FCC's Order on Broadband Privacy Will Be Felt by Energy Companies
Modern energy companies should pay close attention to the Federal Communications Commission's recent order adopting rules protecting the privacy of customer proprietary information. Although not particularly focused on energy companies, this order will have a direct impact on their service contracts with telecommunications carriers, as well as potentially control liability for data breaches at the carrier level which can impact the companies as the carriers' customers.
On November 2, 2016, the FCC released a report and order In the Matter of Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106FCC 16-148 (Privacy Order). In the Privacy Order the FCC adopted general rules to protect the privacy of broadband customers receiving broadband Internet access service (BIAS) [e.g. retail broadband voice and data internet connection]. For the most part, services provided by telecommunications carriers to modern electric companies were exempted from the being covered by these rules on the theory that power companies were enterprise customers that did not take BIAS service from carriers. However, the FCC did not completely ignore the potential impact of carrier data breaches on enterprise customers. It required that for any exemption of non-BIAS services from coverage of the overall rules to be valid, the carrier/enterprise service contract in question must contain certain provisions. It stated:
Recognizing that enterprise customers of telecommunications services other than BIAS have different privacy concerns and the capacity to protect their own interests, we find that a carrier that contracts with an enterprise customer for telecommunications services other than BIAS need not comply with the privacy and data security rules we adopt today if the carrier’s contract with that customer specifically addresses the issues of transparency, choice, data security, and data breach and provides a mechanism for the customer to communicate with the carrier about privacy and data security concerns. Id. ¶ 15.
The FCC's rationale was that "the existence of contractual terms between two businesses addressing privacy ensures that the enterprise customer’s privacy is in fact protected without the need for our [FCC] rules." Id. ¶ 308. Even then the Commission's exemption was not absolute because carriers are still subject to 47 U.S.C. § 222 which provides that telecommunications carriers have a duty to protect the customer proprietary network information (CPNI) of their customers.1 Moreover, the exemption does not apply to BIAS services enterprise customers, because BIAS services by definition are "mass market retail service[s]," and as such the FCC did not anticipate that it would be typical for purchasers to negotiate the terms of their contracts. Id. Further, the FCC strongly encouraged telecommunications providers to adhere to the NIST Framework as a model for protecting the privacy and security of CPNI.
Consequently, modern energy companies should review their carrier service contracts to determine whether they contain the necessary provisions and in the event that the contracts do not, make a decision with regard to coverage.
1 CPNI is defined as (A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier; except that CPNI does not include subscriber list information. With regard to BIAS services, CPNI includes: MAC Addresses and Other Device Identifiers, IP Addresses and Domain Name Information, Traffic Statistics, Port Information, Application Header, Application Usage, Application Payload and Customer Premises Equipment and Device Information.