The Federal Communications Commission’s (FCC) Media Relations Office has released a statement announcing Chairman Pai’s intention to stay a data security rule adopted by the Commission late last year in its Broadband Privacy Order. Absent a stay, the rule is set to go into effect on March 2.
The data security rule at issue states in its entirety:
- A telecommunications carrier must take reasonable measures to protect customer proprietary information from unauthorized use, disclosure, or access.
- The security measures taken by a telecommunications carrier to implement the requirement set forth in this section must appropriately take into account each of the following factors:
- The nature and scope of the telecommunications carrier’s activities;
- The sensitivity of the data it collects;
- The size of the telecommunications carrier; and
- Technical feasibility.
- A telecommunications carrier may employ any lawful security measures that allow it to implement the requirement set forth in this section.
Customer proprietary information, or “Customer PI,” is the FCC’s operative label for the data protected by many of the privacy and security requirements adopted late last year.
In the Broadband Privacy Order, the FCC determined that March 2 (90 days after publication of the summary of the Order in the Federal Register) was an appropriate implementation date because “carriers should already be largely in compliance with these requirements because the reasonableness standard adopted in [the] Order provides carriers flexibility in how to approach data security and resembles the obligation to which they were previously subject pursuant to Section 5 of the FTC Act.”
In the statement released by the Media Relations Office, however, Chairman Pai disagrees with this determination, stating that “[the data security rule] that is scheduled to take effect on March 2 is not consistent with the FTC’s privacy standards.”
Shortly after Pai’s statement was released, FCC Commissioner Clyburn released a joint statement with Federal Trade Commission (FTC) Commissioner McSweeny criticizing the proposal. In the joint statement, Commissioner Clyburn stated that “[t]oday Chairman Pai has created an unfortunate dilemma: accept a Bureau-level action that indefinitely unwinds key consumer privacy protections established by the FCC last year, or accept four business days (rather than the usual three weeks) to evaluate and vote on a decision that has massive ramifications for the security of private information held by broadband providers.” Commissioner McSweeny also expressed her disapproval with the proposal, stating that “[t]he rules the FCC adopted conform to long standing FTC practice and provide clear rules on how broadband companies should protect their customers’ personal information. This action weakens the security requirement guarding every consumers’ most personal data and should be reconsidered.”
FCC Commissioner O’Rielly later released a statement supporting Chairman Pai’s proposal, stating that he “support[s] the Chairman’s proposal to allow the Commission and Congress time to take another look at these ill-considered rules before they have a chance to throw broadband providers’ data security practices into unsettled territory.”
If Commissioners O’Rielly and Clyburn agree to vote on the stay request by March 2, the full commission vote will determine the stay. However, if Chairman Pai does not get a full vote by March 2, he has indicated that the FCC’s Wireline Competition Bureau will stay the data security rules until a full vote on pending reconsideration petitions can take place.