Goto Section: 64.2010 | 64.2101 | Table of Contents

FCC 64.2011
Revised as of October 1, 2014
Goto Year:2013 | 2015
§ 64.2011   Notification of customer proprietary network information security
breaches.

   (a) A telecommunications carrier shall notify law enforcement of a
   breach of its customers' CPNI as provided in this section. The carrier
   shall not notify its customers or disclose the breach publicly, whether
   voluntarily or under state or local law or these rules, until it has
   completed the process of notifying law enforcement pursuant to
   paragraph (b) of this section.

   (b) As soon as practicable, and in no event later than seven (7)
   business days, after reasonable determination of the breach, the
   telecommunications carrier shall electronically notify the United
   States Secret Service (USSS) and the Federal Bureau of Investigation
   (FBI) through a central reporting facility. The Commission will
   maintain a link to the reporting facility at
   http://www.fcc.gov/eb/cpni.

   (1) Notwithstanding any state law to the contrary, the carrier shall
   not notify customers or disclose the breach to the public until 7 full
   business days have passed after notification to the USSS and the FBI
   except as provided in paragraphs (b)(2) and (b)(3) of this section.

   (2) If the carrier believes that there is an extraordinarily urgent
   need to notify any class of affected customers sooner than otherwise
   allowed under paragraph (b)(1) of this section, in order to avoid
   immediate and irreparable harm, it shall so indicate in its
   notification and may proceed to immediately notify its affected
   customers only after consultation with the relevant investigating
   agency. The carrier shall cooperate with the relevant investigating
   agency's request to minimize any adverse effects of such customer
   notification.

   (3) If the relevant investigating agency determines that public
   disclosure or notice to customers would impede or compromise an ongoing
   or potential criminal investigation or national security, such agency
   may direct the carrier not to so disclose or notify for an initial
   period of up to 30 days. Such period may be extended by the agency as
   reasonably necessary in the judgment of the agency. If such direction
   is given, the agency shall notify the carrier when it appears that
   public disclosure or notice to affected customers will no longer impede
   or compromise a criminal investigation or national security. The agency
   shall provide in writing its initial direction to the carrier, any
   subsequent extension, and any notification that notice will no longer
   impede or compromise a criminal investigation or national security and
   such writings shall be contemporaneously logged on the same reporting
   facility that contains records of notifications filed by carriers.

   (c) Customer notification. After a telecommunications carrier has
   completed the process of notifying law enforcement pursuant to
   paragraph (b) of this section, it shall notify its customers of a
   breach of those customers' CPNI.

   (d) Recordkeeping. All carriers shall maintain a record, electronically
   or in some other manner, of any breaches discovered, notifications made
   to the USSS and the FBI pursuant to paragraph (b) of this section, and
   notifications made to customers. The record must include, if available,
   dates of discovery and notification, a detailed description of the CPNI
   that was the subject of the breach, and the circumstances of the
   breach. Carriers shall retain the record for a minimum of 2 years.

   (e) Definitions. As used in this section, a "breach" has occurred when
   a person, without authorization or exceeding authorization, has
   intentionally gained access to, used, or disclosed CPNI.

   (f) This section does not supersede any statute, regulation, order, or
   interpretation in any State, except to the extent that such statute,
   regulation, order, or interpretation is inconsistent with the
   provisions of this section, and then only to the extent of the
   inconsistency.

   [ 72 FR 31963 , June 8, 2007]

   return arrow Back to Top

Subpart V--Recording, Retention and Reporting of Data on Long-Distance
Telephone Calls to Rural Areas and Reporting of Data on Long-Distance
Telephone Calls to Nonrural Areas

   Source:  78 FR 76239 , Dec. 17, 2013, unless otherwise noted.

   return arrow Back to Top


Goto Section: 64.2010 | 64.2101

Goto Year: 2013 | 2015
CiteFind - See documents on FCC website that cite this rule

Want to support this service?
Thanks!

Report errors in this rule. Since these rules are converted to HTML by machine, it's possible errors have been made. Please help us improve these rules by clicking the Report FCC Rule Errors link to report an error.
hallikainen.com
Helping make public information public