The Federal Communications Commission (FCC) has issued updates to its data breach rules for the first time in 16 years. This shift, marked by a 3-2 party-line vote, implements a comprehensive redefinition of breaches, encompassing various forms of unauthorized access to customer information held by telecommunications carriers and providers.
This expanded definition now includes inadvertent access, use, or disclosure of customer information, a significant broadening from the previous interpretation, with companies required to inform both consumers and the agency within 30 days of discovery. The reporting requirement aims to arm citizens with awareness surrounding cyber incidents while shoring up accountability across the telecom industry.
Why it matters: By demanding that providers hastily loop in users and regulators after security failures, the FCC seeks to create timely awareness of digital threats. Understanding the impact of these changes is crucial for effective leadership and compliance in this new regulatory environment.
- The new rule now includes “inadvertent access, use, or disclosure of customer information” as a breach. However, there’s an exception for cases where carriers’ and providers’ employees obtain the information in the course of their jobs without improper use or disclosure.
- Customers must be notified of a breach within 30 days unless law enforcement requests a delay. Additionally, carriers and providers are now required to alert the FCC about breaches, in addition to their existing obligation to contact the FBI.
- The new rules have faced opposition from Congress. Senator Ted Cruz (R-TX) criticized the decision, stating that the FCC is defying a 2016 order that prohibited similar expanded FCC privacy restrictions. The letter co-signed by Cruz and other senators, including Minority Leader Mitch McConnell (R-KY), referred to the 2016 FCC rules change as a “jurisdictional power grab” and legally suspect.
Go Deeper –> FCC updates data breach rules, with consumers in mind – The Record