FCC 64.5111
Revised as of September 1, 2021
§ 64.5111 Notification of customer proprietary network information security
breaches.
(a) A TRS provider shall notify law enforcement of a breach of its
customers' CPNI as provided in this section. The TRS provider shall not
notify its customers or disclose the breach publicly, whether
voluntarily or under state or local law or these rules, until it has
completed the process of notifying law enforcement pursuant to
paragraph (b) of this section. The TRS provider shall file a copy of
the notification with the Disability Rights Office of the Consumer and
Governmental Affairs Bureau at the same time as when the TRS provider
notifies the customers.
(b) As soon as practicable, and in no event later than seven (7)
business days, after reasonable determination of the breach, the TRS
provider shall electronically notify the United States Secret Service
(USSS) and the Federal Bureau of Investigation (FBI) through a central
reporting facility. The Commission will maintain a link to the
reporting facility at http://www.fcc.gov/eb/cpni.
(1) Notwithstanding any state law to the contrary, the TRS provider
shall not notify customers or disclose the breach to the public until 7
full business days have passed after notification to the USSS and the
FBI except as provided in paragraphs (b)(2) and (3) of this section.
(2) If the TRS provider believes that there is an extraordinarily
urgent need to notify any class of affected customers sooner than
otherwise allowed under paragraph (b)(1) of this section, in order to
avoid immediate and irreparable harm, it shall so indicate in its
notification and may proceed to immediately notify its affected
customers only after consultation with the relevant investigating
agency. The TRS provider shall cooperate with the relevant
investigating agency's request to minimize any adverse effects of such
customer notification.
(3) If the relevant investigating agency determines that public
disclosure or notice to customers would impede or compromise an ongoing
or potential criminal investigation or national security, such agency
may direct the TRS provider not to so disclose or notify for an initial
period of up to 30 days. Such period may be extended by the agency as
reasonably necessary in the judgment of the agency. If such direction
is given, the agency shall notify the TRS provider when it appears that
public disclosure or notice to affected customers will no longer impede
or compromise a criminal investigation or national security. The agency
shall provide in writing its initial direction to the TRS provider, any
subsequent extension, and any notification that notice will no longer
impede or compromise a criminal investigation or national security and
such writings shall be contemporaneously logged on the same reporting
facility that contains records of notifications filed by TRS providers.
(c) Customer notification. After a TRS provider has completed the
process of notifying law enforcement pursuant to paragraph (b) of this
section, and consistent with the waiting requirements specified in
paragraph (b) of this section, the TRS provider shall notify its
customers of a breach of those customers' CPNI.
(d) Recordkeeping. All TRS providers shall maintain a record,
electronically or in some other manner, of any breaches discovered,
notifications made to the USSS and the FBI pursuant to paragraph (b) of
this section, and notifications made to customers. The record must
include, if available, dates of discovery and notification, a detailed
description of the CPNI that was the subject of the breach, and the
circumstances of the breach. TRS providers shall retain the record for
a minimum of 2 years.
(e) Definition. As used in this section, a “breach” has occurred when a
person, without authorization or exceeding authorization, has
intentionally gained access to, used, or disclosed CPNI.
(f) This section does not supersede any statute, regulation, order, or
interpretation in any State, except to the extent that such statute,
regulation, order, or interpretation is inconsistent with the
provisions of this section, and then only to the extent of the
inconsistency.
[78 FR 40613, July 5, 2013]
Subpart FF—Inmate Calling Services
Source: 78 FR 67975, Nov. 13, 2013, unless otherwise noted.