Starting next month, telecom and VoIP providers will have to issue data breach notifications to customers whenever personally identifiable information (PII) is caught up in a cyber incident.
That's according to new rules issued yesterday by the Federal Communications Commission, which will now also require carriers and service providers to report breaches to the FCC, the FBI, and the Secret Service within seven days of discovery.
The Commission's definition of PII is broad and encompasses not only names, contact information, dates of birth, and Social Security numbers, but also biometrics and a slew of other data.
Previously, the FCC required customer notifications only when Customer Proprietary Network Information (CPNI) was impacted; CPNI can be thought of as phone bill information, i.e., subscription plan data, usage charges, numbers called or messaged, and so on.
The last update to the FCC's breach reporting requirements was 16 years ago.
Most recently, a Verizon insider threat breach revealed earlier this month exposed information for tens of thousands of employees; T-Mobile saw three different customer breaches in 2023; and a vendor breach last March led to the exposure of data for 9 million AT&T wireless customers.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 13 Feb 2024 21:50:08 +0000