Current through September 30, 2024
Section 64.5111 - [Effective on an indefinitely delayed date] Notification of security breaches

(a) Commission and Federal law enforcement notification. Except as provided in paragraph (a)(3) of this section, as soon as practicable, but not later than seven business days, after reasonable determination of a breach, a TRS provider shall electronically notify the Disability Rights Office of the Federal Communications Commission's (Commission) Consumer and Governmental Affairs Bureau, the United States Secret Service (Secret Service), and the Federal Bureau of Investigation (FBI) through a central reporting facility. The Commission will maintain a link to the reporting facility on its website.

(1) A TRS provider shall, at a minimum, include in its notification to the Commission, Secret Service, and FBI:

(i) The TRS provider's address and contact information;
(ii) A description of the breach incident;
(iii) A description of the customer information that was used, disclosed, or accessed;
(iv) The method of compromise;
(v) The date range of the incident;
(vi) The approximate number of customers affected;
(vii) An estimate of financial loss to the provider and customers, if any; and
(viii) The types of data breached.

(2) If the Commission, or a law enforcement or national security agency notifies the TRS provider that public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security, such agency may direct the TRS provider not to so disclose or notify for an initial period of up to 30 days. Such period may be extended by the agency as reasonably necessary in the judgment of the agency. If such direction is given, the agency shall notify the TRS provider when it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security. The agency shall provide in writing its initial direction to the TRS provider, any subsequent extension, and any notification that notice will no longer impede or compromise a criminal investigation or national security, and such writings shall be contemporaneously logged on the same reporting facility that contains records of notifications filed by TRS providers.

(3) A TRS provider is exempt from the requirement to provide notification to the Commission and law enforcement pursuant to paragraph (a) of this section of a breach that affects fewer than 500 customers and the carrier reasonably determines that no harm to customers is reasonably likely to occur as a result of the breach. In circumstances where a carrier initially determined that it qualified for an exemption under this paragraph (a)(3), but later discovers information such that this exemption no longer applies, the carrier must report the breach to Federal agencies as soon as practicable, but not later than within seven business days of this discovery, as required in this paragraph (a).

(b) Customer notification. Except as provided in paragraph (a)(2) of this section, a TRS provider shall notify affected customers of breaches of covered data without unreasonable delay after notification to the Commission and law enforcement as described in paragraph (a) of this section, and no later than 30 days after reasonable determination of a breach. This notification shall include sufficient information so as to make a reasonable customer aware that a breach occurred on a certain date, or within a certain estimated timeframe, and that such a breach affected or may have affected that customer's data. Notwithstanding the foregoing, customer notification shall not be required where a TRS provider reasonably determines that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the provider has definitive evidence that the encryption key was not also accessed, used, or disclosed.

(c) Recordkeeping. A TRS provider shall maintain a record, electronically or in some other manner, of any breaches discovered, notifications made to the Commission, Secret Service, and the FBI pursuant to paragraph (a) of this section, and notifications made to customers pursuant to paragraph (b) of this section. The record shall include, if available, the dates of discovery and notification, a detailed description of the covered data that was the subject of the breach, the circumstances of the breach, and the bases of any determinations regarding the number of affected customers or likelihood of harm as a result of the breach. TRS providers shall retain the record for a minimum of 2 years.

(d) Annual reporting of certain small breaches. A TRS provider shall have an officer, as an agent of the provider, sign and file with the Commission, Secret Service, and FBI, a summary of all breaches occurring in the previous calendar year affecting fewer than 500 individuals and where the provider could reasonably determine that no harm to customers was reasonably likely to occur as a result of the breach. This filing shall be made annually, on or before February 1 of each year, through the central reporting facility, for data pertaining to the previous calendar year.

(e) Definitions.

(1) As used in this section, a "breach" occurs when a person, without authorization or exceeding authorization, gains access to, uses, or discloses covered data. A "breach" shall not include a good-faith acquisition of covered data by an employee or agent of a TRS provider where such information is not used improperly or further disclosed.

(2) As used in this section, "covered data" includes:

(i) A customer's CPNI, as defined by section 64.5103;
(ii) Personally identifiable information, as defined by section 64.2011(e)(5); and
(iii) The content of any relayed conversation within the meaning of § 64.604(a)(2)(i).

(3) As used in this section, "encrypted data" means covered data that has been transformed through the use of an algorithmic process into a form that is unusable, unreadable, or indecipherable through a security technology or methodology generally accepted in the field of information security.

(4) As used in this section, "encryption key" means the confidential key or process designed to render encrypted data useable, readable, or decipherable.

(f) This section does not supersede any statute, regulation, order, or interpretation in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this section, and then only to the extent of the inconsistency.

78 FR 40613, July 5, 2013; 89 FR 10003, effective date to be determined

Effective Date Note: At 78 FR 40613, July 5, 2013, § 64.5111 was added. This section contains information collection and recordkeeping requirements and will not become effective until approval has been given by the Office of Management and Budget.