FCC Calls for Changes to Telecommunications Carriers’ Reporting of Data Breaches

Kelly Melchiondo
Bilzin Sumberg
Contact
LinkedIn
Facebook
X
Send
Embed

Bilzin Sumberg

The Federal Communications Commission (“FCC”) circulated internally a Notice of Proposed Rulemaking (“NPRM”) last week that would, among other things, enable telecommunications carriers to report breaches to their customers without having to wait until after notifying federal authorities.  Citing consumer protection as paramount, FCC Chairwoman Jessica Rosenworcel’s proposal would eliminate the existing seven (7) day mandatory waiting period for carriers to notify affected customers of a breach.  

Current FCC rules require that carriers notify the FBI and United States Secret Service within seven (7) business days for breaches that affect 5,000 or more customers, and within 30 days for any breaches that affect fewer than 5,000 customers.  Under the current structure, carriers cannot notify their customers about breaches until after they notify federal law enforcement.  Chairwoman Rosenworcel’s proposal would eliminate that waiting period.

The proposal aims to expand consumer protection further by also requiring carriers to notify customers even in instances of inadvertent or accidental breach.  The FCC only requires reporting of “inadvertent breaches”now for circumstances that are likely to result in harm to the customer.

Chairwoman Rosenworcel’s proposal is the latest in a series of federal government attempts to address cybersecurity threats.  The FCC proposal comes in the wake of Congress failing to pass rules that would have required private sector infrastructure entities to report data breach incidents to the Cybersecurity and Infrastructure Agency (CISA) within 72 hours and ransomware attacks within 24 hours. The Biden Administration settled for including in the National Defense Authorization Act of 2022 provisions that encouraged the voluntary participation of private sector infrastructure organizations.

The next step for Chairwoman Rosenworcel’s NPRM would be publication in the Federal Register, followed by a period for public comment and replies, peer review, and, ultimately, a final vote from the full FCC on the proposed rule.  This may take some time.  The FCC is currently operating without a full deck of commissioners, as the confirmation process for Gigi Sohn, President Biden’s pick to fill a vacant seat on the commission, is stalled in the Senate Commerce Committee. Whatever the timeframe, the regulatory trend is clearly toward faster customer notification, which carriers should keep on their radar as they monitor and update their data security policies and practices.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bilzin Sumberg | Attorney Advertising

Written by:

Bilzin Sumberg
Bilzin Sumberg
Contact
more
less

Bilzin Sumberg on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide