FCC Adopts Updated Data Breach Notification Rules

On December 13, 2023, the Federal Communications Commission (FCC) voted to update its 16-year-old data breach notification rules (the “Rules”). Pursuant to the FCC update, providers of telecommunications, Voice over Internet Protocol (VoIP) and telecommunications relay services (TRS) are now required to notify the FCC of a data breach, in addition to existing obligations to notify affected customers, the FBI and the U.S. Secret Service.

The updated Rules introduce a new customer notification timing requirement, requiring notice of a data breach to affected customers without unreasonable delay after notification to the FCC and law enforcement agencies, and in no case more than 30 days after the reasonable determination of a breach. The new Rules also expand the definition of “breach” to include “inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.” The updated Rules further introduce a harm threshold, whereby customer notification is not required if a carrier or TRS provider can “reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach,” or where the breach solely involves encrypted data and the encryption key was not affected.

The FCC Approves an NOI to Dive Deeper into AI and its Effects on Robocalls and Robotexts

AI is on the tip of everyone’s tongue these days, it seems. The Dame brought you a recap of President Biden’s orders addressing AI at the beginning of the month. This morning, at the FCC’s open meeting, the commissioners were presented with a request for a Notice of Inquiry (NOI) to gather additional information about the benefits and harms of artificial intelligence and its use alongside “robocall and robotext”. The NOI covers the following five areas of interest:

  • First, the NOI seeks comment on whether, and if so how, the commission should define AI technologies for purposes of the inquiry. This includes particular uses of AI technologies that are relevant to the commission’s statutory responsibilities under the TCPA, which protects consumers from nonemergency calls and texts using an autodialer or containing an artificial or prerecorded voice.
  • Second, the NOI seeks comment on how technologies may impact consumers who receive robocalls and robotexts including any potential benefits and risks that the emerging technologies may create. Specifically, the NOI seeks information on how these technologies may alter the functioning of the existing regulatory framework so that the commission may formulate policies that benefit consumers by ensuring they continue to receive privacy protections under the TCPA.
  • Third, the NOI seeks comment on whether it is necessary or possible to determine at this point whether future types of AI technologies may fall within the TCPA’s existing prohibitions on autodial calls or texts and artificial or prerecorded voice messages.
  • Fourth, the NOI seeks comment on whether the commission should consider ways to verify the authenticity of legitimately generated AI voice or text content from trusted sources, such as through the use of watermarks, certificates, labels, signatures, or other forms of labels when callers rely on AI technology to generate content. This may include, for example, emulating a human voice on a robocall or creating content in a text message.
  • Lastly, the NOI seeks comment on what next steps the commission should consider to further the inquiry.

While all the commissioners voted to approve the NOI, they did share a few insightful comments. Commissioner Carr stated “If AI can combat illegal robocalls, I’m all for it” but he also expressed that he does “…worry that the path we are heading down is going to be overly prescriptive” and suggests “…Let’s put some common-sense guardrails in place, but let’s not be so prescriptive and so heavy-handed on the front end that we end up benefiting large incumbents in the space because they can deal with the regulatory frameworks and stifling the smaller innovation to come.”

Commissioner Starks shared “I, for one, believe this intersectionality is clinical because the future of AI remains uncertain, one thing is clear — it has the potential to impact if not transform every aspect of American life, and because of that potential, each part of our government bears responsibility to better understand the risks, opportunities within its mandate, while being mindful of the limits of its expertise, experience, and authority. In this era of rapid technological change, we must collaborate, lean into our expertise across agencies to best serve our citizens and consumers.” Commissioner Starks seemed to be particularly focused on AI’s ability to facilitate bad actors in schemes like voice cloning and how the FCC can implement safeguards against this type of behavior.

“AI technologies can bring new challenges and opportunities. Responsible and ethical implementation of AI technologies is crucial to strike a balance, ensuring that the benefits of AI are harnessed to protect consumers from harm rather than amplifying the risks in increasing the digital landscape,” Commissioner Gomez shared.

Finally, the topic around the AI NOI wrapped up with Chairwoman Rosenworcel commenting “… I think we make a mistake if we only focus on the potential for harm. We needed to equally focus on how artificial intelligence can radically improve the tools we have today to block unwanted robocalls and robotexts. We are talking about technology that can see patterns in our network traffic, unlike anything we have today. They can lead to the development of analytic tools that are exponentially better at finding fraud before it reaches us at home. Used at scale, we cannot only stop this junk, we can use it to increase trust in our networks. We are asking how artificial intelligence is being used right now to recognize patterns in network traffic and how it can be used in the future. We know the risks this technology involves but we also want to harness the benefits.”

911 Network Reliability Deadline Approaching

Earlier this month, the FCC announced that its 2022 911 Reliability Certification System is now open for Covered 911 Service Providers to file annual reliability certifications.  The filings are due on October 17, 2022.  Failure to submit the certification may result in FCC enforcement action.

