The Federal Communications Commission on Friday announced it unanimously voted to pursue changes to how and when telecommunications network operators disclose data breaches.
The current rules, under Section 222 of the Communications Act, are more than 15 years old and require organizations to notify the U.S. Secret Service and FBI of breaches within seven days.
The FCC wants to “eliminate the outdated seven business day mandatory waiting period” and require operators to quickly notify the agency, law enforcement and customers of major data breaches, FCC Chair Jessica Rosenworcel said in a statement.
“Always-on connectivity means that our carriers have access to a treasure trove of data about who we are, where we have traveled, and who we have talked to,” Rosenworcel said. “It is vitally important that this deeply personal data does not fall into the wrong hands.”
Data breaches in the telecom industry have become more common and severe since disclosure rules were last updated in 2007. The nation’s largest carriers have all been hit with breaches, but T-Mobile in August 2021 suffered a massive data breach widely considered the largest carrier breach on record.
The cyberattack on T-Mobile, which at the time marked its fifth disclosed incident since 2018, exposed personal data of at least 76.6 million people. T-Mobile in July 2022 agreed to pay $500 million to settle a class-action lawsuit stemming from the incident.
Subsequent incidents bring the total to seven publicly acknowledged breaches at T-Mobile since 2018, including an attack initiated last year by Lapsus$, a high-profile and prolific ransomware group that targeted other major companies such as Microsoft, Nvidia, Samsung and Uber.
“Like most things with the FCC, this is a long overdue change,” Zeus Kerravala, founder and principal analyst at ZK Research, said via email.
FCC details next steps for breach notification changes
The FCC first proposed changes to bolster data breach regulations in January 2022.
“Threat actors have certainly advanced the way they attack consumers, and the rules of reporting should be changed as well. Focusing on telco is a good thing as they remain a main focal point for hackers,” Kerravala said.
The agency should revisit these rules annually, considering network operators are a “critical component of the way we live,” he said.
The FCC intends to expand the definition of “breach” to include inadvertent disclosures of customer information and is seeking comment on whether it should adopt minimum requirements for the details operators must share when a breach occurs.
“The majority of consumers only care that their data was lost and could be misused. The specifics of who is behind it are often lost,” Jason Rebholz, CISO at Corvus Insurance, said via email.
By including accidental breaches under the new notification rules, the FCC said it hopes to encourage telecom carriers to adopt stronger data security practices and help the industry identify and confront systemic network vulnerabilities.
The agency is also seeking comment on how its breach reporting regulations can work alongside a forthcoming mandate for critical infrastructure providers to promptly report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency.
Those reporting rules, passed by Congress under the Cyber Incident Reporting for Critical Infrastructure Act, require organizations in critical infrastructure to alert CISA within 72 hours of a major cyberattack or 24 hours of ransom payment.