Last week Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel circulated a Notice of Proposed Rulemaking requiring US telecoms to notify the FCC, federal law enforcement and customers following data breaches that affect customer proprietary network information (CPNI). The proposed rule signals the Commission’s broader attempt to hold telecoms accountable, increase consumer transparency and align FCC rules with evolving cybersecurity threats as well as developments in federal and state data breach notification laws.
Major data breaches in US telecoms
This push for reform comes in the aftermath of major data breaches affecting US telecoms, including last year’s T-Mobile breach that impacted more than 47 million US consumers. In 2021, Syniverse, which provides text message routing for telecoms including AT&T, Verizon and T-Mobile, also disclosed to the Securities and Exchange Commission (SEC) a 5-year-long breach starting in 2016 that potentially exposed billions of customer text messages.
Breach notification requirements
The proposed rule sets out a list of telecommunications carriers’ breach notification requirements including:
- Eliminating the current 7-day waiting period for notifying customers of a data breach;
- Requiring carriers to notify customers of inadvertent breaches to enhance customer protections; and
- Requiring carriers to notify the FCC, FBI, and U.S. Secret Service of all reportable breaches.
The proposal advances FCC efforts to reduce the time between a data breach and a carrier’s report of the breach. It also ensures that federal law enforcement agencies receive information to mitigate harm resulting from the breach and prevent other potential breaches.
However, the devil will be in the details as to how the FCC will shape the new rule and its reporting requirements for telecoms. Once the FCC issues a proposed rule, we expect a call for comments as early as February.
Cyber preparedness is key
In light of these recent developments on breach reporting, it is as important as ever to stay on top of your organization’s cyber preparedness in the event of an incident. That means:
- developing and testing incident response plans for data breaches;
- managing an effective third-party vendor risk program so your vendors aren’t your weakest link;
- conducting periodic training on incident response plans for data breaches;
- implementing, testing and maintaining reasonable cybersecurity controls;
- defining key roles and responsibilities within your organization for dealing with a data breach; and
- maintaining a collaborative relationship with regulators and law enforcement.
Data Solutions, Cybersecurity and Privacy team