Background

In 2013, the FCC adopted rules aimed at improving the reliability and redundancy of the nation’s 911 network.  Those rules require Covered 911 Service Providers (“C9SP”) to take steps that promote reliable 911 service with respect to three network elements: circuit auditing, central-office backup power, and diverse network monitoring.  The Commission identified these three network elements as vulnerabilities following a derecho storm in 2012 that significantly impacted 911 service along the eastern seaboard.

Applicability. The rules apply to all C9SPs, which are defined as any entity that provides 911, E911, or NG911 capabilities such as call routing, automatic location information (ALI), automatic number identification (ANI), or the functional equivalent of those capabilities, directly to a public safety answering point (PSAP).

Certification. The rules require C9SPs to certify annually that they have met the FCC’s safe harbor provisions for each of these elements or have taken reasonable alternative measures in lieu of those safe harbor protections.  The certification must be made under penalty of perjury by a corporate officer with supervisory and budgetary authority over network operations.

In 2018 and 2020, the FCC sought comment on changes to the 911 reliability certification rules, but the rules have not yet been updated as a result of those proceedings.

Enforcement Against Noncompliant Providers

Last year, the FCC entered into eight consent decrees with Covered 911 Service Providers that failed to submit their reliability certifications in 2019, 2020, or both.  A Consent Decree typically requires the recipient to admit it violated an FCC rule, pay a fine to the federal government, and implement a Compliance Plan to guard against future rule violations.  These Compliance Plans required the C9SPs to designate a compliance officer, establish new operating procedures, and develop and distribute a compliance manual to all employees.

Additionally, the providers were required to establish and implement a compliance training program, file periodic compliance reports with the FCC detailing the steps the provider has taken to comply with the 911 rules, and report any noncompliance with 911 rules within 15 days of discovering such noncompliance.

Looking Forward

C9SPs have about one month to confirm compliance with the reliability rules and submit a required certification.  Based on the FCC’s enforcement efforts last year, C9SPs would be well-advised to work diligently to meet this upcoming deadline.

© 2022 Keller and Heckman LLP

FCC to Issue Net Neutrality Rules–Federal Communications Commission

Armstrong Teasdale Law firm

In February, Federal Communications Commission Chairman Tom Wheeler will circulate a draft order regarding Net Neutrality to his four fellow commissioners. The Net Neutrality rules will govern whether Internet service providers (ISPs), such as Comcast or Verizon, can block access to websites or give preferential treatment to traffic from websites that pay for such treatment. To sustain the rules, the commission may change the regulatory classification of broadband service, subjecting it to rules, known as Title II, that apply to traditional phone service, rather than the less restrictive Title I rules that currently cover broadband. 47 U.S.C. §§ 153–621.

This will be the FCC’s third attempt at imposing Net Neutrality obligations. The U.S. Circuit Court reversed the commission’s first two attempts, finding that the rules were inconsistent with the classification of broadband as a Title I service. Comcast Corp. v. FCC, 600 F.3d 642 (D.C. Cir. 2010); Verizon v. FCC, 740 F.3d 623 (D.C. Cir. 2014). In the most recent opinion, the court struck down two rules, one prohibiting ISPs from blocking access to websites and one prohibiting them from unreasonably discriminating against traffic from websites or applications.

In response, the FCC published a proposal to reinstate the rules with small changes to address the Court’s concerns. The proposal was roundly criticized by Net Neutrality proponents, because it did not flatly outlaw discrimination. President Obama weighed in with a statement in favor of Net Neutrality rules. Recently, Chairman Wheeler has strongly indicated that the new proposal will reclassify broadband as a Title II service and include a rule banning unreasonable discrimination. The Chairman plans to circulate a draft order to the other commissioners, giving them a chance to comment on the draft and vote on the proposal at the FCC’s open meeting on February 26.

The effect of the rules is uncertain. Rules banning discrimination have been in place for only three of the 12 years since Net Neutrality was first proposed. Even though discrimination was allowed for more than nine years of that time, ISPs have not been able to convince content providers to pay for priority treatment. The new rules may outlaw activities that the ISPs do not have the market power to engage in anyway. But the rules will give content providers comfort that the ISPs will not be able to charge them for priority service in the future.

The bigger (and more uncertain) impact will arise if the FCC reclassifies broadband as a Title II service. If this happens, the Commission will probably forbear from applying most sections of Title II to broadband. But the FCC’s authority to forbear from applying the statute in these circumstances is uncertain. Such a decision will be challenged on each section of Title II and the myriad of regulations under it. Litigation will last for years. If the FCC’s decision to forbear is reversed, the ISPs may be subject to some very onerous Title II regulations, such as obligations to resell their services, obligations to sell out of tariffs, and price restrictions. The outcome could be a messy hodge-podge of regulations that apply to some services and providers but not others.


FCC: The New Data Security Sheriff In Town

Proskauer Law firm

Data security seems to make headlines nearly every week, but last Friday, a new player entered the ring.  The Federal Communications Commission (“FCC”) took its first foray into the regulation of data security, an area that has been dominated by the Federal Trade Commission.  In its 3-2 vote, the FCC did not tread lightly – it assessed a $10 million fine on two telecommunications companies for failing to adequately safeguard customers’ personal information.

