Proposed FCC Rule Redefines Data Breaches for Communications Carriers

A proposed rule change at the Federal Communications Commission (FCC) would expand the definition of a data breach for communications carriers. If approved by the agency, the rule would cover any incident that affects the confidentiality of customer information, even if no harm to customers results.

"This [rule] means [communications] carriers would be required to report any unauthorized access or disclosure of customer information, even if the breach was unintentional or not malicious," says Venkat Gupta, data estate modernization portfolio leader at Sogeti, part of the Capgemini group. "Everyone should care because data breaches can occur in many different ways, and even unintentional breaches can have profound consequences."

According to the FCC, the rule change aligns with recent developments in federal and state data breach laws covering other industry sectors.

"The law requires carriers to protect sensitive consumer information, but given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements," said FCC Chairwoman Jessica Rosenworcel in a prepared statement. "This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches."

Reporting to the FCC and Consumers

Under the current rule, Gupta says, telecommunications carriers must notify federal law enforcement — the US Secret Service and the FBI — within seven business days of all breaches that involve customer proprietary network information (CPNI). Consumers are to be informed of such breaches seven days after carriers notify those agencies.

The proposed rule update requires carriers to notify the FCC contemporaneously with law enforcement agencies as soon as practicable after discovery of a breach, and it would eliminate the current seven-day waiting period between notifying law enforcement and notifying consumers.

Part of the incentive of updating the regulation is that if the FCC is going to make the definition of a breach broader, companies will reassess their cybersecurity policies and procedures to prevent the breaches in the first place, notes Ali Jessani, a senior associate at law firm Wilmer Cutler Pickering Hale and Dorr LLP (WilmerHale).

When a data breach occurs, such as an individual attack on a cell phone account, the attackers could monetize that attack in a matter of hours or minutes. Such an attack "is exactly why the notification rule exists — to give the consumer the ability to limit potential damage to their personal information being compromised," Jessani says.

However, he points out, while the carrier might report such breaches to the authorities right away, if law enforcement asks the carrier not to alert customers at the same time in order to preserve evidence for the investigation, the updated rule still protects the company.

The delay allows carriers to assess the scope and impact of the breach, including the number of customers affected and the type of information that was compromised, Gupta adds.

"This information is important for determining the appropriate response to the breach and for assessing the potential harm to customers," he says. "The waiting period also enables carriers to take any necessary steps to mitigate the effects of the breach and prevent further damage."

Having carriers notify the FCC, Secret Service, and FBI at the same time will minimize burdens on carriers, eliminate confusion regarding obligations, and streamline the reporting process, allowing carriers to free up resources that can be used to address the breach and prevent further harm, Gupta says.

A Push to Improve Processes

The proposed rule change could have a direct impact on carriers' operations as they are forced to change their processes and procedures.

"Carriers will need to implement new procedures for identifying and reporting breaches that affect the confidentiality of customer information," Gupta notes. "This may include changes to the carrier's incident response plan, which outlines the steps to be taken in the event of a data breach."

Carriers might also need to invest in new technology or security measures to prevent breaches and detect unauthorized access to customer information. For example, some carriers might need to implement multifactor authentication, encryption, and other controls to protect sensitive customer data.

"Overall the proposed rule change will require carriers to take a more proactive approach to data security and breach reporting," Gupta says, "This may result in additional costs and resources for carriers, but it is ultimately designed to better protect customer privacy and prevent future breaches in the telecommunications industry."

Public comments on the FCC data breach reporting requirements are due by March 24.