Sixth Circuit Upholds FCC’s 2024 Breach Notification Rules

Telecommunications carriers must continue to adhere to a 2024 Federal Communications Commission (FCC) Order that substantially broadened carriers’ breach notification obligations, requiring that they disclose breaches of any customer personally identifiable information (PII), not just customer proprietary network information (CPNI), and do so for both inadvertent and intentional breaches, according to a decision on August 14 by the U.S. Court of Appeals for the Sixth Circuit upholding the order.1 The FCC’s order defines “breach” broadly to include “inadvertent access, use, or disclosure of customer information.” Notification is triggered within seven business days when 500 or more customers are affected or when there is a “risk of customer harm.”2
Background
The FCC has broad authority under the Communications Act of 1934 to regulate interstate telephone communications, including, under 47 U.S.C. § 201(b), the authority to ensure that “[a]ll charges, practices, classifications, and regulations for and in connection with [a carrier’s] communication service, shall be just and reasonable.” Congress amended the Communications Act in 1996 to further authorize the FCC to ensure that carriers protect the privacy of customer information.
Under 47 U.S.C. § 222(a), carriers must “protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers.” Other subsections of Section 222 provide more specific guidance on how carriers handle CPNI, defined in 47 U.S.C. § 222(h)(1) as:
(a) information that relates to the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (b) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.
The FCC promulgated regulations in 2007 requiring carriers (and, in 2013, relay service providers) to notify law enforcement and customers in the event of a breach involving CPNI, in what is commonly known as the “Data Breach Notification Rule.” Under this rule, carriers must notify the Secret Service and the FBI, through a central reporting facility, within seven business days after a reasonable determination of a breach, defined as “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.”3
After reclassifying broadband internet service providers (ISPs) as “telecommunication services” in 2015, the FCC went on the following year to issue an omnibus Broadband Privacy Order (the 2016 Privacy Rules). These rules not only expanded the breach notification requirements to include breaches of both CPNI and PII, they also placed extensive consent requirements on ISPs to provide customers with greater transparency, choice and security regarding their personal information.
For example, under the 2016 Privacy Rules, ISPs were required to obtain “opt in” consent from consumers prior to using and sharing their sensitive information, and to give consumers the opportunity to “opt out” of the use and sharing of non-sensitive PII.
By 2016, the world had experienced the high-profile data breaches of Target, Yahoo and Ashley Madison, among many others, and the European Union had promulgated the General Data Protection Regulation. The Federal Trade Commission (FTC) had significantly stepped up its enforcement under Section 5 of the FTC Act to address mishandling of customers’ personal information as an “unfair” or “deceptive” trade practice. Consumer privacy had come of age.
According to Congress, however, the 2016 Privacy Rules extended the FCC’s authority too far. It struck down the regulation pursuant to the Congressional Review Act (CRA), which not only gives Congress authority to set aside regulations of which it disapproves but also prohibits agencies from reissuing “substantially the same” rules (5 U.S.C. §§ 801, 802). In 2017, the FCC again reclassified ISPs as “information service” providers not subject to common carrier obligations such as the Data Breach Notification Rule.
The 2024 Breach Notification Order
Cyber threats continued to escalate, and in 2023 the FCC issued a Notice of Proposed Rulemaking to amend the Data Breach Notification Rule. In the final Report and Order, issued in February 2024 (the 2024 Order), the FCC justified expanding the scope of the breach notification rules to cover all PII that carriers hold relating to their customers to “better protect consumers from improper use or disclosure of” such data. The FCC described the expanded rule as a mere extension of its current requirements on carriers to protect the “proprietary information of customers other than CPNI” such as names, addresses and telephone numbers.4
In the 2024 Order, the FCC expanded the definition of “breach” to include inadvertent access, use or disclosure of PII or CPNI, including when “a person, without authorization or exceeding authorization, has gained access to, used, or disclosed covered data.”5 The FCC’s goal in expanding the “breach” definition was to “encourage telecommunications carriers to adopt stronger data security practices” and to “help Federal agencies identify and address systemic network vulnerabilities.” Exempted from the definition, however, are instances where an employee or agent of the carrier “in good faith” acquires customer data so long as the data is not used improperly or further disclosed.6
The 2024 Order also expanded the notification requirements to require notice to the FCC and to consumers either when at least 500 consumers are affected, or when there is reasonable likelihood that consumers will be harmed. Whether or not these thresholds are met at the level of any one breach, carriers must prepare an annual report to the FCC describing all breaches.
Several trade associations filed petitions for review of the 2024 Order, which were consolidated before the Sixth Circuit as Ohio Telecom Association v. Federal Communications Commission. On August 13, 2025, the Sixth Circuit denied the petitions.
