The Federal Communications Commission of the United States intends to improve federal law enforcement and modernise breach notification needs for telecommunications firms so that customers are notified of security breaches as soon as possible.
The FCC's proposals (first made public in January 2022) call for getting rid of the current requirement that telecoms wait seven days before notifying customers of a data breach.
Additionally, the Commission wants telecommunications providers to notify the FBI, Secret Service, and FCC of any significant breaches.
According to FCC Chairwoman Jessica Rosenworcel, "We propose to eliminate the antiquated seven business day mandatory waiting period before notifying customers, require the reporting of accidental but harmful data breaches, and ensure that the agency is informed of major data breaches."
In a separate press release, the FCC stated that it was considering "clarifying its rules to require consumer notification by carriers of inadvertent breaches and to require notification of all reportable breaches to the FCC, FBI, and U.S. Secret Service."
In 2007, the Commission passed the first regulation mandating that telecoms and interconnected VoIP service providers notify federal law enforcement agencies and their clients of data breaches.
The severity of recent telecom hacks demonstrates the need for an update to the FCC's data breach rules to bring them into compliance with federal and state data breach laws governing other industries.
For instance, Comcast Xfinity customers reported in December that their accounts had been compromised as a result of widespread attacks that avoided two-factor authentication.
Verizon informed its prepaid customers in October that their accounts had been compromised and that SIM swapping attacks had used the exposed credit card information.
According to reports, T-Mobile has also experienced at least seven breaches since 2018. The most recent one was made public after Lapsus$ hackers broke into the business' internal systems and stole confidential T-Mobile source code.
Finally, in order to end an FCC investigation into three separate data breaches that affected hundreds of thousands of customers, AT&T paid $25 million in April 2016.
"The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements," Rosenworcel stated.
"To better protect consumers, boost security, and lessen the impact of future breaches, this new proceeding will take a much-needed, fresh look at our data breach reporting rules."
