must be filed by the 
deadlines for comments on the Notice of Proposed Rulemaking indicated 
on the first page of this document and must have a separate and 
distinct heading designating them as responses to the IRFA. The 
Commission's Consumer and Governmental Affairs Bureau, Reference 
Information Center, will send a copy of this Notice of Proposed 
Rulemaking, including the IRFA, to the Chief Counsel for Advocacy of 
the SBA.
    47. People with Disabilities. To request materials in accessible 
formats for people with disabilities (braille, large print, electronic 
files, audio format), send an email to [email protected]

[[Page 3961]]

or call the Consumer & Governmental Affairs Bureau at 202-418-0530 
(voice).

III. Initial Regulatory Flexibility Analysis

    1. As required by the Regulatory Flexibility Act of 1980, as 
amended (RFA), the Commission has prepared this Initial Regulatory 
Flexibility Analysis (IRFA) of the possible significant economic impact 
on small entities by the policies and rules proposed in this Notice of 
Proposed Rulemaking. The Commission requests written public comments on 
this IRFA. Comments must be identified as responses to the IRFA and 
must be filed by the deadlines for comments provided on the first page 
of the Notice of Proposed Rulemaking. The Commission will send a copy 
of the Notice of Proposed Rulemaking, including this IRFA, to the Chief 
Counsel for Advocacy of the Small Business Administration (SBA). In 
addition, the Notice of Proposed Rulemaking and IRFA (or summaries 
thereof) will be published in the Federal Register.

A. Need for, and Objectives of, the Proposed Rules

    2. The Commission first adopted a rule in 2007 requiring 
telecommunications carriers and interconnected Voice over internet 
Protocol (VoIP) providers to notify customers and federal law 
enforcement of breaches of customer proprietary network information 
(CPNI) in the carriers' possession. In the almost decade and a half 
since that time, data breaches nationwide have increased in both 
frequency and severity in all industries. In the telecommunications 
industry, the public has suffered an increasing number of security 
breaches of customer information in recent years. Federal and state 
data breach laws covering other areas have evolved since 2007. Those 
developments combined with our specific experience suggest 
opportunities for improvement in our own breach notification rule. 
Today, we begin the process to update and strengthen our data breach 
rule to provide greater protections to the public.
    3. The Commission adopted the data breach rule, like the rest of 
the privacy safeguards adopted in the 2007 CPNI Order, to address the 
problem of ``pretexting,'' the practice of pretending to be a 
particular customer or other authorized person in order to obtain 
access to that customer's call detail or other private communications 
records. In the almost 15 years since, it has become clear that 
breaches of customer information in many contexts extend far beyond 
pretexting in general or the specific type of pretexting addressed at 
that time and are increasing in scale and evolving in methodology. The 
increasing severity and diversifying methods of security breaches 
involving customer information can have lasting detrimental impacts on 
customers whose information has been breached.
    4. To better protect telecommunications customers and ensure that 
our rules keep pace with today's challenges, we propose a number of 
updates to our rule addressing telecommunications carriers' breach 
notification duties. We seek to ensure that affected customers, the 
Commission, and other federal law enforcement agencies receive the 
information they need in a timely manner so they can mitigate and 
prevent harm due to the breach and take action to deter future 
breaches. To identify best practices and to minimize burdens, we look 
to other federal and state breach laws as potential models for our 
rules.
    5. In this document, we propose to expand the Commission's 
definition of ``breach'' to include inadvertent disclosures of customer 
information and seek comment on adopting a harm-based trigger for 
breach notifications. We also propose to require carriers to notify the 
Commission, in addition to the Secret Service and FBI, as soon as 
practicable after discovery of a breach. We also propose to eliminate 
the mandatory waiting period before notifying customers and instead 
require carriers to notify customers of CPNI breaches without 
unreasonable delay after discovery of a breach unless law enforcement 
requests a delay. We also seek comment on whether we should adopt 
minimum requirements for the content of customer breach notices, and we 
seek comment on whether our rules should address breaches of other 
types of sensitive personal information beyond CPNI. Finally, we 
propose to make changes to our TRS data breach reporting rule 
consistent with those we propose to our CPNI breach reporting rule.

