FCC takes new look at data breach rules

The Federal Communications Commission (FCC) is interested in taking a fresh look at its reporting rules in light of recent security breaches at telecom carriers.

FCC Chairwoman Jessica Rosenworcel is circulating a Notice of Proposed Rulemaking (NPRM) that would begin the process of strengthening the commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI).

The updates would better align the commission’s rules with recent developments in federal and state data breach laws covering other sectors, according to a press release.

“Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers,” Rosenworcel said in a statement.

“Customers deserve to be protected against the increase in frequency, sophistication and scale of these data leaks, and the consequences that can last years after an exposure of personal information,” she added. “I look forward to having my colleagues join me in taking a fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”

Here are some of the updates being considered:

  • Eliminating the current seven-business-day mandatory waiting period for notifying customers of a breach.
  • Expanding customer protections by requiring notification of inadvertent breaches.
  • Requiring carriers to notify the FCC of all reportable breaches in addition to the FBI and U.S. Secret Service.

The FCC’s announcement Wednesday didn’t name any specific carriers, but a description said the proposal came in response to “recent security breaches in the telecommunications industry.”

Last fall, an FCC spokesperson told Reuters the agency would investigate T-Mobile after the operator reported a data breach involving the theft of personal information for more than 54 million people, including Social Security numbers, names, phone numbers and addresses. Device identifiers and PINs also were obtained for certain accounts.