The FCC Wants to Make Telecom Carriers Disclose Hacks Sooner

The days of finding out about a data breach impacting your personal data months after the fact may soon become a thing of the past—at least when it comes to hacks affecting telecom carriers. The Federal Communications Commission has proposed a new rule, requiring phone and internet providers to notify customers of breaches much more quickly.

“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches,” said FCC Chair Jessica Rosenworcel in a press statement. Though state laws, like those in California, have more current and stringent standards, the pre-existing federal rule is 15 years old, and likely in dire need of updating.

Currently, there is a federally mandated seven business day minimum waiting period between discovery of a breach and when companies can tell their customers about it. The FCC’s recommended change would scrap that waiting period and instead require carriers to notify customers of hacks and other security issues “without unreasonable delay after discovery.”

In other words: the amount of time between when hackers get ahold of peoples’ sensitive data and when those impacted know about it could become much shorter—making it easier to take early protective action like canceling credit cards or changing passwords.

The reasoning behind that 7-day wait is so that telecom companies have time to report breaches to “relevant investigative agencies” before they tell customers, and so that the investigative bodies can gauge the risk to the public, according to the proposal. However, hackers are targeting telecom carriers more than ever before, and what’s at stake for the public has become progressively more apparent.

We live nearly our whole lives on our phones or over the internet and telecom companies are in possession of extensive information about their customers, including (but not limited to) call data, location, hardware details, and billing and financial info. Stolen data can end up bought and sold on the dark web in a flash, leaving victims at risk of identity theft and other major financial and privacy repercussions.

“In the telecommunications industry, the public has suffered an increasing number of security breaches of customer information in recent years,” the rule proposal notes. Data breaches across all sectors rose 70% in just the last few months of 2022, according to one analysis from Infosecurity Magazine.

And things were already pretty bad before that. In 2021, a separate analysis found that more than 13 different global telecom providers had been infiltrated by a single hacker group in just two years. Both T-Mobile and AT&T have reportedly suffered data hacks impacting tens of millions of customers, and revealing sensitive data including social security numbers, and driver’s license info. AT&T denied any breach, but T-Mobile ended up settling for $500 million over its own incident. Previously, T-Mobile customers ended up victims of similar breaches in 2019 and 2015.

Gizmodo reached out to T-Mobile, AT&T, Verizon, and Comcast to see what the U.S.’s largest telecoms providers think about the FCC proposal, but none of the companies immediately responded.

On top of ensuring customers learn about hacks more quickly, the proposed change would also broaden the definition of data breaches, among other small adjustments. Accidental or unintended disclosures of customer info would newly fall under the data breach umbrella. So, if a carrier screws up—even without external meddling—it would need to notify customers.

But instituting these changes isn’t 100% straightforward. The FCC proposal notes concerns about jeopardizing criminal investigations if carriers are forced to notify customers of breaches right away. As a loophole, the new rule could allow federal agencies to delay notices for up to 30 days—which wouldn’t exactly solve the timeliness issue. The commission is also working thought how to handle smaller carriers and if/how to institute a notification period time limit. Further, the FCC is asking for public input on whether or not breach notifications should include specific information about what was leaked and how to best manage it. Soon, the proposal will be open for comment, and you can tell the FCC your thoughts.

The days of finding out about a data breach impacting your personal data months after the fact may soon become a thing of the past—at least when it comes to hacks affecting telecom carriers. The Federal Communications Commission has proposed a new rule, requiring phone and internet providers to notify customers of breaches much more quickly.

“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches,” said FCC Chair Jessica Rosenworcel in a press statement. Though state laws, like those in California, have more current and stringent standards, the pre-existing federal rule is 15 years old, and likely in dire need of updating.

Currently, there is a federally mandated seven business day minimum waiting period between discovery of a breach and when companies can tell their customers about it. The FCC’s recommended change would scrap that waiting period and instead require carriers to notify customers of hacks and other security issues “without unreasonable delay after discovery.”

In other words: the amount of time between when hackers get ahold of peoples’ sensitive data and when those impacted know about it could become much shorter—making it easier to take early protective action like canceling credit cards or changing passwords.

The reasoning behind that 7-day wait is so that telecom companies have time to report breaches to “relevant investigative agencies” before they tell customers, and so that the investigative bodies can gauge the risk to the public, according to the proposal. However, hackers are targeting telecom carriers more than ever before, and what’s at stake for the public has become progressively more apparent.

We live nearly our whole lives on our phones or over the internet and telecom companies are in possession of extensive information about their customers, including (but not limited to) call data, location, hardware details, and billing and financial info. Stolen data can end up bought and sold on the dark web in a flash, leaving victims at risk of identity theft and other major financial and privacy repercussions.

“In the telecommunications industry, the public has suffered an increasing number of security breaches of customer information in recent years,” the rule proposal notes. Data breaches across all sectors rose 70% in just the last few months of 2022, according to one analysis from Infosecurity Magazine.

And things were already pretty bad before that. In 2021, a separate analysis found that more than 13 different global telecom providers had been infiltrated by a single hacker group in just two years. Both T-Mobile and AT&T have reportedly suffered data hacks impacting tens of millions of customers, and revealing sensitive data including social security numbers, and driver’s license info. AT&T denied any breach, but T-Mobile ended up settling for $500 million over its own incident. Previously, T-Mobile customers ended up victims of similar breaches in 2019 and 2015.

Gizmodo reached out to T-Mobile, AT&T, Verizon, and Comcast to see what the U.S.’s largest telecoms providers think about the FCC proposal, but none of the companies immediately responded.

On top of ensuring customers learn about hacks more quickly, the proposed change would also broaden the definition of data breaches, among other small adjustments. Accidental or unintended disclosures of customer info would newly fall under the data breach umbrella. So, if a carrier screws up—even without external meddling—it would need to notify customers.

But instituting these changes isn’t 100% straightforward. The FCC proposal notes concerns about jeopardizing criminal investigations if carriers are forced to notify customers of breaches right away. As a loophole, the new rule could allow federal agencies to delay notices for up to 30 days—which wouldn’t exactly solve the timeliness issue. The commission is also working thought how to handle smaller carriers and if/how to institute a notification period time limit. Further, the FCC is asking for public input on whether or not breach notifications should include specific information about what was leaked and how to best manage it. Soon, the proposal will be open for comment, and you can tell the FCC your thoughts.