On December 6, 2023, the Federal Communications Commission (“FCC”) announced a new partnership with four U.S. states—Connecticut, Illinois, New York, and Pennsylvania—to collaborate on privacy, data protection, and cybersecurity enforcement actions. The partnership is a product of the FCC's Privacy and Data Protection Task Force and draws authority from Sections 201 and 222 of the Communications Act. It mirrors a similar partnership between the FCC and U.S. states to investigate and prosecute robocall violations over the last couple years.
To formalize the partnership, the FCC’s Enforcement Bureau signed a Memorandum of Understanding (“MOU”) with the Attorney General of each state. The MOUs highlight common legal interests in investigating and prosecuting privacy and cybersecurity matters under any and all applicable federal or state laws. The FCC will provide its expertise, resources, and remedies to each participating state. It also may facilitate relationships with other federal agencies and provide access to specific investigative tools (e.g., subpoenas, confidential response letters).
Sections 201 and 222 of the Communications Act require telecommunication and VoIP providers to safeguard customer proprietary network information (“CPNI”) and to report any breaches of CPNI; the provisions also empower the FCC to investigate any such breaches. This new partnership appears to be yet another step toward the FCC’s broader goal of reinforcing and expanding its privacy and cybersecurity authority under Sections 201 and 222. For example, in January 2023, the agency asserted Section 222 authority to propose expanded breach-reporting requirements which would encompass inadvertent breaches and breaches that compromise PII (not just CPNI). Likewise, in October 2023, the agency proposed reclassifying broadband internet access service (“BIAS”) as a “telecommunications service” under Title II of the Communications Act to solidify its authority to regulate and protect U.S. broadband networks.
The FCC formed its Privacy and Data Protection Task Force in June 2023 in order to better coordinate rulemaking, enforcement, and public awareness related to privacy and cybersecurity issues within its purview. The Task Force has stated that it aims to address emerging threats like SIM swapping scams, port-out fraud, and data breaches.
Overall, this new partnership—together with the new Task Force and other expansionary actions taken in 2023—underscores an intentional strategic shift toward more proactive and collaborative privacy and cybersecurity enforcement. By pooling resources and expertise, the FCC and state Attorneys General aim to protect consumers in an emerging era of rapid technological advancement and increased digital threats. Companies in the telecommunications, VoIP, and broadband space should monitor for increased enforcement activity by the FCC, state Attorneys General, and other agencies like the Federal Trade Commission.
/Passle/655dcaac6d480d2e47438266/SearchServiceImages/2024-04-17-21-26-58-068-66203ea2326ad244c0dbf36a.jpg)
/Passle/655dcaac6d480d2e47438266/SearchServiceImages/2024-02-22-06-07-13-414-65d6e491f044e8ffe34bb259.jpg)
/Passle/655dcaac6d480d2e47438266/SearchServiceImages/2024-02-22-01-01-42-943-65d69cf6e32bf99d3fbd327b.jpg)
/Passle/655dcaac6d480d2e47438266/SearchServiceImages/2024-02-13-16-38-00-734-65cb9ae8a663ca0e2ecf87be.jpg)