Who Governs what with Data Privacy Breaches – the FCC or FTC?
A question often fielded from other attorneys is which agency governs privacy, data protection and cybersecurity over the Internet – the FCC or the FTC. Well, the Internet runs on the rails of communication data lines provided by communications providers. The data that crisscrosses those lines comes to reside in the physical networks and data centers of persons (real or corporate) who own, possess, or control it. These two worlds are interfaced by end-users (real or corporate) who, from a computer or device, create, input, or manipulate the content being passed over those rails to those data points, be it for commercial, private, or nefarious purposes.
The FCC governs all things transmitted over wire or radiofrequency (wireless, point-to-point and via satellite transit). The FCC equally governs all equipment that connects communications and Internet access – this is why you see the FCC label on consumer and commercial electronic equipment and devices. If it enables access to transmit or receive voice or data via the communication (data) lines or uses radio frequency (be it an inch or a thousand miles), that equipment is governed by the FCC. The FTC governs end-users who operate content through computers and devices for commercial purposes, be it legitimate or nefarious. They also come into play when a private company has a breach of sensitive and identifiable consumer information that may implicate identity theft or the like. Where the activity or medium is more related to the “rails of communications” (for example, unlawful robotexts), the FCC controls.
Classic FCC examples are found where carriers or providers allegedly abuse consumer marketing practices or charges for voice services – the FCC steps in with enforcement actions or referral to the DOJ for federal litigation. It starts as an administrative process and laterals court enforcement to the DOJ. The FCC and the OIG-FCC have no direct litigation authority, so the DOJ enforces violations in the courts. The FTC has the direct power to sue on behalf of consumers in federal court, apart from its administrative proceeding processes. Classic FTC examples of direct litigation are found in cases going against online/e-commerce-based MLMs for fraudulent misrepresentation of claims of the goods or services or failures to abide by the FTC’s business opportunity rule.
That said, there is something interesting going on at the FCC related to consumer privacy, data protection, data breaches and national cybersecurity after enactment of the federal Secure and Trusted Communications Networks Act of 2019, Public Law 116–124 (Mar. 12, 2020), amending 47 USC 1601 and 47 USC 1607 (“STCNA”). This slight pivot by the FCC is within its authority and focus under the Comm. Act but may be showing how the FCC is going to enforce data privacy and security issues “on the rails.”
The Federal Secure and Trusted Communications Networks Act – Refreshed Role
The Act crept into existence in early 2020, and rules and enforcement organization by the FCC seem to have been minimal until 2023. STCNA addresses two areas that the FCC governs under the Federal Comm. Act for the specific purpose of tightening the protection of data and networks used for communication and internet access: 1) determination and prohibition of what equipment (Part 15 or otherwise) or services pose national security risks; 2) reimbursement through federal subsidies of qualified advanced communication service providers of 2M or fewer customers (woo-hoo gov’t cash back – with strings like audits and investigations attached) who remove, replace and dispose of equipment or services determined as a risk by the FCC; and 3) sharing of information obtained from trusted providers of advanced communications services and their suppliers with the NIS, FBI, Department of Homeland Security, and national security agencies.
The thrust of the new powers and responsibility of the FCC focuses on threats by advanced communications providers and the equipment they use, in the event of a data breach, incursion, or a widespread DoS attack through their networks. However, equally important is information sharing with other law enforcement agencies.
Enter CPNI Rule upgrades & The FCC’s “Privacy and Data Protection Task Force”
Against this new role backdrop, 2023 was an interesting year for the folks at the FCC. The Commish took an overall look at the network security and cybersecurity rules around breaches of Customer Proprietary Network Information (CPNI) by telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) as well as cable and satellite providers who acquire and use sensitive customer information in their operations. The last time the FCC moved on this topic was over 16 years ago, when the carrier or provider only had to report breaches to the FBI and Secret Service.
Those Rules did need a bit of dusting off and timeliness added with regard to data breaches. The old Rules required carriers and providers to give notice of the breach to the FBI and Secret Service, but not the Commission. The old Rules also did not require consumer notification like similar data breach laws and rules for those regulated outside the Federal Communications Act (“CSA”). Then came 2022 and 2023. Those years saw a number of U.S. VoIP providers crippled by ransomware attacks and other types of security incursions, something that had not been seen by those providers for years. The personal information at risk in those attacks – CPNI.
Now, the FCC-regulated carriers and providers have long had certain CPNI obligations. Section 222 of the CSA (and subsequent FCC Orders and Rules) confers on “[e]very telecommunications carrier” a “duty to protect the confidentiality of proprietary information” of “customers.” It also limits the circumstances under which either a provider or carrier may “use, disclose, or permit access to” certain customer information called CPNI. See 47 U.S.C. §§ 222(a), (c), 222(h)(1) and 47 CFR § 64.2003(o) [as applied to VoIP].
Problem is that, other than reporting to other agencies and a once-a-year certification that there were or were not data breaches of CPNI, the FCC was relatively toothless on the front end of CPNI breaches. Carriers and providers generally might get slapped with an after-the-fact fine (forfeiture) as a result of a data breach. Likewise, neither the CSA nor the Commish’s Rules really defined what a data breach is until after the STCNA.
