Overshadowed by the massive news of the FCC changing the TCPA’s express consent definition to close the “lead generator loophole” was another important ruling adopted at the December open meeting concerning data breach notification requirements.
The nation’s wireless carriers and VOIP service providers are now under federal mandate to notify government officials of any data breach–no matter how small–within seven (7) days and must notify consumers “without unreasonable delay” any time the breach may result in harm (and not more than 30 days after the breach).
The rule represents the first time such carriers were mandated to make data breach notifications at the federal level. Consequences for non-compliance can be quite dire–and the limits of the FCC’s reporting requirements are somewhat vague–so platforms, carriers, VOIP service providers and telecom infrastructure companies should really be paying attention here.
What is clear is that any time data that “is linked or linkable to a specific individual” is accessed or used “without authorization or exceeding authorization” a data breach has occurred.
I am curious about when TCPA plaintiffs issue subpoenas seeking data records of carriers now–is there a notification requirement in light of the new data breach rules? Probably not, since the FCC excludes “a good-faith acquisition of covered data by an employee or agent of a carrier where such information is not used improperly or further disclosed…” but I am not so sure.
I should note the rule requires notification even in the event of a minor inadvertent disclosure–i.e., there is no good faith rule for breaches made despite following best practices (contrary to many state disclosure rules).
You can read the entire ruling here: 2 – IN THE MATTER OF DATA BREACH REPORTING REQUIREMENTS