FCC PROPOSES UPDATED DATA BREACH REPORTING TO ADDRESS SECURITY BREACHES IN TELECOM INDUSTRY

Commission Will Seek Comment on Proposed Consumer and Law Enforcement Notification Requirements for CPNI Leaks

  --
WASHINGTON, January 6, 2023—The Federal Communications Commission today launched a proceeding to strengthen the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI).  The Commission will look to better align its rules with recent developments in federal and state data breach laws covering other sectors.   

“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” said FCC Chairwoman Jessica Rosenworcel.  “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”

The Notice of Proposed Rulemaking released today and adopted by a unanimous vote of the full Commission will launch a formal proceeding to gather information on this important issue and also take comment on rule changes proposed by the Commission.  Today’s action seeks to better address telecommunications carriers’ breach notification requirements.  The FCC proposes eliminating the current seven business day mandatory waiting period for notifying customers of a breach.  The FCC also proposes clarifying its rules to require consumer notification by carriers of inadvertent breaches and requiring notification of all reportable breaches to the FCC, FBI, and U.S. Secret Service. 

The FCC will also seek comment on whether to require customer breach notices to include specific categories of information to help ensure they contain actionable information useful to the consumer.  The Notice also proposes to make consistent revisions to the Commission’s telecommunications relay services (TRS) data breach reporting rule. 



Date Issued: 1/6/2023