FCC orders telecom carriers to report PII data breaches within 30 days

Starting March 13th, telecommunications companies must report data breaches impacting customers' personally identifiable information within 30 days, as required by FCC's updated data breach reporting requirements.

FCC's final rule follows several proposals published in January 2024, one year earlier in January 2023, and first circulated in January 2022, focused on modernizing the commission's breach notification rules so that telecom carriers have to notify customers of security breaches as fast as possible.

The updated data breach reporting rules aim to ensure that "providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) are held accountable in their obligations to safeguard sensitive customer information, and to provide customers with the tools needed to protect themselves in the event that their data is compromised."

They expand the scope of breach notification requirements beyond customer proprietary network information (CPNI) to personally identifiable information (PII), as well as to include "inadvertent access, use, or disclosure of customer information."

"Without an FCC rule requiring breach notifications for the above categories of PII, there would be no requirement in Federal law that telecommunications carriers report non-CPNI breaches to their customers," the FCC said.

The U.S. communications regulator also removed the obligatory waiting period for carriers to inform customers, mandating them to promptly notify customers of breaches involving covered data after alerting relevant federal agencies.

However, the notification delay must not exceed 30 days after a breach is identified unless a longer delay is mandated by law enforcement.

"Our mobile phones are in our palms, pockets, and purses. We rarely go anywhere without them. There is good reason for this—the convenience and safety of being able to reach out anytime and virtually anywhere is powerful," said FCC Chairwoman Jessica Rosenworcel in January.

"But this always-on connectivity means that our carriers have access to a treasure trove of data about who we are, where we have traveled, and who we have talked to. It is vitally important that this deeply personal data does not fall into the wrong hands."

All major U.S. telecom carriers hit by major breaches

Massive telecom data breaches in recent years have highlighted the need to update the FCC's data breach rules to align them with federal and state data breach laws that apply to other sectors.

For example, in December 2022, widespread attacks bypassed two-factor authentication and hijacked Comcast Xfinity customers' accounts.

Two months earlier, Verizon notified prepaid customers of a breach that exposed their credit card information, later used in SIM swapping attacks.

T-Mobile has also been hit by at least nine breaches since 2018, with the most recent one—and the least damaging—being disclosed in May 2023 after threat actors had access to the personal information of hundreds of customers for more than a month since February 2023.

In January 2023, T-Mobile alerted customers of another data breach after the sensitive info of 37 million individuals was stolen by abusing one of its Application Programming Interfaces (APIs).

Finally, in April 2016, AT&T paid $25 million to settle an FCC investigation into three data breaches that impacted hundreds of thousands of customers.

The FCC adopted its first rule requiring telecoms and VoIP providers to notify federal law enforcement agencies and their customers of any data breaches.