FCC updates data breach notification rules

keyboard with pink, orange and blue lighting

Image via Unsplash

The Federal Communications Commission (FCC) has officially adopted changes to data breach notification rules. The change is to ensure telecommunications, interconnected Voice over Internet Protocol (VoIP) and telecommunications relay services (TRS) adequately safeguard sensitive customer information.

The FCC action would hold phone companies accountable for protecting sensitive customer information, while enabling customers to protect themselves in the event that their data is compromised.

The action will expand the scope of the FCC’s breach notification rules to cover certain personally identifiable information that carriers and TRS providers hold with respect to their customers. It also expands the definition of “breach” to include inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.

In addition, the order will require carriers and TRS providers to notify the FCC of breaches, in addition to their current obligation to notify the United States Secret Service and Federal Bureau of Investigation, via the existing central reporting facility.

The action will also eliminate the requirement to notify customers of a breach in those instances where a carrier or TRS provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier or provider has definitive evidence that the encryption key was not also accessed, used, or disclosed.

It will also eliminate the mandatory waiting period for carriers and TRS providers to notify customers. Instead, it will require carriers and TRS providers to notify customers of breaches of covered data without unreasonable delay after notification to the FCC and law enforcement agencies, and in no case more than 30 days after reasonable determination of a breach, unless a delay is requested by law enforcement.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.