FCC 64.5111
Revised as of October 2, 2015
§ 64.5111 Notification of customer proprietary network information security
breaches.
(a) A TRS provider shall notify law enforcement of a breach of its
customers' CPNI as provided in this section. The TRS provider shall not
notify its customers or disclose the breach publicly, whether voluntarily or
under state or local law or these rules, until it has completed the process
of notifying law enforcement pursuant to paragraph (b) of this section. The
TRS provider shall file a copy of the notification with the Disability
Rights Office of the Consumer and Governmental Affairs Bureau at the same
time as when the TRS provider notifies the customers.
(b) As soon as practicable, and in no event later than seven (7) business
days, after reasonable determination of the breach, the TRS provider shall
electronically notify the United States Secret Service (USSS) and the
Federal Bureau of Investigation (FBI) through a central reporting facility.
The Commission will maintain a link to the reporting facility at
http://www.fcc.gov/eb/cpni.
(1) Notwithstanding any state law to the contrary, the TRS provider shall
not notify customers or disclose the breach to the public until 7 full
business days have passed after notification to the USSS and the FBI except
as provided in paragraphs (b)(2) and (3) of this section.
(2) If the TRS provider believes that there is an extraordinarily urgent
need to notify any class of affected customers sooner than otherwise allowed
under paragraph (b)(1) of this section, in order to avoid immediate and
irreparable harm, it shall so indicate in its notification and may proceed
to immediately notify its affected customers only after consultation with
the relevant investigating agency. The TRS provider shall cooperate with the
relevant investigating agency's request to minimize any adverse effects of
such customer notification.
(3) If the relevant investigating agency determines that public disclosure
or notice to customers would impede or compromise an ongoing or potential
criminal investigation or national security, such agency may direct the TRS
provider not to so disclose or notify for an initial period of up to 30
days. Such period may be extended by the agency as reasonably necessary in
the judgment of the agency. If such direction is given, the agency shall
notify the TRS provider when it appears that public disclosure or notice to
affected customers will no longer impede or compromise a criminal
investigation or national security. The agency shall provide in writing its
initial direction to the TRS provider, any subsequent extension, and any
notification that notice will no longer impede or compromise a criminal
investigation or national security and such writings shall be
contemporaneously logged on the same reporting facility that contains
records of notifications filed by TRS providers.
(c) Customer notification. After a TRS provider has completed the process of
notifying law enforcement pursuant to paragraph (b) of this section, and
consistent with the waiting requirements specified in paragraph (b) of this
section, the TRS provider shall notify its customers of a breach of those
customers' CPNI.
(d) Recordkeeping. All TRS providers shall maintain a record, electronically
or in some other manner, of any breaches discovered, notifications made to
the USSS and the FBI pursuant to paragraph (b) of this section, and
notifications made to customers. The record must include, if available,
dates of discovery and notification, a detailed description of the CPNI that
was the subject of the breach, and the circumstances of the breach. TRS
providers shall retain the record for a minimum of 2 years.
(e) Definition. As used in this section, a “breach” has occurred when a
person, without authorization or exceeding authorization, has intentionally
gained access to, used, or disclosed CPNI.
(f) This section does not supersede any statute, regulation, order, or
interpretation in any State, except to the extent that such statute,
regulation, order, or interpretation is inconsistent with the provisions of
this section, and then only to the extent of the inconsistency.
Effective Date Note: At 78 FR 40613, July 5, 2013, § 64.5111 was added. This
section contains information collection and recordkeeping requirements and
will not become effective until approval has been given by the Office of
Management and Budget.
Subpart FF—Inmate Calling Services
Source: 78 FR 67975, Nov. 13, 2013, unless otherwise noted.