The Federal Communications Commission is exploring updating data breach laws for telecom carriers, the agency announced Wednesday.
“Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information,” said FCC Chairwoman Jessica Rosenworcel. “But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.”
One key change suggested in a proposal Rosenworcel circulated Wednesday is eliminating the seven-business-day waiting period required of businesses before notifying customers of a breach. The proposed rule would also require carriers to report breaches to the FCC in addition to the FBI and U.S. Secret Service.
Current FCC rules require that carriers notify the FCC of a data breach affecting 5,000 or more customers within seven days of discovery, while breaches affecting fewer than 5,000 customers must be reported within 30 days.
The FCC proposal aims to “align the Commission’s rules with recent developments in federal and state data breach laws covering other sectors,” according to an agency news release.
The proposal will be publicly released if adopted in a vote by the full Commission, Paloma Perez, press secretary to Rosenworcel, said in an email. The rulemaking process would include a period for public comment.
Efforts to overhaul data breach notification laws in the United States have surged alongside growing concerns about cybersecurity attacks. Members of both the Senate and the House have introduced legislation that would tighten reporting requirements for companies in critical industries. The House passed legislation that would establish mandatory cybersecurity incident reporting for critical infrastructure operators as part of the national defense spending bill for 2022. However, the provision was cut.
The FTC also recently issued a warning about data breaches, advising that it would pursue penalties against companies that fail to patch critical vulnerabilities when that failure results in the breach or exposure of consumer information.
The rulemaking process will explore what kinds of information carriers should be required to report in customer breach notices, as well as the expansion of requirements for “inadvertent breaches.” Currently, the FCC only requires reporting of “inadvertent breaches” in instances where there is a likelihood of customer harm.
Such breaches have previously resulted in significant fines for telecom companies. In 2015 the FCC settled its investigation of AT&T data breaches from 2013 and 2014 with a $25 million civil penalty. In August, the agency said it was investigating a data breach disclosed by T-Mobile affecting more than 50 million current and former customers.
The FCC does not comment on ongoing investigations, Perez said.
The proposal is the latest example of the FCC’s mission to improve cybersecurity in the industry. In September the agency proposed rules requiring carriers to safeguard against cybercriminals porting numbers from a legitimate account to scammer-controlled devices, a technique known as “SIM-swapping” or “port-out fraud.”
There’s a possibility that a final vote on either rule could be slowed down by the standoff in Congress over approving a new Democratic commissioner. The commission is currently split 2-2 and Republicans have fiercely fought the confirmation of Biden nominee Gigi Sohn, who was recently renominated for consideration.
Updated 1/13/22: Updated to include comment from the FCC.