§ 64.5111   Notification of customer proprietary network information security
breaches.

   (a)  A  TRS  provider  shall notify law enforcement of a breach of its
   customers' CPNI as provided in this section. The TRS provider shall not
   notify its customers or disclose the breach publicly, whether voluntarily or
   under state or local law or these rules, until it has completed the process
   of notifying law enforcement pursuant to paragraph (b) of this section. The
   TRS provider shall file a copy of the notification with the Disability
   Rights Office of the Consumer and Governmental Affairs Bureau at the same
   time as when the TRS provider notifies the customers.

   (b) As soon as practicable, and in no event later than seven (7) business
   days, after reasonable determination of the breach, the TRS provider shall
   electronically  notify the United States Secret Service (USSS) and the
   Federal Bureau of Investigation (FBI) through a central reporting facility.
   The  Commission  will  maintain  a  link  to the reporting facility at
   http://www.fcc.gov/eb/cpni.

   (1) Notwithstanding any state law to the contrary, the TRS provider shall
   not notify customers or disclose the breach to the public until 7 full
   business days have passed after notification to the USSS and the FBI except
   as provided in paragraphs (b)(2) and (3) of this section.

   (2) If the TRS provider believes that there is an extraordinarily urgent
   need to notify any class of affected customers sooner than otherwise allowed
   under paragraph (b)(1) of this section, in order to avoid immediate and
   irreparable harm, it shall so indicate in its notification and may proceed
   to immediately notify its affected customers only after consultation with
   the relevant investigating agency. The TRS provider shall cooperate with the
   relevant investigating agency's request to minimize any adverse effects of
   such customer notification.

   (3) If the relevant investigating agency determines that public disclosure
   or notice to customers would impede or compromise an ongoing or potential
   criminal investigation or national security, such agency may direct the TRS
   provider not to so disclose or notify for an initial period of up to 30
   days. Such period may be extended by the agency as reasonably necessary in
   the judgment of the agency. If such direction is given, the agency shall
   notify the TRS provider when it appears that public disclosure or notice to
   affected  customers  will  no  longer  impede or compromise a criminal
   investigation or national security. The agency shall provide in writing its
   initial direction to the TRS provider, any subsequent extension, and any
   notification that notice will no longer impede or compromise a criminal
   investigation   or  national  security  and  such  writings  shall  be
   contemporaneously  logged on the same reporting facility that contains
   records of notifications filed by TRS providers.

   (c) Customer notification. After a TRS provider has completed the process of
   notifying law enforcement pursuant to paragraph (b) of this section, and
   consistent with the waiting requirements specified in paragraph (b) of this
   section, the TRS provider shall notify its customers of a breach of those
   customers' CPNI.

   (d) Recordkeeping. All TRS providers shall maintain a record, electronically
   or in some other manner, of any breaches discovered, notifications made to
   the  USSS  and  the FBI pursuant to paragraph (b) of this section, and
   notifications made to customers. The record must include, if available,
   dates of discovery and notification, a detailed description of the CPNI that
   was the subject of the breach, and the circumstances of the breach. TRS
   providers shall retain the record for a minimum of 2 years.

   (e) Definition. As used in this section, a “breach” has occurred when a
   person, without authorization or exceeding authorization, has intentionally
   gained access to, used, or disclosed CPNI.

   (f) This section does not supersede any statute, regulation, order, or
   interpretation  in  any State, except to the extent that such statute,
   regulation, order, or interpretation is inconsistent with the provisions of
   this section, and then only to the extent of the inconsistency.

   Effective Date Note: At  78 FR 40613 , July 5, 2013, § 64.5111 was added. This
   section contain information collection and recordkeeping requirements and
   will not become effective until approval has been given by the Office of
   Management and Budget.

   return arrow Back to Top

Subpart FF—Inmate Calling Services

   Source:  78 FR 67975 , Nov. 13, 2013, unless otherwise noted.

   return arrow Back to Top