Court of Appeals Upholds FCC Data Breach Reporting and Notification Rules

Cooley alert
August 20, 2025

The US Court of Appeals for the Sixth Circuit released its decision on the appeal of the Federal Communications Commission (FCC) data breach notification and reporting rules. The FCC order, which largely became effective in 2024, revised the definition of reportable data breaches, modified the requirements for customer notifications of breaches and required breaches to be reported to federal law enforcement and the FCC. The general effect of these changes was to broaden the scope of data breaches that required notification and reporting. The order covers providers of telecommunications services, telecommunications relay service (TRS) providers, wireless companies and voice over IP (VoIP) providers. The decision upholds the rules, rejecting challenges based on the FCC’s statutory authority and a 2017 Congressional Review Act (CRA) resolution rejecting previous revisions to the FCC’s telecom privacy rules. As a result, the rules remain in effect, except for some requirements that still are being reviewed by the Office of Management and Budget (OMB).

In deciding whether the FCC had the authority to adopt the rules, the court considered both Section 222 of the Communications Act, which governs customer privacy, and Section 201(b) of the Communications Act, which is a more general grant of authority. The court concluded the FCC did not have authority under Section 222 because the relevant portion of that section covers only a specific category of information known as customer proprietary network information – not personally identifiable information, such as names and addresses, that would be affected by data breaches. However, the court held that the FCC did have authority to adopt the rules under Section 201(b) because that section gives the FCC the authority to regulate “practice[s] … in connection with communication service,” and reporting and notification of data breaches qualifies as a practice. The court held that the rules also can be applied to providers of TRS because the Communications Act gives the FCC the authority to ensure that TRS is functionally equivalent to standard voice service.

The court considered whether a 2017 resolution under the CRA overturning earlier privacy rules prevented the FCC from adopting the new rules on notification and reporting of data breaches because the CRA prohibits adopting rules that are “substantially the same” as the rules that were rejected. The court concluded that the CRA does not prohibit an agency from readopting a portion of a larger set of rules if Congress did not specifically overturn the individual rules being readopted. The court also concluded that there were enough differences between the original data breach rules and the 2024 data breach rules that the two sets of rules were not substantially the same.

The immediate effect of this decision is to leave the 2024 data breach rules in place. Companies that are subject to the rules should ensure incident response plans meet the FCC’s reporting timelines and update customer notice templates to satisfy the FCC’s “sufficient information” standard. In addition, the FCC’s expanded breach definition raises the likelihood that a single incident will trigger both federal and state notifications, so it will be important to coordinate federal and state reporting.

This decision also may have a broader impact. The decision’s expansive reading of Section 201(b) suggests that the FCC’s power extends beyond the actual provision of service to cover all “practices” in support of providing the service, which could lead to more aggressive regulation in the future. The decision also endorses a fairly narrow view of the CRA, which would give agencies that had rules overturned an incentive to revisit their earlier decisions and readopt portions of rules that had been rejected, or to readopt the old rules with a small number of changes. It is particularly significant because it is the first case to consider what agencies can do following a CRA resolution.

Further activity on these rules is likely. The petitioners could seek further review by the entire Sixth Circuit or the US Supreme Court. In addition, FCC Chairman Brendan Carr dissented from the original order, and he could seek to repeal the rules during his term. Finally, the portions of the rules concerning the specifics of the notification and reporting process are still under review by the OMB and have not yet taken effect.
