On February 23, WTA responded to the FCC’s NPRM on data breach reporting requirements. In its comments, WTA recommends that the FCC reassess its rules limiting the use of CPNI for marketing purposes, with the goal of eliminating, modifying, or forbearing from those that are no longer necessary or effective under current market conditions. WTA focused on the following recommendations:
It makes sense to have a single governmental point of contact for data breach reports. The most effective reform that the FCC can accomplish is to coordinate its reporting format with other federal and state agencies, so that the growing number of cybersecurity reporting requirements are consistent with each other to the greatest extent possible and the relatively small staffs of WTA’s member companies are not overburdened by a variety of differing reporting formats and timeframes for the same data breach incident.
The FCC should set a threshold for the number of customers affected by a CPNI data breach before the breach must be reported to the FCC, FBI and USSS. A threshold of 5,000 affected customers would appear to constitute a reasonable balance between the need for government assistance to investigate and recover from significant database breaches and the need to prevent government resources from being bogged down by the investigation of so many small breach incidents that they are unable to respond as fully and rapidly as needed to major incidents.
The existing Section 64.2011(e) definition of “breach” as an intentional action (that is, “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI”) is more than sufficient to encompass any and all CPNI data breaches that should be reported to and investigated by the Commission, FBI and USSS. An extension of the FCC’s reporting requirements to accidental or inadvertent access, use, or disclosure of CPNI is not warranted.