FCC Proposes Updated Data Breach Reporting Rules for Telecom Industry  

Late last week, the Federal Communications Commission (FCC) announced its revision of the rules governing when and how telecom providers must inform customers and federal law enforcement of data breaches involving customer information. According to the agency’s press release, the changes seek to bring FCC rules in greater alignment with state and federal law and also come in response to the increase in frequency, sophistication, and scale of data leaks.

Rules governing breaches of customer proprietary network information (CPNI) for telecom and Voice over Internet Protocol (VoIP) providers were first incepted in 2007. In the decade and a half since their enactment however, data breaches have increased in both frequency and severity in all industries, the FCC acknowledged, with the telecommunications industry suffering an increasing number of breaches in recent years. 

For example, T-Mobile subscribers and even those who merely contemplated using the nationwide provider, had their information lifted from its networks in August 2022. T-Mobile recently settled the accompanying private litigation for $350 million.

Changes to the rules, called “much-needed” by FCC Chair Jessica Rosenworcel, seek to enhance consumer protections, increase security, and reduce the impact of future breaches. Among other proposed changes, the FCC wants to eliminate the current, mandatory seven business day waiting period for notifying customers of a breach.

Its proposal is to “require telecommunications carriers to notify customers of CPNI breaches without unreasonable delay … unless law enforcement requests a delay,” which the rulemaking filing says is more current strategy and will keep customers better apprised of information and their rights.

Relatedly, the FCC is reviewing the wording “without unreasonable delay.” The agency seeks comment on whether the phrasing provides effective guidance or whether a concrete rule would be better, noting that states that impose an outside limit on consumer notification mostly use limits of 30, 45, or 60 days.

Among other issues, the Commission is eliciting comment as to whether it should require covered entities to include specific categories of information that would be useful to customers in the face of a breach.

The decision to update the rules was reached by a unanimous vote of the full FCC, which will now receive public comment on its proposed changes.