The Federal Communications Commission on Friday launched a process to update its rules for how quickly telecommunication carriers notify consumers about breaches of sensitive information.
The new rule would eliminate the current seven-day waiting period for carriers to notify customers of a breach and require all breaches to be reported to the FCC, FBI and U.S. Secret Service. Instead, telecoms would need to report breaches to law enforcement as soon as intrusions are discovered and immediately to consumers, as well, unless otherwise advised by authorities.
The law would also update the definition of a breach under the law to include inadvertent exposure of customer information, not just outside hacks.
Current FCC rules require that carriers that have more than 5,000 customers notify the FCC of a data breach within seven days of discovery, while breaches affecting fewer than 5,000 customers must be reported no later than 30 days.
The FCC first adopted the rule in 2007. But its requirements are insufficient given the severity of hacks on phone companies in recent years, the FCC’s Chairwoman Jessica Rosenworcel argued.
“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” Rosenworcel said in a statement. “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
The notice of proposed rulemaking passed unanimously in a 4-0 vote. Rosenworcel began circulating the proposal in January 2022.
Telecom hacks and inside breaches have become rampant in recent years. T-Mobile suffered a breach of 50 million accounts in 2021, its fifth breach in three years. Sensitive data including Social Security Numbers, dates of birth and phone advertising ID numbers and the data quickly wound up on the dark web, officials in several states warned. In 2015, the FCC settled the investigation of a 2013 and 2014 data breach by AT&T with a $25 million civil penalty.
The FCC also previously proposed rules aimed at making it more difficult for scammers to take control of victims’ phone numbers using their personal information.
Harold Feld, vice president at Public Knowledge, said the update is a clear and long overdue use of the agency’s authorities.
“This is ultimately a good thing for consumers and will help to protect our most private information, our phone information,” he said. “Short of sending a written letter, there’s no more secure form of communication with regard to the protection of your data than a telephone call, which is what is subject to the rules here.”
Feld said that the proposed rules would make obligations clearer for carriers and make it easier for the FCC to take enforcement actions against bad actors. The notice now enters a 30-day comment period where stakeholders can weigh in.
Corrected Jan 6, 2023: An earlier version of this story misspelled Feld’s name.