B. Legal Basis

    6. The legal basis for any action that may be taken pursuant to 
this Notice of Proposed Rulemaking is contained in Sections 1, 4(i), 
4(j), 201, 202, 222, 225, 303(r), and 332 of the Communications Act of 
1934, as amended, 47 U.S.C. 151, 154, 201, 202, 222, 225, 303(r), 332.

C. Description and Estimate of the Number of Small Entities to Which 
the Proposed Rules Will Apply

    7. The RFA directs agencies to provide a description of and, where 
feasible, an estimate of the number of small entities that may be 
affected by the proposed rules and by the rule revisions on which the 
Notice of Proposed Rulemaking seeks comment, if adopted. The RFA 
generally defines the term ``small entity'' as having the same meaning 
as the terms ``small business,'' ``small organization,'' and ``small 
governmental jurisdiction.'' In addition, the term ``small business'' 
has the same meaning as the term ``small-business concern'' under the 
Small Business Act. A ``small-business concern'' is one which: (1) is 
independently owned and operated; (2) is not dominant in its field of 
operation; and (3) satisfies any additional criteria established by the 
SBA.
    8. Small Businesses, Small Organizations, Small Governmental 
Jurisdictions. Our actions, over time, may affect small entities that 
are not easily categorized at present. We therefore describe here, at 
the outset, three broad groups of small entities that could be directly 
affected herein. First, while there are industry specific size 
standards for small businesses that are used in the regulatory 
flexibility analysis, according to data from the Small Business 
Administration's (SBA) Office of Advocacy, in general a small business 
is an independent business having fewer than 500 employees. These types 
of small businesses represent 99.9 percent of all businesses in the 
United States, which translates to 32.5 million businesses.
    9. Next, the type of small entity described as a ``small 
organization'' is generally ``any not-for-profit enterprise which is 
independently owned and operated and is not dominant in its field.'' 
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 
or less to delineate its annual electronic filing requirements for 
small exempt organizations. Nationwide, for tax year 2018, there were 
approximately 571,709 small exempt organizations in the U.S. reporting 
revenues of $50,000 or less according to the registration and tax data 
for exempt organizations available from the IRS.
    10. Finally, the small entity described as a ``small governmental 
jurisdiction'' is defined generally as ``governments of cities, 
counties, towns, townships, villages, school districts, or special 
districts, with a population of less than fifty thousand.'' U.S. Census 
Bureau data from the 2017 Census of

[[Page 3962]]

