WASHINGTON, December 13, 2023—The Federal Communications Commission today adopted rules to modify the Commission’s 16-year-old data breach notification rules to ensure that providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) adequately safeguard sensitive customer information. Today’s action would hold phone companies accountable for protecting sensitive customer information, while enabling customers to protect themselves in the event that their data is compromised.
Americans should have confidence that when they use communications services, their personal information is protected. These services are an integrated and critical part of modern life, and provide a vital lifeline for consumers. In providing these services, telecommunications carriers, interconnected VoIP providers, and TRS providers often collect large quantities of sensitive customer data, including telephone numbers a person has called and mobile phone location data showing the places they have been. This information could provide insights into medical conditions, religious beliefs, and other aspects of a person’s private life.
The Commission’s existing breach notification rules provide important protections against the risk of improper access, use, or disclosure of customer data, helping to ensure that carriers are held accountable when breaches occur, and that they provide customers with adequate and timely notice. However, with the increase in frequency and severity of data breaches over recent years, these rules needed to be updated to reflect the current security landscape.
Today’s action will expand the scope of the Commission’s breach notification rules to cover certain personally identifiable information that carriers and TRS providers hold with respect to their customers. It also expands the definition of “breach” to include inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.
In addition, today’s Report and Order will require carriers and TRS providers to notify the Commission of breaches, in addition to their current obligation to notify the United States Secret Service and Federal Bureau of Investigation, via the existing central reporting facility. Today’s action will also eliminate the requirement to notify customers of a breach in those instances where a carrier or TRS provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier or provider has definitive evidence that the encryption key was not also accessed, used, or disclosed.
It will also eliminate the mandatory waiting period for carriers and TRS providers to notify customers. Instead, it will require carriers and TRS providers to notify customers of breaches of covered data without unreasonable delay after notification to the Commission and law enforcement agencies, and in no case more than 30 days after reasonable determination of a breach, unless a delay is requested by law enforcement.
Action by the Commission December 13, 2023 by Report and Order (FCC 23-111). Chairwoman Rosenworcel, Commissioners Starks and Gomez approving. Commissioners Carr and Simington dissenting. Chairwoman Rosenworcel, Commissioners Carr, Starks, Simington, and Gomez issuing separate statements.
WC Docket No. 22-21