• by Wendy Davis  @wendyndavis, December 13, 2023

The FCC on Wednesday voted 3-2 in favor of regulations imposing new obligations on telecoms that experience data breaches.

“Today’s action would hold phone companies accountable for protecting sensitive customer information, while enabling customers to protect themselves in the event that their data is compromised,” the agency stated after the vote.

Among other mandates, the new rules require telecoms to notify consumers, federal law enforcement agencies and the agency about all data breaches, including “inadvertent” ones. The new regulations also generally require carriers to notify consumers about data breaches within 30 days of learning about the breach.

The last time the FCC updated rules regarding data breach notifications was in 2007.

The vote came one day after four senators urged the agency to abandon the proposal, arguing that the FCC lacks authority to issue data security rules. Ted Cruz (R-Texas) and others specifically argued that the agency was stripped of that authority in 2017, when Congress repealed a different set of privacy regulations that had been issued by the FCC.

Congress issued the repeal under the Congressional Review Act -- a 1990s era law that allows Congress to nullify some agency regulations, and also provides that agencies can't replace those regulations with “substantially” similar ones.

The lawmakers argued that the new data breach notification rules include provisions that are “substantially” the same as the privacy rules that were revoked in 2017.

Commissioners Nathan Simington and Brendan Carr agreed with the Senate Republicans. Both FCC members said Wednesday that the agency lacked authority to issue new rules regarding data breaches.