The Federal Communications Commission’s regulations requiring telecom companies to report breaches of customers’ personally identifiable information (PII) have survived a court challenge. 

A federal appeals court panel voted 2-1 on Wednesday against a petition from industry groups, who argued that the 2024 rules exceeded the FCC’s statutory authority. Under the regulations, telecom companies must report breaches involving 500 or more customers’ PII within seven business days.

The rules, approved in December 2023 and imposed in March 2024, represented the first update to the agency’s data breach reporting requirements in 16 years.

Previous regulations covered breaches of data such as call records or billing information — also known as customer proprietary network information” (CPNI) — but the update added PII such as Social Security numbers and email addresses.

Multiple trade associations had asked federal judges to block the new rules, and many of those cases were consolidated into the petition in the Ohio-based U.S. Court of Appeals for the Sixth Circuit. 

“We have determined that the FCC has the statutory authority to impose the 2024 data breach reporting rule on telecommunications carriers,” the majority judges said in their opinion. They also determined that the regulations did not violate the Congressional Review Act, which lawmakers had used to reject similar rules in 2017.

Several high-profile telecom company data breaches have led to settlements with the FCC in recent years.

T-Mobile agreed to pay $31.5 million and overhaul its cybersecurity practices after a series of incidents dating back to 2021. AT&T paid $13.3 million after a breach at one of its cloud vendors. And Verizon-owned TracFone settled for $16 million after the agency alleged the company had failed to safeguard customer data.