FCC to mull changes to telecom data breach notifications
The Federal Communications Commission voted unanimously Friday to investigate potential changes to the breach notification rules for telecommunications companies.
FCC Chairwoman Jessica Rosenworcel said the rules the agency created more than 15 years ago are no longer compatible with a modern world where telecommunication carriers have access to a “treasure trove of data about who we are, where we have traveled, and who we have talked to.”
“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” Rosenworcel said.
“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
The rules – outlined in Section 222 of the Communications Act – were updated in 2007 to include a provision requiring companies to notify the United States Secret Service and FBI of breaches “no later than seven business days after a reasonable determination of a breach.”
The rules say a company can then notify customers after the seven-day limit expires “if the Secret Service and the FBI have not requested that the telecommunications carrier continue to postpone disclosure.” There is no language mandating what companies have to tell customers in light of a breach.
On Friday, the FCC said it wanted to “better address telecommunications carriers’ breach notification requirements” and potentially eliminate the seven-day waiting period rule.
“The FCC also proposes clarifying its rules to require consumer notification by carriers of inadvertent breaches and requiring notification of all reportable breaches to the FCC, FBI, and U.S. Secret Service,” they said.
Rosenworcel called the waiting period rule “outdated” and said the FCC also wanted to be notified of breaches.
She added that they are seeking comments on how their new breach reporting rules could work alongside those that are coming from the Cybersecurity and Infrastructure Security Agency.
As part of the Cyber Incident Reporting for Critical Infrastructure Act – which was signed into law in March – CISA was asked to create new rules mandating that critical infrastructure owners report if their organization has been hacked or has made a ransomware payment.
Now the FCC will gather information on the issue and take comments on “whether to require customer breach notices to include specific categories of information to help ensure they contain actionable information useful to the consumer.”
The proposal was first introduced last year, and the new rulemaking process will officially start now that it has received a majority vote from the Commission, according to a spokesperson for the agency.