Phone companies may have to follow new rules about how they inform customers and the government after a data breach if a proposal from Federal Communication Commission chair Jessica Rosenworcel is passed. The notification of proposed regulation, released Wednesday, cites the “increasing frequency and severity of security breaches involving customer information” as a risk to consumers.
The current rules give telecommunications providers seven business days to notify the FBI and the Secret Service of data breaches involving the leakage of proprietary customer network information, or CPNI. In most cases, the company will not be able to notify customers of the breach until seven business days after the information has been passed to federal law enforcement agencies. The proposal proposes to abolish that mandatory waiting period and adds the FCC to the list of agencies companies must report in the event of a data breach. It also says that they should send notifications even in the case of accidental breaches.
CPNI is “some of the most sensitive personal information carriers and carriers have about their customers”, according to the FCC. It can contain data such as who a customer called and when and where those calls were made. It may also include the customer’s billing account name, phone number and account number, and information about their subscription. The proposed update would “better align the Commission’s rules” with rules recently introduced by federal and state governments for other industries, the report said.
This proposal is not made in a vacuum. In late December, news came that a data breach had exposed the CPNI of some T-Mobile customers. The carrier had also suffered a much larger cybersecurity incident in 2021, affecting more than 50 million people, and it was already the carrier’s fifth breach in four years. Although T-Mobile says it notified affected customers after the December breach, the FCC’s proposed rules would have imposed stricter requirements on how and when those notifications went out.
It may be a while before we see these requirements actually apply to phone companies — the FCC is currently at a political deadlock, with two Democratic members (including Rosenworcel) and two Republican members. The White House has nominated Gigi Sohn to fill the committee’s fifth seat, which would tip the scales, but there is currently a stalemate with the Senate to actually get her confirmed. Even if the Senate manages to confirm Sohn despite vows by some Republican senators to block her nomination, the proposal is only the beginning of the process to change the rules.