The Federal Communications Commission (FCC) has updated its data breach rules for the first time in 16 years, expanding the definition of a breach and specifying whom to alert. Adopted in a 3-2 party-line vote, the FCC order broadens breach notification rules to include certain personally identifiable information held by telecommunications carriers and providers.
The new rule defines a breach to encompass the “inadvertent access, use, or disclosure of customer information,” with exceptions for cases where employees obtain information during their job duties without improper use or disclosure. Customers must now receive breach notifications within 30 days, with law enforcement having the option to request a delay. The FCC emphasized the importance of updating rules due to the sensitive nature of the data carriers have access to, including details that could reveal medical conditions, religious beliefs, and other private aspects of an individual’s life.
The expanded rules also require carriers and providers to notify the FCC of breaches in addition to their existing obligations, such as contacting the FBI. This move aligns with recent federal data breach reporting requirements from the Securities and Exchange Commission (SEC) and the Federal Trade Commission. The decision faced opposition from Congressional Republicans, with Sen. Ted Cruz expressing concern in a letter and claiming that the FCC is overstepping its authority by issuing requirements similar to those rejected by Congress in 2016.
The letter, co-signed by three additional senators, criticizes the FCC’s action as a “jurisdictional power grab” and challenges the agency’s ability to ignore Congress’ previous order. The FCC’s move comes amid a broader trend of strengthening data breach reporting requirements across federal agencies, with the SEC’s rules, in particular, drawing industry and GOP backlash.