February 12, 2024 at 04:56PM
Telecom companies are now required to report data breaches affecting customers’ personally identifiable information within 30 days under the FCC’s updated rule. This follows years of proposals and aims to expand breach notification requirements and hold providers accountable. The stricter rules have been prompted by major breaches at major U.S. telecom carriers in recent years.
Based on the meeting notes, the key takeaways are:
1. Starting March 13th, telecommunications companies are required to report data breaches impacting customers’ personally identifiable information (PII) within 30 days as per the FCC’s updated data breach reporting requirements.
2. The updated rules aim to hold providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) accountable for safeguarding sensitive customer information and providing customers with the necessary tools to protect themselves in case of data compromise.
3. The scope of breach notification requirements has been expanded to include PII and “inadvertent access, use, or disclosure of customer information,” going beyond the previous requirement for customer proprietary network information (CPNI).
4. The FCC has removed the obligatory waiting period for carriers to inform customers, mandating them to promptly notify customers of breaches involving covered data after alerting relevant federal agencies.
5. FCC Chairwoman Jessica Rosenworcel emphasized the importance of safeguarding personal data and the need to prevent it from falling into the wrong hands due to the extensive connectivity and data carriers have access to.
6. The need for updating FCC’s data breach rules is highlighted by the major breaches experienced by major U.S. telecom carriers in recent years, demonstrating the urgency to align the rules with federal and state data breach laws applying to other sectors.
7. The FCC previously adopted a rule requiring telecoms and VoIP providers to notify federal law enforcement agencies and their customers of any data breaches.
These takeaways capture the essential points discussed in the meeting notes regarding the updated data breach reporting requirements and the context surrounding the need for these rules based on recent breaches in the telecommunications industry.