Governments indicate that there were 90,075 local governmental 
jurisdictions consisting of general purpose governments and special 
purpose governments in the United States. Of this number there were 
36,931 general purpose governments (county, municipal and town or 
township) with populations of less than 50,000 and 12,040 special 
purpose governments--independent school districts with enrollment 
populations of less than 50,000. Accordingly, based on the 2017 U.S. 
Census of Governments data, we estimate that at least 48,971 entities 
fall into the category of ``small governmental jurisdictions.''
1. Wireline Carriers
    11. Wired Telecommunications Carriers. The U.S. Census Bureau 
defines this industry as establishments primarily engaged in operating 
and/or providing access to transmission facilities and infrastructure 
that they own and/or lease for the transmission of voice, data, text, 
sound, and video using wired communications networks. Transmission 
facilities may be based on a single technology or a combination of 
technologies. Establishments in this industry use the wired 
telecommunications network facilities that they operate to provide a 
variety of services, such as wired telephony services, including VoIP 
services, wired (cable) audio and video programming distribution, and 
wired broadband internet services. By exception, establishments 
providing satellite television distribution services using facilities 
and infrastructure that they operate are included in this industry. 
Wired Telecommunications Carriers are also referred to as wireline 
carriers or fixed local service providers.
    12. The SBA small business size standard for Wired 
Telecommunications Carriers classifies firms having 1,500 or fewer 
employees as small. U.S. Census Bureau data for 2017 show that there 
were 3,054 firms that operated in this industry for the entire year. Of 
this number, 2,964 firms operated with fewer than 250 employees. 
Additionally, based on Commission data in the 2021 Universal Service 
Monitoring Report, as of December 31, 2020, there were 5,183 providers 
that reported they were engaged in the provision of fixed local 
services. Of these providers, the Commission estimates that 4,737 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    13. Local Exchange Carriers (LECs). Neither the Commission nor the 
SBA has developed a size standard for small businesses specifically 
applicable to local exchange services. Providers of these services 
include both incumbent and competitive local exchange service 
providers. Wired Telecommunications Carriers is the closest industry 
with an SBA small business size standard. Wired Telecommunications 
Carriers are also referred to as wireline carriers or fixed local 
service providers. The SBA small business size standard for Wired 
Telecommunications Carriers classifies firms having 1,500 or fewer 
employees as small. U.S. Census Bureau data for 2017 show that there 
were 3,054 firms that operated in this industry for the entire year. Of 
this number, 2,964 firms operated with fewer than 250 employees. 
Additionally, based on Commission data in the 2021 Universal Service 
Monitoring Report, as of December 31, 2020, there were 5,183 providers 
that reported they were fixed local exchange service providers. Of 
these providers, the Commission estimates that 4,737 providers have 
1,500 or fewer employees. Consequently, using the SBA's small business 
size standard, most of these providers can be considered small 
entities.
    14. Incumbent LECs. Neither the Commission nor the SBA has 
developed a small business size standard specifically for incumbent 
local exchange services. Wired Telecommunications Carriers is the 
closest industry with an SBA small business size standard. The SBA 
small business size standard for Wired Telecommunications Carriers 
classifies firms having 1,500 or fewer employees as small. U.S. Census 
Bureau data for 2017 show that there were 3,054 firms in this industry 
that operated for the entire year. Of this number, 2,964 firms operated 
with fewer than 250 employees. Additionally, based on Commission data 
in the 2021 Universal Service Monitoring Report, as of December 31, 
2020, there were 1,227 providers that reported they were incumbent 
local exchange service providers. Of these providers, the Commission 
estimates that 929 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, the 
Commission estimates that the majority of incumbent local exchange 
carriers can be considered small entities.
    15. Competitive Local Exchange Carriers (Competitive LECs). Neither 
the Commission nor the SBA has developed a size standard for small 
businesses specifically applicable to local exchange services. 
Providers of these services include several types of competitive local 
exchange service providers. Wired Telecommunications Carriers is the 
closest industry with a SBA small business size standard. The SBA small 
business size standard for Wired Telecommunications Carriers classifies 
firms having 1,500 or fewer employees as small. U.S. Census Bureau data 
for 2017 show that there were 3,054 firms that operated in this 
industry for the entire year. Of this number, 2,964 firms operated with 
fewer than 250 employees. Additionally, based on Commission data in the 
2021 Universal Service Monitoring Report, as of December 31, 2020, 
there were 3,956 providers that reported they were competitive local 
exchange service providers. Of these providers, the Commission 
estimates that 3,808 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, most of 
these providers can be considered small entities.
    16. Interexchange Carriers (IXCs). Neither the Commission nor the 
SBA has developed a small business size standard specifically for 
Interexchange Carriers. Wired Telecommunications Carriers is the 
closest industry with a SBA small business size standard. The SBA small 
business size standard for Wired Telecommunications Carriers classifies 
firms having 1,500 or fewer employees as small. U.S. Census Bureau data 
for 2017 show that there were 3,054 firms that operated in this 
industry for the entire year. Of this number, 2,964 firms operated with 
fewer than 250 employees. Additionally, based on Commission data in the 
2021 Universal Service Monitoring Report, as of December 31, 2020, 
there were 151 providers that reported they were engaged in the 
provision of interexchange services. Of these providers, the Commission 
estimates that 131 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, the 
Commission estimates that the majority of providers in this industry 
can be considered small entities.
    17. Cable System Operators (Telecom Act Standard). The 
Communications Act of 1934, as amended (the Act), also contains a size 
standard for small cable system operators, which is ``a cable operator 
that, directly or through an affiliate, serves in the aggregate fewer 
than one percent of all subscribers in the United States and is not 
affiliated with any entity or entities whose gross annual revenues in 
the aggregate exceed $250,000,000.'' For purposes of the Telecom Act 
Standard, the Commission

