The US Federal Communications Commission (FCC) launched a proceeding to strengthen data breach notification laws for telecommunications companies to ensure faster reporting.
The FCC said it wants to “address telecommunications carriers’ breach notification requirements” by eliminating the seven-day mandatory waiting period before companies can notify customers of a breach. The FCC also introduced other proposals to harmonize federal telecommunications data breach notification rules with those of the states and other sectors.
The proposed amendments to the 15-year-old law passed unanimously on a 4-0 vote and will enter a 30-day comment period to gather public input.
Proposed changes to the federal data breach notification rules
The FCC has published a Notice of Proposed Rulemaking (NPRM) to begin the process of reviewing the rules for notifying customers and federal law enforcement of breaches involving customer proprietary network information (CPNI).
Initially, companies with 5,000 or more customers were supposed to report data breaches within seven business days, while telecoms must report data breaches affecting more than 5,000 customers within 30 days.
If the proposals become law, they will eliminate the waiting period, allowing customers to be notified immediately after telecommunications companies detect data breaches unless federal authorities advise otherwise. Additionally, telecommunication carriers must notify customers of all inadvertent breaches and disclose all reportable data breaches to the FCC, FBI, and US Secret Service.
The proposal will also redefine “data breaches” to include inadvertent data exposures, not just external hacks.
According to FCC’s Chairwoman Jessica Rosenworcel, data breach notification laws should adequately protect sensitive customer information in the face of increased frequency and sophistication of data breaches.
She warned that the current data breach notification laws were outdated in a world where carriers stored information that could identify people, their location, and the people they contact. Some states, such as California, have more modern data breach notification laws than the federal government.
“Every state, generally, already has data breach laws requiring public and private companies to notify consumers (and in some cases regulators of their state) of data leaks that contain personally identifiable information (PII). However, the reporting timeframes vary. Most are between 30-45 days,” said Sounil Yu, Chief Information Security Officer at JupiterOne.
Thus, the proposed changes will harmonize federal telecom notification regulations with state data breach laws covering other sectors. Other federal agencies have undertaken similar efforts to improve transparency in data breach reporting.
In March 2022, the Cybersecurity and Infrastructure Security Agency (CISA) passed similar laws requiring critical infrastructure agencies to report cyber intrusions and ransom payments.
If passed, the FCC’s notification rules would mirror CISA’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires reporting within 72 hours from when the organization reasonably believes the incident occurred.
“This comes as no surprise,” said Timothy Morris, Chief Security Advisor at Tanium, a Kirkland, Washington-based provider of converged endpoint management (XEM). “Almost every agency has, or will update, the reporting times of cyber security incidents that include breaches and attacks.”
Unresolved issues in the proposed data breach notification regulations
The proposed regulations still allow federal law enforcement agencies to prevent telecommunication companies from notifying customers for 30 days to avoid jeopardizing national security or ongoing investigations.
The FCC also asks whether a fixed reporting period should exist and whether smaller carriers should be allowed more time to report. Additionally, the FCC wants to know whether data breach notifications should include specific information, such as the nature of the leaked data, to help victims prevent identity theft.
Meanwhile, the FCC’s Chairwoman believes that updating the current data breach notification rules will reduce the impact of such data breaches.
“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches,” Rosenworcel said in a published statement.
While the proposed data breach notification laws are unlikely to stop the attacks, they will ensure that customers can respond to data breaches promptly and protect their accounts to reduce the impact of information exposures.
Roger Grimes, a data-driven defense evangelist at KnowBe4, believes that ambitious data reporting laws could be difficult to implement.
“This is all good news for consumers, but the requirement to immediately report could prove onerous,” Grimes said. “By requiring covered companies to have to report breaches right away, it’s going to make it more difficult for those companies to get all of the facts exactly right, right away.”
Grimes questioned if companies will be held responsible for the accuracy of the information if they report immediately before getting their facts right.
Yu also believes that FCC rules will introduce complications by reducing the reporting threshold and treating a “breach” like an “incident.”
“Whether the CIRCIA or the FCC’s newly proposed breach reporting rules, they are blurring the line between an ‘incident’ and a ‘breach,’” Yu said. “A breach has specific legal meaning and obligations. Furthermore, as we discovered in U.S. v. Joe Sullivan, breach reporting may be best left to legal teams to handle.”
Yu warns that lowering the threshold would require legal teams’ involvement in every incident and encumber security teams with additional reporting requirements without contributing meaningfully to the collective situational awareness.