FCC Proposes New Reporting and Notification Requirements Following Uptick of Telecom Company Data Breaches

On Wednesday, the Federal Communications Commission (FCC) announced that it would begin the process of enhancing certain rules concerning breaches of customer proprietary network information (CPNI). The notice of proposed rulemaking would update current requirements to better align with recent developments in federal and state data breach laws, the agency said.

According to the FCC, the updates would alter what telecommunication carriers must do in the event of a data breach. The changes include:

·      Eliminating the obligatory seven business day waiting period for notifying customers of a breach
·      Requiring notification of inadvertent breaches
·      Requiring carriers to notify the FCC of all reportable breaches in addition to the FBI and the U.S. Secret Service.

The FCC’s notice also seeks comment on whether it should require customer breach notices to “include specific categories of information to help ensure they contain actionable information useful to the consumer and proposes to make consistent revisions to the Commission’s telecommunications relay services (TRS) data breach reporting rule.”

As a matter of policy, the FCC explains that the proposed changes reflect the trend that breaches involving CPNI are happening with increasing regularity and severity. Too, breaches can have lasting negative impacts on the economy and on consumers whose information has been improperly exposed, the agency said.

The press release notes that last September, the FCC proposed rules targeting SIM swapping scams and port-out fraud, the former of which has been the root cause of customer account hijacks and resultant cryptocurrency losses.The plans also come after T-Mobile experienced a massive data breach in August, resulting in the exposure of 54 million customers’ information. The case is proceeding as multidistrict litigation in the Western District of Missouri.