Updates to our Terms of Use

We are updating our Terms of Use. Please carefully review the updated Terms before proceeding to our website.

Log in to CasePortal
Search Articles
Free Litigation Reports Find Judicial Opinions

Wednesday, April 23, 2025

View Back issues
Wednesday, April 23, 2025

Telecom providers smear new FCC data breach rule as old hat

Since Congress struck down a similar 2016 regulation, a group of telecommunications providers say the federal government can't make them keep records of certain consumer data and disclose breaches to law enforcement.

/ December 12, 2024
This Thursday, Dec. 14, 2017, photo, shows the seal of the Federal Communications Commission before a meeting in Washington. (Jacquelyn Martin/AP)
[et_pb_section admin_label="section"] [et_pb_row admin_label="row"] [et_pb_column type="4_4"][et_pb_text admin_label="Text"]

CINCINNATI (CN) — The Federal Communications Commission overstepped its regulatory authority when it imposed onerous reporting requirements on telecom providers in the event of consumer data breaches, the providers argued before a Sixth Circuit panel Thursday.

Several trade groups, including the Ohio Telecom Association and USTelecom - The Broadband Association, petitioned the appeals court for a review of the 2024 Reporting Rule, which they claim improperly expands the scope of consumer data within the commission’s purview.

The rule initially came about as part of the omnibus 2016 Broadband Privacy Order, but Congress rejected that measure under the Congressional Review Act.

The providers argue the resolution prevented the rule — or anything substantially similar — from future adoption, and they say the commission’s 2024 rule “defied Congress’s directive.”

“Like the 2016 Reporting Rule, the new version imposes broad reporting and recordkeeping obligations with respect to data breaches involving customer personally identifiable information. And it closely resembles the disapproved 2016 Reporting Rule in numerous other respects. Indeed, the commission barely asserted otherwise in its rulemaking proceedings,” the providers say in their brief to the appeals court.

Attorney Roman Martinez of the Washington firm Latham and Watkins LLP argued Thursday on behalf of the providers.

He told the court the 2024 rule is “virtually the same” as the one rejected by Congress in 2016.

U.S. Circuit Judge Richard Griffin, a George W. Bush appointee, parsed the attorney’s choice of words.

“Is it virtually the same or ‘substantially’ the same? I think that’s the phrase we have to consider,” Griffin said.

“It is the same in all the respects that matter the most,” Martinez answered.

The commission defends the rule as authorized by the Communications Act and says that “meaningful changes” to the text of the rejected 2016 version render it acceptable under the Congressional Review Act.

Griffin agreed and seemed skeptical of the commission’s claim that congress’ disapproval of a “package of rules” in the omnibus order allows it to pass each order individually.

“It is a recipe for circumvention of the Congressional Review Act,” Martinez said. “The obvious congressional intent of the act was to put a meaningful limit on agency authority.”

U.S. Circuit Judge Jane Stranch, a Barack Obama appointee, spoke about the commission’s authority to respond to increases in data breaches.

“Practically speaking, there are more and more significant data breaches over time, so why are they not able to adapt their congressionally approved authority to address the changing nature of telecommunications and dangers to consumers?” she asked.

The providers’ attorney emphasized the industry is heavily regulated by states, and pointed out the purpose of the commission has never been to deal with privacy or data breach issues.

Stranch responded, “I’m not comforted by the idea that each state can do it on its own.”

Attorney Adam Sorensen picked up on Stranch’s line of thought in his arguments on behalf of the commission, saying the rule was crafted in response to an “alarming rise” in the number of data breaches across the country.

“The newest rule is responding as conditions have changed on the ground, and the increased ability of bad actors to collect and collate consumer data,” Sorensen told the panel.

Griffin reiterated his concerns about the commission’s ability to sidestep the Congressional Review Act.

“If we accept your interpretation, the agency can get around the intent of Congress and the act would not mean anything at all,” he said. “It might be a good policy, but it’s up to Congress now.”

The commission balked at the providers’ reading of the updated reporting rule, and was quick to point out differences between the 2024 version and the one rejected by Congress.

“Critical differences include less prescriptive customer notification requirements, the addition of a good-faith exception to the definition of a ‘breach,’ and different disclosure requirements for federal reporting,” it says in its brief.

Sorensen emphasized the 2016 rule was a “very small part” of the omnibus legislation rejected by Congress, and also pointed out several changes to differentiate the 2024 version.

“Very significant differences include the definition of the term ‘breach’ and the definition of ‘personal information,’ which has been narrowed in a couple of key ways,” the attorney said.

U.S. Circuit Judge Andre Mathis, a Joe Biden appointee, rounded out the panel, which did not set a timetable for its decision.

[/et_pb_text][/et_pb_column] [/et_pb_row] [/et_pb_section]
Follow @kkoeninger44
Categories / Appeals, Consumers, Government, Uncategorized

Subscribe to our free newsletters

Our weekly newsletter Closing Arguments offers the latest about ongoing trials, major litigation and rulings in courthouses around the U.S. and the world, while the monthly Under the Lights dishes the legal dirt from Hollywood, sports, Big Tech and the arts.

Loading...