
Increased Data Breach Reporting Obligations for Telecom Companies Under New FCC Regulations Now in Effect

Expanded breach disclosure rules now include all personally identifiable information, and telecommunication carriers are obligated to notify their customers within thirty days of detecting a breach.


In a move to enhance transparency and bolster regulatory oversight, the Federal Communications Commission (FCC) has recently implemented new data breach reporting rules for U.S. telecommunications network operators. These changes come in response to ongoing cyber threats affecting the sector, aiming to tighten security measures and provide faster, more explicit breach notifications.

The new rules, which took effect on March 13, expand the definition of personal information (PII) that must be reported in breach incidents. This now includes identifiers such as government-created unique ID numbers, biometric data, and combinations of electronic identifiers with security codes that could grant access to financial accounts. Previously, definitions were narrower, often limited to basic personal identifiers like name and Social Security number.

One of the key differences in the new rules is the requirement for telecommunications entities to notify state Attorneys General or federal regulators, within specified timeframes, when breaches affect a certain number of individuals. Earlier laws focused primarily on notifying affected individuals, without mandatory regulator notification, and used less stringent definitions of personal information. The latest rules mandate stricter timelines and broader coverage.

The new rules also require telecom licensees to disclose security-related information, including details about equipment and service providers linked to foreign adversaries. Failure to comply can result in monetary penalties, reflecting a growing focus on safeguarding telecommunications infrastructure from national security threats.

When PII is exposed by a breach, carriers must notify customers without unreasonable delay and in no case more than 30 days following a reasonable determination of a breach. This is a significant shift from the FCC's previous rules, which only prohibited the disclosure of information about who is called and when.

In the event of a data breach, your carrier now has to tell the FCC and you in a timely way. Telecom operators are now required to notify the FCC, Secret Service, and FBI within seven business days after a reasonable determination of a breach. This is a departure from the old rules, which required carriers to wait seven business days before notifying customers.

The new FCC rules also require telecommunications network operators to notify regulators, law enforcement agencies, and customers of breaches more quickly. This is another federal, industrywide effort to compel businesses to disclose data breaches in a more explicit and timely manner.

Last year, the Securities and Exchange Commission imposed new rules requiring companies to disclose any material security incident within four business days of determining materiality. Public companies, including major network operators, are subject to both FCC and SEC disclosure rules.

The rule change at the FCC comes after a series of data breaches at T-Mobile, with the latest cyberattack in November 2022 exposing the records of 37 million customers. This is the eighth publicly acknowledged data breach at T-Mobile since 2018. FCC Chair Jessica Rosenworcel stated that consumers also deserve to know if their carrier has disclosed their Social Security number, financial data, or other sensitive information that could put them in harm's way.

These changes reflect a wider trend in U.S. telecommunications security law to enhance transparency, bolster regulatory oversight, and tighten security measures amid ongoing cyber threats affecting the telecommunications sector.


  1. The new data breach reporting rules implemented by the Federal Communications Commission (FCC) for U.S. telecommunications network operators expand the definition of personal information (PII) that must be reported, now including government-created unique ID numbers, biometric data, and combinations of electronic identifiers with security codes.
  2. Telecom licensees are now required to disclose security-related information, including details about equipment and service providers linked to foreign adversaries, under the new FCC rules to safeguard telecommunications infrastructure from national security threats.
  3. The new FCC rules mandate stricter timelines and broader coverage for data breach notifications, as telecommunications network operators are now required to notify state Attorneys General or federal regulators when breaches affect a certain number of individuals within specified timeframes.
