FCC plans strict overhaul of 15-year-old US data breach regulations


The Federal Communications Commission (FCC) has proposed an overhaul of 15-year-old legislation which could drastically shorten the amount of time telecoms firms have to report data breaches to customers and authorities.

Current laws require telcos to report breaches within a maximum of seven days after discovery to the relevant authorities, and customers can be notified as soon as possible after this period. Authorities that receive the breach reports include the United States Secret Service (Secret Service) and the Federal Bureau of Investigation (FBI).

However, this rule may be eliminated and reporting guidance changed to "as soon as practicable".

At present, customers can only be notified after this seven-day period and in the absence of any Secret Service or FBI objection. In the proposal, the FCC also suggests that customers should be made aware of a data breach “without unreasonable delay”, unless law enforcement has requested otherwise.

The definition of 'breach' would also be expanded under the proposed changes, to include “inadvertent access, use, or disclosures of customer information”. Since 2007, the FCC has only considered data breaches that have come about as a result of intentional access to data without or exceeding authorisation.

If the proposals are passed, this updated definition would impact companies who have suffered a breach as the result of negligence rather than a cyber attack, pulling them into scope, and could motivate US telcos to protect customer data more judiciously.

“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” said FCC Chairwoman Jessica Rosenworcel.

“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”

The agency has sought comment on the published proposals for 30 days. Specific insight was requested for changes such as the timeframe for reporting, and a precise definition of when a firm has “reasonably determined” that a data breach has occurred.

It also seeks to determine whether the contents of data breach notifications are sufficient, or whether there is additional information that carriers could provide.

The FCC cited other legislation, such as rules set out by the Cybersecurity and Infrastructure Security Agency (CISA) requiring critical infrastructure owners to report cyber attacks within 72 hours, as well as GDPR, which requires data breaches to be reported in the same timeframe.




As part of the comment period, the FCC has also openly questioned whether a numerical threshold for the number of customers affected by a breach before it needs to be reported might be beneficial.

It noted that smaller incidents may not constitute coordinated attacks on consumer data, and that such a threshold could free up the resources of both telcos and regulators currently strained by over-reporting of small breaches.

Australia is one country which has felt the brunt of the increased frequency and sophistication in cyber attacks during the past year.

Data breaches at Australian telcos have dominated headlines in recent months. Optus' incident in October was one such major case which led to ‘systemic ID problems’ for 10 million customers.

December also saw Australia’s largest telco Telstra suffer a major data breach as the result of an IT error, following an attack on a third party in October that leaked the data of 30,000 former and current company employees.

Reacting to the increased targeting of telcos in the region, the Australian government has increased the maximum fine for a breach from $2.2 million (£1.25 million) to $50 million (AUD) (£28.5 million), or the greater of the benefits obtained through the breach or 30% of company turnover across a specific period.

Rory Bathgate
Features and Multimedia Editor
