
FCC plans strict overhaul of 15-year-old US data breach regulations

Telcos may no longer be able to use negligence as a defence for data breaches, as the FCC also seeks to speed up public notification of breaches

The Federal Communications Commission (FCC) has proposed an overhaul of 15-year-old legislation which could drastically shorten the amount of time telecoms firms have to report data breaches to customers and authorities.

Current rules require telcos to report breaches to the relevant authorities within a maximum of seven days of discovery; customers can then be notified as soon as possible after this period. The authorities that receive breach reports include the United States Secret Service (Secret Service) and the Federal Bureau of Investigation (FBI).

However, this rule may be eliminated and reporting guidance changed to "as soon as practicable".

At present, customers can only be notified after this seven-day period and in the absence of any Secret Service or FBI objection. In the proposal, the FCC also suggests that customers should be made aware of a data breach “without unreasonable delay”, unless law enforcement has requested otherwise.

The definition of 'breach' would also be expanded under the proposed changes to include "inadvertent access, use, or disclosures of customer information". Since 2007, the FCC has only considered data breaches that have come about as a result of intentional access to data without, or in excess of, authorisation.

If the proposals are adopted, this updated definition would bring companies that have suffered a breach as the result of negligence rather than a cyber attack into scope, and could motivate US telcos to protect customer data more carefully.

“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” said FCC Chairwoman Jessica Rosenworcel. 

“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”

The agency has sought comment on the published proposals for 30 days. Specific insight was requested for changes such as the timeframe for reporting, and a precise definition of when a firm has “reasonably determined” that a data breach has occurred.

It also seeks to determine whether the contents of data breach notifications are sufficient, or whether there is additional information that carriers could provide.

The FCC cited other legislation such as rules set out by the Cybersecurity and Infrastructure Security Agency (CISA) requiring critical infrastructure owners to report cyber attacks within 72 hours, as well as GDPR which requires data breaches to be reported in the same timeframe.


As part of the comment period, the FCC has also openly questioned whether a numerical threshold for the number of customers affected by a breach before it needs to be reported might be beneficial.

It noted that smaller incidents may not constitute coordinated attacks on consumer data, and that such a threshold could free up the resources of both telcos and regulators currently strained by over-reporting of small breaches.

Australia is one country that has felt the brunt of the increased frequency and sophistication of cyber attacks during the past year.

Data breaches at Australian telcos have dominated headlines in recent months. Optus' incident in October was one such major case which led to ‘systemic ID problems’ for 10 million customers.

December also saw Australia’s largest telco Telstra suffer a major data breach as the result of an IT error, following an attack on a third party in October that leaked the data of 30,000 former and current company employees.

Reacting to the increased targeting of telcos in the region, the Australian government has increased the maximum fine for a breach from AUD $2.2 million (£1.25 million) to AUD $50 million (£28.5 million), or the greater of the benefit obtained through the breach or 30% of company turnover over a specified period.
