Section 64.2011 - [Effective on an indefinitely delayed date ] Notification of security breaches(a)Commission and Federal Law Enforcement Notification. Except as provided in paragraph (a)(3) of this section, as soon as practicable, but no later than seven business days, after reasonable determination of a breach, a telecommunications carrier shall electronically notify the Commission, the United States Secret Service (Secret Service), and the Federal Bureau of Investigation (FBI) through a central reporting facility. The Commission will maintain a link to the reporting facility on its website. (1) A telecommunications carrier shall, at a minimum, include in its notification to the Commission, Secret Service, and FBI:(i) The carrier's address and contact information;(ii) A description of the breach incident;(iii) The method of compromise;(iv) The date range of the incident;(v) The approximate number of customers affected;(vi) An estimate of financial loss to the carrier and customers, if any; and(vii) The types of data breached.(2) If the Commission, or a law enforcement or national security agency, notifies the carrier that public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security, such agency may direct the carrier not to so disclose or notify for an initial period of up to 30 days. Such period may be extended by the agency as reasonably necessary in the judgment of the agency. If such direction is given, the agency shall notify the carrier when it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security. The agency shall provide in writing its initial direction to the carrier, any subsequent extension, and any notification that notice will no longer impede or compromise a criminal investigation or national security.(3) A telecommunications carrier is exempt from the requirement to provide notification to the Commission and law enforcement pursuant to paragraph (a) of this section of a breach that affects fewer than 500 customers and the carrier reasonably determines that no harm to customers is reasonably likely to occur as a result of the breach. In circumstances where a carrier initially determined that it qualified for an exemption under this paragraph (a)(3), but later discovers information such that this exemption no longer applies, the carrier must report the breach to Federal agencies as soon as practicable, but no later than within seven business days of this discovery, as required in this paragraph (a).(b)Customer notification. Except as provided in paragraph (a)(2) of this section, a telecommunications carrier shall notify affected customers of a breach of covered data without unreasonable delay after notification to the Commission and law enforcement pursuant to paragraph (a) of this section, and no later than 30 days after reasonable determination of a breach. This notification shall include sufficient information so as to make a reasonable customer aware that a breach occurred on a certain date, or within a certain estimated timeframe, and that such a breach affected or may have affected that customer's data. Notwithstanding the foregoing, customer notification shall not be required where a carrier reasonably determines that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier has definitive evidence that the encryption key was not also accessed, used, or disclosed.(c)Recordkeeping. All carriers shall maintain a record, electronically or in some other manner, of any breaches discovered, notifications made to the Commission, Secret Service, and the FBI pursuant to paragraph (a) of this section, and notifications made to customers pursuant to paragraph (b) of this section. The record shall include, if available, dates of discovery and notification, a detailed description of the covered data that was the subject of the breach, the circumstances of the breach, and the bases of any determinations regarding the number of affected customers or likelihood of harm as a result of the breach. Carriers shall retain the record for a minimum of 2 years.(d)Annual Reporting of Certain Small Breaches. A telecommunications carrier shall have an officer, as an agent of the carrier, sign and file with the Commission, Secret Service, and FBI, a summary of all breaches occurring in the previous calendar year affecting fewer than 500 individuals and where the carrier could reasonably determine that no harm to customers was reasonably likely to occur as a result of the breach. This filing shall be made annually, on or before February 1 of each year, through the central reporting facility, for data pertaining to the previous calendar year.(e)Definitions.(1) As used in this section, a "breach" occurs when a person, without authorization or exceeding authorization, gains access to, uses, or discloses covered data. A "breach" shall not include a good-faith acquisition of covered data by an employee or agent of a telecommunications carrier where such information is not used improperly or further disclosed.(2) As used in this section, "covered data" includes both a customer's CPNI, as defined by § 64.2003 , and personally identifiable information.(3) As used in this section, "encrypted data" means covered data that has been transformed through the use of an algorithmic process into a form that is unusable, unreadable, or indecipherable through a security technology or methodology generally accepted in the field of information security.(4) As used in this section, "encryption key" means the confidential key or process designed to render encrypted data useable, readable, or decipherable.(5) Except as provided in paragraph (e)(6) of this section, as used in this section, "personally identifiable information" means:(i) An individual's first name or first initial, and last name, in combination with any government-issued identification numbers or information issued on a government document used to verify the identity of a specific individual, or other unique identification number used for authentication purposes;(ii) An individual's username or email address, in combination with a password or security question and answer, or any other authentication method or information necessary to permit access to an account; or(iii) Unique biometric, genetic, or medical data.(iv) Notwithstanding the above:(A) Dissociated data that, if linked, would constitute personally identifiable information is to be considered personally identifiable if the means to link the dissociated data were accessed in connection with access to the dissociated data; and(B) Any one of the discrete data elements listed in paragraphs (e)(5)(i) through (iii) of this section, or any combination of the discrete data elements listed above is personally identifiable information if the data element or combination of data elements would enable a person to commit identity theft or fraud against the individual to whom the data element or elements pertain.(6) As used in this section, "personally identifiable information" does not include information about an individual that is lawfully made available to the general public from Federal, State, or local government records or widely distributed media.(f) This section does not supersede any statute, regulation, order, or interpretation in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this section, and then only to the extent of the inconsistency. 82 FR 44119, 9/21/2017; 89 FR 10002, effective date to be determined