[[Page 3963]]

determined that a cable system operator that serves fewer than 677,000 
subscribers, either directly or through affiliates, will meet the 
definition of a small cable operator based on the cable subscriber 
count established in a 2001 Public Notice. Based on industry data, only 
six cable system operators have more than 677,000 subscribers. 
Accordingly, the Commission estimates that the majority of cable system 
operators are small under this size standard. We note however, that the 
Commission neither requests nor collects information on whether cable 
system operators are affiliated with entities whose gross annual 
revenues exceed $250 million. Therefore, we are unable at this time to 
estimate with greater precision the number of cable system operators 
that would qualify as small cable operators under the definition in the 
Communications Act.
    18. Other Toll Carriers. Neither the Commission nor the SBA has 
developed a size standard for small businesses specifically applicable 
to other toll carriers. This category includes toll carriers that do 
not fall within the categories of interexchange carriers, operator 
service providers, prepaid calling card providers, satellite service 
carriers, or toll resellers. Wired Telecommunications Carriers is the 
closest industry with a SBA small business size standard. The SBA small 
business size standard for Wired Telecommunications Carriers classifies 
firms having 1,500 or fewer employees as small. U.S. Census Bureau data 
for 2017 show that there were 3,054 firms in this industry that 
operated for the entire year. Of this number, 2,964 firms operated with 
fewer than 250 employees. Additionally, based on Commission data in the 
2021 Universal Service Monitoring Report, as of December 31, 2020, 
there were 115 providers that reported they were engaged in the 
provision of other toll services. Of these providers, the Commission 
estimates that 113 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, most of 
these providers can be considered small entities.
2. Wireless Carriers
    19. Wireless Telecommunications Carriers (except Satellite). This 
industry comprises establishments engaged in operating and maintaining 
switching and transmission facilities to provide communications via the 
airwaves. Establishments in this industry have spectrum licenses and 
provide services using that spectrum, such as cellular services, paging 
services, wireless internet access, and wireless video services. The 
SBA size standard for this industry classifies a business as small if 
it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show 
that there were 2,893 firms in this industry that operated for the 
entire year. Of that number, 2,837 firms employed fewer than 250 
employees. Additionally, based on Commission data in the 2021 Universal 
Service Monitoring Report, as of December 31, 2020, there were 797 
providers that reported they were engaged in the provision of wireless 
services. Of these providers, the Commission estimates that 715 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    20. Satellite Telecommunications. This category comprises firms 
``primarily engaged in providing telecommunications services to other 
establishments in the telecommunications and broadcasting industries by 
forwarding and receiving communications signals via a system of 
satellites or reselling satellite telecommunications.'' Satellite 
telecommunications service providers include satellite and earth 
station operators. The SBA small business size standard for this 
industry classifies a business with $38.5 million or less in annual 
receipts as small. U.S. Census Bureau data for 2017 show that 275 firms 
in this industry operated for the entire year. Of this number, 242 
firms had revenue of less than $25 million. Additionally, based on 
Commission data in the 2021 Universal Service Monitoring Report, as of 
December 31, 2020, there were 71 providers that reported they were 
engaged in the provision of satellite telecommunications services. Of 
these providers, the Commission estimates that approximately 48 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, a little more than of these providers can 
be considered small entities.
3. Resellers
    21. Local Resellers. Neither the Commission nor the SBA have 
developed a small business size standard specifically for Local 
Resellers. Telecommunications Resellers is the closest industry with a 
SBA small business size standard. The Telecommunications Resellers 
industry comprises establishments engaged in purchasing access and 
network capacity from owners and operators of telecommunications 
networks and reselling wired and wireless telecommunications services 
(except satellite) to businesses and households. Establishments in this 
industry resell telecommunications; they do not operate transmission 
facilities and infrastructure. Mobile virtual network operators (MVNOs) 
are included in this industry. The SBA small business size standard for 
Telecommunications Resellers classifies a business as small if it has 
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 
1,386 firms in this industry provided resale services for the entire 
year. Of that number, 1,375 firms operated with fewer than 250 
employees. Additionally, based on Commission data in the 2021 Universal 
Service Monitoring Report, as of December 31, 2020, there were 293 
providers that reported they were engaged in the provision of local 
resale services. Of these providers, the Commission estimates that 289 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard, most of these providers can be considered 
small entities.
    22. Toll Resellers. Neither the Commission nor the SBA have 
developed a small business size standard specifically for Toll 
Resellers. Telecommunications Resellers is the closest industry with a 
SBA small business size standard. The Telecommunications Resellers 
industry comprises establishments engaged in purchasing access and 
network capacity from owners and operators of telecommunications 
networks and reselling wired and wireless telecommunications services 
(except satellite) to businesses and households. Establishments in this 
industry resell telecommunications; they do not operate transmission 
facilities and infrastructure. Mobile virtual network operators (MVNOs) 
are included in this industry. The SBA small business size standard for 
Telecommunications Resellers classifies a business as small if it has 
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that 
1,386 firms in this industry provided resale services for the entire 
year. Of that number, 1,375 firms operated with fewer than 250 
employees. Additionally, based on Commission data in the 2021 Universal 
Service Monitoring Report, as of December 31, 2020, there were 518 
providers that reported they were engaged in the provision of toll 
services. Of these providers, the Commission estimates that 495 
providers have 1,500 or fewer employees. Consequently, using the SBA's 
small business size standard,

