In honor of Privacy Day, Steven A. Augustino and Jack Pringle of Nelson Mullins have highlighted new security breach rules promulgated by the Federal Communications Commission (FCC). Their article begins by pointing out something also noted in the healthcare sector, where increasing concurrent jurisdiction increases the number of federal and state regulations entities must comply with or face enforcement. For those involved in telecommunications, they note:
In the privacy world, confidential information relating to the nature, amount, or use of telecommunications services has always been subject to separate rules from other types of customer data. Prior to the advent of interconnected VoIP and other types of advanced communications capabilities, these two worlds operated separately. Telecommunications carriers knew to comply with Federal Communications Commission (FCC) rules for the services they provided while non-telecommunications carriers would be subject to the general federal and state breach rules applicable to personally identifiable information. Legally, this distinction remains relevant, even while, factually, the line between a telecom and non-telecom service is blurring. As a result, service providers that incorporate a communications component into their services should pay careful attention to which regime applies to which aspect of their services. Increasingly, the answer is that service providers will have to comply with multiple sets of rules, some applicable only to a portion of their data and services.
With that caution in mind, service providers should take note of new rules from the FCC relating to data breaches involving telecommunications service information. In December 2023, the FCC significantly revised existing security breach rules (Rules) for information relating to telecommunications customers and services, including interconnected VoIP services. Accordingly, all telecommunications carriers and interconnected VOIP providers (collectively, “Service Providers”) are subject to the Rules.
This is the first time in 16 years the FCC has updated its Rules addressing security breaches, and there are significant changes of which Service Providers should be aware.
Read about the changes, which include an expanded definition of a reportable “breach” and changes in notification requirements. This site previously reported the commission’s announcement of the rules change on December 13.