FCC: Telecom Providers Have 30 Days to Disclose Breaches


As of March 13th, the FCC will force telecom providers to promptly disclose data breaches affecting consumers’ personally identifiable information.

  • Telcos are now mandated to report breaches of both CPNI and PII.
  • The new regulations eliminate the obligatory waiting period for carriers to inform customers, compelling expedited disclosure.

The Federal Communications Commission (FCC) is enforcing new regulations that force telecom providers to disclose data breaches, effective as of March 13th.

The set of stringent new regulations has been in the works since January 2022. The FCC’s final rule makes it clear that telcos are to report breaches encompassing personally identifiable information (PII) within a strict 30-day timeframe. The list of telcos also includes those offering Voice over Internet Protocol (VoIP) and telecom relay services (TRS).

Before this, telcos were only required to notify the FCC of Customer Proprietary Network Information (CPNI) breaches. Those encompass billing information, call records, and other service-related details.

Now they have to disclose not only CPNI breaches but also PII breaches. Those include social security numbers (SSNs), driver’s license numbers, passwords or other authentication credentials, health information, and financial account information.

One would think that stolen SSNs are more of a priority than one’s call records, considering SSNs are the key element needed for identity theft.

Also, the new requirements eliminate the obligatory waiting period for carriers to inform customers. They compel expedited disclosure following breach detection unless instructed otherwise by law enforcement.

The FCC would now also require an even more expedited disclosure if 500 or more customers are affected. According to the document, “for breaches that affect 500 or more customers, or for which a TRS provider cannot determine how many customers are affected, the Commission requires providers to file individual, per-breach notifications as soon as practicable, but no later than seven business days after reasonable determination of a breach.”

This FCC news should not surprise you. T-Mobile alone has had nine reported incidents since 2018. Cybersecurity threats are escalating. Data thieves are attracted to PII like moths to a flame, and the telecom industry is a prime hoarding ground for information. So, no wonder the FCC and other federal agencies are trying to contain the damage.

Can you imagine what would happen if, let’s say, China got access to the PII of American governmental higher-ups? Or, in a more ground-level scenario, someone stealing the identity of an important researcher to get access to their material via the cloud?

Every day, we put our trust in some faceless telecom operator, but the truth is that a major security breach could compromise millions of people.
