Starting March 13th, telecommunications companies face stringent obligations to report data breaches impacting customers’ personally identifiable information (PII) within a 30-day timeframe, as per the FCC’s revised data breach reporting requirements.
The FCC’s final rule comes after a series of proposals dating back to January 2022, culminating in January 2024, aimed at modernizing breach notification rules to ensure prompt notification to customers by telecom carriers in the event of security breaches.
Scope of the Updated Regulations
- The revised rules expand breach notification requirements beyond Customer Proprietary Network Information (CPNI) to encompass PII.
- They now cover inadvertent access, use, or disclosure of customer information, ensuring that a broader spectrum of incidents is reported.
The FCC emphasized that without these rules, there would be no federal requirement for telecom carriers to report non-CPNI breaches to their customers.
Removal of Waiting Period
The updated regulations eliminate the obligatory waiting period for carriers to notify customers, requiring prompt customer notification once the relevant federal agencies have been alerted.
However, any notification delay must not exceed 30 days after breach identification, unless otherwise mandated by law enforcement.
Chairwoman’s Perspective
“Our mobile phones have become extensions of ourselves, constantly at our side, holding vast amounts of personal data. This connectivity underscores the importance of safeguarding sensitive information,” stated FCC Chairwoman Jessica Rosenworcel in January.
Rosenworcel emphasized the critical need for carriers to uphold their obligations in protecting customer data, ensuring it remains out of unauthorized hands.
Recent Telecom Breaches Highlight Urgency
Recent years have seen significant breaches at major U.S. telecom carriers, prompting the FCC’s regulatory updates:
- In December 2022, Comcast Xfinity customers faced widespread attacks bypassing two-factor authentication.
- Verizon notified prepaid customers of a breach exposing credit card information, later exploited in SIM swapping attacks.
- T-Mobile has experienced multiple breaches since 2018, with one in January 2023 compromising the sensitive data of 37 million individuals.
- AT&T settled an FCC investigation in April 2016, stemming from three breaches impacting hundreds of thousands of customers.
FCC’s First Rule on Data Breach Reporting
The FCC’s initial rule requires telecoms and VoIP providers to inform federal law enforcement agencies and customers of any data breaches, underscoring the regulator’s commitment to enhancing cybersecurity in the telecommunications sector.