FCC Suggests New Data Breach Rules for Phone Companies
Phone companies may have to follow new rules about how they notify customers and the government after a data breach if a proposal by Federal Communications Commission Chairman Jessica Rosenworcel passes. The proposed rulemaking notice, released Wednesday, cites the "increasing frequency and severity of security breaches involving customer information" as a risk to consumers.
Current rules give telecommunications providers seven business days to notify the FBI and Secret Service of data breaches that leak customer proprietary network information, or CPNI. In most cases, the business cannot inform customers of the breach until seven business days after the information has been transmitted to federal law enforcement. The proposal suggests ending that mandatory waiting period and adds the FCC to the list of agencies that companies will have to notify in the event of a data breach. It also says that companies need to send notifications even in the case of accidental breaches.
CPNI is "some of the most sensitive personal information that carriers and providers have about their customers," according to the FCC. It can include data such as who a customer called and when and where those calls were made. It may also include the customer's billing account name, phone and account numbers, and information about their plan. According to the notice, the proposed update would "better align the Commission's rules" with those that the federal and state governments have recently implemented for other industries.
This proposal is not made in a vacuum. In late December, news broke that a data breach had exposed the CPNI of some T-Mobile customers. The carrier had also suffered a much larger cybersecurity incident earlier in 2021, which affected more than 50 million people and was already the carrier's fifth breach in four years. While T-Mobile says it notified the affected customers after the December breach, the FCC's proposed rules would have put more stringent requirements on how and when those notifications were sent.
It may be a while before we see these requirements apply to phone companies: The FCC is currently in a political deadlock, with two Democratic members (including Rosenworcel) and two Republican members. The White House has nominated Gigi Sohn to fill the commission's fifth seat, which would tip the scales, but there is currently an impasse with the Senate over getting her confirmed. Even if the Senate manages to confirm Sohn despite promises by some Republican senators to block her nomination, the proposal is only the beginning of the rule-changing process.