On August 13, the U.S. Court of Appeals for the 6th Circuit denied several consolidated petitions for review and upheld the FCC’s 2024 rule expanding data breach reporting requirements for telecommunications carriers and broadband providers. The rule requires carriers to notify both customers and federal authorities of breaches involving not only “customer proprietary network information” but also “personally identifiable information.” Industry groups filed petitions that argued the FCC exceeded its statutory authority and that the rule was substantially similar to a rule that Congress previously reviewed, and denied, under the Congressional Review Act (CRA).

On petition, the court rejected these arguments and held that the FCC acted within its statutory authority under Section 201(b) of the Communication Act, and that the rule at issue was not “substantially the same” as the rule Congress rejected. The court also upheld the FCC’s authority to apply the rule to telecommunications relay service providers under Section 225. Finally, the 6th Circuit determined that both the FCC’s expanded definition of covered data and new notification protocols were permissible.