On October 27, 2016, the Federal Communications Commission (“FCC”) delivered a major victory to internet privacy advocates by adopting new privacy and data security rules that will require telecommunications carriers to take measures to protect the privacy of their customers.
The new rules affect all telecommunications carriers providing telecommunications services, including broadband internet service providers (“ISPs”) and interconnected voice over internet protocol (“VoIP”) services.
New Privacy and Data Security Rules Stem from Communications Act
Section 222 of Title II of the Communications Act (the “Act”) imposes certain duties on telecommunication carriers to protect the confidentiality of their customers’ proprietary information, and places certain restrictions on the use and sharing of customer proprietary network information without customer approval.
Pursuant to the Act, the FCC has adopted new privacy and data security rules to bring the activities of broadband internet service providers in line with those of traditional telecommunications carriers, which have historically complied with prohibitions against the unauthorized sharing of customer proprietary network information.
The new rules reflect the FCC’s increasing interest in the privacy obligations of telecommunications carriers. Earlier this year, the FCC assessed a $1,350,000 fine against Verizon Wireless for tracking its customers’ broadband activities, without obtaining their consent, in order to deliver targeted advertisements from Verizon and other third parties.
The New Rules
Transparency. The new rules will require, among other things, that ISPs notify their customers about the types of information they collect, how the information will be used and shared, and the types of entities with whom the ISP will share this information.
Opt-in Approval. ISPs will also be required to obtain the affirmative consent of their customers to use and share their “sensitive information” with third parties. In this regard, the rules outline the following categories of information that will be deemed to be “sensitive information”:
- Precise geo-location information;
- Health information;
- Financial information;
- Social security numbers;
- Web browsing history;
- Application usage history; and
- The content of communication.
Data Security. The new rules will impose new data security requirements on telecommunications carriers. To the extent that a carrier collects and maintains customer proprietary information (“PI”) (which includes both customer proprietary network information as well as personally identifiable information), the new rules will require ISPs and other telecommunications carriers to take reasonable measures to secure customers’ PI. Such reasonable measures should include the implementation of relevant industry best practices, appropriate accountability and oversight of security practices, robust customer authentication procedures, and disposal procedures that are consistent with the Federal Trade Commission’s best practices and the Federal Consumer Privacy Bill of Rights.
Breach Notification. Additionally, in the event of a reportable breach involving customer PI, the rules will require ISPs and other telecommunications carriers to notify affected customers no later than thirty (30) calendar days following a carrier’s reasonable determination that a breach has occurred.
For data breaches involving more than 5,000 customers, the rules will require carriers to notify the FCC, the FBI and the Secret Service, unless the carrier is able to reasonably determine that the data breach poses no reasonable risk of harm to the affected customers. Such notice must be provided to the applicable federal agencies within seven (7) business days of when a carrier reasonably determines that a breach has occurred, and no later than three (3) days before notice is provided to customers.
For data breaches involving fewer than 5,000 customers, carriers will be required to notify the FCC no later than thirty (30) calendar days following the carrier’s reasonable determination that a breach has occurred.
The privacy notice and opt-in requirements will become effective approximately twelve (12) months after the publication of the FCC’s Order in the Federal Register, though small providers will be given an additional twelve (12) months to comply.
The data security requirements will become effective ninety (90) days after the publication of the FCC’s Order in the Federal Register.
The data breach notification requirements will take effect approximately six (6) months after the publication of the FCC’s Order in the Federal Register.
To learn more about the FCC’s new privacy rules, you can visit the FCC’s Public Notices.