The FCC might force cellphone providers to report data breaches differently

Here’s how the federal agency is responding to an “increasing frequency” of breaches.

The Federal Communications Commission (FCC) is considering new rules to update how telecommunications companies report data breaches. Some of the additional steps FCC Chairwoman Jessica Rosenworcel shared in a notice Wednesday would require carriers to notify the FCC, as well as the Federal Bureau of Investigation and the US Secret Service, of any inadvertent or unintentional breaches that put people’s personal information at risk. The proposal would also get rid of the seven-business-day waiting period companies observe between notifying authorities of a breach and telling the public.

“Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information,” Rosenworcel said in a press release about the proposal. “But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.” 

While this proposal starts the process towards actually changing the rules, the FCC did not offer a timeline for when to expect the next steps, such as a vote. The Commission has proposed a number of now-pending rules for telecom companies in recent months, including one in September that would target what’s known as “SIM swapping” (a form of identity theft in which attackers take over your phone, often to get around two-factor authentication) and another in October that would implement various measures to curb spam texts.


Data breaches using these methods and others are happening more often and affecting more people, the FCC explained in its newest proposal. In 2021, multiple telecommunications companies reported significant breaches, including Syniverse, which provides services to large providers such as AT&T, Verizon, and T-Mobile. T-Mobile also reported two additional breaches of its own in August and December. Millions of customers were estimated to have been impacted by these combined attacks. 

Congress has taken note of the mounting data breaches this year, and on Thursday, a bipartisan coalition of lawmakers announced the Terms-of-service Labeling, Design, and Readability Act, referred to as the “TLDR” Act. While the bulk of the legislation focuses on simplifying terms-of-service agreements for website visitors and increasing transparency around how sites use visitor data, it would also require companies to list all of their reported data breaches over the past three years in those agreements.