§ 64.2011   Notification of customer proprietary network information security
breaches.

   (a) A telecommunications carrier shall notify law enforcement of a breach of
   its customers' CPNI as provided in this section. The carrier shall not
   notify its customers or disclose the breach publicly, whether voluntarily or
   under state or local law or these rules, until it has completed the process
   of notifying law enforcement pursuant to paragraph (b) of this section.

   (b) As soon as practicable, and in no event later than seven (7) business
   days, after reasonable determination of the breach, the telecommunications
   carrier shall electronically notify the United States Secret Service (USSS)
   and the Federal Bureau of Investigation (FBI) through a central reporting
   facility. The Commission will maintain a link to the reporting facility at
   http://www.fcc.gov/eb/cpni.

   (1) Notwithstanding any state law to the contrary, the carrier shall not
   notify customers or disclose the breach to the public until 7 full business
   days  have passed after notification to the USSS and the FBI except as
   provided in paragraphs (b)(2) and (b)(3) of this section.

   (2) If the carrier believes that there is an extraordinarily urgent need to
   notify any class of affected customers sooner than otherwise allowed under
   paragraph  (b)(1)  of  this  section,  in order to avoid immediate and
   irreparable harm, it shall so indicate in its notification and may proceed
   to immediately notify its affected customers only after consultation with
   the relevant investigating agency. The carrier shall cooperate with the
   relevant investigating agency's request to minimize any adverse effects of
   such customer notification.

   (3) If the relevant investigating agency determines that public disclosure
   or notice to customers would impede or compromise an ongoing or potential
   criminal investigation or national security, such agency may direct the
   carrier not to so disclose or notify for an initial period of up to 30 days.
   Such period may be extended by the agency as reasonably necessary in the
   judgment of the agency. If such direction is given, the agency shall notify
   the carrier when it appears that public disclosure or notice to affected
   customers will no longer impede or compromise a criminal investigation or
   national security. The agency shall provide in writing its initial direction
   to the carrier, any subsequent extension, and any notification that notice
   will no longer impede or compromise a criminal investigation or national
   security and such writings shall be contemporaneously logged on the same
   reporting facility that contains records of notifications filed by carriers.

   (c) Customer notification. After a telecommunications carrier has completed
   the process of notifying law enforcement pursuant to paragraph (b) of this
   section, it shall notify its customers of a breach of those customers' CPNI.

   (d) Recordkeeping. All carriers shall maintain a record, electronically or
   in some other manner, of any breaches discovered, notifications made to the
   USSS  and  the  FBI  pursuant  to  paragraph  (b) of this section, and
   notifications made to customers. The record must include, if available,
   dates of discovery and notification, a detailed description of the CPNI that
   was the subject of the breach, and the circumstances of the breach. Carriers
   shall retain the record for a minimum of 2 years.

   (e) Definitions. As used in this section, a “breach” has occurred when a
   person, without authorization or exceeding authorization, has intentionally
   gained access to, used, or disclosed CPNI.

   (f) This section does not supersede any statute, regulation, order, or
   interpretation  in  any State, except to the extent that such statute,
   regulation, order, or interpretation is inconsistent with the provisions of
   this section, and then only to the extent of the inconsistency.

   [ 72 FR 31963 , June 8, 2007]

   return arrow Back to Top

Subpart V—Recording, Retention and Reporting of Data on Long-Distance Telephone
Calls to Rural Areas and Reporting of Data on Long-Distance Telephone Calls to
Nonrural Areas

   Source:  78 FR 76239 , Dec. 17, 2013, unless otherwise noted.

   return arrow Back to Top