The amended rules follow the Biden Administration’s “whole of government” approach to maximizing notifications to executive agencies of cybersecurity events.

By Jennifer C. Archie, Matthew A. Brill, Gabriela Aroca Montaner, Chad Kenney, and Molly Whitman

On December 21, 2023, a divided Federal Communications Commission (FCC or the Commission) released a Report and Order updating its data breach reporting rules for certain telecommunications providers. The updated rules require that providers of telecommunications services, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) adequately safeguard sensitive customer information and report data breaches to the Commission. The rules will also likely apply to providers of broadband Internet access services when the Commission completes its recently initiated rulemaking proposing to reclassify broadband as a telecommunications service covered by the data breach rules.

In a 3-2 vote, the Commission expanded the breach notification regulations to cover breaches that involve personally identifiable information (PII), in addition to customer proprietary network information (CPNI). Both PII and CPNI are now considered “covered data” under the applicable rules. Further, the rules now extend to inadvertent disclosures of covered data, along with intentional disclosures without authorization. Upon determining that a breach has occurred, carriers must notify the Commission via the FCC’s existing central reporting facility in addition to notifying the FBI and the Secret Service.

Federal agency notifications must be submitted “as soon as practicable,” but no later than seven business days after determination of a breach. The Commission emphasized that, depending on the circumstances, a “failure to swiftly report breaches may … be untimely and unreasonable, even if within the seven business day timeline.” Carriers must also notify affected data subjects in a timely manner — eliminating the mandatory seven-day waiting period after notifying law enforcement that previously applied before a carrier could begin notifying customers.

Learn more in this Client Alert.