Enhanced FCC regulations for data breach disclosure by telecommunications companies become effective
The Federal Communications Commission (FCC) has recently updated its data breach reporting rules for telecommunications network operators in the United States. The new rules, which took effect on March 13, aim to enhance the security and privacy of customers' personally identifiable information (PII).
Under the new FCC rules, network operators are required to report any data breaches according to enhanced, specific reporting obligations. The FCC's emphasis on timeliness and detailed disclosure obligations in related areas suggests an increased focus on swift action in the event of a breach.
One of the key changes is that carriers must now notify customers about a breach more quickly than under the old rules. The FCC requires carriers to notify customers without unreasonable delay and no more than 30 days following a reasonable determination of a breach. This change is significant, as the old rules required a seven-business-day waiting period before notifying customers.
In addition to quicker customer notification, the new rules also require telecommunications network operators to notify regulators, law enforcement agencies, and customers of breaches more quickly. In the event of a data breach, carriers must inform the FCC, the Secret Service, and the FBI within seven business days after a reasonable determination of a breach.
The updated data breach reporting rules now apply to any exposure of customers' PII, including intentional and inadvertent data breaches. This broadens the scope of the previous rules, which only covered certain types of breaches.
The FCC's chair, Jessica Rosenworcel, has emphasized the importance of timely and explicit disclosure in the event of a data breach. She stated that consumers now deserve to know if their carrier has disclosed their Social Security number, financial data, or other sensitive information that could put them in harm's way.
This rule change is part of a larger, federal, industrywide effort to compel businesses to disclose data breaches in a more explicit and timely manner. Last year, the Securities and Exchange Commission (SEC) imposed new rules requiring companies to disclose any material security incident within four business days of determining materiality.
The new FCC rules come at a time when data breaches are increasingly common. In August 2021, a massive data breach at T-Mobile exposed personal data of at least 76.6 million people. This was the eighth publicly acknowledged data breach at the carrier since 2018. A cyberattack hit T-Mobile again in November 2022, exposing the records of 37 million customers.
These updates to the FCC's data breach reporting rules are an important step towards enhancing the security and privacy of customers' PII. For precise compliance obligations regarding data breaches, consult the FCC's official rulemakings or legal advisories that specifically address breach reporting rules.
- The FCC's rulemaking on Data Breach Reporting, which came into effect on March 13, requires telecommunications network operators to report data breaches according to enhanced, specific reporting obligations, implying a heightened emphasis on cybersecurity.
- In the wake of data breaches becoming increasingly common, as evident in cases like the massive breach at T-Mobile in August 2021 and the subsequent cyberattack in November 2022, the FCC's rulemaking on Data Breach Reporting is an essential step towards improving overall cybersecurity and maintaining the privacy of customers' personally identifiable information.
- The updated FCC data breach reporting rules broaden the scope of previous rules, now applying to any exposure of customers' PII, including intentional and inadvertent data breaches, signifying a shift towards stricter data protection measures.