The Federal Communications Commission (FCC) is upping the game a bit for data breaches incurred by telecommunications carriers, coming closer to the requirements under most state breach notification laws. For example, the new rules cover more types of data and expands the definition of a "breach" to include inadvertent access, use, or disclosure, as many state data breach notification laws do.

Under the new rules, most telecommunications carriers will have to notify the FCC as well as the U.S. Secret Service and FBI through a central reporting facility. However, the new rules also add an element of harm requirement for notice to consumers - telecommunications carriers will not be required to notify consumers if they reasonably determine that there will not be any harm to the consumer or when the breach only involves encrypted data (and the encryption key is still secure) - again mirroring many state data breach notification laws. While the previous rules required the telecommunications carriers to wait before notifying affected consumers, notification now matches many state laws in requiring notice to consumers "without unreasonable delay" after notification to the FCC and law enforcement agencies, and generally within 30 days of the reasonable determination of the breach.

WASHINGTON, December 13, 2023—The Federal Communications Commission today adopted rules to modify the Commission's 16-year-old data breach notification rules to ensure that providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) adequately safeguard sensitive customer information. Today's action would hold phone companies accountable for protecting sensitive customer information, while enabling customers to protect themselves in the event that their data is compromised.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.