Illustration by Alex Castro / The Verge
Phone companies could have to follow new rules about how they notify customers and the government following a data breach if a proposal from the Federal Communication Commissionâs chairwoman Jessica Rosenworcel passes. The notice of proposed rulemaking, released on Wednesday, cites the âincreasing frequency and severity of security breaches involving customer informationâ as a risk to consumers.
The current rules give telecommunication providers seven business days to notify the FBI and Secret Service of data breaches that leak customer proprietary network information, or CPNI. In most cases, the company cannot notify customers about the breach until seven business days after information has been relayed to federal law enforcement. The proposal suggests doing away with that mandatory waiting period and adds the FCC to the list of agencies that companies will have to notify in the case of a data breach. It also says that they would have to send out notifications even in the case of inadvertent breaches.
CPNI is âsome of the most sensitive personal information that carriers and providers have about their customers,â according to the FCC. It can include data like who a customer made calls to and when and where those calls were made. It can also include customersâ billing account name, phone and account number, and info about their plan. The proposed update would âbetter align the Commissionâs rulesâ with the ones that have recently been put in place for other industries by federal and state governments, according to the notice.
This proposal isnât being made in a vacuum. In late December, news broke that a data breach had exposed some T-Mobile customersâ CPNI. The carrier had also suffered a much larger cybersecurity incident earlier in 2021, which affected over 50 million people and was already the carrierâs fifth breach in four years. While T-Mobile says it informed affected customers after the December breach, the FCCâs proposed rules wouldâve placed stricter requirements on how and when those notifications went out.
It may be a while before we see these requirements actually apply to phone companies â the FCC is currently in a political deadlock, with two Democrat members (including Rosenworcel) and two Republican members. The White House has nominated Gigi Sohn to fill the commissionâs fifth seat, which would tip the scales, but thereâs currently a stalemate with the Senate on actually getting her confirmed. Even if the Senate manages to confirm Sohn despite some Republican senatorsâ vows to block her nomination, the proposal is just the beginning of the rule-changing process.