Data Security

What a Fifth FCC Commissioner Means for Security and Privacy

Published: Aug. 09, 2023

Updated: Aug. 18, 2023

On July 12, the Senate Commerce Committee voted to advance the nomination of Anna Gomez to join the Federal Communications Commission (“FCC”). If the full Senate votes to confirm her in September, Gomez will finally fill the FCC’s fifth seat, which has been vacant for more than two and a half years. Gomez would give Chairwoman Jessica Rosenworcel a critical third vote, breaking a two-two deadlock that has largely prevented the FCC from taking major policy actions. While much of the focus will be on whether to treat broadband as a common carrier service under Title II of the Communications Act and on the scope of any new “net neutrality” rules, cybersecurity and data privacy are likely to feature prominently in the expected wave of policymaking.

TL;DR: The FCC has a full agenda for cybersecurity and data privacy. If and when Commissioner Gomez arrives on the 8th Floor, we expect Chairwoman Rosenworcel to push rapidly to accomplish many items that have been stalled by the deadlocked 2-to-2 Commission for nearly two years. The new Privacy and Data Protection Task Force will be center stage in this effort, finalizing CPNI updates and recommending new enforcement actions. The Task Force has already resuscitated a SIM-swap proposal and will likely take the lead on turning the BGP security inquiry into a final proposal as well. As if that weren’t enough, a new cybersecurity labeling proposal looks to catapult the FCC into a consumer-facing role on securing smart devices.

Soon-to-be Commissioner Gomez?

On May 22, 2023, President Biden nominated Gomez to fill the vacant fifth seat on the FCC. This came after more than 18 months of stalemate in the Senate over Gigi Sohn, Biden’s first choice to fill the seat, which ended when Sohn withdrew her candidacy this past March. Gomez has extensive experience at the FCC, the National Telecommunications and Information Administration (“NTIA”), and, most recently, the State Department. While she has said little on the record on cybersecurity and data privacy, we expect that Gomez will largely support Chairwoman Rosenworcel’s agenda on cybersecurity and data privacy.

Privacy and Data Protection Task Force

On June 14, Chairwoman Rosenworcel announced the creation of the Privacy and Data Protection Task Force, a working group led by the chief of the FCC’s Enforcement Bureau that will coordinate the FCC’s efforts on rulemaking and enforcement of privacy and data protection and will attempt to “address problems that erode the public’s trust in data protection.” While the FCC will seemingly be taking a more active role on privacy and security, its jurisdiction is necessarily limited to regulated communications companies. (There is some chance that Congress may strip the FCC of its privacy jurisdiction entirely by reviving the American Data Privacy and Protection Act (ADPPA), which, if passed, would give the FTC exclusive authority to enforce federal privacy laws. Passage of the ADPPA would substantially change the substance of much of this blog post!) Therefore, unless the communications sector is going to be subject to bespoke rules, it will be important for the FCC to act consistently with other federal and state regulators. While communications companies have a critical role to play, the fundamental rules of the road on privacy and security issues should be the same regardless of which agency regulates your industry. Chairwoman Rosenworcel’s call for a “whole-of-government” approach to these issues appears to be a recognition that the FCC is behind other agencies. Gomez’s experience in multiple agencies ought to help facilitate this coordination.

CPNI Reform

On January 6, 2023, the FCC issued a Notice of Proposed Rulemaking (“NPRM”) that would update the data breach requirements by eliminating the current customer notification waiting period and by expanding the definition of a reportable breach to cover unintentional breaches. The NPRM would update when, and to whom, a telecommunications carrier or an interconnected Voice over Internet Protocol (“VoIP”) provider is required to report a breach of customer proprietary network information (“CPNI”). Public comments in the CPNI proceeding—which would bring the first major changes to the CPNI rules in more than 15 years—were filed in early spring, meaning that a final rule could be forthcoming imminently. While neither Commissioner Carr nor Commissioner Simington (the two Republican Commissioners) publicly opposed the adoption of the NPRM, the addition of Gomez may result in the FCC adopting a stricter set of new rules.

For more information on the CPNI proceeding, check out our post summarizing the NPRM.

Enforcement Actions

Chairwoman Rosenworcel has made clear that the FCC will be pursuing more (and more aggressive) enforcement actions against regulated companies that have violated the FCC’s privacy and security rules. In addition to the CPNI rules, the FCC can also take action using its broad authority under section 201(b) of the Communications Act, a general consumer protection provision that prohibits telecommunications carriers from engaging in “unjust and unreasonable practices.”

