Highlights:

  • The Federal Communications Commission has proposed a new rule that would compel telecommunications companies to quickly inform customers and government agencies of any data breach.
  • According to NextGov, the plan would also broaden the FCC’s definition of a data breach to encompass accidental access, use, or disclosure of consumer data.

The Federal Communications Commission (FCC) has proposed a new rule that would compel telecommunications companies to inform customers and government agencies immediately of any data breach.

Under the proposed regulation change published recently, the current seven business-day provisions for notifying consumers of a data breach would be eliminated. Unless otherwise instructed by federal officials, the new regulation will mandate that any detected data breaches be reported to customers, the FCC, the Federal Bureau of Investigation, and the Secret Service as soon as they are discovered.

According to NextGov, the plan would also broaden the FCC’s definition of a data breach to encompass accidental access, use, or disclosure of consumer data. Previously, a data breach only had to be reported when an external entity obtained unauthorized access to sensitive data.

The Notice of Proposed Rulemaking states, “We propose to revise our definition to define a breach as any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed [customer proprietary network information].”

Having received the unanimous backing of the whole commission, the proposed rule change will now undergo a review period during which the FCC will solicit feedback and collect further data. In addition, the FCC is requesting input on whether specified categories of information should be required to be included in customer breach notifications to ensure that they contain actionable information that is beneficial to the consumer.

FCC Chairwoman Jessica Rosenworcel said, “The law requires carriers to protect sensitive consumer information, but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements. This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”

Although the idea seems optimistic, security experts are concerned due to the proposal’s phrasing and scope.

Sounil Yu, a chief information security officer at cyber asset management company JupiterOne Inc., said, “Whether the CIRCIA or the FCC’s newly proposed breach reporting rules, they are blurring the line between an ‘incident’ and a ‘breach.’ A breach has specific legal meaning and obligations.”

Yu notes that incident handling and reporting have historically been within the purview of the CISO and that many occurrences do not result in actual damage and do not constitute a serious breach.

Yu further stated, “However, if these rules lower that threshold and treat what was merely an ‘incident’ at the same level as a ‘breach’ in the eyes of the law, then legal teams may need to be involved in every incident going forward. This can significantly hinder the progress of any incident investigation and encumber security teams with additional reporting requirements that do not meaningfully contribute to our collective situational awareness.”

Andrew Barratt, vice president of Coalfire Systems, Inc.’s cybersecurity advisory services, feels that the criteria are insufficient and “could make it very challenging for telecoms companies to provide meaningful responses to law enforcement and customers or potentially delay deciding on formally categorizing a security event as a ‘data breach’.”