by Aaron Burstein (Los Angeles) and Alexander Schneider (Los Angeles)

The Federal Communications Commission ("FCC" or "Commission") is
seeking comments on a Notice of Proposed Rulemaking (NPRM) to refresh
its customer proprietary network information ("CPNI") data breach
reporting requirements (the "Rule"). Adopted earlier this month by a
unanimous 4-0 vote of the Commission, the NPRM solicits comments on
rule revisions that would expand the scope of notification obligations
and accelerate the timeframe to notify customers after a data breach
involving telephone call detail records and other CPNI. The FCC cites
"an increasing number of security breaches of customer information" in
the telecommunications industry in recent years and the need to "keep
pace with today's challenges" and best practices that have emerged
under other federal and state notification standards as reasons to
update the Rule.

According to the current Rule, a "breach" means that a person "without
authorization or exceeding authorization, has intentionally gained
access to, used, or disclosed CPNI." As summarized in the NPRM, CPNI
includes "phone numbers called by a consumer, the frequency, duration,
and timing of such calls, the location of a mobile device when it is
in active mode (i.e., able to signal its location to nearby network
facilities), and any services purchased by the consumer, such as call
waiting." (The NPRM does not propose any changes to the definition of
CPNI.)

https://www.mondaq.com/article/news/1275504?q=1803232&n=684&tp=17&tlk=2&lk=68

--
(Please remove QRM for direct replies)