WASHINGTON, March 28, 2024 – A major broadband industry group is asking a federal judge to block the Federal Communications Commission’s data breach rules.
The three major telecommunications industry associations, NCTA, CTIA, and USTelecom, jointly filed a petition for review in the D.C. Circuit Court of Appeals on March 15, but the case was transferred to the Sixth Circuit on March 20. . The same rules were integrated into the circuit earlier this month.
The group claims in their petition The agency's December data breach order “exceeds the FCC's statutory authority” and is “arbitrary, capricious and an abuse of discretion,” it said, adding that the agency's December data breach order “exceeds the FCC's statutory authority” and is “arbitrary, capricious and an abuse of discretion.” mentioned the test.
F.C.C. rules adopted in The December meeting creates more reporting requirements for providers of VoIP and TRS, voice services over the Internet, and services that allow people with hearing or speech disabilities to make phone calls.
These rules expand the definition of breach to include intentional as well as inadvertent unauthorized access to customer data, and expand the definition of covered data to include more personally identifiable information. Now it looks like this. The rule also requires companies to notify the FCC of violations in addition to law enforcement, and to notify customers sooner after enforcement. In some situations, such as when there is a low probability of harm occurring or when an employee accessed the covered data in good faith, a business is not required to notify customers.
Although the industry group's petition is short, it argues against portions of the FCC's rulemaking process.
While largely supportive of other aspects of the new rule, all three organizations objected to the Commission expanding the definition of “covered data” to include personally identifying information such as social security numbers. did.
Before adopting the new rules, the agency's data breach policy only covered “customer proprietary network information” (CPNI), or information that providers collect about their customers' calls.
group discussed in the comments The FCC says it lacks legal authority to expand that definition, both because of the 1996 Telecommunications Act and because Congress struck down a similar FCC move in 2017.
The agency acknowledged and rejected these claims in December. data breach order. “The broad scope of Section 222(a) makes it even clearer that the Commission's violation reporting rules can and must apply to all PII, not just CPNI,” the Commission said. I am writing.
This is a reference to the section's statement that telecommunications carriers must protect “confidential information” about customers, equipment manufacturers, and other carriers. Later sections of the law set out the authorities' powers to specifically regulate CPNI and other customer information.
“The Act uses that term in Section 222(a) because the provision covers information exchanged with three different types of entities: customers, telecommunications carriers, and equipment manufacturers. and that is why we use the term “CPNI”, a term that applies only to: It would not have been appropriate to treat the customer in the manner covered by Section 222(c). ”NCTA I wrote it in the comments To the agency.
group also claimed Congress' 2017 move to override data breach rules that expanded the scope of covered data because federal agencies cannot enact rules that are “substantially the same” as those repealed by Congress. , the FCC complained to the agency that it could no longer enact the same rules. Two Republican members of the FCC ultimately opposed the order on these grounds.
In its order, the agency stated that the Congressional Review Act, the law that allows Congress to intervene and override agency rules, “is substantially similar to limited portions of the disapproved rules.” “This does not preclude the adoption of rules that have been approved or have been disapproved.” Same as the individual parts of the rule that were disapproved. ”
The commission said the rules that were struck down focused primarily on broadband providers, which at the time were telecommunications carriers, and that members of Congress were concerned that the FCC's privacy requirements conflicted with FTC rules. claims. The order argues that the inclusion of expanded data breach rules as part of the rescinded order does not preclude agencies from taking similar actions now.
The rule is also challenged by the Ohio Telecommunications Association and the Texas Business Association.