FCC Adopts Data Breach Rules Changes Expanding Definition and Notification Requirements

The Federal Communications Commission (FCC) made significant changes to data breach rules on Wednesday, expanding the definition of what constitutes a breach and who must be notified in the event of one. The approved order now includes “inadvertent access, use, or disclosure of customer information” in the definition of a breach, and extends notification rules to cover all customers’ personally identifiable information held by carriers and telecommunications relay services.

FCC Chair Jessica Rosenworcel emphasized the importance of protecting consumer information in the digital age, stating, “Our phones now know so much about where we go and who we are, we need rules on the books to make sure our carriers keep our information safe and cyber-secure.”

However, the rules update is expected to face opposition from Senate Republicans, particularly Sen. Ted Cruz, who criticized the proposed changes as potentially violating a Congressional order that killed expanded FCC privacy rules in 2017. The two Republican members of the commission also expressed concerns about the order exceeding the limits set by Congress on agency decision-making.

Under the new rules, carriers and providers must notify the FBI, Secret Service, and the FCC of breaches affecting 500 or more customers within seven business days of determining a breach. Breaches affecting fewer than 500 customers, where no harm is likely to occur, can be reported in an annual summary of breaches.

The FCC’s increased focus on privacy and data protection under Rosenworcel’s leadership includes the establishment of a Privacy and Data Protection Task Force and enforcement partnerships with state attorneys general. The vote on the data breach rules changes coincides with a wave of new federal data breach reporting requirements, including recent updates by the Federal Trade Commission and upcoming SEC breach notification rules.

Overall, the FCC’s updated data breach rules aim to enhance consumer protection and cybersecurity measures in an increasingly digital world, but are likely to face continued scrutiny and debate in the coming months.