PII is Not Protected as “Proprietary” Information of Customers Under Section 222
The Sixth Circuit in Ohio Telecom first dispensed with the FCC’s argument that its authority for the 2024 Order is a natural extension of its authority to regulate the “proprietary information” of customers under Section 222(a). While agreeing that the section includes more than just CPNI, the court concluded that it does not include PII. Sidestepping the petitioners’ argument that customers’ names and addresses are not “proprietary” to customers because they “routinely disclose them to third parties,” the court nonetheless found that Congress did not intend Section 222(a) to cover PII, and any interpretation to the contrary “creates anomalies across the remainder of the statute and ignores the clear statutory focus on specific categories of customer information, none of which includes PII.”7
A Carrier’s Refusal to Report a Breach is a “Practice” Under Section 201
The court then proceeded to uphold the 2024 Order by rejecting the petitioners’ contention that the FCC’s authority under Section 201(b) of the Communications Act is limited to practices resembling rate setting and rate division. Relying on the U.S. Supreme Court’s opinion in Global Crossing Telecommunications, Inc. v. Metrophones Telecommunications, Inc., 550 U.S. 45 (2007), in which a carrier’s “failure to pay compensation” to a payphone operator amounted to a “practice” in connection with a telecommunication service within the meaning of Section 201(b), the Sixth Circuit held that “a carrier’s refusal . . . to notify customers in response to a breach of customer PII can reasonably be deemed to be a ‘practice’ of that carrier.”8 This is justified, the court reasoned, by the FCC’s finding that in the course of providing telecommunication services, carriers often collect and process “large quantities of sensitive customer data.”9
Preventing and mitigating improper disclosure of that data, in turn, helps ensure that “when customers use telecommunication services, their personal information is protected.” And the requirement that carriers disclose breaches of PII is a method of ensuring that protection. In short, there is a direct connection between a carrier’s failure to disclose breaches of customer PII and its role in providing communication services.10
The court found further support for its broad interpretation of Section 201(b) in Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45), pursuant to which the FTC regulates inadequate data privacy and security practices as “unfair or deceptive trade practices.” Reading Section 201(b) just as broadly aligns the FCC’s privacy regulation with the FTC’s and “prevents the anomalous result of carriers falling into a regulatory gap in which there is little to no federal protection against carriers’ mishandling of customer PII.”11
Congressional Review Act
Finally, the Sixth Circuit held that the 2024 Order did not violate the Congressional Review Act, even though data breach notification provisions formed part of the 2016 Privacy Rules that Congress summarily struck down under the CRA, which prohibits an agency from reissuing “substantially the same” rule.
According to the majority, under the CRA a new rule is “substantially the same” as a prior rule only if it is similar to the entire rule identified in the disapproval resolution. “If Congress intended to prohibit an agency from issuing a new rule that is substantially the same as any part of a prior rule nullified by a disapproval resolution, it could have said so.”12 Because the 2016 Order was devoted in large part to consumer transparency and consent concerns, and only partially to security breach notification, the 2024 Order pertaining exclusively to breach notification was not “substantially the same.”13
Dissent
Judge Griffin in dissent strongly objected to the majority’s novel interpretation of the CRA, arguing not only that the 2016 Privacy Rules and the 2024 Order overlap in many substantially similar respects, but also that when Congress rejected the entire 2016 Privacy Rules, it rejected as well each of its parts.14
The dissent further argued that Global Crossing and classic canons of statutory interpretation did not support such a broad reading of Section 201(b). Even if collecting and storing data could be considered “inherent in or necessary for the provision of communication services,” Judge Griffin wrote, the data breach reporting requirements of the 2024 Order do not address storage and processing but instead only reporting on their compromise.15 “[C]arriers need not take any action in response to breaches of customer PII to furnish a communication service.”16
Takeaways
While opponents of the 2024 Order consider whether to seek rehearing of their challenge en banc in the Sixth Circuit, petition for a writ of certiorari at the Supreme Court, request relief from the FCC itself, or some combination of these options, the expanded FCC rules remain in effect. Carriers are advised to continue their compliance efforts:
- Maintain and routinely review data inventories to identify personal information that constitutes PII and may not be considered CPNI.
- Make sure internal incident reporting protocols flag all instances of access, use or disclosure of customer information, including unintentional or inadvertent mistakes. This covers mishandled customer lists, such as missent email attachments, and not just threat-actor intrusion incidents.
- Be prepared to engage counsel to determine whether any of these disclosures constitutes a “breach” under the new rules, and revise reporting process documents to include the possibility of providing notification to the appropriate authorities within seven days of discovery.
Carriers with questions about the applicability of, and compliance with, the FCC’s expanded rules are encouraged to contact Akin’s market-leading telecom, media & technology and privacy & cybersecurity practices.
1 Ohio Telecom Assoc. v. FCC, Nos. 24-3133/3206/3252, 2025 WL 2331753 (Aug. 13, 2025).
2 Data Breach Reporting Requirements, 89 Fed. Reg. 9968-01 (Feb. 12, 2024).
3 47 C.F.R. § 64.2011(e) (2007) (emphasis added).
5 Id. 47 C.F.R. 64.2011(e) now reads: “(e) As used in this section, a “breach” occurs when a person, without authorization or exceeding authorization, gains access to, uses, or discloses covered data. A “breach” shall not include a good-faith acquisition of covered data by an employee or agent of a telecommunications carrier where such information is not used improperly or further disclosed.”
6 Id.
7 Ohio Telecom, 2025 WL 2331753, at *7-8.
8 Id. at *9.
9 Id. at *11 (citing 38 FCC Rcd. 12523, 12524-25 (2023)).
10 Id. (citing 38 FCC Rcd. at 12424-25).
11 Id. at *15.
12 Id. at *20 (emphasis added).
13 Id. at *21.
14 2025 WL 2331753, at *24 (Griffin, J., dissenting).
15 Id. at *26.
16 Id. at *29.