The FCC today published a Notice of Proposed Rulemaking (NPRM) designed to start the process of strengthening the agency’s requirements for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI).
The agency pointed out that the increasing frequency and severity of security breaches involving customer information can have lasting detrimental impacts on the economy and on consumers whose information has been improperly exposed.
Various federal agencies are stepping in to try to protect consumers against the growing threats. In the fall, the Federal Trade Commission (FTC) strengthened its Safeguards Rule to include more specific criteria for what safeguards financial institutions must implement as part of their information security program.
Similarly, the FCC’s action is designed to strengthen the commission’s efforts to ensure its rules keep pace with evolving cybersecurity threats and to protect consumers. A 2021 Verizon report found that breaches had grown by one-third over the previous year.
Additionally, the proposal is designed to ensure that the commission and other federal law enforcement agencies receive the information they need quickly so they can mitigate the impact of the breach. The Notice also seeks comment on whether the commission should require customer breach notices to include specific categories of information.
Specifically, the proposed rules include:
- Eliminating the current seven business day mandatory waiting period for notifying customers of a breach;
- Expanding customer protections by requiring notification of inadvertent breaches
- Requiring carriers to notify the commission of all reportable breaches in addition to the FBI and U.S. Secret Service.
“Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers,” said FCC Chairwoman Jessica Rosenworcel in a prepared statement about the proposed FCC data breach notification requirements.
“Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after exposure of personal information. I look forward to having my colleagues join me in taking a fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
