Trade Groups Urge 6th Circuit to Set Aside FCC’s Data Breach Notification Rule
The costs of complying with the FCC’s updated data breach notification rule “detract from the core work” of five trade associations' small-business members “to connect existing and new customers in hard-to-serve areas and close the digital divide,” said those trade groups in an amicus brief Wednesday in the 6th U.S. Circuit Appeals Court. Joining the brief were ACA Connects, the Competitive Carriers Association, NTCA, the Wireless ISP Association and WTA.
The groups’ brief supports the five petitioners seeking to invalidate the rule as contrary to law because it imposes certain duties on telecom carriers, VoIP providers and telecommunications relay service providers. The issue concerns unauthorized access to or disclosure of customer proprietary network information (CPNI) and personally identifiable information (PII) (see 2402210026). The petitioners are the Ohio Telecom Association (docket 24-3133); the Texas Association of Business (docket 24-3206); and CTIA, NCTA and USTelecom (docket 24-3252).
The associations’ members “generally lack access to resources and economies of scale to make it practical for them to absorb substantial regulatory changes or to comply with conflicting and overlapping rules across jurisdictions,” the brief argues. The FCC’s rule undercuts Congress’ fundamental connectivity goals “by adopting burdensome data breach reporting requirements that exceed the FCC’s legal authority,” it continued.
The associations’ members “play an essential role in delivering high-speed broadband connectivity, leveraging limited resources to invest in their communities, many of which would be overlooked” if not for the members’ “ongoing efforts and investment,” said the brief. The rule undermines congressional connectivity goals by unnecessarily and unlawfully imposing significant compliance costs on the associations’ members, it said. Most members “lack dedicated privacy teams and in-house attorneys to navigate the requirements that the FCC has stacked atop existing state and federal data breach notification laws,” it said.
The rule applies data breach reporting requirements to a “broad swath” of PII, “which the FCC is not generally empowered to regulate absent specific direction from Congress,” said the brief. Consistent with the Communications Act, the FCC has long maintained data breach requirements governing CPNI, “which is a narrower set of telecommunications-specific customer data,” it said.
Congress previously disapproved of “substantially the same regulation” under the Congressional Review Act (CRA), said the brief. Attempting to “overrule” clear congressional disapproval “is inconsistent with the CRA and thus violates the Administrative Procedure Act,” it said.
The FCC also failed to provide notice that “satisfies” the APA, the brief said. Through the CRA, Congress directed the FCC “to take a measured approach to privacy” that aligns with congressional connectivity goals, it said. The agency has “disregarded” congressional direction, and so the 6th Circuit should set aside the rule, it said.