InfoBytes Blog
FCC adopts updated data breach notification rules
On December 21, 2023, the FCC announced it adopted an updated data breach notifications rule. The rule was formerly designed to protect consumers against pretexting, “a practice in which a scammer pretends to be a particular customer or other authorized person to obtain access to that customer’s call detail or other private communications records.” As previously covered by InfoBytes, the FCC promulgated its notice of proposed rulemaking in January 2023. The rule has been updated to expand the data breach notification requirements to, among other things: (i) cover different categories of personally identifiable information that carriers hold; (ii) expand the definition of “breach” to cover unintended disclosures of consumer information, except in situations where such information is obtained in good faith by an employee or representative of a carrier or telecommunications relay service (“TRS”) provider, and where there’s no improper use or further disclosure of that information; (iii) require TRS providers and carriers to notify the FCC, FBI, and U.S. Secret Service as soon as practicable and no later than seven business days after the reasonable determination of a breach; (iv) no longer require TRS providers and carriers to notify consumers of a data breach if they reasonably determine no harm to consumers is reasonably likely; and (v) no longer require carriers to follow a mandatory waiting period to notify consumers of a breach. FCC Chairwoman Jessica Rosenworcel said in her statement that the update to the data breach policy is the first in 16 years and that under the Communications Act, “carriers have a duty to protect the privacy and security of consumer data.” The rule was adopted on December 13, 2023.