The Federal Communications Commission (“FCC”) circulated internally a Notice of Proposed Rulemaking (“NPRM”) last week that would, among other things, enable telecommunications carriers to report breaches to their customers without having to wait until after notifying federal authorities. Citing consumer protection as paramount, FCC Chairwoman Jessica Rosenworcel’s proposal would eliminate the existing seven (7) day mandatory waiting period for carriers to notify affected customers of a breach.
Current FCC rules require that carriers notify the FBI and United States Secret Service within seven (7) business days for breaches that affect 5,000 or more customers, and within 30 days for any breaches that affect fewer than 5,000 customers. Under the current structure, carriers cannot notify their customers about breaches until after they notify federal law enforcement. Chairwoman Rosenworcel’s proposal would eliminate that waiting period.
The proposal aims to expand consumer protection further by also requiring carriers to notify customers even in instances of inadvertent or accidental breach. The FCC currently requires reporting of “inadvertent breaches” only in circumstances that are likely to result in harm to the customer.
Chairwoman Rosenworcel’s proposal is the latest in a series of federal government attempts to address cybersecurity threats. The FCC proposal comes in the wake of Congress failing to pass rules that would have required private sector infrastructure entities to report data breach incidents to the Cybersecurity and Infrastructure Agency (CISA) within 72 hours and ransomware attacks within 24 hours. The Biden Administration settled for including in the National Defense Authorization Act of 2022 provisions that encouraged the voluntary participation of private sector infrastructure organizations.
The next step for Chairwoman Rosenworcel’s NPRM would be publication in the Federal Register, followed by a period for public comment and replies, peer review, and, ultimately, a final vote from the full FCC on the proposed rule. This may take some time. The FCC is currently operating without a full deck of commissioners, as the confirmation process for Gigi Sohn, President Biden’s pick to fill a vacant seat on the commission, is stalled in the Senate Commerce Committee. Whatever the timeframe, the regulatory trend is clearly toward faster customer notification, which carriers should keep on their radar as they monitor and update their data security policies and practices.