February 19, 2024

After a 30-day response period, the FCC has published a final rule requiring telecom companies to report all data breaches to their customers. The Register reports that the rule eliminates the mandatory seven-day waiting period for reporting to consumers.

The FCC now “requires carriers to notify customers of breaches of covered data without unreasonable delay … and in no case more than 30 days following reasonable determination of a breach.” 

The FCC has also widened the scope of data under mandatory disclosure. Before the new rule was passed, customers had to be told only if customer proprietary network information (CPNI) was exposed.

CPNI is the data that appears on a bill concerning phone calls and service agreements. Personally identifiable information wasn’t included in previous reporting requirements unless CPNI was implicated. 

Now names, government ID numbers, data used for authentication purposes, email addresses/passwords, and biometric data are all included in the FCC’s reporting requirements.

“Without an FCC rule requiring breach notifications for the above categories of PII, there would be no requirement in Federal law that telecommunications carriers report non-CPNI breaches to their customers,” the FCC said of the new rule. 

The breach must additionally be reported to the FCC, the FBI, and the Secret Service within seven days. 

There have been objections to some of the new reporting requirements in Congress. Bills introduced in both houses would overturn the SEC’s four-day reporting deadline for data break-ins that could have a “material” effect on a company’s finances. The Biden administration promised to veto any attempts to undo the rules.

