The U.S. Federal Communications Commission has proposed a new rule for data breach reporting that would require telecommunications providers to notify consumers and agencies of any data breach immediately.
Under the proposed rule change, the existing seven-business-day rule for informing customers of a breach would be abolished. The new rule would require that all identified data breaches be reported to consumers, the FCC, the Federal Bureau of Investigation and the Secret Service as soon as they are identified, unless otherwise directed by federal officials.
According to NextGov, the proposal would also expand the FCC’s definition of a data breach “to include inadvertent access, use or disclosures of customer information.” Previously, a data breach only needed to be disclosed when an outside actor gained unauthorized access to sensitive information.
“We propose to revise our definition to define a breach as any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed [customer proprietary network information],” the Notice of Proposed Rulemaking states.
Having gained the unanimous support of the full commission, the proposed rule change now goes to a review period in which the FCC is seeking comments and will gather further information. In addition, the FCC is asking for comment on whether to require customer breach notices to include specific categories of information to help ensure they contain actionable information useful to the consumer.
“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” FCC Chairwoman Jessica Rosenworcel said in a statement. “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
While the proposal sounds positive in theory, security experts are concerned about its wording and about what it would cover.
“Whether the CIRCIA or the FCC’s newly proposed breach reporting rules, they are blurring the line between an ‘incident’ and a ‘breach,’” Sounil Yu, chief information security officer at cyber asset management company JupiterOne Inc., told SiliconANGLE. “A breach has specific legal meaning and obligations.”
Yu explains that incident handling and reporting have traditionally remained in the CISO’s realm of responsibility, and that many incidents result in no actual harm and do not constitute a material breach.
“However, if these rules lower that threshold and treat what was merely an ‘incident’ at the same level as a ‘breach’ in the eyes of the law, then legal teams may need to be involved in every incident going forward,” Yu added. “This can significantly hinder the progress of any incident investigation and encumber security teams with additional reporting requirements that do not meaningfully contribute to our collective situational awareness.”
Andrew Barratt, vice president at cybersecurity advisory services provider Coalfire Systems Inc., argues that the requirements “could make it very challenging for telecoms companies to provide meaningful responses to law enforcement and customers or potentially delay making a decision on formally categorizing a security event as a ‘data breach’.”