FCC wants new data breach reporting rules for telecom carriers

The Federal Communications Commission (FCC) has proposed more rigorous data breach reporting requirements for telecom carriers in response to breaches that recently hit the telecommunications industry.

On Wednesday, Chairwoman Jessica Rosenworcel shared the proposal in the form of a Notice of Proposed Rulemaking (NPRM), the first step in changing the FCC's rules for alerting federal agencies and customers of data breaches.

"Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information," Chairwoman Rosenworcel said.

"I look forward to having my colleagues join me in taking a fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches."

Updates proposed by the FCC to its current data breach reporting rules for mobile carriers include:

  • Eliminating the current seven-business-day mandatory waiting period for notifying customers of a breach
  • Expanding customer protections by requiring notification of inadvertent breaches
  • Requiring carriers to notify the Commission of all reportable breaches in addition to the FBI and U.S. Secret Service

The FCC also wants feedback regarding the inclusion of specific categories of information in the breach alerts carriers send to customers, which would help ensure the breach notifications come with actionable info for consumers.

The NPRM also proposes revisions to the Commission’s telecommunications relay services (TRS) data breach reporting requirements.

"Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information," Rosenworcel added.

"But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers."

As part of this same effort, the FCC proposed new rules in September to fend off SIM-swapping attacks and port-out fraud, further reducing the risk of telecom customers' information being improperly exposed.

In February, T-Mobile learned of a data breach following reports from multiple customers who became victims of SIM-swapping attacks.

In August, the same carrier disclosed a massive data breach after attackers brute-forced their way through its network and gained access to testing environments, allowing them to steal records belonging to 54.6 million current, former, or prospective customers.
