FCC gives telecom companies 7 days to alert authorities of discovered data breaches

The FCC has been taking sweeping steps to harden data breach rules to protect telecom customers’ data.

The Federal Communications Commission on Monday will adopt a rule requiring telecommunications and voice over IP providers to notify authorities of a data breach within seven business days of discovery.

Phone carriers will have to alert the commission, Secret Service and FBI of breaches within the timespan and notify customers about data breaches “without unreasonable delay” after they have informed federal agencies and within 30 days of determining a breach has occurred — unless law enforcement requests a delay — according to a final rule set to publish next week.

Providers will no longer have to notify customers of a breach if they can reasonably determine the incident is unlikely to harm the customers, though the definition of a “breach” has been expanded by the agency to include unintended access, use or sharing of customer data.

The publication of the final rule, which has been in the works for more than a year, comes days after a Verizon employee was reported to have inadvertently released data on some 63,000 employees in December.

The agency’s action is linked to a report and order issued in November that seeks to harmonize FCC regulation with newer state and federal data breach laws that have considered other sectors outside telecom and communications.

Both heightened cyber activity and growing scrutiny over federal privacy frameworks during the Biden administration have pushed agencies to take more assertive stances in safeguarding customers’ data. Those include sweeping requirements to prevent hacking attempts into company systems, as well as efforts to curtail certain data collection practices at large companies.

The FCC, in particular, has expanded the scope of compromised information under the new rules to include personally identifiable information, or PII, a step up from Customer Proprietary Network Information, which is generally defined as subscription data collected by telecom providers.

“The pervasiveness of data breaches and the frequency of breach notifications have evolved and increased since the Commission first adopted its breach notification rule in 2007,” said the public readout detailing the adoption. “Consumers expect that they will be notified of substantial breaches that endanger their privacy, and businesses that handle sensitive personal information should expect to be obligated to report such breaches.”

The rule is set to take effect next month after it is officially published on Monday.

“It has been sixteen years since the Federal Communications Commission last updated its policies to protect consumers from data breaches,” FCC Chair Jessica Rosenworcel said in December when the agency adopted the notification rules. “Today we fix this problem. We update our policies to protect consumers from digital age data breaches. We make clear that under the Communications Act carriers have a duty to protect the privacy and security of consumer data.”