The FCC’s updated reporting requirements mean telcos in America will have just seven days to officially disclose that a criminal has broken into their systems.
After releasing a proposed rule in early January and giving the industry 30 days to respond, the FCC’s final rule was published today. It solidifies what the agency proposed a little more than a month ago, and what was teased in early 2022 when FCC chairwoman Jessica Rosenworcel drafted initial changes to the commission’s 16-year old security “breach” reporting duties.
Along with requiring that attacks are reported to the FCC within seven days of a telco discovering them, the same deadline now exists to report any data leaks to the FBI and US Secret Service as well. As the FCC planned, the new rule also eliminates the mandatory seven-day waiting period for reporting break-ins to consumers.
The FCC now “requires carriers to notify customers of breaches of covered data without unreasonable delay … and in no case more than 30 days following reasonable determination of a breach.”
“Reasonable determination” of a data blurt is further defined as “when the carrier has information indicating that it is more likely than not that there was a breach” and “does not mean reaching a conclusion regarding every fact surrounding a data security incident that may constitute a breach.”
In other words, if customers are affected then they had better be notified post-haste.
The FCC has additionally extended the scope of data exposure types that telecom customers must be notified of. Prior to the passage of the new rule customers only had to be told if Customer proprietary network information (CPNI) was exposed to the world.
CPNI, for those unfamiliar, is all the data a cellular carrier retains about phone calls and service agreements – i.e., the data that appears on a bill. Personal identifiable information (PII) wasn’t included in previous reporting requirements, meaning carriers whose customer records were exposed, didn’t have to tell customers if CPNI wasn’t accessed.
“Without an FCC rule requiring breach notifications for the above categories of PII, there would be no requirement in Federal law that telecommunications carriers report non-CPNI breaches to their customers,” the FCC said of the new rule.
Starting now, names, government ID numbers, data used for authentication purposes, email addresses/passwords and biometric data is all included in the FCC’s reporting requirements. Dissociated data, if linkable to an individual using other data criminals accessed during a break-in, has to be reported as well.
The new rules add an exception for customer notifications as well. If a carrier can “determine that no harm to customers is reasonably likely to occur,” then it doesn’t have to inform subscribers of the incident.
Along with increased reporting rules for the content of data leaks, the new rule also expands the FCC’s definition of “breach” to include “inadvertent access, use or disclosure of customer information.”
Inadvertent, much like the exposure of 63k employee records Verizon reported last week.
Luckily for Verizon it won’t have to worry about falling foul of the new rules, which don’t go into effect until March 13.
Telecom relay service providers, which provide assistance for hearing-impaired phone users, will be covered under the new rule as well.
Here a breach, there a breach, everywhere a breach report
The FCC’s updated directive is the latest in a string of federal agency breach reporting requirements, with rules passed by the FTC and SEC set to go into effect later this year, and federal contractors getting their own set of newly-proposed IT security breach reporting rules too.
As has been the case with those other rules, the FCC’s requirements, when formally proposed last month, ran up against opposition.
Per the FCC, the Cellular Telecommunications Industry Association raised an objection on several grounds, including that the FCC rule would create a system of dual jurisdiction between the FCC and FTC once the latter’s rule goes into effect.
As has been the case with objections raised to the wide and varying data leak reporting requirements now enacted by the US federal government, the FCC said it finds industry objections “unpersuasive.”
Congress has even raised objections to some of the new reporting rules, with bills introduced in the House and Senate to overturn the SEC’s four-day reporting deadline for data break-ins that could have a “material” effect on a company’s finances and, by extension, its investors.
The feds were generally dismissive of the complaints, with the Biden administration saying it would veto any attempts to undo the SEC’s reporting rules.
Industry figures, and congressional representatives, have pointed to the Cybersecurity and Infrastructure Security Agency’s forthcoming rules for security breach requirements as a potential inter-agency standard. It’s not clear whether CISA’s rules, a draft of which is expected to be published next month, will harmonize standards or otherwise eliminate the need for companies covered under multiple rules to make multiple reports. ®