Breach Notification , Governance & Risk Management , Privacy

FCC Approves Major Updates to Data Breach Notification Rules

New FCC Disclosure Rules Cover All Personal Information of Telecom Customers
FCC Approves Major Updates to Data Breach Notification Rules
Image: Shutterstock

The U.S. Federal Communications Commission voted Wednesday along party lines to update 16-year-old privacy protection rules and expand breach notification requirements as part of an effort to provide law enforcement and the public with real-time information about harmful data breaches.

See Also: The Present and Future of Security Operations

The new rule expands the scope of the FCC's breach notification requirements to cover all personal identifiable information that carriers and telecommunications relay service providers maintain on their customers. Those organizations will be tasked with providing individual, per-breach notifications "no later than seven business days after reasonable determination of a breach" affecting 500 or more customers, according to the guidelines.

The three Democrats on the commission voted for the measure, and the two Republicans dissented.

In approving the updated rules, outlined in a report and order, the agency said data breaches have only grown in frequency and severity over the past two decades.

The FCC first circulated a public draft of the revised breach notification rules in November and eliminated certain requirements from its updated rules, including notifying customers of breaches in instances so long as the telecom can reasonably determine that no harm to customers is likely to occur. Also, organizations are no longer required to file annual summaries of breaches affecting fewer than 500 customers in which no harm is likely to occur.

The updated data breach notification rules garnered swift praise from the think tank Public Knowledge, which said that the rule "will require carriers to treat customer data with the care it deserves and will allow the FCC to punish carriers that fail to take their responsibility to protect customer data seriously or who skimp on precautions to inflate their bottom line."

The group pointed out that broadband providers are exempt from the new rule - a result of the FCC's 2017 revocation during the Trump administration of net neutrality, limiting its regulatory power over telecom offerings classified as "information services." The agency on Oct. 19 initiated a notice of proposed rule-making that would reestablish authority over broadband providers.

The FCC first adopted its breach notification rules in 2007 to protect Americans from fraud through "pretexting," which is when criminals use social engineering techniques to obtain sensitive information from victims, such as passwords, Social Security numbers or financial information. The FCC attempted to include updated protections for broadband internet access service providers in 2016, but Congress nullified those revisions a year later under a statute that allows lawmakers to overturn agency regulation.


About the Author

Chris Riotta

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.