The FCC’s Privacy and Data Protection Task Force is an FCC staff working group created by Chairwoman Rosenworcel. The Task Force is led by the Chief of the FCC’s Enforcement Bureau, Loyaan A. Egal, and coordinates across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors, including data breaches (such as those involving telecommunications providers) and vulnerabilities involving third-party vendors that service regulated communications providers.
The always-on nature of connectivity in our culture has made the communications industry a lynchpin of society and critical infrastructure. Consumers entrust their personal information to the regulated communications industry on a daily basis, and the FCC has an important role to play in ensuring consumers enjoy the data privacy they both demand and deserve. For example, the FCC leads investigations into the use of customer location data that impact consumers’ privacy, oversight of vendors’ retention and protection of sensitive data, and protection against the exploitation of network and software vulnerabilities that result in cyber intrusions.
Addressing problems that erode the public’s trust in data protection requires a whole-of-government and public-private approach, including:
- telecom carrier, interconnected VoIP, cable, and satellite provider responsibilities for privacy and data protection;
- the important connection between privacy and data protection and supply chain integrity;
- supply chain vulnerabilities;
- the consequences of a breach in the supply chain (both to consumer privacy and entities that do not take reasonable steps to protect consumer information); and,
- potential risks to national security through compromised supply chains.
A Top Priority
Privacy and data protection are critical to all Americans. When consumer information is exposed (whether through outside attack, insider malfeasance, or company negligence), that information can be used for myriad harmful purposes. For instance, illegal robocalls and scam texting schemes can use stolen and harvested sensitive information to target and trick consumers. Notably, consumers are sharing ever-increasing information – including highly personal information – with communications providers: 97% of Americans have a mobile phone, and they carry that device with them nearly everywhere. Thus, it is crucial that the regulated communications sector live up to its privacy and data protection obligations.
The FCC under Chairwoman Rosenworcel has implemented policies and taken actions to help protect Americans’ data and privacy. The agency has launched rulemakings, taken enforcement actions, warned providers of their responsibilities, and more.
Privacy & Consumer Data
Data privacy is hugely consequential for consumers and our economy as a whole. You could argue that the indispensable ingredient for our digital economy is trust. It’s foundational. A Pew survey found that half of Americans have chosen not to use a product or service because of privacy concerns.
And yet, in this always-online world, where technology and economic forces have created a marketplace where for a growing number of parties your data equals dollar signs, we simply have not done a good enough job of protecting the public. But we are now working to change that.
In addition to the new Task Force, we are taking other specific actions. For example, to further protect consumers’ privacy, the FCC has looked to crack down on SIM swapping, an increasingly popular scam where a fraudster calls up your wireless provider and convinces the customer service representative that they are you and need your phone number switched to a new SIM card that they control. The FCC proposed requiring carriers to authenticate a customer before transferring a phone number to a new device or carrier.
In addition, the FCC voted to explore ways our Lifeline and Affordable Connectivity Programs can better support survivors of domestic violence and to make sure they are able to communicate safely with abuse hotlines and shelters. That’s because survivors of domestic violence and sexual violence uniquely rely on access to private communications, while, at the same time, facing unique challenges securing reliable, private phone and internet service.
Then-Commissioner Rosenworcel also supported the FCC’s 2016 rule to protect consumer data on broadband networks, which Congress and President Trump went out of their way to block in order to allow broadband providers access to consumer data.
The FCC launched a proceeding to strengthen the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI), and adopted rules in December to modify the Commission’s 16-year-old data breach notification rules to ensure that providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) adequately safeguard sensitive customer information. The new rules will hold phone companies accountable for protecting sensitive customer information, while enabling customers to protect themselves in the event that their data is compromised.
The Commission’s existing breach notification rules provide important protections against the risk of improper access, use, or disclosure of customer data, helping to ensure that carriers are held accountable when breaches occur, and that they provide customers with adequate and timely notice. However, with the increase in frequency and severity of data breaches over recent years, these rules needed to be updated to reflect the current security landscape.
The new rules will expand the scope of the Commission’s breach notification rules to cover certain personally identifiable information that carriers and TRS providers hold with respect to their customers. They also expand the definition of “breach” to include inadvertent access, use, or disclosure of customer information, except in those cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider, and such information is not used improperly or further disclosed.