[[Page 3964]]

most of these providers can be considered small entities.
    23. Prepaid Calling Card Providers. Neither the Commission nor the 
SBA has developed a small business definition specifically for prepaid 
calling card providers. Telecommunications Resellers is the closest 
industry with a SBA small business size standard. The 
Telecommunications Resellers industry comprises establishments engaged 
in purchasing access and network capacity from owners and operators of 
telecommunications networks and reselling wired and wireless 
telecommunications services (except satellite) to businesses and 
households. Establishments in this industry resell telecommunications; 
they do not operate transmission facilities and infrastructure. Mobile 
virtual network operators (MVNOs) are included in this industry. The 
SBA small business size standard for Telecommunications Resellers 
classifies a business as small if it has 1,500 or fewer employees. U.S. 
Census Bureau data for 2017 show that 1,386 firms in this industry 
provided resale services for the entire year. Of that number, 1,375 
firms operated with fewer than 250 employees. Additionally, based on 
Commission data in the 2021 Universal Service Monitoring Report, as of 
December 31, 2020, there were 58 providers that reported they were 
engaged in the provision of payphone services. Of these providers, the 
Commission estimates that 57 providers have 1,500 or fewer employees. 
Consequently, using the SBA's small business size standard, most of 
these providers can be considered small entities.
4. Other Entities
    24. All Other Telecommunications. This industry is comprised of 
establishments primarily engaged in providing specialized 
telecommunications services, such as satellite tracking, communications 
telemetry, and radar station operation. This industry also includes 
establishments primarily engaged in providing satellite terminal 
stations and associated facilities connected with one or more 
terrestrial systems and capable of transmitting telecommunications to, 
and receiving telecommunications from, satellite systems. Providers of 
internet services (e.g. dial-up ISPs) or voice over internet protocol 
(VoIP) services, via client-supplied telecommunications connections are 
also included in this industry. The SBA small business size standard 
for this industry classifies firms with annual receipts of $35 million 
or less as small. U.S. Census Bureau data for 2017 show that there were 
1,079 firms in this industry that operated for the entire year. Of 
those firms, 1,039 had revenue of less than $25 million. Based on this 
data, the Commission estimates that the majority of ``All Other 
Telecommunications'' firms can be considered small.

D. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements for Small Entities

    25. In this document, we propose to expand the Commission's 
definition of ``breach'' to include inadvertent disclosures of customer 
information and seek comment on adopting a harm-based trigger for 
breach notifications. We also propose to require carriers to notify the 
Commission, in addition to the Secret Service and FBI, as soon as 
practicable after discovery of a breach. We also propose to eliminate 
the mandatory waiting period before notifying customers and instead 
require carriers to notify customers of CPNI breaches without 
unreasonable delay after discovery of a breach unless law enforcement 
requests a delay. We also seek comment on whether we should adopt 
minimum requirements for the content of customer breach notices, and we 
seek comment on whether our rules should address breaches of other 
types of sensitive personal information beyond CPNI. Finally, we 
propose to make changes to our TRS data breach reporting rule 
consistent with those we propose to our CPNI breach reporting rule.
    26. Should the Commission decide to modify existing rules or adopt 
new rules to strengthen our data breach reporting rule, such action 
could potentially result in increased, reduced, or otherwise modified 
recordkeeping, reporting, or other compliance requirements for affected 
providers of service. We seek comment on the effect of any proposals on 
small entities. Entities, especially small businesses, are encouraged 
to quantify the costs and benefits of any reporting, recordkeeping, or 
compliance requirement that may be established in this proceeding.

E. Steps Taken To Minimize the Significant Economic Impact on Small 
Entities, and Significant Alternatives Considered

    27. The RFA requires an agency to describe any significant 
alternatives that it has considered in reaching its proposed approach, 
which may include the following four alternatives (among others): (1) 
the establishment of differing compliance or reporting requirements or 
timetables that take into account the resources available to small 
entities; (2) the clarification, consolidation, or simplification of 
compliance and reporting requirements under the rules for such small 
entities; (3) the use of performance rather than design standards; and 
(4) an exemption from coverage of the rule, or any part thereof, for 
such small entities.
    28. The document seeks comment on the particular impacts that the 
proposed rules may have on small entities. Specifically, the document 
seeks comment on whether there are unique concerns or compliance 
barriers for small carriers that make notice to customers without 
unreasonable delay unfeasible; if there should be different 
notification requirements for small carriers; if streamlining notice 
requirements will benefit small providers; if a centralized reporting 
portal would reduce compliance barriers for small providers; and if a 
threshold trigger would benefit small providers.

F. Federal Rules That May Duplicate, Overlap, or Conflict With the 
Proposed Rules

    29. None.

IV. Ordering Clauses

    30. Accordingly, it is ordered that, pursuant to Sections 1, 2, 
4(i), 4(j), 201, 202, 222, 225, 303(b), 303(r), 332 of the 
Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 154(i), 
154(j), 201, 202, 222, 225, 303(b), 303(r), 332, this Notice of 
Proposed Rulemaking is adopted.
    31. It is further ordered, that the Commission's Consumer and 
Governmental Affairs Bureau, Reference Information Center, shall send a 
copy of this Notice of Proposed Rulemaking, including the Initial 
Regulatory Flexibility Analysis (IRFA), to the Chief Counsel for 
Advocacy of the Small Business Administration.

List of Subjects in 47 CFR Part 64

    Communications, Communications common carriers, Communications 
equipment, Individuals with disabilities, Reporting and recordkeeping 
requirements, Security measures, Telecommunications, Telephone.

Federal Communications Commission.
Marlene Dortch,
Secretary.

Proposed Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission proposes to amend 47 part 64 as follows:

[[Page 3965]]

PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

0
1. The authority citation for part 64 continues to read as follows:

    Authority:  47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220, 
222, 225, 226, 227, 227b, 228, 251(a), 251(e), 254(k), 255, 262, 
276, 403(b)(2)(B), (c), 616, 617, 620, 1401-1473, unless otherwise 
noted; Pub. L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091.

Subpart U--Customer Proprietary Network Information

0
2. Amend Sec.  64.2011 by revising paragraphs (a) through (e) to read 
as follows:


Sec.  64.2011   Notification of customer proprietary network 
information security breaches.

