FCC Proposes Stricter Regulations for Data Breach Disclosure 

The Federal Communications Commission (FCC) has proposed stricter requirements for companies to disclose data breaches.

According to the proposal, companies would be required to notify customers affected by inadvertent breaches, and the one-week waiting period before disclosure would be eliminated.

The updates would better align the FCCs rules with recent developments in federal and state data breach laws covering other sectors.    

Lisa Plaggemier, interim executive director of the National Cyber Security Alliance, explained the Biden administration—and government in general—have been making a lot of positive attempts to build more modern and effective cybersecurity protocols in the wake of last year’s news cycle dominated by several high-profile breaches.

“These new guidelines fall right in line with these overarching intentions, and similar measures will likely follow suit in the months and years to come,” she said. 

Unfortunately, last year’s hectic breach-centric news cycle laid bare just how fragmented the government’s oversight and reporting procedures are for the cybersecurity industry.

Moreover, Plaggemier said those constant reports highlighted how important it is for the public and private sector to rethink the way we collectively approach cybersecurity and report cybersecurity incidents.

FCC Addresses Breach Notification Requirements

The proposal outlines several updates to current FCC rules addressing telecommunications carriers’ breach notification requirements, including requiring carriers to notify the commission of all reportable breaches in addition to the FBI and U.S. Secret Service.

The FCC proposal also seeks comment on whether the commission should require customer breach notices to include specific categories of information to help ensure they contain actionable information useful to the consumer, and proposes to make consistent revisions to the commission’s telecommunications relay services (TRS) data breach reporting rule.  

“Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information,” FCC chairwoman Jessica Rosenworcel said in a statement. “But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers.”

Plaggemier predicted a lot of attention would likely be paid to the “inadvertent breach” reporting requirement; however, arguably the most important impacts of this proposed framework pertain to what it could mean for intra-governmental collaboration.

“Cybersecurity threats can have far-reaching impacts and, therefore, collaboration between all impacted stakeholders is essential if we are going to tackle cybersecurity issues as well as possible,” she said. “And these requirements lay the groundwork for that collaboration to take place between the FCC and other oversight bodies.”

Cybersecurity Collaboration is Essential

Plaggemier added the importance of collaboration in cybersecurity really cannot be understated.

“Whether it comes from opening up more lines of communication between governmental departments or from striking new public-private partnerships, the cybersecurity industry needs to make fostering cooperation a priority in the year ahead,” she said. “So, any sort of action that can create this environment will be hugely beneficial.”

Rosenworcel added that customers deserve to be protected against the increase in frequency, sophistication and scale of these data leaks, and the long-lasting consequences of exposure of personal information.

“I look forward to having my colleagues join me in taking a fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches,” she said. 

The increasing frequency and severity of security breaches involving customer information can have lasting detrimental impacts on the economy and on consumers whose information has been improperly exposed. Sometimes, these negative impacts can last years and impact consumers’ credit, among other things.

To reduce the risk of this harm, in September 2021 the FCC also proposed rules targeting SIM swapping scams and port-out fraud.  

The FCC said it plans to move quickly to require mobile companies to adopt more secure methods of authenticating customers before redirecting their phone number to a new device or carrier.

 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 243 posts and counting.See all posts by nathan-eddy