On January 6, 2023, the FCC launched a Notice of Proposed Rulemaking on CPNI and data breaches that was more aligned with federal and state data breach laws covering other industries and sectors. Chief among the Rule upgrades was the scope of what is considered a reportable breach and when the FCC must be notified. First, the scope of breach notification was expanded beyond prior concepts of CPNI. This aligned with other federal laws on personally identifiable information of consumers/subscribers. Breach under the CSA was defined along similar lines but now includes inadvertent access, use or disclosure of such information by not only providers and employees, but also their outsourced agents and suppliers of tertiary services. The only exception to this is where the information was acquired in good faith and such information was not improperly used or disclosed. Basically, where there is a technical access violation but no improper use or disclosure. This was the first time in 16 years that the Commission’s Rules aligned with modern concepts of data breach and improper disclosure.
Here is where the Task Force at the FCC Enforcement Bureau (EB) comes into the picture. This “internal working group” at the FCC was formed in mid-June of 2023. Its purpose is to investigate and enforce violations of the Commission’s privacy and data protection laws and rules and CPNI data breaches, as well as to coordinate and enforce the STCNA. This team has been amped up a bit with additional staffers with data protection and national security experience and TS/SCI clearances in order to review classified information and better coordinate with law enforcement and national security peers.
This is not something new for some of us who have interacted with the EB in recent years. FCC practitioners should not be surprised by the makeup of the Task Force. Before the pandemic shutdowns, an array of newbies entered the EB that were either new hire attorney advisors or lateraled from Dept of Homeland Security or the DOJ. It seemed to some of us at the time like a waste of talent placing them on typical FCC investigations and NALs. Looks like the Commish was lining them up all along to target data privacy, CPNI security and supplier/equipment chains from a national security perspective.
Part of the “ongoing mission” for the crew of the FCC’s Privacy and Data Protection Task Force also seems to be information collection, processing, sharing and coordination when it comes to regulated carriers and providers and their equipment and outsourced service providers when a data breach occurs. This information sharing seems to be more than just being advised of risks and sharing things for national security interest. On December 6, 2023, the FCC announced the Task Force’s MOU partnership with the Attorneys General of four (4) states. [Not sure how a bunch of staffers in an internal working group at the FCC distinctively enter into a written MOU, but to escape a legal conundrum let’s just assume it’s really just the Commish – because it is.] The partnership highlights information sharing and investigation cooperation.
This is a similar strategy to the one the FCC employed with its efforts to mitigate robocalls and consumer complaints. The Commission laterally referred down the enforcement violations against intermediate providers to the state attorneys general. One of the major actions in this was in Indiana, until a state law change scuttled a federal lawsuit against a state provider. A similar MOU strategy may now be under way for data privacy protection and data breaches against carriers and advanced communication providers. Time and how the Task Force moves next will tell on this.
Why Address Mobile Data Privacy First?
The Commish has correctly noted in its recent Rule and enforcement moves on data privacy that 97% of current communication and data users are mobile phone users. This includes ACP mobile devices funded by traditional Low-Cost Subsidies (Obama Phones), ACP devices as well as commercially subscribed phones, tablets, devices (Apple Watches, etc.) and prepaid MVNO SIM cards for national and international calling. A mentor of mine once said something relatively prophetic about new laws and regs. “Regulations ratchet up, not down, until the law or the rule is outdated – Problem is technology innovations usually outpace the promulgated rule about six months after it takes effect.” One area of the industry that has been more stable in recent years, ergo the growth, is wireless services and access. The ordinary American today, old or young, is a slave to their smartphone. They are connected 24/7. Mobile apps for accessing life’s necessities, social media uploads and downloads, short-form videos, mobile marketing, it’s all converged on the smart mobile device (a minicomputer) and wireless access account.
Mobile and International Mobile is clearly on the minds of the folks over at the Commish. Simply look at the timeline of its Rule updates, enforcement actions and reporting requirements in 2023 on advanced communications providers and carriers. The focus is clearly Mobile data protection first:
January 6, 2023 – FCC Proposes Updated Data Breach Reporting Requirements
April 25, 2023 – FCC Proposes Periodic Reviews of International Telecom Authorizations
June 14, 2023 – FCC Launches Privacy and Data Protection Task Force
July 11, 2023 – FCC Proposes Rules to Protect Consumers’ Cell Phone Accounts
July 28, 2023 – FCC Proposes $20M Fine for Apparently Failing to Protect Consumer Data
August 10, 2023 – FCC Proposes Cybersecurity Labeling Program for Smart Devices
December 6, 2023 – FCC Launches First-Ever Enforcement Partnerships with State Attorneys General
December 11, 2023 – FCC Reminds Carriers of SIM Fraud Prevention Obligations
December 21, 2023 – FCC Adopts Updated Data Breach Notification Rules to Protect Consumers
Busy little beavers weren’t they in 2023. Must be an election year coming up.
