On February 12, the U.S. Federal Communications Commission published a new rule that establishes a specific timeframe in which telecommunications companies must report data and cybersecurity breaches. 

Increasing transparency

Previously, when a telecom company discovered a cyberattack that compromised its customer data, the company had to observe a “seven business day mandatory waiting period” before informing customers of the incident. But that’s a significant amount of time during which cybercriminals could misuse or potentially sell customer data – and the sooner the customers are informed of a breach, the more quickly they can respond and take their own action to protect themselves.

That’s why over the last two years, the FCC has been developing a new set of regulations that require telecom companies to be more transparent. Now, telecom companies will have to inform customers of any unauthorized access to personally identifiable information (PII) or customer proprietary network information (CPNI) “as soon as practicable,” and no later than 30 days after the initial discovery, giving companies time to effectively respond to the threat while ensuring customers are not kept out of the loop.

As the rule states:

“TRS (Telecommunications Relay Service) providers require flexibility when addressing data breaches, and a standard requiring providers to notify customers of a breach as soon as practicable will allow TRS providers sufficient time to determine the nature of the incident…

The elimination of the mandatory seven business day waiting period and imposition of a 30-day backstop will ensure that customers receive notification of any such breach in a timely fashion.”

Keeping data regulations up to date

In recent years, millions of individuals’ data has been breached due to large-scale cyberattacks impacting telecom providers (such as Verizon, Comcast, and T-Mobile), so ensuring federal data breach reporting regulations are up to date is more essential than ever.

As FCC Chairwoman Jessica Rosenworcel recently commented on the new protocols:

“Our mobile phones are in our palms, pockets, and purses. We rarely go anywhere without them. There is good reason for this—the convenience and safety of being able to reach out anytime and virtually anywhere is powerful…

But this always-on connectivity means that our carriers have access to a treasure trove of data about who we are, where we have traveled, and who we have talked to. It is vitally important that this deeply personal data does not fall into the wrong hands.”

The rule also outlines new requirements for telecom providers as they secure customers’ PII and CPNI, ensuring that they “provide customers with the tools needed to protect themselves in the event that their data is compromised.” The finalized proposal will go into effect on March 13, 2024.