PII, PHI, GIPA, HIPAA, GDPR, CCPA, CPRA, PIPL, PIPEDA… there are many acronyms in data privacy regulation and customer privacy. The latest data privacy acronym in the news is CPNI – Customer Proprietary Network Information. What is CPNI? CPNI includes customer data collected by telecommunications providers, including what services subscribers use and the amount and type of usage. The Federal Communications Commission (FCC) is proposing stricter reporting requirements for telecommunications companies to better protect CPNI and maintain CPNI compliance. This will strengthen the FCC’s rules for notifying customers as well as federal enforcement of breaches.
With the increased frequency and severity of security breaches involving customer information, the FCC’s proposed updates will better align with recent developments in federal and state data breach laws covering other sectors, according to the FCC press release announcing the new requirements.
“Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers,” states FCC chairwoman, Jessica Rosenworcel.
What customer information is protected under CPNI?
CPNI includes sensitive personal information that carriers and providers have about their customers, including who a customer made calls to and when, where those calls were made, customers’ billing account name, phone number, account number, and information about their plan, according to the FCC.
If this proposal passes, telecommunications carriers would have to follow new FCC CPNI rules about how they notify customers and the government following a data breach. The proposal outlines several updates to current FCC rules addressing telecommunications carriers’ breach notification requirements:
- Eliminating the current seven business day mandatory waiting period for notifying customers of a breach
- Expanding customer protections by requiring notification of inadvertent breaches
- Requiring carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service
According to the FCC, the proposed rules will further advance its efforts to keep pace with evolving cybersecurity threats and protect consumers.
The proposal aims to ensure that the FCC and other federal law enforcement agencies “receive the information they need in a timely manner so they can mitigate and prevent harm due to the breach and take action to reduce the likelihood of future incidents.”
This proposal is just the beginning of the rule-changing process, according to The Verge. Just last September, the FTC issued a Policy Statement clarifying its Health Breach Notification Rule, which exists to “ensure that entities who are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) nevertheless face accountability when consumers’ sensitive health information is compromised.”
Staying ahead of privacy laws and regulations
Privacy and security professionals know that data breach notification laws and data privacy regulations are constantly in flux; keeping up with the ever-evolving landscape can be challenging.
In a recent installment of The Privacy Collective, Kelly Matoney, executive director of privacy at Vista Consulting Group, discussed global privacy and the biggest trends in privacy regulatory enforcement with Lauren Wallace, RadarFirst’s chief privacy officer and general counsel.
With so much to monitor and track, Matoney says, “it’s just nearly impossible to do this work without leveraging technology.”
Privacy pros can stay current with existing and proposed legislation with Breach Law Library, a free, global data breach notification law library that is always one step ahead with up-to-date overviews of global data breach notification laws and privacy regulations within all 50 U.S. states.
While data privacy laws are complicated, data breach notification doesn’t have to be. Radar provides privacy incident response in half the time, with built-in decision support guidance for all of the data breach notification laws.