FCC proposes stricter data breach reporting rules
Following a series of hacks and data leaks at US telecom companies, the Federal Communications Commission has proposed today a series of changes to its data breach notification requirements.
FCC Chairwoman Jessica Rosenworcel, who published the proposed rules earlier today, said that the agency needs to update its existing reporting rules to "fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers," which often learn of breaches long after they have occurred.
"Customers deserve to be protected against the increase in
frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information," Rosenworcel said.
To achieve this, the FCC believes that by eliminating a seven-business-day waiting period that is granted to telecom companies before notifying customers of a breach is a good step to start. The direct consequence of removing this current waiting period will be that telecom companies can notify customers of a breach as soon as it happens—if they are in a capability of doing so and haven't been told by a law enforcement agency to wait until an investigation has been completed.
In addition, the FCC wants telecoms to be required to notify customers of inadvertent data leaks as well, and not only situations where a malicious and intentional act was involved. This means telecoms will have to notify customers of situations where they accidentally left personal data exposed online on unsecured servers, something that not all providers currently do.
Furthermore, the FCC wants telecommunications providers to notify its agency as well about any breach, and not just the FBI and the Secret Service.
The agency said that "the increasing frequency and severity of security breaches involving customer information can have lasting detrimental impacts on the economy and on consumers whose information has
been improperly exposed," and it feels that the proposed changes will help protect US consumers better than the current rules.
The proposal will be up for voting in a future meeting later this year, after a period of public consultation.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.