Starting next month, telecom and VoIP providers will be required to issue data breach notifications to customers whenever personally identifiable information (PII) is involved in a cyber incident.
That’s according to new rules issued yesterday by the Federal Communications Commission (FCC), which will now also require carriers and service providers to report any breaches to the FCC, FBI and Secret Service within seven days of discovery. The Commission’s definition of PII is broad and includes not only names, contact information, dates of birth, and Social Security numbers, but also biometric data and a variety of other data.
Previously, the FCC only required customer notifications when Customer Proprietary Network Information (CPNI) data had been affected; CPNI can be thought of as phone bill information, i.e. data about your subscription plan, usage charges, numbers called or texted, and so on.
“The Commission considers that unauthorized exposure of sensitive personal information… is reasonably likely to pose a risk of harm to customers,” according to the FCC’s new data breach rules. “Consumers expect to be notified of material breaches that endanger their privacy, and companies that handle sensitive personal information should expect to be required to report such breaches.”
Telephone carriers are not required to notify customers, however, if they can reasonably determine that the incident is unlikely to harm customers, although the definition of “breach” has been expanded by the agency to include “inadvertent access, use or disclosure of customer information.”
The FCC’s breach reporting requirements were last updated 16 years ago.
“The pervasiveness of data breaches and the frequency of breach notifications have evolved and increased since the Commission first adopted the breach notification rule in 2007,” according to the FCC. It added: “This rising wave of data breaches has affected the telecommunications sector also. As the Electronic Privacy Information Center (EPIC) points out, the proprietary information of subscribers at each of the three major carriers has been breached at least once in the past five years.”
More recently, an insider threat breach at Verizon, disclosed earlier this month, exposed information on tens of thousands of employees; T-Mobile found three separate customer breaches in 2023; and a vendor breach last March led to data exposure for 9 million AT&T wireless customers.