US FCC proposes rule to up data breach reporting requirements, Caitlin Potratz Metcalf, Salma Shitia

Knowledge

Welcome to the Knowledge Portal. You can browse, search or filter our publications, seminars and webinars, multimedia and collections of curated content from across our global network. Create an account and set your email alert preferences to receive the content relevant to you and your business, at your chosen frequency.

Last week Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel circulated a Notice of Proposed Rulemaking requiring US telecoms to notify the FCC, federal law enforcement and customers following data breaches that affect customer proprietary network information (CPNI). The proposed rule signals the Commission’s broader attempt to hold telecoms accountable, increase consumer transparency and align FCC rules with evolving cybersecurity threats as well as developments in federal and state data breach notification laws.

Major data breaches in US telecoms

This push for reform comes in the aftermath of major data breaches affecting US telecoms, including last year’s T-Mobile breach that impacted more than 47 million US consumers. And in 2021, Syniverse, which provides text messaging routing for telecoms, including AT&T, Verizon and T-Mobile, also disclosed to the Securities and Exchange Commission (SEC) a 5-year long breach starting in 2016 that potentially exposed billions of customer text messages.

Breach notification requirements

The proposed rule sets out a list of telecommunications carriers’ breach notification requirements including:

Eliminating the current 7-day waiting period for notifying customers of a data breach;
Requiring carriers to notify customers of inadvertent breaches to enhance customer protections; and
Requiring carriers to notify the FCC, FBI, and U.S. Secret Service of all reportable breaches.

The proposal advances FCC efforts to reduce time between a data breach and a carrier’s report of the breach. It also ensures that federal law enforcement agencies receive information to mitigate harm resulting from the breach and prevent other potential breaches.

However, the devil will be in the details as to how the FCC will shape the new rule and its reporting requirements for telecoms. Once the FCC issues a proposed rule, we expect a call for comments as early as February.

Cyber preparedness is key

In light of these recent developments on breach reporting, it is as important as ever to stay on top of your organization’s cyber preparedness in the event of an incident. That means:

developing and testing incident response plans for data breaches;
managing an effective third-party vendor risk program so your vendors aren’t your weakest link;
conducting periodic trainings for incident response plans to data breaches;
implementing, testing and maintaining reasonable cybersecurity controls;
defining key roles and responsibilities within your organization for dealing with a data breach; and
maintaining a collaborative relationship with regulators and law enforcement.

Data Solutions, Cybersecurity and Privacy team

Feel free to reach out to our key contacts for more details:

{

Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers... Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information.

https://www.fcc.gov/document/chair-rosenworcel-circulates-new-data-breach-reporting-requirements