In addition, the Report and Order will require carriers and TRS providers to notify the Commission of breaches, in addition to their current obligation to notify the United States Secret Service and Federal Bureau of Investigation, via the existing central reporting facility. It will also eliminate the requirement to notify customers of a breach in those instances where a carrier or TRS provider can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier or provider has definitive evidence that the encryption key was not also accessed, used, or disclosed. It will also eliminate the mandatory waiting period for carriers and TRS providers to notify customers. Instead, it will require carriers and TRS providers to notify customers of breaches of covered data without unreasonable delay after notification to the Commission and law enforcement agencies, and in no case more than 30 days after reasonable determination of a breach, unless a delay is requested by law enforcement.
A thorough and swift response to these breaches is important because the telecommunications industry, in addition to being identified as critical infrastructure, affects nearly every individual, community, and business. Breaches can, and have, resulted in serious problems for consumers, including theft of sensitive personal data like social security numbers and financial information. Breaches also facilitate more technically complex fraud schemes such as fraudulent porting of a customer’s phone number to another phone, called a SIM swap, which allows bad actors to subvert 2-factor authentication and could allow them to access highly sensitive information, including financial and social media accounts. These breaches have economic ripple effects and can impact U.S. national security and law enforcement interests. Half of Americans have forgone a product or service based on privacy concerns. And that figure increases among those who have been the victim of a data breach. Given regulated communications providers’ status as critical infrastructure and proximity to the most intimate aspects of consumers’ lives (e.g., telecommunications providers’ access to granular location data), it is important that the FCC ensures carriers, cable providers, and satellite providers are living up to their privacy and data protection obligations.
The FCC has dedicated a team in the Enforcement Bureau specifically to investigate and enforce violations of the Commission’s privacy and data protection laws and rules. That team has been expanded and will continue to add necessary resources to address this critical and growing concern. In addition, the Enforcement Bureau has increased the number of personnel with data protection and national security experience, including those with TS/SCI clearances, in order to review classified information and better coordinate with national security colleagues in assessing risks involving the communications (including telecom, cable, and satellite) services and supply chain sectors. The Enforcement Bureau will use its resources and the FCC’s discovery and subpoena authorities to procure information not only from regulated communications providers, but also from relevant third parties, including companies that are part of the communications supply chain and who handle customer data, to address privacy and data security issues that arise with regulated communications providers and their supply chains. This work spans all areas of communications and involves broad topics, such as customer location data and captioned communications services for those with disabilities. When appropriate, the FCC will exercise its monetary penalty authority to ensure compliance with the Act and its rules. Companies must know that violating our rules is not merely an acceptable cost of doing business.
Secure Supply Chain
Trust in our communications systems requires that we identify threats to this trust and take actions to address them. The FCC published the first-ever Covered List of communications and services that pose an unacceptable risk to national security as required under the Secure and Trusted Communications Networks Act. The FCC also launched the Secure and Trusted Communications Networks Reimbursement Program to remove untrusted equipment from our networks and replace it with secure alternatives. And the FCC worked with its national security colleagues and revoked the section 214 operating authorities of Chinese state-owned carriers who were providing service in the United States.
The FCC has a unique role in securing the nation’s communications supply chain. In addition to the actions listed above, the FCC plays a critical role with the USF Supply Chain and as a named member of the departments and agencies the Commerce Department consults with to determine risks presented to the U.S. information and communications technology and services (ICTS) supply chain pursuant to Executive Order 13873. We remind the public and industry about the importance of securing the supply chain through reasonable efforts: “know your vendor” due diligence such as who owns the vendor; where the third party performs support; and what level of oversight is used to monitor third-party access levels within your networks.
Statutes & Regulations
Under the Telecommunications Act, carriers must protect the privacy and security of their customers’ service-related and billing information, and may only use, disclose, or permit access to CPNI under these conditions:
- As required by law.
- With customer approval.
- While providing the service for which the customer information was obtained.
- When providing a 911 caller's location information to a 911 call center.
If you believe your carrier or provider is selling or sharing your location or other CPNI-protected information, you can file a privacy complaint with the FCC online by visiting https://consumercomplaints.fcc.gov, or call 1-888-CALL-FCC (1-888-225-5322); ASL: 1-844-432-2275.
The FCC requires telecommunications carriers and interconnected Voice over Internet Protocol (VoIP) providers to notify customers and federal law enforcement of breaches that expose CPNI data. Carriers are also required to submit to the FCC an annual summary of all consumer complaints received regarding unauthorized release of customer information and certify that they are compliant with FCC rules.
