Telecommunications companies now required to report data breaches more forcefully under new FCC guidelines.
In a bid to enhance transparency and cybersecurity, the Federal Communications Commission (FCC) has implemented updated data breach reporting rules for U.S. telecommunications network operators. The new rules, effective from March 13, 2023, aim to address the lack of disclosure about sensitive information in the past.
According to FCC Chair, Jessica Rosenworcel, in the event of a data breach, your carrier must notify both the FCC and customers in a timely manner. This includes disclosing what happened and what personal information may be at risk. Carriers are now required to notify customers "without reasonable delay" and "in no case more than 30 days following reasonable determination of a breach."
The new rules also mandate quicker notification of regulators, law enforcement agencies, and customers in case of data breaches. Telecom operators must notify the FCC, Secret Service, and FBI "as soon as practicable, but not later than seven business days, after reasonable determination of a breach."
The rules cover the exposure of all personally identifiable information (PII) that could create a security risk for customers. This includes sensitive information such as Social Security numbers, financial data, and other personal details.
The evolving role of CISOs (Chief Information Security Officers) suggests a shift towards a more proactive approach in managing cybersecurity risks. This trend indicates a growing awareness among corporations about the importance of cybersecurity.
In a related development, the Securities and Exchange Commission (SEC) imposed new rules last year requiring companies to disclose any material security incident within four business days of determining materiality. This rule applies to public companies, including major network operators.
The new data breach reporting rules for U.S. telecommunications network operators require that material cybersecurity incidents be disclosed within four business days after the operator determines the incident is material. This rule, specifically, adds Item 1.05 to Form 8-K for timely disclosure of cybersecurity incidents that have a substantial impact on operations or finances.
The effective date for these new rules was announced in 2025, with announcements and finalized rule adoption occurring around mid-2025, specifically publicized by July 2025. Thus, U.S. telecommunications network operators must understand these new breach reporting rules to disclose material cyber incidents within this four-business-day window starting in 2025, ensuring timely transparency and adherence to SEC requirements.
These changes come as corporate stakeholders increasingly seek to understand the risk calculus of their technology stacks, with the question being: "Are we a target?" The new FCC rules are a step towards addressing this concern, promoting a culture of proactive cybersecurity within the industry.
References:
[1] Federal Register, "Securities and Exchange Commission, Amendments to Form 8-K; Accelerated Filing of Reports of Material Information," February 2023.
[2] Federal Communications Commission, "FCC Adopts New Data Breach Reporting Rules for Telecom Network Operators," Press Release, March 2023.
[3] Securities and Exchange Commission, "Disclosure of Cybersecurity Incidents," Rule 105 of Regulation S-K, 2022.
The new FCC data breach reporting rules require telecom operators to disclose material cybersecurity incidents within four business days, similar to the disclosure requirements from the SEC. This mandate includes notifying both customers and regulators like the FCC in case of a data breach. The evolving role of CISOs suggests a shift towards a more proactive approach in managing cybersecurity risks, underscoring the importance of technology in maintaining cybersecurity.
