FCC: Possible Data Breach Rules for Phone Companies
If the proposal from Federal Communications Commission chairwoman Jessica Rosenworcel passes, phone companies will have to follow new rules about how they notify customers and the government following a data breach. The proposal is a response to the "increasing frequency and severity of security breaches involving customer information."
Current regulations require telecommunications companies to notify the FBI and Secret Service of data breaches that leak customer proprietary network information, or CPNI, within seven business days. In many situations, businesses are not permitted to inform consumers about the breach until seven days after the information has been passed on to federal law enforcement. The proposal would do away with this waiting period that companies have to go through before they tell people about a data breach. It would also add the FCC to the list of agencies that companies have to notify in the case of a data breach. Companies would have to send out notifications even if the breach was accidental.
The FCC says that CPNI (Customer Proprietary Network Information) is some of the most sensitive personal information that carriers and providers have about their customers. This information can include data like who a customer called and when, as well as the customer's billing account name, phone number, and account information. The proposed update would put the
T-Mobile had two data breaches in late 2021. The first breach affected some of their customers' CPNI. The second breach affected over 50 million people and was the carrier's fifth breach in four years. Even though T-Mobile said they told the customers that were affected by the December breach,
The FCC is currently in a political deadlock, with two Democratic members and two Republican members. The White House has nominated Gigi Sohn to fill the commission’s fifth seat, but there is currently a stalemate with the Senate over getting her confirmed. Even if the Senate manages to confirm Sohn, the proposal is likely to face opposition from Republicans who do not believe that there is a need for new data breach notification rules.