The Sixth Circuit U.S. Court of Appeals has upheld the FCC’s data breach notification rules, adopted in 2024, against petitions for review filed by the Ohio Telecom Association, the Texas Association of Business, CTIA, NCTA, and USTelecom. The petitioners had argued that the rules exceeded the FCC’s authority and violated the Congressional Review Act (CRA), citing the fact that Congress vetoed similar requirements in 2017.
The FCC’s adopted data breach notification rules, which have not yet gone into effect, update the data breach requirements by: (1) expanding the scope of the FCC’s breach notification rules to cover certain personally identifiable information that carriers and telecommunications relay service (TRS) providers hold; (2) expanding the definition of what constitutes a breach; and (3) updating the breach notification rules for carriers and TRS providers.
A three-judge panel issued an opinion affirming the data breach notification rules approved 3-2 in 2023 by the FCC, with dissents from then-Commissioners Brendan Carr and Nathan Simington. The Sixth Circuit Court determined that the Congressional Review Act does not prevent agencies from issuing new rules similar to those nullified by CRA resolutions. Judge Jane Stranch, writing for the court, noted that Congress could have explicitly prohibited such actions but chose not to. Furthermore, the court found that the 2017 rules and the 2024 FCC data breach order are not substantively identical.