Court upholds FCC data breach reporting rules on telecom sector

A federal court has upheld the Federal Communications Commission’s authority to impose stricter data breach notification regulations on the telecom sector, including requirements that the industry notify customers when their personally identifiable information is exposed in a hack.

In a 2-1 decision, the U.S. Sixth Circuit Court of Appeals concluded that the FCC did not overstep its statutory authority last year when it updated existing data breach notification requirements to require telecoms to report on any customer PII lost during a data breach.

In its opinion, the majority wrote that “based on the statutory text, context, and structure, [existing law] gives the FCC the authority to impose reporting requirements in the event of a data breach of customer PII.”

In 2024, the FCC under the Biden administration updated the federal regulations governing how the telecom sector reports the impact of a data breach.

Under previous rules, telecoms were only required to report to the government when a breach exposed customer proprietary network information, which includes any customer information concerning the quantity, technical configuration, type, destination, location and amount of use of a telecommunication service.

The 2024 order concluded that telecoms are also responsible for safeguarding customer PII — a customer’s name, address, date of birth, etc. — along with “any information that is linked or reasonably linkable to an individual or device.” 

The expanded regulations were quickly challenged in court by trade groups representing telecommunications firms, including the Ohio Telecom Association, the Texas Association of Business and USTelecom.

In a consolidated case before the Sixth Circuit, the groups argued that the FCC lacked authority under the two laws they cited to include customer PII in data breach reporting requirements. They further argued that the 2024 order violated the Congressional Review Act, as Congress had formally moved to block a larger set of FCC Net Neutrality rules in 2016 that included a similar section on data breach notification.

In its decision, the court’s majority disagreed with the telecom groups’ argument that the FCC lacked the legal power to regulate poor data privacy practices or to make rules that go beyond information specified by Congress in the Communications Act.

Instead, the court concluded that Congress clearly intended for the federal government, and specifically the FCC, to regulate telecoms’ data privacy. Laws like the Federal Trade Commission Act not only give the FTC similar authority to regulate inadequate data privacy in other industries, they also specifically exempt telecommunications carriers because that industry’s data privacy regulation falls under FCC jurisdiction.

“Contrary to Petitioners’ assertions, this is not a situation in which an agency has ‘claim[ed] to discover in a long-extant statute an unheralded power to regulate “a significant portion of the American economy,”’” the majority wrote. “Rather, it is part of the FCC’s longstanding, flexible, and incremental application of [existing law] to data regulation in the evolving environment of data collection and retention.”

Former FCC officials and legal experts told CyberScoop that while the ultimate fate of the regulation is still uncertain, the Sixth Circuit’s decision is a clear win for the agency’s authority to regulate cybersecurity and data privacy.

In an interview with CyberScoop, Loyaan Egal, former chief of the FCC’s enforcement bureau, said he believes “most people thought this new expansion of data breach notification requirements was more than likely probably going to be rejected by the court, and surprisingly it wasn’t.”

Telecom groups could appeal the ruling to the Supreme Court. Current FCC Chair Brendan Carr was one of two commissioners to vote against the data breach notification rules last year. However, after taking the gavel this year, Carr has not moved to rescind the rules, and the FCC continues to vigorously defend their validity in court.

Over the past year, policymakers have been dealing with fallout from Chinese hackers who have systematically compromised U.S. telecommunications infrastructure.

Several sources told CyberScoop that the emergence of the Salt Typhoon and Volt Typhoon campaigns over the past year, as well as the revelation that hacking groups maintained access to telecom networks by exploiting widespread cybersecurity vulnerabilities, may have upended attempts to kill cybersecurity-related regulations like the FCC data breach rules.

Rick Halm, a cybersecurity attorney at law firm Clark Hill, said the FCC’s authority to regulate cybersecurity and data privacy has to be viewed through the lens of the persistent threats the sector is facing from hackers and foreign spies.

“I see this ruling against the backdrop of the looming national cybersecurity threat of Chinese infiltration of critical infrastructure in preparation to inflict damage if an actual conflict erupts,” Halm said.

Chevron’s dead, but cybersecurity regulations live on

In reaching its conclusion, the court cited Loper Bright Enterprises v. Raimondo — a 2024 Supreme Court case holding that courts, not federal agencies, have the authority to interpret congressional laws — at least 15 times.

When the Supreme Court ended the practice of automatically deferring to agencies’ interpretations of laws, many worried the shift could jeopardize the legality of cybersecurity regulations. That’s because many rules, like the FCC’s data breach regulations, depend on applying old laws to new technologies, which might not meet stricter legal scrutiny. 

But in this instance, the Sixth Circuit used its independent authority to agree with the FCC: regulating how firms handle and protect PII is a core part of the agency’s responsibilities.

Peter Hyun, a former chief of staff and acting enforcement chief at the FCC, told CyberScoop that “as a substantive matter, this was a clear signal that the FCC did not overreach here.”

“In other words, it is in its rightful lane, looking at the practices of these telecom carriers in order to ensure they were protecting customer information and PII,” he said.

However, other observers think future cybersecurity regulations will now face tougher standards.

“I think that this opinion is a warning shot to both the FCC and other federal agencies that you better be able to firmly tie any data privacy or cybersecurity rules directly to a clear statutory premise,” Halm said.

The court also determined that the agency did not violate the Congressional Review Act by proposing “substantially similar” regulation to data privacy regulations that had been formally blocked by Congress in 2016.

While the blocked 2016 order did include similar data breach notification requirements, the court determined it was “far more expansive, imposing a broad array of privacy rules on broadband Internet access services” than the FCC’s 2024 rule.

“The data breach notification requirements were a mere subset of the broader compendium of privacy rules in [the 2016] Order,” the majority wrote. “The 2024 Order, by contrast, addresses only data breach reporting requirements. The two rules are not substantially the same.”

The Sixth Circuit’s ruling appears to reaffirm “a narrower reading of the CRA than some companies would have liked,” Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals, told CyberScoop.

The majority’s conclusion earned a rebuke from Judge Richard Griffin, who wrote in his dissent that “our interpretation of the [Congressional Review Act] ought to elevate the will of Congress over that of an administrative agency.”

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
