FCC Orders Telecom Carriers to Report PII Data Breaches within 30 Days

The FCC has updated its data breach reporting requirements, which now require telecommunications companies to report data breaches that impact customers' personally identifiable information within 30 days. These new requirements go into effect on March 13th, 2024. The FCC's final rule follows several proposals, published in January 2024 and one year earlier in January 2023 and first circulated in January 2022, focused on modernizing the commission's breach notification rules so that telecom carriers have to notify customers of security breaches as fast as possible.

The FCC says, “the updated data breach reporting rules aim to ensure that providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) are held accountable in their obligations to safeguard sensitive customer information, and to provide customers with the tools needed to protect themselves in the event that their data is compromised.”

The updated rules expand the scope of breach notification requirements beyond customer proprietary network information (CPNI) to cover personally identifiable information (PII), and to include "inadvertent access, use, or disclosure of customer information." "Without an FCC rule requiring breach notifications for the above categories of PII, there would be no requirement in Federal law that telecommunications carriers report non-CPNI breaches to their customers," the FCC said. The FCC also removed the obligatory waiting period for carriers to inform customers, requiring them to promptly notify customers of breaches involving covered data after alerting relevant federal agencies. However, the notification delay must not exceed 30 days after a breach is identified unless a longer delay is mandated by law enforcement.

Analyst Comments:
The FCC says these new regulations protect customers of telecommunication companies from data leaks involving “data about who we are, where we have traveled, and who we have talked to,” and other personal data.

The report cites massive telecom data breaches as the driving factor for the FCC to update their reporting requirements.

  • In December 2022, widespread attacks bypassed two-factor authentication and hijacked Comcast Xfinity customers' accounts.
  • Verizon notified prepaid customers of a breach that exposed their credit card information, later used in SIM swapping attacks.
  • T-Mobile has also been hit by at least nine breaches since 2018. The most recent one, which was also the least damaging, was disclosed in May 2023 after threat actors had access to the personal information of hundreds of customers for more than a month, starting in February 2023.
  • AT&T paid $25 million to settle an FCC investigation into three data breaches that impacted hundreds of thousands of customers.