FCC updates data breach rules, with consumers in mind
The Federal Communications Commission updated its data breach rules for the first time in 16 years Wednesday, expanding how a breach is defined and who to alert when there is one.
The FCC order, decided in a 3-2 party-line vote, will broaden the commission’s breach notification rules to include certain personally identifiable information belonging to customers that is held by telecommunications carriers and providers, according to a press release.
The new rule defines a breach as including “inadvertent access, use, or disclosure of customer information,” making an exception for cases where carriers’ and providers’ employees obtain the information in the course of doing their jobs and do not improperly use or disclose the information.
Customers will now receive notice of a breach within 30 days unless law enforcement asks for a delay, the press release said. Carriers and providers also will be required to alert the FCC of breaches in addition to their current responsibilities, which include contacting the FBI.
The FCC’s press release noted that carriers have access to reams of personal data, including telephone numbers called and mobile phone location data.
“This information could provide insights into medical conditions, religious beliefs, and other aspects of a person’s private life,” the release said.
The vote follows other new and controversial federal data breach reporting requirements from the Securities and Exchange Commission (SEC) and the Federal Trade Commission. The SEC rules, which have prompted significant industry and GOP backlash, take effect later this month.
Congressional Republicans also have opposed the FCC’s new rules shift. Sen. Ted Cruz (R-TX) wrote a letter criticizing the anticipated decision on Tuesday, saying the regulations would undermine a 2016 Congressional order squashing similar expanded FCC privacy restrictions.
A Cruz spokesperson declined to comment, instead supplying the letter, which said the FCC has “no authority” to ignore Congress’ 2016 order prohibiting the substance of the FCC’s Wednesday action.
“The FCC is defying clear and specific direction not to issue requirements that are substantially similar to parts of a rule disapproved by Congress,” said the letter, which was co-signed by three additional senators including Minority Leader Mitch McConnell (R-KY).
The letter called the similar, and overturned, 2016 FCC rules change a “jurisdictional power grab by issuing legally suspect privacy and data security rules that created asymmetric burdens for the broadband industry.”
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.