The companies, TerraCom, Inc. and YourTel America, Inc., provide telecommunications services to qualifying low-income consumers for a reduced charge.  The FCC found that the companies collected the names, addresses, Social Security numbers, driver’s licenses, and other personal information of over 300,000 consumers.  The data was stored on Internet servers without password protection or encryption, allowing public access to the data through Internet search engines.  This, the FCC found, exposed consumers to “an unacceptable risk of identity theft.”

The FCC charged the companies with violation of Section 222(a) of the Communications Act, which it interpreted to impose a duty on telecommunications carriers to protect customers’ “private information that customers have an interest in protecting from public exposure,” whether for economic or personal reasons.  Additionally, the companies were charged with violation of Section 201(b), which requires carriers to treat such information in a “just and reasonable” manner.

The companies were determined to have violated Sections 201(b) and 222(a) by failing to employ “even the most basic and readily available technologies and securities features.”  The companies further violated Section 201(b), the FCC found, by misrepresenting in their privacy policies and statements on their websites that they employ reasonable and updated security measures, and by failing to notify all of the affected customers of the data breach.

Commissioners Ajit Pai and Michael O’Rielly dissented, arguing that, among other things, the FCC had not before interpreted the Communications Act to impose an enforceable duty to employ data security measures and notify customers in the event of a breach.  Though now that the FCC has so-interpreted the Act, we can expect the FCC to keep its eye on data security.

The FCC made clear that protection of consumer information is “a fundamental obligation of all telecommunications carriers.”  Friday’s decision also makes clear that the FCC will enforce notification duties in the event of a breach, and will look closely at carriers’ privacy policies and online statements regarding data security.


Gaga for Gigabit: The FCC (Federal Communications Commission) Liberates 100 MHz of Spectrum for Unlicensed Wi-Fi

Sheppard Mullin 2012

On April 1, the FCC took steps to remedy a small but growing annoyance of modern life:  poor Wi-Fi connectivity.  Removing restrictions that had been in place to protect the mobile satellite service uplinks of Globalstar, and by unanimous vote, the FCC’s First Report and Order on U-NII will free devices for both (i) outdoor operations; and (ii) operation at higher power levels in the 5.15 – 5.25 GHz band (also called the U-NII-1 band).  The Report and Order also requires manufacturers to take steps to prevent unauthorized software changes to equipment in the U-NII bands, as well as to impose measures protecting weather and other radar systems in the band.

The practical impact of these rule changes is difficult to overstate.  By removing the operating restrictions in the U-NII-1 band, the FCC essentially doubled the amount of unlicensed spectrum in the 5 GHz band available to consumers.  In the near future, use of this spectrum will help to alleviate congestion on existing Wi-Fi networks, especially outdoor “hotspots” typically used at large public places like airports, stadiums, hotels and convention centers.  Two less-obvious, longer-term benefits also are worth watching.

First, the new IEEE 802.11ac standard for Wi-Fi was finalized in January 2014.  This next generation Wi-Fi standard is capable of delivering vast increases in raw throughput capacity to end-users, often approaching the holy grail of transfer speeds: 1 gigabit.  To achieve those speeds, wide channels of operation are required – channels that simply were not available to Wi-Fi devices.  Now that the U-NII-1 band has been unleashed for Wi-Fi usage, there should be little impediment to the near-term rollout of 802.11ac compatible devices.

This new standard will offer marked improvements in download speeds and streaming quality, and be a boon to consumers who increasingly rely on mobile devices for bandwidth intensive applications such as HD video.  Unsurprisingly, cable operators in particular are excited by the possibilities of this technology; on the day the Report and Order was released, Comcast Chief Technology Officer Tony Werner authored a lengthy blog post touting the possibilities of Comcast offering Gigabit Wi-Fi to its customers utilizing the U-NII-1 band.[2]

Second, in addition to the untempered enthusiasm of the MSOs, wireless carriers also have a stake in this unlicensed spectrum.  Specifically, as use of licensed mobile spectrum continues to expand exponentially, the wireless carriers will increasingly encourage wireless offloading as a means of addressing congestion and capacity issues on macro cellular networks.  For example, Cisco Systems estimates that 45% of global mobile data traffic was offloaded onto the fixed network through Wi-Fi or small cells in 2013.[3]

This transformation of 100 MHz of spectrum in the U-NII-1 band marks one part of a renewed focus on consumer broadband at the FCC.  In addition to unlicensed Wi-Fi, the FCC is also in the middle of a proceeding – covered in an earlier FCC Law Blog post[4] – to streamline rules for wireless infrastructure.  Taken together with the FCC’s release earlier this week of auction rules for 65 MHz of AWS-3 spectrum later this year, it becomes clear that although it is early yet, the Wheeler Commission is gaga for broadband.


[1] U-NII is the acronym for “Unlicensed National Information Infrastructure devices”, unintentional radiators which facilitate broadband access and wireless local area networking, including Wi-Fi.  A copy of the First Report and Order is available here.

[2] See Tony Werner’s blog post here.

[3] See Global Mobile Data Traffic Forecast Update, 2013-2018.

[4] See Sleeper “Small” Cells: The Battle Over The FCC’s Wireless Infrastructure Proceeding.