FCC Updates Data Breach Notification Rules

The FCC voted 3-2 on Wednesday to expand its 16-year-old data breach notification rules. The point is for carriers to better protect sensitive customer information. The action would also enable customers to protect themselves if their data is compromised.

The Commission’s existing breach notification rules provide protections against the risk of improper access, use, or disclosure of customer data, helping to ensure that carriers are held accountable when breaches occur, and that they provide customers with adequate and timely notice. However, with the increase in frequency and severity of data breaches over recent years, officials feel these rules need to be updated. 

FCC Chairwoman Jessica Rosenworcel said a lot has changed in the 16 years since the data breach notification rules went into effect. She said the rules “remain stuck in the analog age.”

“Find a consumer with a phone anywhere and they would tell you every one of these changes make sense,” said Rosenworcel. “Our phones now know so much about where we go and who we are, we need rules on the books that make sure carriers keep our information safe and cybersecure.”

GOP Commissioners Brendan Carr and Nathan Simington dissented from the Democratic majority, saying the new rules basically mimic changes adopted in 2016 that were nullified by Congress and the president. Carr called that “a rare rebuke of an agency action.” The new version “plainly violates the law,” he asserted.

CTIA agreed with Carr and Simington. “The wireless industry prioritizes protecting consumers’ data and is supportive of providing timely notifications of data breaches to consumers and regulators. We also support updates to the FCC’s existing data breach reporting requirements,” the association said. 

However, CTIA explained, “Unfortunately, the action taken by the FCC today goes beyond the bounds of the Commission’s authority and is not harmonized with other reporting approaches. The overbreadth of these rules will also present operational challenges for wireless providers while doing little to enhance consumer protection.”

The updates widen the scope of the Commission’s breach notification rules to cover certain personally identifiable information that carriers and telecommunications relay services (TRS) providers hold concerning their customers. They expand the definition of “breach” to include inadvertent access, use, or disclosure of customer information. An exception would be in cases where such information is acquired in good faith by an employee or agent of a carrier or TRS provider and isn’t used improperly or further disclosed. 

The Report and Order requires carriers and TRS providers to notify the Commission of data breaches, in addition to their current obligation to notify the U.S. Secret Service and FBI. The action eliminates the requirement to notify customers of a breach in instances where a carrier or TRS provider can reasonably determine that no harm to customers is likely to occur due to the breach. They also no longer need to notify customers when the breach solely involves encrypted data and the carrier has evidence that the encryption key was not accessed, used, or disclosed. 

The new rules eliminate the mandatory waiting period for carriers and TRS providers to notify customers. Instead, they require carriers and TRS providers to notify customers of breaches of covered data without unreasonable delay after notification to the Commission and law enforcement agencies, and in no case more than 30 days after discovery of a breach, unless law enforcement asks for a delay.

By Leslie Stimson, Inside Towers Washington Bureau Chief