The U.S. Federal Communications Commission wants to strengthen federal law enforcement and modernize breach notification requirements for telecommunications companies so they notify customers of security breaches more quickly.
The FCC’s proposals (aired for the first time in January 2022) include removing the current mandatory seven-day waiting period that telecoms must observe before alerting consumers to a data breach.
The Commission also wants telecommunications carriers to report all material violations to several federal agencies, including the FBI, the Secret Service and the FCC.
“We are proposing to eliminate the outdated mandatory seven-business-day waiting period before notifying clients, to require the reporting of unintended but harmful data breaches, and to ensure that the agency is notified of major data breaches,” FCC Chairman Jessica Rosenworcel said.
“The FCC is also proposing to clarify its rules to require carriers to notify consumers of unintentional violations and require notification of all violations to be reported to the FCC, FBI and US Secret Service,” the agency said in a separate press release.
The first rule requiring interconnected telecommunications and VoIP providers to alert federal law enforcement authorities and their customers of data breaches was passed by the Commission in 2007.
The FCC’s data breach rules are 15 years old. An update is way overdue. It starts now. https://t.co/Lzul0Fkfja
— Jessica Rosenworcel (@JRosenworcel) January 6, 2023
The severity of recent telecom hacks shows that the FCC’s data breach rules need updating to align with federal and state data breach laws covering other industries.
For example, in December, Comcast Xfinity customers reported that their accounts were hacked in widespread attacks bypassing two-factor authentication.
In October, Verizon informed prepaid customers that their accounts were hacked and the exposed credit card information was used in SIM card swapping attacks.
T-Mobile has also been hit by at least seven breaches since 2018, with the most recent being disclosed after Lapsus$ hackers breached the company’s internal systems and stole proprietary T-Mobile source code, according to reports.
Finally, AT&T paid $25 million in April 2016 to settle an FCC investigation into three separate data breaches affecting hundreds of thousands of customers.
“The law requires carriers to protect sensitive consumer information, but given the increased frequency, sophistication and scale of data leaks, we need to update our rules to protect consumers and strengthen reporting requirements,” Rosenworcel said.
“This new procedure will take a fresh and much-needed look at our rules for reporting data breaches to better protect consumers, increase security and reduce the impact of future breaches.”