The FCC proposes new data breach rules for phone companies

Illustration by Alex Castro / The Verge

Phone companies could have to follow new rules about how they notify customers and the government following a data breach if a proposal from the Federal Communication Commission’s chairwoman Jessica Rosenworcel passes. The notice of proposed rulemaking, released on Wednesday, cites the “increasing frequency and severity of security breaches involving customer information” as a risk to consumers.

The current rules give telecommunication providers seven business days to notify the FBI and Secret Service of data breaches that leak customer proprietary network information, or CPNI. In most cases, the company cannot notify customers about the breach until seven business days after information has been relayed to federal law enforcement. The proposal suggests doing away with that mandatory waiting period and adds the FCC to the list of agencies that companies will have to notify in the case of a data breach. It also says that they would have to send out notifications even in the case of inadvertent breaches.

CPNI is “some of the most sensitive personal information that carriers and providers have about their customers,” according to the FCC. It can include data like who a customer made calls to and when and where those calls were made. It can also include customers’ billing account name, phone and account number, and info about their plan. The proposed update would “better align the Commission’s rules” with the ones that have recently been put in place for other industries by federal and state governments, according to the notice.

This proposal isn’t being made in a vacuum. In late December, news broke that a data breach had exposed some T-Mobile customers’ CPNI. The carrier had also suffered a much larger cybersecurity incident earlier in 2021, which affected over 50 million people and was already the carrier’s fifth breach in four years. While T-Mobile says it informed affected customers after the December breach, the FCC’s proposed rules would’ve placed stricter requirements on how and when those notifications went out.

It may be a while before we see these requirements actually apply to phone companies — the FCC is currently in a political deadlock, with two Democrat members (including Rosenworcel) and two Republican members. The White House has nominated Gigi Sohn to fill the commission’s fifth seat, which would tip the scales, but there’s currently a stalemate with the Senate on actually getting her confirmed. Even if the Senate manages to confirm Sohn despite some Republican senators’ vows to block her nomination, the proposal is just the beginning of the rule-changing process.