FCC Proposes Updated Data Breach Reporting Requirements

The U.S. Federal Communications Commission (FCC) has proposed updating its rules requiring telecommunications operators to notify customers and law enforcement of breaches of confidential consumer information.

The proposed rule changes were detailed in a Notice of Proposed Rulemaking issued by the Commission in early January. In brief, the proposed changes would eliminate the current seven business day mandatory waiting period to issue notifications of a breach, and would also require notification of all reportable breaches to the FCC, the Federal Bureau of Investigation (FBI), and the U.S. Secret Service.

The Commission also seeks to expand the definition of “breach” to include any inadvertent access, use, or disclosure of customer information. This change would help to protect customers not just from malicious breaches by third parties but also from accidental access, use, or disclosures.

If adopted, the proposed changes would dramatically overhaul Commission rules first enacted in 2007. The Commission acknowledged in its Notice that the threat landscape facing telecommunications operators has changed dramatically over the past 15 years and that its proposed changes are necessary to keep pace with emerging challenges to data security.

Read the text of the Commission’s Notice of Proposed Rulemaking regarding its data breach regulations.

Comments on the FCC’s proposed rules can be filed electronically through the Commission’s Electronic Comment Filing System (ECFS) (reference Docket No. 22-21).

Leave a Reply

Your email address will not be published.