
Proposed FCC Rule Redefines Data Breaches for Communications Carriers

If the proposed rule is approved, organizations would need to disclose all data breaches, even ones that don't cause any harm, to affected customers.

Stephen Lawton, Contributing Writer

March 10, 2023


A proposed rule change at the Federal Communications Commission (FCC) would expand the definition of a data breach for communications carriers. If approved by the agency, the rule would cover any incident that affects the confidentiality of customer information, even if no harm to customers results.

"This [rule] means [communications] carriers would be required to report any unauthorized access or disclosure of customer information, even if the breach was unintentional or not malicious," says Venkat Gupta, data estate modernization portfolio leader at Sogeti, part of the Capgemini group. "Everyone should care because data breaches can occur in many different ways, and even unintentional breaches can have profound consequences."

According to the FCC, the rule change aligns with recent developments in federal and state data breach laws covering other industry sectors.

"The law requires carriers to protect sensitive consumer information, but given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements," said FCC Chairwoman Jessica Rosenworcel in a prepared statement. "This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches."

Reporting to the FCC and Consumers

Under the current rule, Gupta says, telecommunications carriers must notify federal law enforcement — the US Secret Service and the FBI — within seven business days of all breaches that involve customer proprietary network information (CPNI). Consumers are to be informed of such breaches seven days after carriers notify those agencies.

The proposed rule update requires carriers to notify the FCC contemporaneously with law enforcement agencies as soon as practicable after discovery of a breach, and it would eliminate the current seven-day waiting period between notifying law enforcement and notifying consumers.

Part of the incentive for updating the regulation is that if the FCC broadens the definition of a breach, companies will reassess their cybersecurity policies and procedures to prevent breaches in the first place, notes Ali Jessani, a senior associate at law firm Wilmer Cutler Pickering Hale and Dorr LLP (WilmerHale).

When a data breach occurs, such as an individual attack on a cell phone account, the attackers could monetize that attack in a matter of hours or minutes. Such an attack "is exactly why the notification rule exists — to give the consumer the ability to limit potential damage to their personal information being compromised," Jessani says.

However, he points out, while the carrier might report such breaches to the authorities right away, if law enforcement asks the carrier not to alert customers at the same time in order to preserve evidence for the investigation, the updated rule still protects the company.

The delay allows carriers to assess the scope and impact of the breach, including the number of customers affected and the type of information that was compromised, Gupta adds.

"This information is important for determining the appropriate response to the breach and for assessing the potential harm to customers," he says. "The waiting period also enables carriers to take any necessary steps to mitigate the effects of the breach and prevent further damage."

Having carriers notify the FCC, Secret Service, and FBI at the same time will minimize burdens on carriers, eliminate confusion regarding obligations, and streamline the reporting process, allowing carriers to free up resources that can be used to address the breach and prevent further harm, Gupta says.

A Push to Improve Processes

The proposed rule change could have a direct impact on carriers' operations as they are forced to change their processes and procedures.

"Carriers will need to implement new procedures for identifying and reporting breaches that affect the confidentiality of customer information," Gupta notes. "This may include changes to the carrier's incident response plan, which outlines the steps to be taken in the event of a data breach."

Carriers might also need to invest in new technology or security measures to prevent breaches and detect unauthorized access to customer information. For example, some carriers might need to implement multifactor authentication, encryption, and other controls to protect sensitive customer data.

"Overall the proposed rule change will require carriers to take a more proactive approach to data security and breach reporting," Gupta says. "This may result in additional costs and resources for carriers, but it is ultimately designed to better protect customer privacy and prevent future breaches in the telecommunications industry."

Public comments on the FCC data breach reporting requirements are due by March 24.

About the Author

Stephen Lawton

Contributing Writer

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC.
