FCC requires telecom companies to report data breaches within 30 days

The FCC has updated its reporting requirements, requiring telecommunications companies to report data breaches affecting customers' personally identifiable information within 30 days.

The FCC's revised data breach reporting regulations take effect on March 13 and mandate that telecommunications businesses report data breaches affecting consumers' personally identifiable information within 30 days.

The FCC's final rule is the result of many proposals that were first circulated in January 2022, published in January 2024, and one year earlier in January 2023. These proposals aimed to update the commission's breach notification regulations to require telecom providers to promptly notify customers of security breaches.

The revised data breach reporting regulations are intended to make sure that telecom, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) providers are held responsible for their duties to protect confidential client data and to give clients the resources they need to protect themselves in the event that their data is compromised.

They include unintended access, use, or disclosure of customer information, as well as the expansion of breach reporting requirements beyond customer proprietary network information (CPNI) to personally identifiable information (PII).

The U.S. communications regulator also eliminated the requirement that carriers wait a certain amount of time before notifying customers about breaches affecting covered data; now, they must notify customers as soon as possible after notifying the appropriate federal agencies. But unless law enforcement specifies a longer wait, the notification delay after a breach is discovered cannot be longer than 30 days.