Appeals Court Upholds FCC Data Breach Rules for Hacked Telecoms

p Connecting decision makers to a dynamic network of information people and ideas Bloomberg quickly and accurately delivers business and financial information news and insight around the world ppAmericas1 212 318 2000 ppEMEA44 20 7330 7500 ppAsia Pacific65 6212 1000 pp Connecting decision makers to a dynamic network of information people and ideas Bloomberg quickly and accurately delivers business and financial information news and insight around the world ppAmericas1 212 318 2000 ppEMEA44 20 7330 7500 ppAsia Pacific65 6212 1000 ppA federal appeals court delivered a victory to the Federal Communications Commission on Wednesday by upholding new and controversial data breach reporting requirements for telecommunications companies targeted in cyberattacksppThe court rejected consolidated challenges 2 to 1 from trade groups including the Ohio Telecom Association Texas Association of Business and USTelecom They argued the rules exceed the agencys authority and violated congressional restrictions Circuit Judge Jane Stranch found that the Communications Act of 1934s prohibition on unjust or unreasonable practices provided adequate authority for the breach notification requirements by allowing the agency to prescribe regulations as necessaryppThere is a direct connection between a carriers failure to disclose breaches of customers identifying information and its role in providing communication services read the opinion for the US Court of Appeals for the Sixth CircuitppThe disputed 2024 rule authorized during the Biden administration requires providers to notify the FCC of data breaches involving 500 or more customers personal data within seven business days The policy represents a major expansion from previous requirements that were limited in scope covering call records and billing data The new rule now covers personally identifiable information including Social Security numbers email addresses and biometric datappThe FCC has repeatedly imposed penalties and reached settlements with targeted mobile carriers In September 2024 the agency reached a 13 million deal with ATT Inc to resolve their dispute over a January 2023 data breach which lost some 9 million customers data Its reached similar deals with Verizon Communications Inc and TMobile US IncppThe rules opponents mounted a multipronged legal attack against the proposal arguing that Congress had rejected a similar rule in 2017 They also claimed that key sections of the law didnt provide sufficient authority for regulating PII The telecommunications industry warned that the expanded requirements would impose burdensome compliance costs while creating bureaucratic formalities for law enforcement agencies forced to account for each qualifying breach ppThe court found that carriers failure to notify customers and authorities about data breaches constituted practices in connection with communication services It rejected industry and dissenting arguments that this interpretation would grant the FCC unlimited regulatory scope ppJudge Raymond Griffin authored a fiery dissent first arguing that Congress and President Donald Trump in 2017 both rejected a similar rule after the FCC issued data breach requirements a year earlier under President Barack Obama Griffin also warned that the majoritys decision would allow agencies to circumvent Congressional disapproval through minor modifications since Congress had already rejected a similar 2016 order ppThe case is Ohio Telecom Association v Federal Communications Commission 6th Cir 2403133 81325ppTo contact the reporter on this story Kartikay Mehrotra at kmehrotrabloombergindustrycomppTo contact the editor responsible for this story Adam Ramirez at aramirezbloombergindustrycompp AIpowered legal analytics workflow tools and premium legal business news pp Log in to keep reading or access research tools p