Early Enforcement Agendas
Two immediate issues regarding Mobile Data Privacy high in the priority of the folks at the FCC are issues of privacy protection around government subsidies and outright criminal fraud. This can be seen in the July 2023 NAL against South Florida MVNO Q Link Wireless LLC and Hello Mobile Telecom LLC. Those of you in South Florida may remember a few years back when a federal raid occurred at the offices of a local wireless reseller in the Fort Lauderdale area. TV cameras captured various federal law enforcement agents seizing documents and computers in relation to a subpoena. It appears that the subpoena likely came from the FCC’s OIG and the EB in relation to a subsidy and CPNI investigation. Then all things went quiet on that until July 28, 2023. The FCC announced a $20 million NAL for CPNI violations. Not really clear if all those subpoenas were really about the CPNI violations, but in the end the Task Force got the credit even though it was more likely the FCC’s OIG that was behind that investigation.
Subsequently, the FCC issued a warning on SIM swapping. It appears to be the next target of enforcement and rightfully so. Perpetrators typically swap SIMs to either defraud or commit other crimes. Basically, it is like stealing a subscriber’s identity and mobile access to either impersonate that subscriber and defraud them of money or to use the service to mask some other fraudulent or illegal activity. Even within the notice the FCC cites numerous criminal cases as a predicate. I repost these here just to give a flavor.
Press Release, U.S. Dep’t of Justice, San Antonio Pair Plead Guilty to SIM Swap Scheme (Oct. 12, 2022), https://www.justice.gov/usao-wdtx/pr/san-antonio-pair-plead-guilty-sim-swap-scheme;
Press Release, U.S. Dep’t of Justice, California Resident Pleads Guilty for His Role in Sim Swap Scam Targeting at Least 40 People, Including New Orleans Resident (May 18, 2022), https://www.justice.gov/usao-edla/pr/california-resident-pleads-guilty-his-role-sim-swap-scam-targeting-least-40-people;
Alina Machado, Woman Loses Life Savings in SIM Swap Scam, NBC Miami (Aug. 26, 2022), https://www.nbcmiami.com/responds/woman-loses-life-savings-in-sim-swap-scam/2845044/;
Press Release, U.S. Dep’t of Justice, Two Men Facing Federal Indictment in Maryland for Scheme to Steal Digital Currency and Social Media Accounts Through Phishing and “Sim-Swapping” (Oct. 28, 2020), https://www.justice.gov/usao-md/pr/two-men-facing-federal-indictment-maryland-scheme-steal-digital-currency-and-social-media;
Press Release, U.S. Dep’t of Justice, Nine Individuals Connected to a Hacking Group Charged With Online Identity Theft and Other Related Charges (May 9, 2019), https://www.justice.gov/usao-edmi/pr/nine-individuals-connected-hacking-group-charged-online-identity-theft-and-other;
Lorenzo Franceschi-Bicchierai, Hacker Who Stole $5 Million By SIM Swapping Gets 10 Years in Prison, Vice (Feb. 1, 2019), https://www.vice.com/en/article/gyaqnb/hacker-joel-ortiz-sim-swapping-10-years-in-prison.
This priority makes sense for the Task Force. It encompasses a trifecta under the Commission’s revised powers under STCNA, CPNI enforcement and Mobile Services.
Watch And Wait
I hate to say it… but the best takeaway from all of the recent activity is simply to watch and wait. If I were to speculate, I would say that the next thrust of enforcement of Data Privacy Protection from the Task Force will continue to focus on mobile services and providers on a more expanded basis (and possibly tertiary outsourced providers to this group) while simultaneously beginning review of an array of equipment used to access the Internet and voice services. It’s also clear that SIM swapping will continue to be a high priority for the Task Force in the coming days. While criminals are individually responsible for the crimes they commit via SIM swapping, carriers can mitigate occurrences if they know their SIM cards are popular mediums for these criminals. We may actually see another set of rulemaking come out from the FCC in regard to this aspect before a major SIM swapping crackdown. Absent something like that, any Enforcement Bureau action and Commission Forfeiture Order on provider liability for SIM swapping would have some substantial legal speed bumps in the federal courts. However, one thing is clear. The Commission is now focused on data privacy issues and breaches whether it causes risk to national security interests, violates modern concepts of data protection, or is enabled by providers using equipment that’s prohibited under STCNA or criminals.
From a practitioner’s perspective, as much as the rules tighten up so should carrier and provider compliance review and measures. Wireless providers, resellers, MVNOs and SIM-based prepaid providers should be keenly aware right now. It also seems like the long-term role of the Task Force is still settling itself. It’s an internal team at the EB for now. This, however, could evolve into something more along the lines of a clearinghouse of information and enforcement efforts, apart from the ones that the EB cherry-picks as a clear example of a violator. I myself believe that it is best that practitioners simply pause and watch what’s going on over the next 12 months to really have a good picture of how FCC enforcement of data privacy will develop. No matter which way it goes, it will clearly involve CPNI and it will clearly involve the equipment used by providers and MVNOs.
No matter what position you take on this topic as a Digital Jurist, it is definitely a good idea to be aware of how it’s developing. I encourage you to give your thoughts and comments to this post as a practitioner. It’s only going to get more interesting from here on out. Let’s figure things out together.





