Skip to main content

FCC Calls for Changes to Telecommunications Carriers’ Reporting of Data Breaches

Kelly Ruane Melchiondo
Blog ImageThe Federal Communications Commission (“FCC”) circulated internally a Notice of Proposed Rulemaking (“NPRM”) last week that would, among other things, enable telecommunications carriers to report breaches to their customers without having to wait until after notifying federal authorities.  Citing consumer protection as paramount, FCC Chairwoman Jessica Rosenworcel’s proposal would eliminate the existing seven (7) day mandatory waiting period for carriers to notify affected customers of a breach.  

Current FCC rules require that carriers notify the FBI and United States Secret Service within seven (7) business days for breaches that affect 5,000 or more customers, and within 30 days for any breaches that affect fewer than 5,000 customers.  Under the current structure, carriers cannot notify their customers about breaches until after they notify federal law enforcement.  Chairwoman Rosenworcel’s proposal would eliminate that waiting period.

The proposal aims to expand consumer protection further by also requiring carriers to notify customers even in instances of inadvertent or accidental breach.  The FCC only requires reporting of “inadvertent breaches”now for circumstances that are likely to result in harm to the customer.

Chairwoman Rosenworcel’s proposal is the latest in a series of federal government attempts to address cybersecurity threats.  The FCC proposal comes in the wake of Congress failing to pass rules that would have required private sector infrastructure entities to report data breach incidents to the Cybersecurity and Infrastructure Agency (CISA) within 72 hours and ransomware attacks within 24 hours. The Biden Administration settled for including in the National Defense Authorization Act of 2022 provisions that encouraged the voluntary participation of private sector infrastructure organizations.

The next step for Chairwoman Rosenworcel’s NPRM would be publication in the Federal Register, followed by a period for public comment and replies, peer review, and, ultimately, a final vote from the full FCC on the proposed rule.  This may take some time.  The FCC is currently operating without a full deck of commissioners, as the confirmation process for Gigi Sohn, President Biden’s pick to fill a vacant seat on the commission, is stalled in the Senate Commerce Committee. Whatever the timeframe, the regulatory trend is clearly toward faster customer notification, which carriers should keep on their radar as they monitor and update their data security policies and practices.
Publication December 11, 2014
The Interstate Land Sales Full Disclosure Act (ILSA), which began life as an attempt to stop land sellers from selling swamp land in Florida and desert land in Arizona as home sites, morphed over time to become the principal tool for real estate speculators seeking to recover contract deposits follo...
Speaking Engagement March 4, 2024
Ryan J. Coyle speaks on the panel Stiff Winds, New Currents and Rough Seas: Navigating the Private Client World in Turbulent Times at the 29th Annual International Private Client Tax Conference. The panel discusses recent changes and salient topics in tax law in different jurisdictions, the use of a...
Publication November 30, 2023
Over the past decade, companies have increasingly turned to the collection of consumer personal data to help them better understand and adapt to the habits, preferences, and needs of consumers, engage in targeted marketing, and gain insight into the broader marketplace—that is, to better compe...