FCC Requires Telecom & VoIP Providers to Report PII Breaches
The Commission's breach rules for voice and wireless providers, untouched since 2017, have finally been updated for the modern age.
February 13, 2024
Starting next month, telecom and VoIP providers will have to issue data breach notifications to customers whenever there's personally identifiable information (PII) caught up in a cyber incident.
That's according to new rules issued yesterday by the Federal Communications Commission (FCC), which will now also require carriers and service providers to report breaches to the FCC, the FBI, and the Secret Service within seven days of discovery. The Commission's definition of PII is broad and encompasses not only names, contact information, dates of birth, and Social Security numbers, but also biometrics and a slew of other data.
Previously, the FCC required customer notifications only when Customer Proprietary Network Information (CPNI) data was impacted; CPNI can be thought of as phone bill information, i.e., subscription plan data, usage charges, numbers called or messaged, and so on.
"The Commission believes that the unauthorized exposure of sensitive personal information … is reasonably likely to pose risk of customer harm," according to the FCC's new data breach rules. "Consumers expect that they will be notified of substantial breaches that endanger their privacy, and businesses that handle sensitive personal information should expect to be obligated to report such breaches."
Phone providers are off the hook for contacting customers, however, if they can reasonably determine that the incident is unlikely to harm those customers. At the same time, the agency has expanded the definition of a "breach" to include "inadvertent access, use, or disclosure of customer information."
The last update to the FCC's breach reporting requirements was 16 years ago.
"The pervasiveness of data breaches and the frequency of breach notifications have evolved and increased since the Commission first adopted its breach notification rule in 2007," according to the FCC. It added, "This rising tide of data breaches has affected the telecommunications sector as well. As the Electronic Privacy Information Center (EPIC) points out, the proprietary information of subscribers of each of the three largest carriers has been breached at least once within the last five years."
Most recently, a Verizon insider threat breach revealed earlier this month exposed information for tens of thousands of employees; T-Mobile saw three different customer breaches in 2023; and a vendor breach last March led to the exposure of data for 9 million AT&T wireless customers.