On April 1, the Federal Communications Commission issued a notice of proposed rulemaking (“NPRM”) that would require Internet service providers (“ISPs”) to clearly disclose how customer data is being used, take reasonable steps to protect that information, and notify affected customers within 10 days of discovering a data breach. The NPRM — formally approved by a 3-2 Democratic majority of FCC commissioners on March 31 — would require ISPs to follow the sort of regulations that currently apply to common carriers under the Communications Act.
By way of background, the FCC gained authority to set privacy rules on ISPs after it issued its controversial Open Internet order last year. The Open Internet order reclassified broadband Internet access service as a telecommunications service subject to Title II of the Communications Act. This effectively gave the FCC authority to be privacy regulator of broadband providers.
Under the Open Internet order, ISPs must comply with new privacy obligations, including those in 47 U.S.C. § 222 governing proprietary information and customer proprietary network information (“CPNI”). Existing regulations under Section 222 mandate that telecommunications providers have a duty to protect customer confidential information. The FCC’s NPRM proposes to supplement Section 222 to require more expansive privacy and data protection standards for Internet service.
Notable features of the NPRM include:
- Defining personal information: The NPRM first proposes to define personal information broadly to include both CPNI (information relating to the quantity, technical configuration, type, destination, location, and usage of the service) and personally identifiable information (“PII”) collected by the broadband providers.
- Opt-in and opt-out provisions: Under the NPRM, consumers would be able to opt out of programs that let ISPs use the data they collect to offer other services themselves. At the same time, ISPs would be required to obtain explicit opt-in consent before sharing data with third parties, mirroring the structure in place under the Gramm-Leach-Bliley Act and similar regulations. Companies subject to the NPRM will be required to keep records of all disclosures of PII to third parties, as well as of all customer notices and consents.
- Restrictions on use of aggregate customer information: The regulations will restrict uses of aggregate customer information, and there will be limited exemptions for de-identified forms of personal information and CPNI. Aggregate information can only be used and disclosed if: (1) it is not reasonably linkable to a specific individual or device; (2) the provider publicly commits to use it in a non-identifiable manner, and to not attempt to re-identify it; (3) third parties that receive or access it are contractually prohibited from attempting to re-identify it; and (4) the broadband provider has reasonable monitoring of third-party compliance with contracts pertaining to aggregate data.
- Data security requirements: Providers will be required to maintain data security programs for PII that must include: (1) routine risk assessments and prompt remediation of weaknesses; (2) employee, contractor, and affiliate training on data security procedures; (3) appointment of a senior official to oversee data security procedures; (4) adoption of robust customer authentication procedures for access to PII; and (5) oversight and monitoring of third parties that receive PII.
- Strict breach notification obligations: The proposed regulations include strict breach reporting obligations that will require notification to individuals within 10 days of the breach, and to the FCC (and potentially the FBI and Secret Service) within seven days of the breach. Breaches are broadly defined to include even unintentional unauthorized access, use, or disclosure of PII, and there are no exceptions for access by a provider employee or agent, or for incidents that do not involve risk of harm to the customer. Like many other regulations or guidelines, the FCC’s NPRM provides no real direction on what constitutes sound information security controls. What is needed more than regulation and exposure is a safe harbor. As under existing schemes, even well-intentioned companies have no assurance that the controls they implement will not later be deemed insufficient following an incident. The alternative for other agencies (such as the FTC) has been to issue bulletins and guidelines, although for the FTC that came only after more than ten years of enforcement actions. While companies cannot eliminate this uncertainty, it is important that the right balance be struck between business functionality and cyber security controls. Sound information governance with proper documentation can help mitigate the risks in a now closely regulated industry.
Is the FCC ready to become ISPs’ chief regulator of cyber security issues? A recent CBS 60 Minutes segment that aired on April 17 suggests that it may not be. The program highlighted a Signaling System 7 (“SS7”) flaw that allowed a hacker to intercept a call and listen to the contents of the conversation. The 60 Minutes segment spurred the FCC into action, with David Simpson, head of the FCC’s Public Safety Bureau, saying he has tasked his staff with looking into the SS7 allegations. This reaction, however, raised concerns about the FCC’s familiarity with modern cyber security issues, given that the SS7 flaw itself has been public knowledge since 2014, when Karsten Nohl, the German researcher featured on 60 Minutes, first publicized the issue.
Internet service providers have voiced strong opposition to the NPRM, arguing that it puts them on an unequal footing with other Internet companies that collect data on users but are overseen only by the Federal Trade Commission, and are thus limited only by the representations made in their privacy policies or other consumer-facing promises.