The telecommunications industry has faced a surge in the frequency and severity of data breaches, which the Federal Communications Commission (FCC) has addressed with its Notice of Proposed Rulemaking.
This release aims to broaden and strengthen the breach notification rules faced due to unauthorized disclosure of CPNI (customer proprietary network information). All telecom services must apply these rules, allowing FCC to align the data breach notification rules with state and federal data breach notification laws.
FCC Proposes the Following Rules:
- Eradicating the compulsory 7-day waiting period before notifying customers of the breach.
- Expanding the meaning of “breach” to include inadvertent disclosure, access, or use of customers’ information.
- Adding FCC to the list of notified parties along with federal law enforcement in case of breaches in a timely manner.
Other Proposed Rules:
Besides these three rules, FCC has proposed several other rules to make equivalent amendments that apply to TRS (telecommunications relay services). TRS enables people with disabilities like deafness, speech difficulties, blindness, or hard of hearing to communicate using telephone services just like people without disabilities communicate.
Furthermore, FCC is looking forward to receiving feedback on if it should include breach-specific information. For instance, a description of the customer information that was stolen, used, accessed or disclosed.
It also looks forward to receiving a comment on whether this information should be presented in a mail, telephone, or email.
The Bottom Line:
These rules proposed by FCC have come to fruition after unstoppable efforts to modernize the CPNI data breach notifications requirements and align them better with state and federal level laws.
This also reflects the industry’s best practices used in rule-making. The unanimous vote from the FCC shows how concerning and damaging these data breaches can be for customers and the telecommunications industry.
However, the comments to these propositions are still due a month after the NPRM gets published in the Federal Register, with reply comments due two months after the publication. The publication will take place within the next few weeks, making the comments and reply comments due in March and somewhere in April, respectively.