The FCC’s rulemaking authority continues to be an important tool to address emerging issues, including those related to data and privacy, as shown by three recent notices of proposed rulemaking: one aimed at strengthening protections related to fraudulent SIM swaps (2021), another poised to strengthen data breach reporting rules (2023), and a third instituting periodic review of carriers providing international service to evaluate risks (including those related to national security, law enforcement, trade, and foreign policy). The FCC will continue responding to the ever-changing privacy landscape through adopting new rules that align with industry best practices and modern technology.
The FCC is made up of various Offices and Bureaus which lead various policy, legal, and public service needs of the agency. The Task Force includes:
- The Office of the Chairwoman
- Enforcement Bureau
- Public Safety and Homeland Security Bureau
- Wireline Competition Bureau
- Consumer and Governmental Affairs Bureau
- Space Bureau
- Media Bureau
- Office of the General Counsel
- Office of the Managing Director
- Office of International Affairs
- Office of Engineering and Technology
- Office of Economics and Analytics
- FCC Adopts Updated Data Breach Notification Rules to Protect Consumers – December 21, 2023
- FCC Reminds Carriers of SIM Fraud Prevention Obligations – December 11, 2023
- FCC Launches First-Ever Enforcement Partnerships with State Attorneys General – December 6, 2023
- FCC Renews Robocall & Data Protection International Enforcement Partnership – September 21, 2023
- FCC Proposes Cybersecurity Labeling Program for Smart Devices – August 10, 2023
- FCC to Host Border Gateway Protocol Security Workshop – July 28, 2023
- FCC Proposes $20M Fine for Apparently Failing to Protect Consumer Data – July 28, 2023
- Chairwoman Proposes Rules to Protect Consumers' Cell Phone Accounts – July 11, 2023
- Chairwoman Rosenworcel Remarks at CDT Forum on Data Privacy – June 14, 2023
- Chairwoman Rosenworcel Launches Privacy and Data Protection Task Force – June 14, 2023
- FCC Proposes Periodic Reviews of International Telecom Authorizations – April 25, 2023
- FCC Proposes Updated Data Breach Reporting Requirements – January 6, 2023
- Rosenworcel Shares Mobile Carrier Responses to Data Privacy Probe – August 25, 2022
- Rosenworcel Probes Mobile Carriers on Data Privacy Practices – July 19, 2022
- FCC Proposes Rules to Prevent SIM Swapping and Port-Out Fraud – September 30, 2021
- Location Data NALs – February 28, 2020
Consumer Tips to Protect Your Data
Creating a strong password is an essential step to protecting yourself online. Using long and complex passwords is one of the easiest ways to defend yourself from cybercrime and to protect your data online.
- Make passwords hard to guess. Do not include personal information in your password, such as your name or pets’ names, birth dates, or favorite sports teams. These can easily be found on social media.
- Avoid using common words in your passwords.
- Keep your passwords a secret. Don’t tell anyone your passwords and watch for attackers trying to trick you into revealing your passwords through email or calls.
- Unique account, unique password. Having different passwords for various accounts helps prevent cyber criminals from gaining access to these accounts and can protect you in the event of a breach.
- Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in.
- Use a password manager to remember all your long passwords. The most secure way to store all of your unique passwords is by using a password manager. The Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance have partnered to provide SIMPLE TIPS for creating a password.
Think before you connect to Wi-Fi networks and Bluetooth. Unsecure connections may compromise sensitive information stored on your device and in online accounts. Take these steps to minimize the risk:
- If you regularly use a public Wi-Fi hotspot, consider using a virtual private network (VPN) that will encrypt your data.
- Adjust your device's settings so it does not automatically connect to nearby Wi-Fi networks.
- Websites that are secure use "https" at the beginning of their web address. If the “s” is missing, avoid sharing any sensitive data or information.
- When sending sensitive information, your mobile data plan may be more secure than Wi-Fi.
- Turn Bluetooth off when not in use. Use Bluetooth in "hidden" mode rather than "discoverable" mode. This prevents other unknown devices from finding your Bluetooth connection.
- If you connect your mobile phone to a rental car, be sure to unpair your phone and clear any personal data from the car before you return it. Take the same steps when selling a car.
- Check out FCC Consumer Guide: Wireless Connections and Bluetooth Security Tips.