Goto Section: 64.2010 | 64.2101 | Table of Contents
FCC 64.2011
Revised as of October 5, 2017
Goto Year:2016 |
2018
§ 64.2011 Notification of customer proprietary network information security
breaches.
(a) A telecommunications carrier shall notify law enforcement of a
breach of its customers' CPNI as provided in this section. The carrier
shall not notify its customers or disclose the breach publicly, whether
voluntarily or under state or local law or these rules, until it has
completed the process of notifying law enforcement pursuant to
paragraph (b) of this section.
(b) As soon as practicable, and in no event later than seven (7)
business days, after reasonable determination of the breach, the
telecommunications carrier shall electronically notify the United
States Secret Service (USSS) and the Federal Bureau of Investigation
(FBI) through a central reporting facility. The Commission will
maintain a link to the reporting facility at
http://www.fcc.gov/eb/cpni.
(1) Notwithstanding any state law to the contrary, the carrier shall
not notify customers or disclose the breach to the public until 7 full
business days have passed after notification to the USSS and the FBI
except as provided in paragraphs (b)(2) and (b)(3) of this section.
(2) If the carrier believes that there is an extraordinarily urgent
need to notify any class of affected customers sooner than otherwise
allowed under paragraph (b)(1) of this section, in order to avoid
immediate and irreparable harm, it shall so indicate in its
notification and may proceed to immediately notify its affected
customers only after consultation with the relevant investigating
agency. The carrier shall cooperate with the relevant investigating
agency's request to minimize any adverse effects of such customer
notification.
(3) If the relevant investigating agency determines that public
disclosure or notice to customers would impede or compromise an ongoing
or potential criminal investigation or national security, such agency
may direct the carrier not to so disclose or notify for an initial
period of up to 30 days. Such period may be extended by the agency as
reasonably necessary in the judgment of the agency. If such direction
is given, the agency shall notify the carrier when it appears that
public disclosure or notice to affected customers will no longer impede
or compromise a criminal investigation or national security. The agency
shall provide in writing its initial direction to the carrier, any
subsequent extension, and any notification that notice will no longer
impede or compromise a criminal investigation or national security and
such writings shall be contemporaneously logged on the same reporting
facility that contains records of notifications filed by carriers.
(c) Customer notification. After a telecommunications carrier has
completed the process of notifying law enforcement pursuant to
paragraph (b) of this section, it shall notify its customers of a
breach of those customers' CPNI.
(d) Recordkeeping. All carriers shall maintain a record, electronically
or in some other manner, of any breaches discovered, notifications made
to the USSS and the FBI pursuant to paragraph (b) of this section, and
notifications made to customers. The record must include, if available,
dates of discovery and notification, a detailed description of the CPNI
that was the subject of the breach, and the circumstances of the
breach. Carriers shall retain the record for a minimum of 2 years.
(e) Definitions. As used in this section, a “breach” has occurred when
a person, without authorization or exceeding authorization, has
intentionally gained access to, used, or disclosed CPNI.
(f) This section does not supersede any statute, regulation, order, or
interpretation in any State, except to the extent that such statute,
regulation, order, or interpretation is inconsistent with the
provisions of this section, and then only to the extent of the
inconsistency.
return arrow Back to Top
Subpart V—Recording, Retention and Reporting of Data on Long-Distance
Telephone Calls to Rural Areas and Reporting of Data on Long-Distance
Telephone Calls to Nonrural Areas
Source: 78 FR 76239 , Dec. 17, 2013, unless otherwise noted.
return arrow Back to Top
Goto Section: 64.2010 | 64.2101
Goto Year: 2016 |
2018
CiteFind - See documents on FCC website that
cite this rule
Want to support this service?
Thanks!
Report errors in
this rule. Since these rules are converted to HTML by machine, it's possible errors have been made. Please
help us improve these rules by clicking the Report FCC Rule Errors link to report an error.
hallikainen.com
Helping make public information public