FCC’s data breach reporting rules for telecoms are upheld in appeals court therecord.media/fcc-data-…

The Federal Communications Commission’s regulations requiring telecom companies to report breaches of customers’ personally identifiable information (PII) have survived a court challenge.

A federal appeals court panel voted 2-1 on Wednesday against a petition from industry groups, who argued that the 2024 rules exceeded the FCC’s statutory authority. Under the regulations, telecom companies must report breaches involving 500 or more customers’ PII within seven business days.

The rules, approved in December 2023 and imposed in March 2024, represented the first update to the agency’s data breach reporting requirements in 16 years.

Previous regulations covered breaches of data such as call records or billing information — also known as customer proprietary network information” (CPNI) — but the update added PII such as Social Security numbers and email addresses.