Regulator Eyes Revamped Data Breach Reporting RequirementsUpdate Would Be First Revision of Rules for Telecommunications Sector Since 2007
Citing the mounting severity of data breaches, the Federal Communications Commission on Friday initiated a rule-making process to update breach reporting requirements for telecommunications carriers.
The proposed updates to existing telecom breach reporting requirements would expand them to include disclosures such as Verizon's 2017 breach caused by a misconfigured cloud server, which affected 6 million customers. It would eliminate the current seven-day window for reporting breaches that applies to all but the smallest of carriers in favor of a standard directing them to report a breach "as soon as practicable" or within a 24-hour to 72-hour time frame.
The agency says it might be willing to forgo breach notifications if telecoms can reasonably determine that the incident won't result in any harm to customers - a "harm-based" standard for which the FCC says it seeks further comment. It also wants telecoms to send data breach reports to agency staff and not just the FBI and Secret Service as regulations now dictate.
The rule-making process "will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security and reduce the impact of future breaches," said FCC Chairwoman Jessica Rosenworcel. Last January, she previewed an update to the agency's data breach regulations, which were last revised in 2007.
All four members of the commission, which remains evenly divided between Democrats and Republicans, unanimously agreed to issue the notice of proposed rule-making.
The FCC's proposals arrive as major data breaches pose a continuing risk to consumers. In 2021, Florida-based Syniverse, which routes text messages for the world's top mobile carriers, revealed that it had suffered a five-year data breach.
The same year, T-Mobile suffered a data breach that affected 77 million individuals and led to more than 100 million company records being offered for sale on cybercrime forums, including such information as Social Security numbers, driver's license numbers, names, addresses, birthdates and security PINs. T-Mobile reached a $350 million agreement to settle the resulting class action lawsuit, which could be approved at a court hearing scheduled for Jan. 20.
The proposal's backdrop includes rising awareness in official Washington circles about the need for stronger consumer privacy protections that has yet to be matched with congressional consensus over the shape of a national privacy law. A 2021 staff report from the Federal Trade Commission concluded that internet service providers collect "significant amounts of consumer information" and that they combine data taken from different sources to create detailed pictures of web browsing history, viewing habits and location.
The FCC attempted during the last year of the Obama administration to impose strong privacy requirements on broadband providers by preventing them from selling customers' information without customers' express consent. A Republican-dominated Congress during the first months of the Trump administration overturned the rule amid a broader effort to undo the FCC's effort to more closely regulate ISPs, advanced under the agency's rubric of "net neutrality."
Democrats under the Biden administration vowed to revive net neutrality, so far without success. Without a third Democratic commissioner confirmed by the Senate, the FCC is unable to initiate a new net neutrality rule-making process that could result in new consumer privacy protections.
First Update Since 2007
The FCC's proceeding aims to update rules that were last refined in 2007. Changes implemented at that time included requiring telecommunications carriers, including Voice over Internet Protocol providers, to notify customers and federal law enforcement of any breaches of customer data.
The main driver of the 2007 data breach laws was "pretexting" - the practice of a third party obtaining customer data by pretending to be an authorized party to the data. At the time, some data brokers advertised their ability to sell information such as calls made or received from a particular telephone number. The 2007 rule required carriers to release that information only after obtaining a customer-created password.
With the new proceeding, the commission says it hopes to harmonize its rules with federal and state-level breach laws, which have evolved since 2007, but says the new rules would not preempt any other laws. The commission also wants to ensure all rules also apply to telecommunications relay services, which enable anyone with hearing or speech disabilities to place and receive telephone calls.
Progressive advocacy group Public Knowledge has praised the proposed rule. "While most people think about data privacy as an internet thing, our phones and phone information remain some of our most sensitive personal information," said Howard Feld, senior vice president.
President Joe Biden nominated Public Knowledge co-founder Gigi Sohn in October 2021 to fill the third Democratic seat on the FCC. Her confirmation has been bogged down by Republican opposition and a telecom lobbying campaign against Sohn, who's a well-known supporter of net neutrality.