FCC Ruling: Telecoms Required to Report Data Breaches Involving PII and CPNI
The United States Sixth Circuit Court has upheld the authority of the Federal Communications Commission (FCC) to require telecommunications carriers to report data breaches involving both Customer Proprietary Network Information (CPNI) and Personally Identifiable Information (PII). The August 2025 ruling marks a significant expansion of cybersecurity reporting requirements for the telecom industry.
The decision comes amid increasing cyber threats to telecommunications infrastructure, including recent Chinese-backed Salt Typhoon and Volt Typhoon campaigns, highlighting the critical need for enhanced security measures in the sector. Organizations must now implement robust data protection measures to safeguard sensitive information.
Expanded Scope of Reporting Requirements
The court's opinion, delivered by Judge Jane B. Stranch, affirmed the FCC's regulatory authority under two key sections of the Communications Act. The ruling determined that "proprietary information" under Section 222(a) encompasses PII, while Section 201(b) supports the FCC's broad regulatory powers over data breach reporting practices.
The new requirements eliminate the previous seven-day waiting period for customer notification and instead require carriers to inform affected individuals without "unreasonable delay." This change requires telecommunications companies to develop comprehensive data breach response strategies.
Impact on Telecommunications Industry
The ruling directly affects several key areas:
- Broadband internet service providers must now report breaches involving customer personal data
- Telecommunications carriers face increased scrutiny over their data protection measures
- Companies must revise their incident response plans to accommodate faster reporting timelines
Legal Context and Industry Opposition
Industry groups, including the Ohio Telecom Association and CTIA, challenged the FCC's authority, arguing regulatory overreach. However, the court distinguished the 2024 rule from a previously rejected 2016 regulation, noting the new requirements are more focused and less prescriptive.
The court addressed concerns about a prior Congressional disapproval of similar rules, determining that the current regulations are substantially different from the broader privacy order rejected in 2016. Organizations must now establish clear protocols for managing data breaches and customer notifications.
According to the Federal Communications Commission's official guidance, telecommunications providers must maintain strict data security protocols and incident response procedures to comply with these new requirements.
The ruling represents a significant step forward in protecting consumer data while establishing clear guidelines for telecommunications providers. As cyber threats continue to evolve, these requirements provide a framework for maintaining data security and ensuring prompt notification when breaches occur.