Goto Section: 64.2010 | 64.2301 | Table of Contents
FCC 64.2011
Revised as of October 1, 2007
Goto Year:2006 |
2008
Sec. 64.2011 Notification of customer proprietary network information security
breaches.
(a) A telecommunications carrier shall notify law enforcement of a breach of
its customers' CPNI as provided in this section. The carrier shall not
notify its customers or disclose the breach publicly, whether voluntarily or
under state or local law or these rules, until it has completed the process
of notifying law enforcement pursuant to paragraph (b) of this section.
(b) As soon as practicable, and in no event later than seven (7) business
days, after reasonable determination of the breach, the telecommunications
carrier shall electronically notify the United States Secret Service (USSS)
and the Federal Bureau of Investigation (FBI) through a central reporting
facility. The Commission will maintain a link to the reporting facility at
http://www.fcc.gov/eb/cpni.
(1) Notwithstanding any state law to the contrary, the carrier shall not
notify customers or disclose the breach to the public until 7 full business
days have passed after notification to the USSS and the FBI except as
provided in paragraphs (b)(2) and (b)(3) of this section.
(2) If the carrier believes that there is an extraordinarily urgent need to
notify any class of affected customers sooner than otherwise allowed under
paragraph (b)(1) of this section, in order to avoid immediate and
irreparable harm, it shall so indicate in its notification and may proceed
to immediately notify its affected customers only after consultation with
the relevant investigating agency. The carrier shall cooperate with the
relevant investigating agency's request to minimize any adverse effects of
such customer notification.
(3) If the relevant investigating agency determines that public disclosure
or notice to customers would impede or compromise an ongoing or potential
criminal investigation or national security, such agency may direct the
carrier not to so disclose or notify for an initial period of up to 30 days.
Such period may be extended by the agency as reasonably necessary in the
judgment of the agency. If such direction is given, the agency shall notify
the carrier when it appears that public disclosure or notice to affected
customers will no longer impede or compromise a criminal investigation or
national security. The agency shall provide in writing its initial direction
to the carrier, any subsequent extension, and any notification that notice
will no longer impede or compromise a criminal investigation or national
security and such writings shall be contemporaneously logged on the same
reporting facility that contains records of notifications filed by carriers.
(c) Customer notification. After a telecommunications carrier has completed
the process of notifying law enforcement pursuant to paragraph (b) of this
section, it shall notify its customers of a breach of those customers' CPNI.
(d) Recordkeeping. All carriers shall maintain a record, electronically or
in some other manner, of any breaches discovered, notifications made to the
USSS and the FBI pursuant to paragraph (b) of this section, and
notifications made to customers. The record must include, if available,
dates of discovery and notification, a detailed description of the CPNI that
was the subject of the breach, and the circumstances of the breach. Carriers
shall retain the record for a minimum of 2 years.
(e) Definitions. As used in this section, a “breach” has occurred when a
person, without authorization or exceeding authorization, has intentionally
gained access to, used, or disclosed CPNI.
(f) This section does not supersede any statute, regulation, order, or
interpretation in any State, except to the extent that such statute,
regulation, order, or interpretation is inconsistent with the provisions of
this section, and then only to the extent of the inconsistency.
[ 72 FR 31963 , June 8, 2007]
Effective Date Note: At 72 FR 31962 , June 8, 2007, Sec. 64.2011 was added to
subpart U. This text contains information collection and recordkeeping
requirements and will not become effective until approval has been given by
the Office of Management and Budget (OMB).
Subpart V [Reserved]
Subpart W [Reserved]
Subpart X—Subscriber List Information
Source: 64 FR 53947 , Oct. 5, 2000, unless otherwise noted.
Goto Section: 64.2010 | 64.2301
Goto Year: 2006 |
2008
CiteFind - See documents on FCC website that
cite this rule
Want to support this service?
Thanks!
Report errors in
this rule. Since these rules are converted to HTML by machine, it's possible errors have been made. Please
help us improve these rules by clicking the Report FCC Rule Errors link to report an error.
hallikainen.com
Helping make public information public