After waiting 16 years for a call, the FCC is finally back on the line. Last month the FCC updated its 16-year-old data breach notification rule. The updated rule makes drastic changes to the previous FCC notification requirements. However, many will already be familiar with the new requirements, as they merge those found in state data breach notification laws into the FCC context. Regulators may have felt wired to make these changes in light of the new SEC rules, about which we have also previously written, that went into effect last month. Regardless of their motives, the FCC determined that the line had been ringing for too long and it was time to pick up where they had left off 16 years ago.
As with the previous rule, the update applies to providers of telecommunications, interconnected Voice over IP, and telecommunications relay services. Updates to the rule include:
- The elimination of the mandatory waiting period prior to notification.
- Breaches must be reported to the commission and law enforcement within 7 days.
- Breaches that impact fewer than 500 individuals and where there is no reasonable likelihood of harm to individuals may be reported annually.
- Impacted individuals must be notified without unreasonable delay after notification to the commission and law enforcement, but no later than 30 days after the determination of a breach.
- Individual notification is not required if there is no reasonable likelihood of harm or if the data was encrypted and the encryption key was not impacted.
- Expanded definition of triggering information to include all personally identifiable information, including social security numbers and financial information.
- Expanded definition of breach to include inadvertent access, use, or disclosure, but the definition includes a good faith exception similar to those found in various state data breach notification laws.
Putting it into Practice: Providers must not let this call go to voicemail. It is time to stay dialed in, review the updated regulations carefully, and update policies and procedures to ensure compliance. This is one call you don’t want to miss.