Stricter data breach reporting rules for telcos introduced by FCC

Telecommunications firms across the U.S. will be required to inform the Federal Communications Commission, the FBI, and the U.S. Secret Service regarding data breaches within seven days of identifying compromise under the finalized data breach reporting rule issued by the FCC, according to The Register. Data breaches should also be reported to customers within 30 days of discovering that a compromise was likely, said the FCC. Moreover, the FCC has also required breach notifications for the compromise of personally identifiable information, including names, email addresses and passwords, and authentication data, under the new rule, which is in contrast to the previous disclosure requirement that covered only customer proprietary network information. "Without an FCC rule requiring breach notifications for the above categories of PII, there would be no requirement in Federal law that telecommunications carriers report non-CPNI breaches to their customers," noted the FCC, which added that telecommunications carriers could be exempted from providing breach disclosures to customers should they determine that the impacted data would not cause any harm.