FCC To Revamp Breach Reporting, Shorten Waiting Period

The Federal Communications Commission (FCC) is stepping up the pressure on telecom companies to immediately report breaches to law enforcement and consumers.

Until now, telecoms have been bound by a mandatory seven business day waiting period between notifying law enforcement of a breach and notifying affected customers. In the nearly 15 years since the commission set its reporting requirements, breaches have “increased in both frequency and severity in all industries.” In the telecommunications industry in particular, “the public has suffered an increasing number of security breaches of customer information,” the FCC said in a notice of proposed rulemaking, adding that the “time is ripe” to revamp its own breach notification rule.

“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” FCC chairwoman Jessica Rosenworcel said in a release. “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security and reduce the impact of future breaches.”

The action “comes as no surprise. Almost every agency has, or will update, the reporting times of cybersecurity incidents that include breaches and attacks. Similar actions have already been taken, including the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) legislation that was signed into law in March 2022,” which will require covered critical infrastructure entities to report covered cyber incidents to CISA within 72 hours, said Timothy Morris, chief security advisor at Tanium.

“The FCC announcement proposes that the current seven business day mandatory waiting period be eliminated. It doesn’t state what the new reporting requirement will be. While keeping users’ data secure is paramount, there is inconsistency among the current regulations,” said Morris.

“According to the announcement, the FCC is attempting to remedy that by aligning its rules with other federal and state data breach reporting laws that cover other sectors,” he said. “Every state, generally, already has data breach laws requiring public and private companies to notify consumers (and, in some cases, regulators of their state) of data leaks that contain personally identifiable information (PII),” said Morris. “However, the reporting timeframes vary. Most are between 30 and 45 days.”

The proposed changes to the FCC rules will put the commission in line with other federal agencies like the Federal Reserve, the FDIC and the SEC, which have compressed—or have proposed to compress—reporting wait periods.

Sounil Yu, CISO at JupiterOne, contended that the FCC, like CIRCIA, is “blurring the line between an ‘incident’ and a ‘breach.’” Yu pointed out that “a breach has specific legal meaning and obligations” and, as “discovered in U.S. versus Joe Sullivan, reporting may be best left to legal teams. Incident handling and reporting has traditionally remained in the CISO’s realm of responsibility, and many incidents result in no actual harm and do not constitute a material breach.”

If agency “rules lower that threshold and treat what was merely an ‘incident’ at the same level as a ‘breach’ in the eyes of the law, then legal teams may need to be involved in every incident going forward,” said Yu. “This can significantly hinder the progress of any incident investigation and encumber security teams with additional reporting requirements that do not meaningfully contribute to our collective situational awareness.”

Andrew Barratt, vice president at Coalfire, said the stricter requirements “could make it very challenging for telecom companies to provide meaningful responses to law enforcement and customers or potentially delay making a decision on whether to formally categorize a security event as a ‘data breach.’”

But that’s not the only challenge. “With inadvertent access, there is often a requirement for self-reporting down to an individual level. For this to be managed seriously, there needs to be a degree of acceptance that people make mistakes,” said Barratt. “Modeling the approach along the same lines as pilots and safety concerns might be a good approach—as long as a person acknowledges a mistake or ‘inadvertently accessing something’ quickly—they’re not personally censured.”

Although “telcos are often monster-sized organizations with lots of data and it’s important for them to be held accountable,” said Barratt, “it’s also important to recognize that this is often a somewhat huge endeavor due to aging and complex systems married with modern cloud adoption.”

Still, more stringent requirements are likely needed. “Unfortunately, many organizations still bumble their data breach notification and public communications about the incident,” said Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems. “This miscommunication has created additional unnecessary PR chaos and is mainly due to a lack of forensic-level detail on how data was accessed and by whom in a breach.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
