Federal Communications Commission	"FCC  XX-XXX"


STATEMENT OF
CHAIRWOMAN JESSICA ROSENWORCEL

Re: 	Data Breach Reporting Requirements, WC Docket No. 22-21, Notice of Proposed Rulemaking (January 5, 2023).

Our mobile phones are in our palms, pockets, and purses.  We rarely go anywhere without them.  There is good reason for this—the convenience and safety of being able to reach out anytime and virtually anywhere is powerful.  But this always-on connectivity means that our carriers have access to a treasure trove of data about who we are, where we have traveled, and who we have talked to.
It is vitally important that this deeply personal data does not fall into the wrong hands.  That is why the Federal Communications Commission has long had rules that require carriers to protect the privacy and security of data, under Section 222 of the Communications Act.  But the rules this agency has on the books that require carriers to notify consumers and law enforcement of data breaches under Section 222 are more than 15 years old.  
That is why we kick off a proceeding to modernize our data breach rules here.  We propose to eliminate the outdated seven business day mandatory waiting period before notifying customers, require the reporting of inadvertent but harmful data breaches, and ensure that the agency is notified of major data breaches.  We also seek comment on how our breach reporting obligations can work alongside those forthcoming from the Cybersecurity and Infrastructure Security Agency under the Cyber Incident Reporting for Critical Infrastructure Act.  I look forward to the record that develops—and updating our policies under the law.



2