FCC Proposes Stricter Telecom Breach Notification MeasuresMove Comes as Administration Officials Push for Broader Incident Reporting
The U.S. Federal Communications Commission is considering changes to breach notification requirements for telecommunication companies. FCC Chairwoman Jessica Rosenworcel confirmed in a statement this week that the agency is strengthening its rules for both customer and federal law enforcement notification of breaches involving customer proprietary network information.
The agency, which regulates communication across the U.S., says its update "would better align the commission's rules with recent developments in federal and state data breach laws covering other sectors."
The FCC's proposal, initiated through its formal rule-making process, would:
- Eliminate the current seven-business-day mandatory waiting period for notifying customers of a breach;
- Expand customer protections by requiring notification of inadvertent breaches;
- Require carriers to notify the commission of all reportable breaches, in addition to notifying the FBI and U.S. Secret Service.
Rosenworcel said in the statement on Wednesday: "Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected customers.
"Customers deserve to be protected against the increase in frequency, sophistication and scale of these data leaks, and the consequences that can last years after an exposure of personal information." Rosenworcel also said she will be "taking a fresh look" at the agency's reporting rules to "better protect consumers and increase security."
To some security experts, the FCC's proposal reflects the added pressure now on government agencies to act on cybersecurity measures.
"Carriers collect an enormous amount of information about their customers, much of it consisting of private and highly sensitive data, so ensuring that these businesses respond responsibly and rapidly to any data breach - intentional hack or inadvertent data leak - helps to create a better collective culture of data privacy and security, and incidentally nurtures public trust," says Trevor Morgan, a data security specialist with the firm comforte AG.
As part of its response to data breach concerns, the FCC said this week, it proposed rules in September 2021 targeting SIM swapping scams and port-out fraud.
In a September announcement, the FCC indicated it had begun the formal rule-making process to "confront subscriber identity module swapping scams and port-out fraud, both of which bad actors use to steal consumers' cellphone accounts without ever gaining physical control of a consumer's phone."
Officials wrote at the time: "Recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks." The proposal requires carriers to adopt secure methods of authenticating customers before redirecting phone numbers to a new device or carrier. It also proposes requiring "immediate notification" to customers whenever a SIM change or port request is made.
The agency also said this week that its notification update ensures the FCC and other federal law enforcement agencies "receive the information they need in a timely manner."
Its proposal seeks comment on whether it should require breach notices to include specific categories of information, and aims to "make consistent revisions."
Rosenworcel's move comes as mandatory cyber incident reporting remains a top legislative priority for the early part of 2022. Congress, which for months has focused on finalizing a reporting mandate for critical infrastructure providers, failed to advance a provision in the annual defense spending bill in late 2021 (see: Cyber Incident Reporting Mandate Excluded From Final NDAA).
Nevertheless, both Sen. Gary Peters, D-Mich., chairman of the Senate Homeland Security and Governmental Affairs Committee, along with Ranking Member Rob Portman, R-Ohio, have endeavored to pass related legislation in 2022 - recently indicating that they may embed it in another must-pass package.
It remains top of mind for CISA Director Jen Easterly, too. In a press conference this week, she said that having a law on the books for reliable incident reporting will be paramount to orchestrating the federal response to cyberthreats (see: CISA: Federal Response to Log4j Has Been 'Exceptional').
"It won't surprise you that we were all disappointed that the cyber incident reporting bill was not included in the NDAA," Easterly said on Monday. "We have continued to stress the urgency of passing that legislation.
"We are concerned that threat actors are going to start taking advantage of [Apache's Log4j vulnerability]. … And because there is no legislation in place, we will likely not know about it. It's important that our partners receive timely information about successful exploitations … after they are discovered, to enable us to really help victims to mitigate the effects and to stop the spread to additional victims."
FBI Seeks Reporting Data
As the Biden administration continues to push for a reporting mechanism - likely a 72-hour window for critical infrastructure operators to report a cyberattack and 24 hours if a ransom payment was made - officials at the FBI say the language should be adjusted so that they have a proper say.
Speaking at an event hosted by the think tank Silverado Policy Accelerator, FBI Cyber Division Assistant Director Bryan Vorndran said: "There seems to be a misunderstanding that the FBI specifically is looking for a dual seal program with the [reporting] legislation, meaning that companies would have to report to both CISA and the FBI, and that isn't true.
"What the Department of Justice and FBI are looking for is legislation that includes language about the FBI having real-time and unfiltered access to incident information that is reporting to CISA."
Vorndran said that could be attained by simply adding "a few words or a sentence" to proposed legislation.