The US Federal Communications Commission (FCC) on January 12 proposed new rules on how telecom companies must notify customers and the government about a data breach.
In proposing the new rules, FCC Chairwoman Jessica Rosenworcel said:
“Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information. I look forward to having my colleagues join me in taking a fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
The proposed rules come in the aftermath of some high profile data breaches involving US telecom companies, specifically T-Mobile, which has suffered six data breaches in the last five years with the most recent breach taking place last month, and Syniverse, a company that routes billions of text messages of major US carriers.
What are the proposed rules?
The proposal outlines several updates to current FCC rules:
- No seven days waiting period to inform customers: FCC has proposed eliminating the current seven business day mandatory waiting period for notifying customers of a breach. Currently, telecom companies have seven days to inform the FBI and Secret Service of data breaches that leak customer proprietary network information (CPNI), after which they can notify customers.
- Inadvertent breaches must also be covered: The FCC has suggested expanding customer protections by requiring notification even in case of inadvertent breaches.
- FCC must be notified along with other law enforcement agencies: Carriers must also notify FCC of all reportable breaches in addition to the FBI and US Secret Service, the Commission proposed.
- Should specific categories of information be disclosed? FCC said that it is also seeking comments on whether customer breach notices should include specific categories of information to help provide actionable information useful to the consumer.
What is CPNI? The above-proposed rules concern data breaches that leak customer proprietary network information (CPNI), which FCC describes as “some of the most sensitive personal information that carriers and providers have about their customers as a result of their business relationship (e.g., phone numbers called; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting).”
Why the new rules? Although there already exists rules to “protect the privacy and security of sensitive customer information,” these “need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers,” FCC Chairwoman Jessica Rosenworcel said. The updates will also better align FCC’s rules with recent developments in federal and state data breach laws covering other sectors, the Commission said.
Also Read:
- Text Message Routing Company Syniverse’s Data Breach And Why It Matters, Briefly Explained
- T-Mobile Suffers Fifth Data Breach In Four Years As Hackers Get Away With Sensitive Data Of 100 Million Users: Report
- Hacker Group Infected 13 Telecom Companies With Malware, Flags US Cybersecurity Firm
- Finance Ministry Identifies Weak Link In CDSL That Put Sensitive Data Of Investors At Risk
Have something to add? Post your comment and gift someone a MediaNama subscription.
