FCC Rule Would Require Telecom Providers to Immediately Disclose Sensitive Data Breaches


The Federal Communications Commission’s proposed rule would require telecommunications providers to immediately notify consumers and federal agencies about any breaches involving “customer proprietary network information.”

The Federal Communications Commission on Friday proposed a new rule that would require telecommunications providers to immediately notify consumers and federal law enforcement agencies about any breaches of sensitive data. 

Under the FCC’s proposed rule, the agency would eliminate “the current seven business day mandatory waiting period for notifying customers of a breach,” and require that all identified data breaches be reported to consumers and to the FCC, FBI and Secret Service as soon as they are identified, unless otherwise directed by federal officials. 

Additionally, the proposal would expand the FCC’s definition of a data breach “to include inadvertent access, use or disclosures of customer information,” rather than simply limiting it to instances where an outside actor gained unauthorized access to sensitive information, as is the case with the agency’s current rule. 

The FCC’s current data breach reporting rule—which the agency adopted in 2007—requires providers with more than 5,000 customers to notify law enforcement agencies of breaches involving “customer proprietary network information” within a seven-day period, while breaches affecting providers with fewer than 5,000 customers must be reported within 30 days.

“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” FCC Chairwoman Jessica Rosenworcel said in a statement. “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security and reduce the impact of future breaches.” 

Rosenworcel previously circulated the proposal to enhance the reporting requirements for data breaches in January 2022. 

Data breaches across the federal government and private sector have increased in recent years, with telecommunications carriers in particular experiencing high-profile leaks of sensitive user information over the past decade. In August 2021, T-Mobile disclosed that it suffered a data breach that impacted approximately 50 million of its customers. The FCC also fined AT&T $25 million in 2015 to settle an investigation into data breaches at three of the telecommunications giant’s call centers between 2012 and 2014 that affected hundreds of thousands of customers.

The FCC said in a press release that the proposed rule—which was passed by the commission in a 4-0 vote—was part of an effort to better align the agency’s rules “with recent developments in federal and state data breach laws covering other sectors.” All 50 states have implemented data breach disclosure laws for private entities, with a number of these requirements having been implemented since the FCC’s current data breach rules were adopted in 2007.

The public will have 30 days to submit comments on the notice of proposed rulemaking following its publication in the Federal Register, and 60 days to submit reply comments.