FCC Proposes new reporting rules for the telecom sector in response to increased data breaches



By Courtney M. Knight

On January 6, 2023, the Federal Communications Commission (“FCC”) proposed new rules for data breach reporting in the telecommunications industry.  

The Notice of Proposed Rulemaking recognizes that “[i]n the telecommunications industry, the public has suffered an increasing number of security breaches of customer information in recent years,” and cites examples of multiple breaches that together have affected tens of millions of people since 2015. Because the proposed reporting requirements are in addition to, and would not replace, any State requirements that may apply to a given breach, part of the FCC’s goal appears to be to align its rules more closely with the other applicable reporting requirements that have evolved since it last set breach reporting rules in 2007. The FCC also seeks comment on how, if possible, to avoid duplicate reporting to Federal agencies and to minimize the burden on carriers.

Presently, whenever an unauthorized person intentionally obtains access to or uses customer proprietary network information (“CPNI”), or there is an unauthorized disclosure of CPNI, the carrier/provider is required to notify the FCC, the Federal Bureau of Investigation and the U.S. Secret Service, and then to wait seven days after that law enforcement notification before notifying affected customers. Unlike notification rules in other industries and in many states, the FCC’s current rules do not identify specific information that must be included in a customer notification, and there are no exceptions as to which data breach events are reportable or require customer notification.

The most notable proposed changes include the following:  

  1. The expansion of the definition of “breach” to also include inadvertent disclosure of customer information;
  2. the removal of the mandatory waiting period before customer notification after law enforcement is informed, so that customers would be notified without unreasonable delay unless law enforcement actually requests a delay;
  3. the adoption of a threshold trigger, based on the number of customers affected, before a breach report to law enforcement or the Commission is required;
  4. the adoption of minimum requirements for the content of customer breach notifications; and
  5. the adoption of a harm-based notification trigger, which would allow carriers to forgo notification to customers where they “can reasonably determine that no harm to customers is likely to occur as a result of the breach.”

The public comment period will be open for thirty days, and the reply comment period for sixty days thereafter. The progression of this rulemaking will be important to watch both for those in the telecom industry and for data security professionals.

If you have questions about data breach reporting requirements, please contact your FMG attorney for more information.