Telecoms would be required to notify consumers, law enforcement and the Federal Communications Commission about all data breaches, even “inadvertent” ones, under new rules floated Wednesday by Chair Jessica Rosenworcel.
“Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information,” Rosenworcel stated Wednesday.
She stated that the current rules need to be updated “to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.”
Currently, telecoms must notify the FBI, U.S. Secret Service and customers about data breaches resulting from cyberattacks, but don't necessarily need to provide notifications about accidental data leaks.
Another rule change floated by Rosenworcel would eliminate a requirement that telecoms hold off on notifying consumers until at least seven business days had passed since law enforcement was notified.
A third proposed rule change would add the FCC to the list of government entities that need to be informed of data breaches.
Rosenworcel is circulating the potential rules around two weeks after T-Mobile reported it had been hacked again -- for at least the fourth time in four years.
T-Mobile's most recent data breach affected a “very small number” of customers, a spokesperson said.
In some instances, the hacker or hackers obtained SIM cards as well as customers' names, phone numbers and other data related to their billing plans, according to T-Mo Report, which first reported on the breach. In other cases, hackers obtained just SIM cards, or just the plan-related data.
Last August, a separate cyberattack resulted in hackers obtaining full names, birthdates, Social Security Numbers and driver's license information for more than 40 million former or prospective customers, as well as 7.8 million current customers.