A Primer on Broadband Providers’ “Reasonable” and “Good Faith” Privacy and Data Security Compliance Requirements under Section 222 of the Communications Act
Following the Federal Communications Commission’s (FCC or Commission) adoption of its 2015 Open Internet Order (the Order) reclassifying broadband services as a telecommunications service subject to Title II of the Communications Act (the Act), the FCC’s Enforcement Bureau released an advisory last month on broadband providers’ obligations to protect customer privacy under Section 222 of the Act. While the advisory reminded broadband providers of their new privacy obligations as telecommunications service providers, it shed little new light on how Section 222 would actually apply in the eyes of the Enforcement Bureau and how providers can proactively ensure that their existing privacy and data security practices comply. To gain further insight in this period of uncertainty, a broadband provider may wish to review carefully recent FCC enforcement decisions, as well as the guidance provided by other federal agencies, for a better understanding of whether additional steps are necessary for the provider to comply fully with Section 222.
The Open Internet Order and Section 222
In the 2015 Open Internet Order, the FCC reclassified broadband Internet access service (BIAS) from a Title I “information service” to a “telecommunications service” subject to common carriage-style regulation contained in Title II of the Communications Act. At the same time, the Commission exercised its forbearance authority under Section 10 of the Act and “forbore” from most of the requirements of Title II in an effort to maintain a “regulatory light-touch” on broadband services. One of the Title II requirements the FCC did apply to broadband, however, was Section 222 – the core privacy provision that has traditionally protected a telephone customer’s proprietary call-related information from disclosure or use by carriers under certain circumstances. That call-related information is defined as “customer proprietary network information,” or CPNI, by the Act. In finding that the current rules implementing Section 222 may not necessarily be well-suited to BIAS, the Commission retained the statutory provisions of Section 222 in the Order and forbore from its CPNI-based regulations promulgated under Section 222.
The Enforcement Bureau Advisory
The Enforcement Bureau advisory states that the statutory provisions of Section 222 themselves will apply to broadband providers when the Open Internet Order goes into effect and until such time as the Commission provides further guidance or adopts regulations applying Section 222 more specifically to BIAS. During this period, the Enforcement Bureau will look at whether providers are “taking reasonable, good-faith steps to comply with Section 222” rather than focusing on technical details, including “whether a provider’s acts or practices are reasonable and whether such a provider is acting in good faith to comply with Section 222.” The Enforcement Bureau also “intends that broadband providers should employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections.” Overall, the advisory reaffirms the FCC’s assertion in the Order and in recent enforcement cases that Section 222, combined with Section 201(b), requires a common carrier to take reasonable measures to protect a customer’s personal information, beyond just CPNI.
Interestingly, the advisory provides very little additional guidance on what constitutes the “reasonable, good-faith” steps a broadband provider should take to comply with Section 222. It only specifies that in instances when a carrier has questions about whether its “anticipated future course of conduct” comports with the Order, a decision to seek an advisory opinion from the FCC, while not required, will tend to show good faith. The advisory opinion process thus does not apply to a broadband provider’s existing products and offerings. Furthermore, the advisory does not discuss what types of “personal and proprietary information” fall within the scope of Section 222 beyond just CPNI in the telephone context. In addition, it is not entirely clear what the “core tenets of basic privacy protections” contemplated by the FCC are, or which privacy policies will be deemed “effective” in the eyes of the Enforcement Bureau. In short, the advisory raises more questions about a broadband provider’s duties under Section 222 than it answers.
Potential Sources for Additional Guidance on Section 222 Compliance
For broadband providers concerned about whether existing data security and privacy practices would run afoul of Section 222’s requirements, the Enforcement Bureau’s advisory provides little guidance on how to comply with the statutory mandate. In the absence of clear regulations or expectations, providers can seek helpful insights from the FCC’s enforcement decisions in the telephony context as well as guidelines and advice offered by other federal agencies.
First, the FCC has weighed in with its views. In two separate instances, the Commission has taken enforcement action based on its purported authority over data privacy and security found in the statutory language of Section 222. In an Order and Consent Decree with a major wireless carrier released in April, the Commission announced a new category of protected data, defined as “personal information,” which must be safeguarded by entities subject to Title II of the Communications Act. The FCC defined this newly minted term as “(1) an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (A) Social Security number; (B) driver’s license number or other government-issued identification card number; or (C) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or (2) a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”
The remedial measures in that case are particularly instructive. The FCC and the major wireless carrier agreed to a compliance plan that requires the carrier to appoint a senior compliance manager who is privacy certified, conduct a privacy risk assessment, implement an information security program, prepare a compliance manual, and conduct employee training. Broadband providers subject to Title II’s requirements should carefully review the consent decree and ensure that their data security and privacy practices both (1) protect the types of data covered by the definition of “personal information” and (2) are consistent with the activities required by the compliance plan.
Second, law enforcement is also providing guidance. In April, the Cybersecurity Unit of the Computer Crime and Intellectual Property Section at the U.S. Department of Justice’s Criminal Division issued a set of best practices for organizations to prepare for, respond to, and manage cyber incidents. The document includes a “Cyber Incident Preparedness Checklist” that describes the steps an organization should take before, during, or after a cyberattack or intrusion, such as creating an actionable incident response plan, having procedures in place that will permit lawful network monitoring, and conducting a post-incident review to identify deficiencies in the planning and execution of the incident response plan. A broadband provider’s ability to demonstrate that it has carefully reviewed and implemented the steps identified by the checklist could help show that it has met the “reasonable and good faith” test for protecting customer privacy under Section 222.
Finally, expert technical bodies are evaluating and providing tips and best practices. Among its many activities in the data security area, the National Institute of Standards and Technology (NIST) recently released a draft privacy risk management framework for federal information systems and is currently seeking public comment on the framework. Specifically, NIST has developed three privacy engineering objectives—“predictability, manageability, and disassociability”—for the purposes of “facilitating the development and operation of privacy-preserving information systems.” To help federal agencies implement the framework in a practical way, NIST has also developed the Privacy Risk Assessment Methodology (PRAM) worksheets that could be used to “frame business objectives and privacy governance, and assess system design and privacy risk.” While the framework has been designed for federal information systems, broadband providers may nevertheless wish to review and utilize the PRAM as part of their efforts to employ “effective privacy protections” that may be considered in line with “the core tenets of basic privacy protections.”
While these are not the only authorities the FCC may consult in determining if BIAS providers’ data security practices are “reasonable,” they provide a baseline for an initial review. Until further guidance—and final FCC rules—are forthcoming, BIAS providers would be well-advised to keep abreast of developments in the area of data security best practices across federal agencies.