Dive Brief:
- New data breach reporting rules requiring U.S. telecommunications network operators to notify regulators, law enforcement agencies and customers of breaches more quickly took effect Wednesday.
- The updated Federal Communications Commission rules, which were adopted in mid-December, cover any exposure of customers’ personally identifiable information that could create a security risk for them, including intentional and inadvertent data breaches. The data breach reporting rules, which were last updated 16 years ago, were added to the Federal Register in February and took effect March 13.
- “In the past, these rules have only prohibited the disclosure of information about who we call and when,” FCC Chair Jessica Rosenworcel said in a statement when the agency approved the rule change. “But consumers also deserve to know if their carrier has disclosed their Social Security number or financial data or other sensitive information that could put them in harm’s way. We fix that today — and it is overdue.”
Dive Insight:
The rule change at the FCC marks another federal, industrywide effort to compel businesses to disclose data breaches in a more explicit and timely manner. The Securities and Exchange Commission last year imposed new rules requiring companies to disclose any material security incident within four business days of determining materiality.
Wireless carrier data breaches are common. When a cyberattack hit T-Mobile in November 2022, exposing the records of 37 million customers, it marked the eighth publicly acknowledged data breach at the carrier since 2018. This included a massive data breach in August 2021 that exposed personal data of at least 76.6 million people.
Telecom operators are now required to notify the FCC, Secret Service and FBI “as soon as practicable, but not later than seven business days, after reasonable determination of a breach,” the agency said in the Federal Register. Major network operators that are public companies are subject to both the FCC and SEC disclosure rules.
“In the event of a data breach, your carrier has to tell the FCC and tell you in a timely way just what happened and what personal information may be at risk,” Rosenworcel said.
When PII is exposed by a breach, carriers must notify customers “without reasonable delay” and “in no case more than 30 days following reasonable determination of a breach,” the agency said. The FCC eliminated old rules requiring carriers to wait seven business days before notifying customers of a breach.