Starting March 13th, telecommunications companies must report data breaches impacting customers’ personally identifiable information within 30 days, as required by FCC’s updated data breach reporting requirements.
“Without an FCC rule requiring breach notifications for the above categories of PII, there would be no requirement in Federal law that telecommunications carriers report non-CPNI breaches to their customers,” the FCC said.
The U.S. communications regulator also removed the obligatory waiting period for carriers to inform customers, mandating them to promptly notify customers of breaches involving covered data after alerting relevant federal agencies.
Massive telecom data breaches in recent years have highlighted the need to update the FCC’s data breach rules to align them with federal and state data breach laws that apply to other sectors.
Finally, in April 2016, AT&T paid $25 million to settle an FCC investigation into three data breaches that impacted hundreds of thousands of customers.
The FCC adopted its first rule requiring telecoms and VoIP providers to notify federal law enforcement agencies and their customers of any data breaches.
