Executive Summary
Communications service providers, including telecommunications carriers, interconnected Voice Over Internet Protocol providers, and telecommunications relay service ("TRS") providers, collect many types of sensitive customer data, including Customer Proprietary Network Information (CPNI) and personally identifiable information (PII). Improper use or disclosure of sensitive customer data, following a cyberattack or otherwise, can be harmful to consumers.
On August 13, 2025, the Sixth Circuit Court of Appeals issued an Opinion upholding the Federal Communications Commission's ("FCC") 2024 revisions to its data breach reporting and customer notification rules ("Revised Rules").
The FCC's order issuing the Revised Rules directs the FCC's Wireline Competition Bureau to publish notice of the effective date of the Revised Rules in the Federal Register, so the date on which compliance becomes mandatory turns on that publication. Covered communications service providers should therefore take steps now, including a review and update of their security practices and incident response procedures, in order to be prepared to comply with the Revised Rules when they take effect.
Background
In 2007, the FCC promulgated a breach notification rule requiring telecommunications carriers to notify law enforcement and customers of security breaches involving CPNI. The FCC subsequently extended CPNI protections to TRS providers.
In 2016, the FCC revised the breach notification rules as part of a proceeding addressing privacy requirements for broadband internet access service providers. In 2017, Congress nullified those rule revisions under the Congressional Review Act (CRA).
In 2024, following a Notice of Proposed Rulemaking (NOPR), the FCC adopted the Revised Rules in an order (the "2024 Order"). The Revised Rules:
- Expand the scope of the rules to include PII in addition to CPNI;
- Expand the definition of breach to include inadvertent access, use or disclosure of customer information (subject to exceptions);
- Require telecommunications carriers to notify the FCC (in addition to the Secret Service and the FBI) following a breach;
- Remove the requirement to notify customers of a data breach where a) a carrier can reasonably determine that no harm to customers is reasonably likely to occur; or b) the breach exclusively involves encrypted data, and the carrier can confirm that the encryption key was not compromised; and
- Eliminate the previous waiting period for customer notification and replace it with the requirement to provide notice promptly.
Various parties petitioned for review of the FCC's 2024 Order in several circuit courts of appeals; the petitions were consolidated and transferred to the Sixth Circuit.
The FCC Has Authority to Issue the Revised Rules
The challenging parties claimed that the 2024 Order exceeded the FCC's statutory authority and violated the CRA.
Judge Stranch, writing for the majority, concluded that Section 201(b) of the Communications Act, 47 U.S.C. § 201(b), gives the FCC authority to impose the Revised Rules. Section 201(b) provides that any "charge, practice, classification, or regulation" "in connection with [a] communication service" that is "unjust or unreasonable" shall be "declared . . . unlawful," and authorizes the FCC to "prescribe such rules and regulations as may be necessary" to carry out those provisions.
The FCC contended that "inadequate data breach reporting" is an unjust or unreasonable "practice" "in connection with" a communications service. The challengers argued that Section 201(b) gives the FCC only limited authority to regulate "practices" representing "carrier conduct that is an inherent or necessary aspect of providing a communications service to customers, e.g. setting rates and classifying services," and that a carrier's handling of data breaches involving PII is therefore not a "practice" under the statute.
The Opinion concluded that "a carrier's failure or refusal to notify customers and government entities of a data breach involving customer PII is among those practices" covered by Section 201(b). In support of its conclusion, the Opinion cited several "practices" that the FCC has regulated under Section 201(b) (refusal to pay payphone operator compensation; failure to follow settlement practices; deceptive marketing; and formation of exclusive contracts with commercial building owners) and rejected the challengers' narrow reading.
The Opinion also determined that the 2024 Order did not violate the CRA.
Key Takeaways
The Sixth Circuit has confirmed that the FCC's authority over unjust and unreasonable practices under Section 201(b) extends to the data security and breach notification practices of communications service providers. Covered providers need to prepare to comply with the Revised Rules, including by assessing the security practices that protect CPNI and PII. Two points deserve particular attention. First, the customer notification exception for encrypted data is available only where the breach involves exclusively encrypted data and the carrier can confirm that the encryption key was not compromised; carriers considering encryption of CPNI and PII should therefore ensure that key management and access records are sufficient to support such a determination. Second, incident response programs should be updated to reflect the Revised Rules, including the expanded definition of breach (which covers inadvertent access, use or disclosure), the requirement to notify the FCC in addition to the Secret Service and the FBI, the harm-based determination that governs whether customer notification may be omitted, and the replacement of the former waiting period with a prompt notification requirement.
Need help understanding and developing a practical approach to data security and compliance with the Revised Rules? Please contact us or your regular Nelson Mullins contact for further information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.