§ 64.5111   Notification of customer proprietary network information security
breaches.

   (a) A TRS provider shall notify law enforcement of a breach of its
   customers' CPNI as provided in this section. The TRS provider shall not
   notify its customers or disclose the breach publicly, whether
   voluntarily or under state or local law or these rules, until it has
   completed the process of notifying law enforcement pursuant to
   paragraph (b) of this section. The TRS provider shall file a copy of
   the notification with the Disability Rights Office of the Consumer and
   Governmental Affairs Bureau at the same time as when the TRS provider
   notifies the customers.

   (b) As soon as practicable, and in no event later than seven (7)
   business days, after reasonable determination of the breach, the TRS
   provider shall electronically notify the United States Secret Service
   (USSS) and the Federal Bureau of Investigation (FBI) through a central
   reporting facility. The Commission will maintain a link to the
   reporting facility at http://www.fcc.gov/eb/cpni.

   (1) Notwithstanding any state law to the contrary, the TRS provider
   shall not notify customers or disclose the breach to the public until 7
   full business days have passed after notification to the USSS and the
   FBI except as provided in paragraphs (b)(2) and (3) of this section.

   (2) If the TRS provider believes that there is an extraordinarily
   urgent need to notify any class of affected customers sooner than
   otherwise allowed under paragraph (b)(1) of this section, in order to
   avoid immediate and irreparable harm, it shall so indicate in its
   notification and may proceed to immediately notify its affected
   customers only after consultation with the relevant investigating
   agency. The TRS provider shall cooperate with the relevant
   investigating agency's request to minimize any adverse effects of such
   customer notification.

   (3) If the relevant investigating agency determines that public
   disclosure or notice to customers would impede or compromise an ongoing
   or potential criminal investigation or national security, such agency
   may direct the TRS provider not to so disclose or notify for an initial
   period of up to 30 days. Such period may be extended by the agency as
   reasonably necessary in the judgment of the agency. If such direction
   is given, the agency shall notify the TRS provider when it appears that
   public disclosure or notice to affected customers will no longer impede
   or compromise a criminal investigation or national security. The agency
   shall provide in writing its initial direction to the TRS provider, any
   subsequent extension, and any notification that notice will no longer
   impede or compromise a criminal investigation or national security and
   such writings shall be contemporaneously logged on the same reporting
   facility that contains records of notifications filed by TRS providers.

   (c) Customer notification. After a TRS provider has completed the
   process of notifying law enforcement pursuant to paragraph (b) of this
   section, and consistent with the waiting requirements specified in
   paragraph (b) of this section, the TRS provider shall notify its
   customers of a breach of those customers' CPNI.

   (d) Recordkeeping. All TRS providers shall maintain a record,
   electronically or in some other manner, of any breaches discovered,
   notifications made to the USSS and the FBI pursuant to paragraph (b) of
   this section, and notifications made to customers. The record must
   include, if available, dates of discovery and notification, a detailed
   description of the CPNI that was the subject of the breach, and the
   circumstances of the breach. TRS providers shall retain the record for
   a minimum of 2 years.

   (e) Definition. As used in this section, a “breach” has occurred when a
   person, without authorization or exceeding authorization, has
   intentionally gained access to, used, or disclosed CPNI.

   (f) This section does not supersede any statute, regulation, order, or
   interpretation in any State, except to the extent that such statute,
   regulation, order, or interpretation is inconsistent with the
   provisions of this section, and then only to the extent of the
   inconsistency.

   [ 78 FR 40613 , July 5, 2013]

   return arrow Back to Top

Subpart FF—Inmate Calling Services

   Source:  78 FR 67975 , Nov. 13, 2013, unless otherwise noted.

   return arrow Back to Top