The US Federal Communications Commission (FCC) on January 12 proposed new rules on how telecom companies must notify customers and the government about a data breach. In proposing the new rules, FCC Chairwoman Jessica Rosenworcel said: “Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information. I look forward to having my colleagues join me in taking a fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.” The proposed rules come in the aftermath of some high profile data breaches involving US telecom companies, specifically T-Mobile, which has suffered six data breaches in the last five years with the most recent breach taking place last month, and Syniverse, a company that routes billions of text messages of major US carriers. What are the proposed rules? The proposal outlines several updates to current FCC rules: No seven days waiting period to inform customers: FCC has proposed eliminating the current seven business day mandatory waiting period for notifying customers of a breach. Currently, telecom companies have seven days to inform the FBI and Secret Service of data breaches that leak customer proprietary network information (CPNI), after which they can notify customers. Inadvertent breaches must also be covered: The FCC has suggested expanding customer protections by requiring notification even in case of inadvertent breaches. FCC must be notified along with other law enforcement agencies: Carriers must…
