378. The RFA requires an agency to describe any significant, specifically small business, alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): “(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.”
379. The Commission expects to consider the economic impact on small providers, as identified in comments filed in response to the Notice and this IRFA, in reaching its final conclusions and taking action in this proceeding. Moreover, in formulating these rules, we seek to provide flexibility for small providers whenever possible, by setting out standards and goals for the providers to reach in whichever way is most efficient for them.
380. Definitions. As discussed above, in proposing definitions to accompany these proposed rules we seek comment on alternative formulations, including alternatives that could reduce burdens on small providers. We seek comment on alternative definitions of the terms affiliate; customer; CPNI; customer PI; opt-out and opt-in approval; communications-related services; breach; and other terms, and ask how such alternatives could affect the benefits and burdens to small providers. In addition to these requests for comment, we seek comment generally on alternative definitions that would reduce burdens on small providers.
382. Customer Approval Requirements for the Use and Disclosure of Customer PI. As discussed above, we seek comment on alternative customer approval rules that could alleviate burdens on small providers while preserving the ability of all BIAS customers to have meaningful choices in the use and disclosure of their personal information. Choice is a critical component of protecting the confidentiality of customer proprietary information. We seek comment on ways to minimize the burden of our proposed customer choice framework on small BIAS providers. In particular, we seek comment on whether there are any small-provider-specific exemptions that we might build into our proposed approval framework. For example, should we allow small providers who have already obtained customer approval to use their customers’ proprietary information to grandfather in those approvals? Should this be allowed for third parties? Should we exempt providers that collect data from fewer than 5,000 customers a year, provided they do not share customer data with third parties? Are there other such policies that would minimize the burden of our proposed rules on small providers? If so, would the benefits to small providers of any suggested exemptions outweigh the potential negative impact of such an exemption on the privacy interests of the customers of small BIAS providers? Further, were we to adopt an exemption, how would we define what constitutes a “small provider” for purposes of that exemption?
383. Use and Disclosure of Aggregate Customer PI. As discussed above, we seek comment on alternative approaches to the use and disclosure of aggregate customer PI that could alleviate burdens on small BIAS providers. In particular, we seek comment on an approach to aggregate customer PI that is similar to that used by HIPAA, and whether such an approach would be less burdensome to small BIAS providers. We also ask that, as commenters consider whether we should adopt each of the prongs of our proposed rule and any proposed alternatives, they also consider how we could limit any burdens associated with compliance, particularly for small providers.
384. Securing Customer Proprietary Information. As discussed above, we seek comment on alternative approaches to secure customer proprietary information that could alleviate burdens on small BIAS providers. We propose that any specific security measures employed by a BIAS provider take into consideration the nature and scope of the BIAS provider’s activities, because we believe that this sliding scale approach will afford sufficient flexibility for small providers while still protecting their customers. The Commission has previously explained that “privacy is a concern which applies regardless of carrier size or market share.” However, we recognize that the same data security protections may not be necessary in all cases. For example, a small provider with only a few customers may not store, use, or disclose customer PI in the same manner as a large provider. In such a case, what constitutes “reasonable” safeguards might be different. We seek comment on current data security practices in the industry and alternative structures that can build on current best practices to alleviate burdens. We seek comment on alternatives to our proposed rule on account change notifications that could reduce burdens on small providers. When discussing whether to require multi-factor authentication or contractual data security commitments from third party recipients of customer PI, we seek comment on the burdens such proposals could place on small providers and alternatives that could reduce such burdens. We also ask that comments and proposals regarding data destruction discuss potential burdens for small providers.
385. Data Breach Notification Requirements. As discussed above, we seek comment on alternative approaches to data breach notifications that could alleviate burdens on small providers. In particular, we propose a threshold of 5,000 affected customers for breach notification of the Federal Bureau of Investigation and U.S. Secret Service, and seek comment on how such a threshold could benefit or burden small providers. We also seek comment on record retention rules and alternatives that could reduce compliance burdens.
386. Other Practices Implicating Privacy. As discussed above, in seeking comment on whether to prohibit specific practices implicating privacy, we also seek comment on how proposals and alternatives can alleviate burdens on small providers. In particular, when seeking comment on whether heightened notice and choice requirements are necessary for some practices, we specifically ask commenters to address the burdens of their proposals on small providers, and alternatives to reduce such burdens.
387. Dispute Resolution. As discussed above, in seeking comment on potential approaches to dispute resolution, we also seek comment on how proposals and alternatives can benefit or burden small providers.