Unanimous FCC Agrees to Seek Comment on Data Breach Reporting Rules
The FCC is seeking comment on revised rules for carriers to report data breaches. The NPRM, released Friday and approved 4-0 last month, proposes eliminating the “outdated” seven-business-day mandatory waiting period before notifying customers of a breach and requiring the reporting of inadvertent but harmful breaches to the FCC, FBI and Secret Service.
The NPRM follows several high-profile data breaches, most recently a 2021 T-Mobile breach that included information from about 7.8 million postpaid customer accounts and the records of more than 40 million former or prospective customers (see 2108180062). The NPRM also mentions a 2015 AT&T breach and a 2017 Verizon breach. Comment deadlines will be set in a Federal Register notice.
“Our mobile phones are in our palms, pockets, and purses,” said Chairwoman Jessica Rosenworcel: “We rarely go anywhere without them ... But this always-on connectivity means that our carriers have access to a treasure trove of data about who we are, where we have traveled, and who we have talked to.”
It’s “vitally important that this deeply personal data does not fall into the wrong hands,” but the FCC’s rules for protecting data are more than 15 years old, Rosenworcel said: “We also seek comment on how our breach reporting obligations can work alongside those forthcoming from the Cybersecurity and Infrastructure Security Agency under the Cyber Incident Reporting for Critical Infrastructure Act.” Only Rosenworcel released a statement.
“It will be very helpful for consumers -- and for the carriers -- to have carrier obligations spelled out more clearly and to have the notification to customers take place more quickly,” emailed Public Knowledge Senior Vice President Harold Feld. “It is no longer 2007, and these days consumers need to move as quickly as possible to protect themselves after a data breach,” he said. Data thieves are “highly sophisticated” and can potentially use customer proprietary network information (CPNI) “combined with other data to steal money or otherwise leverage the information,” Feld said: “Waiting an entire week before informing customers that their data has been compromised, and what data has been compromised, exposes people to all kinds of risks.”
Feld also welcomed the 4-0 vote, noting privacy was always a bipartisan issue until recent years. “Few people remember … it was Republican [Chairman] Kevin Martin who established the initial data breach disclosure rules, and that Martin did so well before data breach notification was a widely accepted practice,” he said.
“Under both Republican and Democratic chairs, the FCC has moved more into the cyber and privacy protection space,” said a former senior FCC official: “In recent years that has been through enforcement, so it’s not surprising that the commission would want to examine updating its rules. The dynamics surrounding cybersecurity and privacy change every day for consumers.”
Free Press welcomes the NPRM, emailed Vice President-Policy Matt Wood: “We’ve also supported a comprehensive privacy law update in Congress. But however that develops in the brand new Congress, there is every reason for the FCC to fulfill its mandate by updating its protections against telecom carriers’ privacy breaches.” The group hopes “the FCC can follow through on adopting and then enforcing good rules,” but “without Gigi Sohn and a fully functioning majority, the Republican commissioners have been able to drag their feet and prevent the agency from collecting the hundreds of millions of dollars in privacy penalties that the FCC levied against carriers on a bipartisan basis nearly three years ago,” he said. President Joe Biden renominated Sohn to the commission Tuesday.
Not a Surprise
The NPRM’s release wasn’t a surprise, with experts predicting further action by the FCC (see 2209090028). Questions remain whether the proposed changes will protect consumers, some experts said.
Many state data breach laws require notification within 30, 45 or 60 days, compared with the FCC’s seven days, noted Daniel Castro, director of the Center for Data Innovation’s Information Technology and Innovation Foundation. “When it comes to learning about security risks, timeliness is essential,” Castro said: “But any notification requirement needs to be realistic too. There’s often uncertainty when data breaches are discovered. It takes time to sort through logs and determine what occurred and who is affected. It takes time to contain a data breach and respond to the incident. And it takes time to determine how to best communicate the findings to customers.”
The FCC should avoid setting rules “that could serve as a distraction to carriers who are victims of cyberattacks,” Castro said. “They should avoid a reporting deadline that could force carriers to share incomplete or confusing information with customers.” Castro said a shorter deadline, such as three or five business days, may make sense, but carriers do need some time.
Said Digital Progress Institute President Joel Thayer: “It’s important to refresh the record on these issues, but my feeling is that it won’t really solve the problem of preventing or limiting the harm from a breach given that the prime culprits for data breaches occur on the edge as opposed to network operators.” “Depending on how the commission ultimately shapes the rule, it could run the risk of causing more friction with the FTC, which also has jurisdiction over the same entities and subject matter.” Data breaches also can be difficult to detect, Thayer said: “The FCC’s current rules are fairly vague, and this proceeding may serve as a great way for the commission to provide meaningful updates and guidance on how best to move forward on these important issues that affect so many consumers.”
“We propose to expand the Commission’s definition of ‘breach’ to include inadvertent access, use, or disclosures of customer information and seek comment on our proposal,” the NPRM says: “The intervening years since the adoption of our existing rule have demonstrated that the inadvertent exposure of customer information can result in the loss and misuse of sensitive information by scammers and phishers, and trigger a need to inform the affected individuals so that they can take appropriate steps to protect themselves and their information.”
“Is there an alternative timeframe we should adopt for reporting CPNI breaches to the Commission and other federal law enforcement such as 24 hours or 72 hours as has been proposed in other contexts, or should we consider adopting a graduated timeframe?” the NPRM asks.