After multiple data breaches, the FCC proposes new data breach rules for carriers
The FCC proposed a new set of rules for carriers to follow in the event of a data breach (via The Verge). The FCC proposed eliminating the current seven-day waiting time for customers to be notified of a data breach and mandating that carriers begin notifying their customers even if an inadvertent data breach occurs. Furthermore, the FCC also proposed that carriers inform the Commission of all reportable data breaches.
Jessica Rosenworcel, the chairwoman of the FCC, said, "Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers. Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information."
Currently, a carrier, in case of a data breach, can make an exception and tell its customers before the mandatory period, only if the situation is extraordinarily urgent and needs to prevent immediate and irreparable damage. But before informing customers, the carrier must first seek permission from the investigating agency.
The FCC proposal comes on the heels of another data breach in December 2021, in which some T-Mobile customers' personal information was leaked yet again. The December data breach wasn't as severe as the summer 2021 breach, which impacted approximately 50 million T-Mobile customers.
The current law obligates telecommunication providers to notify the FBI and Secret Service of a data breach within seven business days. Carriers must also wait for another seven business days after informing federal law enforcement before telling their clients about the data leak.
Things that are NOT allowed: