The Federal Communications Commission (FCC) is upping the game a bit for data breaches incurred by telecommunications carriers, coming closer to the requirements under most state breach notification laws. For example, the new rules cover more types of data and expand the definition of a “breach” to include inadvertent access, use, or disclosure, as many state data breach notification laws do.
Under the new rules, most telecommunications carriers will have to notify the FCC as well as the U.S. Secret Service and FBI through a central reporting facility. However, the new rules also add an element-of-harm requirement for notice to consumers: telecommunications carriers will not be required to notify consumers if they reasonably determine that there will not be any harm to the consumer or when the breach only involves encrypted data (and the encryption key is still secure), again mirroring many state data breach notification laws. While the previous rules required telecommunications carriers to wait before notifying affected consumers, notification now matches many state laws in requiring notice to consumers “without unreasonable delay” after notification to the FCC and law enforcement agencies, and generally within 30 days of the reasonable determination of the breach.