At or near the top of Chairwoman Rosenworcel’s list is a series of actions against the four largest wireless carriers for apparently failing to protect consumer geolocation data. These actions were first proposed by then-Chairman Ajit Pai in February 2020. Now-Chairwoman Rosenworcel dissented from those proposed actions, calling them “a day late and a dollar short,” with fines that are “too small relative to the law and the population put at risk.” Those proposed enforcement actions are still pending in the Enforcement Bureau and would, if Gomez is confirmed, likely be among the first major enforcement actions taken by the FCC after her arrival.

In addition to these ongoing matters, expect the FCC to jump eagerly into investigating future data breaches. While the Privacy and Data Protection Task Force recently issued a Notice of Apparent Liability for Forfeiture carrying a proposed $20 million fine for alleged violations of the CPNI security authentication requirements, it has been many years since the FCC’s last major data breach enforcement penalty—2015’s consent decree and $25 million civil penalty against AT&T to settle a data breach that exposed the information of nearly 280,000 customers. Since then, T-Mobile has announced two data breaches, impacting 50 million and 37 million accounts, respectively. Whether for those breaches or for some other future incident, expect significant action from the fully constituted FCC.

SIM Swaps

In September 2021, the FCC proposed rules aimed at preventing cybercriminals from stealing consumers’ phone numbers and swapping them into scammer-controlled devices. This threat—known as “SIM-swapping” or “port-out fraud”—has become a particularly useful way for cybercriminals to bypass SMS-based multi-factor authentication. SMS-based authentication is used by many technology, media, and financial service companies and is considered a key security tool for consumers and companies alike. The proposed rules would require voice carriers to use secure methods of authenticating a customer before carrying out a SIM swap and to immediately notify customers whenever a SIM change or port request is made on their account. After nearly 20 months with no public action on this proposal, on July 11 Chairwoman Rosenworcel’s new Privacy and Data Protection Task Force proposed final rules that are now pending before the Commission. While the final draft is not yet available, the Commission’s summary is broadly consistent with the 2021 proposal. Like the CPNI NPRM discussed above, we expect the Commission to vote rapidly on the SIM swapping proposal if Gomez is sworn in.

BGP Security

In February 2022, the FCC adopted a Notice of Inquiry seeking information on how best to protect communications networks from vulnerabilities posed by the Border Gateway Protocol (“BGP”). BGP is a path-vector routing protocol that connects autonomous systems on the Internet, effectively choosing the shortest, least-congested paths to pass traffic between neighboring routers. Whether caused by accidental misconfigurations or malicious interference, vulnerabilities in BGP can interrupt connectivity and create opportunities for wide-scale espionage or sabotage. CISA, the Cybersecurity and Infrastructure Security Agency, urged the FCC to take action to mitigate the “critical and widespread” vulnerabilities in BGP, which “foreign adversaries have shown willingness to exploit.” On July 31, 2023, the FCC hosted a workshop to discuss options for enhancing BGP security. While a firm proposal for BGP security is likely many months away, substantial new rules are possible with the FCC operating with a full complement of Commissioners.

Cybersecurity Labeling

On July 18, 2023, Chairwoman Rosenworcel spoke at the White House to announce a proposal to launch a voluntary cybersecurity labeling program for smart devices. If adopted, the “U.S. Cyber Trust Mark” proposal would allow manufacturers to demonstrate that their smart devices meet or exceed certain cybersecurity criteria developed by the National Institute of Standards and Technology (“NIST”). Just as all wireless devices sold in the U.S. today bear an FCC conformity label, manufacturers that meet the new standards would display the U.S. Cyber Trust Mark label (shown below), along with a QR code that would enable consumers to access current information on the security features of the device.

The Cyber Trust Mark proposal is now pending before the full commission and, if adopted, would be published for public comment. Given that this item has yet to be formally proposed, Gomez would have more opportunity to influence this proposal than much of the rest of the agenda.

Update: On August 10, the FCC adopted a Notice of Proposed Rulemaking outlining the proposed voluntary cybersecurity labeling program. Public comment is being sought on the scope of devices to include, how to manage evolving security standards, how to safeguard the standard, and other issues. Public comments will be due 30 days after the NPRM is published in the Federal Register, with reply comments due 15 days thereafter. This proceeding should bring in many voices that are not regularly before the FCC; the ZwillGen team is ready to help if you want to participate.

*          *          *

With this expected flurry of activity, communications companies need to prepare to participate in rulemaking and adapt their practices to new regulations. ZwillGen’s experienced team of cybersecurity and privacy attorneys can assist clients with drafting comments responding to open proceedings, appearing before FCC staff, and implementing compliance strategies if and when these new rules are adopted.