The US telecoms regulator has proposed strengthening breach notification requirements for incidents that compromise customer information.
The FCC announced that it is launching a “proceeding” to update its rules in line with breach notification laws covering other sectors at a federal and state level.
Specifically, it’s looking to eliminate the current seven-business-day mandatory waiting period for notifying customers of a breach. The regulator also wants to ensure that carriers notify customers of “inadvertent” breaches, and that they tell not only the FCC but also the FBI and US Secret Service about all reportable breaches.
“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” said FCC Chairwoman, Jessica Rosenworcel.
“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
A Notice of Proposed Rulemaking was unanimously adopted by the commission. The next stage will be to gather more information on the issue and accept industry comments on the proposals.
The FCC said it wants to know from stakeholders whether breach notices should include specific categories of information to make them more useful to impacted customers.
Regulatory efforts like these can take some time. The FCC first proposed the changes almost a year ago.
However, there’s certainly a need to update telco breach reporting rules, which are now 15 years old, as industry players continue to be a major target for threat actors.
Last year, T-Mobile agreed to pay $350m to settle class action claims related to a 2021 cyber-attack that impacted an estimated 80 million US residents.