Major Industry Stakeholders Concerned About Confidentiality Protections for FCC-Private Sector Cyber Risk Meetings
Major communications interests are urging the FCC to implement confidentiality protection rules for its proposed voluntary FCC-private sector meetings on cyber risks that are similar to those that the Department of Homeland Security uses in its Protected Critical Infrastructure Information (PCII) program, several told us. The FCC is circulating a policy statement that would set up the process for conducting the FCC-private sector meetings as part of its larger adoption of the Communications Security, Reliability and Interoperability Council’s (CSRIC) 2015 report on recommendations for communications sector cybersecurity risk management. The private sector voluntarily committed via the CSRIC report to promote the use of FCC meetings with individual companies about their cyber risks and their use of cybersecurity best practices (see 1503180056 and 1602220052). Several stakeholders said the FCC is unsure whether it has the legal authority to fully implement the confidentiality protections used in DHS’ PCII program for its own confidential meetings.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Industry officials have told the FCC they're concerned about “whether the processes that the FCC can put in place [on information confidentiality protection] are equal [to those in the DHS PCII program] in terms of the level of protection,” an eighth-floor FCC staffer told us. The PCII program protects information submitted by participating entities against state, federal and local freedom of information laws, DHS said. Information that qualifies under the PCII program is also protected against use in regulatory enforcement actions and civil litigation. Industry officials are seeking “airtight protections” similar to those included in the PCII program that would give them assurance their information “won’t go public” via federal or state freedom of information laws or be used in enforcement actions, the staffer said. The FCC is apparently concerned it may not be fully able to use the PCII program’s confidentiality rules as a “backdrop for strong confidentiality” in the FCC meetings as suggested in the CSRIC report without coordination with DHS, an industry lobbyist told us.
The FCC has indicated it may not be able to exempt information gathered during the meetings with the private sector from use in future enforcement actions, but “I’m pretty sure that under the FCC process that information wouldn’t be” subject to freedom of information laws, said Competitive Carriers Association President Steve Berry. Despite the possible lack of a universal exemption from enforcement action, “it’s very positive that [the FCC is] handling this through a policy statement and not a” notice of inquiry or rulemaking, Berry said. “I think this is an acceptable and more rational approach.” Barry said he’s “very cautious about the FCC imposing new requirements on industry but I’ve been assured that that’s not their intent.” The FCC’s goal “is not to ferret out activities [through the meetings] that are inappropriate,” he said.
The FCC’s ability to make ISPs and telcos comfortable with the confidentiality rules for the voluntary FCC-private sector meetings “has been the big question” throughout development of the meeting process, said Venable cybersecurity and telecom lawyer Jamie Barnett. It’s unclear how much the FCC will actually use the PCII confidentiality rules in their own meetings, but the agency may need to use the policy statement as a “step along the way” toward adopting those rules for major communications firms “to feel comfortable” with moving forward with the meetings, he said. Barnett told us he believes the policy statement will be a “logical progression” of FCC Chairman Tom Wheeler’s commitment to a full voluntary cybersecurity program. “I don’t think it’ll depart much from that,” Barnett said.