Communications Litigation Today was a Warren News publication.
'Arbitrary' and 'Capricious'

Texas Business Group Seeks 5th Circuit Review of FCC Data Breach Rules

The Texas Association of Business (TAB) petitioned the 5th U.S. Circuit Appeals Court for review of the FCC’s updated data breach notification rules. The rules were adopted Dec. 13, released Dec. 21 and published in the Federal Register Feb. 12, said TAB's Thursday filing (docket 24-60085). They are effective March 13 (see 2402090035).

The order (docket 23-111) imposes certain duties on telecom carriers, VoIP providers and telecommunications relay service (TRS) providers. These duties cover unauthorized access to or disclosure of customer proprietary network information (CPNI) and personally identifiable information (PII).

“[R]epresenting businesses of “every size and industry,” including telecom and VoIP service providers affected by the FCC order, TAB seeks review on grounds that the order “exceeds the FCC’s statutory authority, is arbitrary, capricious, and an abuse of discretion within the meaning of the Administrative Procedure Act,” said the petition. The association requests that the 5th Circuit hold unlawful, vacate, enjoin and set aside the order and grant additional relief as appropriate, said the filing.

The Texas group’s filing follows a similar petition from the Ohio Telecom Association (OTA) filed Tuesday in the 6th U.S. Circuit Appeals Court (see 2402210026). Representing more than 40 telecom providers directly affected by the order, the OTA also said the measure “exceeds the FCC’s statutory authority,” and is “arbitrary, capricious, and an abuse of discretion” as described in the Administrative Procedure Act.

The FCC expanded the scope of its breach notification rules owing to concerns that consumers “may be harmed by the improper use or disclosure of sensitive customer data other than CPNI,” such as PII, it said. In addition, telecom providers “may be particularly vulnerable” to such cyberattacks, it said.

The updated order expands the definition of a data breach for carriers and TRS providers to include “inadvertent disclosures” of customer information, except in cases where the information is “acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.” It requires that carriers and TRS providers notify the FCC of breaches, as well as the U.S. Secret Service and FBI. Notification must occur “as soon as practicable” and not later than seven business days “after reasonable determination of the breach," the order said.

To limit potential burden on carriers, TRS providers and consumers from breach notifications that are unlikely to require protective action, the FCC eliminated the requirement of notifying customers of a breach when carriers or TRS providers “reasonably determine that no harm to consumers is reasonably likely to occur,” the order said.

For instances following a breach in which there is a risk of consumer harm, the commission eliminated the mandatory waiting period for carriers to notify customers. Instead, it requires that carriers and TRS providers notify customers of breaches of covered data “without unreasonable delay after notification” to the FCC and law enforcement -- not later than 30 days after reasonable determination of a breach, unless law enforcement requests a delay, the order said. The changes will “better protect consumers from improper use or disclosure of their customer information and harmonize our rules with new approaches to protecting the public already deployed by our partners in federal and state government,” it said.