FCC Requires Telecom & VoIP Providers to Report PII Breaches

The Commission's breach rules for voice and wireless providers, untouched since 2017, have finally been updated for the modern age.

red telephones hanging by cords
Source: Brian Jackson via Alamy Stock Photo

Starting next month, telecom and VoIP providers will have to issue data breach notifications to customers whenever there's personally identifiable information (PII) caught up in a cyber incident.

That's according to new rules issued yesterday by the Federal Communications Commission (FCC), which will now also require carriers and service providers to report breaches to the FCC, the FBI, and the Secret Service within seven days of discovery. The Commission's definition of PII is broad and encompasses not only names, contact information, dates of birth, and Social Security numbers, but also biometrics and a slew of other data.

Previously, the FCC required customer notifications only when Customer Proprietary Network Information (CPNI) data was impacted; CPNI can be thought of as phone bill information, i.e., subscription plan data, usage charges, numbers called or messaged, and so on.

"The Commission believes that the unauthorized exposure of sensitive personal information … is reasonably likely to pose risk of customer harm," according to the FCC's new data breach rules. "Consumers expect that they will be notified of substantial breaches that endanger their privacy, and businesses that handle sensitive personal information should expect to be obligated to report such breaches."

Phone providers are off the hook for contacting customers, however, if they can reasonably determine the incident is unlikely to harm the customers, though the definition of a "breach" has been expanded by the agency to include "inadvertent access, use, or disclosure of customer information."

The last update to the FCC's breach reporting requirements was 16 years ago.

"The pervasiveness of data breaches and the frequency of breach notifications have evolved and increased since the Commission first adopted its breach notification rule in 2007," according to the FCC. It added, "This rising tide of data breaches has affected the telecommunications sector as well. As the Electronic Privacy Information Center (EPIC) points out, the proprietary information of subscribers of each of the three largest carriers has been breached at least once within the last five years."

Most recently, a Verizon insider threat breach revealed earlier this month exposed information for tens of thousands of employees; T-Mobile saw three different customer breaches in 2023; and a vendor breach last March led to the exposure of data for 9 million AT&T wireless customers.  

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights