Appeals Court Upholds FCC Data Breach Rules for Hacked Telecoms

Aug. 14, 2025, 12:15 AM UTC

A federal appeals court delivered a victory to the Federal Communications Commission on Wednesday by upholding new and controversial data breach reporting requirements for telecommunications companies targeted in cyberattacks.

The court rejected consolidated challenges, 2 to 1, from trade groups including the Ohio Telecom Association, Texas Association of Business and USTelecom. They argued the rules exceeded the agency’s authority and violated congressional restrictions. Circuit Judge Jane Stranch found that the Communications Act of 1934’s prohibition on “unjust or unreasonable” practices provided adequate authority for the breach notification requirements by allowing the agency to “prescribe” regulations as necessary.

“There is a direct connection between a carrier’s failure to disclose breaches of customer’s ‘identifying information’ and its role in providing communication services,” read the opinion for the US Court of Appeals for the Sixth Circuit.

The disputed 2024 rule, authorized during the Biden administration, requires providers to notify the FCC of data breaches involving 500 or more customers’ personal data within seven business days. The policy represents a major expansion from previous requirements that were limited in scope, covering call records and billing data. The new rule now covers personally identifiable information, including Social Security numbers, email addresses and biometric data.

The FCC has repeatedly imposed penalties and reached settlements with targeted mobile carriers. In September 2024, the agency reached a $13 million deal with AT&T Inc. to resolve their dispute over a January 2023 data breach in which some 9 million customers’ data was lost. It has reached similar deals with Verizon Communications Inc. and T-Mobile US Inc.

The rule’s opponents mounted a multi-pronged legal attack against the proposal, arguing that Congress had rejected a similar rule in 2017. They also claimed that key sections of the law didn’t provide sufficient authority for regulating PII. The telecommunications industry warned that the expanded requirements would impose burdensome compliance costs, while creating bureaucratic formalities for law enforcement agencies forced to account for each qualifying breach.

The court found that carriers’ failure to notify customers and authorities about data breaches constituted practices “in connection with” communication services. It rejected industry and dissenting arguments that this interpretation would grant the FCC unlimited regulatory scope.

Judge Raymond Griffin authored a fiery dissent, first arguing that Congress and President Donald Trump in 2017 both rejected a similar rule after the FCC issued data breach requirements a year earlier under President Barack Obama. Griffin also warned that the majority’s decision would allow agencies to circumvent Congressional disapproval through minor modifications, since Congress had already rejected a similar 2016 order.

The case is Ohio Telecom Association v. Federal Communications Commission, 6th Cir., 24-03133, 8/13/25.


To contact the reporter on this story: Kartikay Mehrotra at kmehrotra@bloombergindustry.com

To contact the editor responsible for this story: Adam Ramirez at aramirez@bloombergindustry.com