    (a) A telecommunications carrier shall notify affected customers, 
the Federal Communications Commission (Commission), and other federal 
law enforcement of a breach of its customers' CPNI as provided in this 
section.
    (b)(1) As soon as practicable after reasonable determination of a 
breach, a telecommunications carrier shall electronically notify the 
Commission, the United States Secret Service (USSS), and the Federal 
Bureau of Investigation (FBI) through a central reporting facility 
maintained by the Commission and made available on its website.
    (2) If a law enforcement or national security agency notifies the 
carrier that public disclosure or notice to customers would impede or 
compromise an ongoing or potential criminal investigation or national 
security, such agency may direct the carrier not to so disclose or 
notify for an initial period of up to 30 days. Such period may be 
extended by the agency as reasonably necessary in the judgment of the 
agency. If such direction is given, the agency shall notify the carrier 
when it appears that public disclosure or notice to affected customers 
will no longer impede or compromise a criminal investigation or 
national security. The agency shall provide in writing its initial 
direction to the carrier, any subsequent extension, and any 
notification that notice will no longer impede or compromise a criminal 
investigation or national security.
    (c) Customer Notification. A telecommunications carrier shall 
notify affected customers of covered breaches of CPNI without 
unreasonable delay after discovery of the breach after notification to 
the Commission and law enforcement as described in paragraph (b) of 
this section.
    (d) Recordkeeping. All carriers shall maintain a record, 
electronically or in some other manner, of any breaches discovered, 
notifications made to the Federal Communications Commission, USSS, and 
the FBI pursuant to paragraph (b) of this section, and notifications 
made to customers. The record must include, if available, dates of 
discovery and notification, a detailed description of the CPNI that was 
the subject of the breach, and the circumstances of the breach. 
Carriers shall retain the record for a minimum of 2 years.
    (e) Definitions. As used in this section, a ``breach'' has occurred 
when a person, without authorization or exceeding authorization, has 
gained access to, used, or disclosed CPNI.
* * * * *
0
3. Amend Sec.  64.5111 by revising paragraphs (a) through (e) to read 
as follows:


Sec.  64.5111   Notification of customer proprietary network 
information security breaches.

    (a) A TRS provider shall notify affected customers, the Federal 
Communications Commission (Commission), and other federal law 
enforcement of a breach of its customers' CPNI as provided in this 
section.
    (b)(1) As soon as practicable after reasonable determination of a 
breach, a TRS provider shall electronically notify the Commission, the 
United States Secret Service (USSS), and the Federal Bureau of 
Investigation (FBI) through a central reporting facility maintained by 
the Commission and made available on its website.
    (2) If a law enforcement or national security agency notifies the 
TRS provider that public disclosure or notice to customers would impede 
or compromise an ongoing or potential criminal investigation or 
national security, such agency may direct the TRS provider not to so 
disclose or notify for an initial period of up to 30 days. Such period 
may be extended by the agency as reasonably necessary in the judgment 
of the agency. If such direction is given, the agency shall notify the 
TRS provider when it appears that public disclosure or notice to 
affected customers will no longer impede or compromise a criminal 
investigation or national security. The agency shall provide in writing 
its initial direction to the TRS provider, any subsequent extension, 
and any notification that notice will no longer impede or compromise a 
criminal investigation or national security and such writings shall be 
contemporaneously logged on the same reporting facility that contains 
records of notifications filed by TRS provider.
    (c) Customer Notification. A TRS provider shall notify affected 
customers of covered breaches of CPNI without unreasonable delay after 
discovery of the breach after notification to the Commission and law 
enforcement as described in paragraph (b) of this section.
    (d) Recordkeeping. All TRS provider shall maintain a record, 
electronically or in some other manner, of any breaches discovered, 
notifications made to the Federal Communications Commission, USSS, and 
the FBI pursuant to paragraph (b) of this section, and notifications 
made to customers. The record must include, if available, dates of 
discovery and notification, a detailed description of the CPNI that was 
the subject of the breach, and the circumstances of the breach. TRS 
providers shall retain the record for a minimum of 2 years.
    (e) Definitions. As used in this section, a ``breach'' has occurred 
when a person, without authorization or exceeding authorization, has 
gained access to, used, or disclosed CPNI.
* * * * *
[FR Doc. 2023-00824 Filed 1-20-23; 8:45 am]
BILLING CODE 6712-01-P