In today's connected world, data breaches seem to be a near-daily occurrence. Communications providers in particular maintain sensitive information about their customers that makes them an attractive target for bad actors seeking access to that information. As laws and regulations at the federal and state level evolve to improve data security protections and reduce harms when data breaches occur, communications providers have to evaluate how such changes affect them and develop policies and practices to adhere to applicable requirements.
At the federal level, the Communications Act imposes data privacy obligations on cable companies and providers of telecommunications services. For the latter category, the FCC's rules require providers to safeguard certain information about their customers and notify law enforcement and customers of breaches. Historically, the FCC's data breach rule has applied only to consumer data known as "customer proprietary network information" (CPNI), which may include information such as phone numbers called, call frequency, duration, and timing, services purchased, and call location information. But over the last decade, the FCC has attempted to expand the scope of the rule and change the conditions that trigger reporting requirements.
Most recently, in December 2023, the FCC amended the data breach rule to cover both CPNI and "personally identifiable information" such as an individual's name in combination with government-issued identification numbers or password information, and unique biometric, genetic, or medical data. The rule would require notice to customers within 30 days of a breach, as well as notice to the FCC, U.S. Secret Service, and the FBI if a breach affects 500 or more customers. For both notice requirements, the FCC included a carveout if the carrier reasonably determines that no harm to customers is reasonably likely to occur as a result of the breach. The 2023 data breach rule was challenged in court and upheld by a three-judge panel for the Sixth Circuit Court of Appeals in August 2025. But even after that decision, the amended rule has not yet taken effect for other procedural reasons. It's also worth noting that current FCC Chairman Brendan Carr opposed the amended rule, and in a recent court filing, the FCC said that the rule was the subject of an "ongoing internal review" by the agency. The appellate court has since agreed to hold the pending case in abeyance pending that review. So, it's possible that the amended rule will not go into effect at all, and carriers' reporting obligations will remain confined to CPNI breaches.
This kind of regulatory whiplash can be frustrating for businesses, especially smaller providers that have limited compliance resources. Further adding to the complexity are data breach notification laws in every U.S. state and territory, each of which sets its own standards in terms of the types of covered data and the thresholds and processes for reporting a breach. There is no one-size-fits-all approach to data security. But in general, creating a written data breach response plan, and training key decision-makers on their roles under the plan, are important steps businesses can take in advance because real incidents often afford little time to respond. Other helpful steps may include mapping stores of personal data that are subject to notification requirements and establishing a process to notify vendors, customers, and regulators of an incident. Providers also may wish to evaluate options for cybersecurity insurance. In the end, each communications provider should, in consultation with legal counsel, evaluate how best to implement its overall data security obligations in a way that appropriately identifies and mitigates risks.
Originally published by Independent Communications News.