FCC Proposes Stronger Rules for Reporting Data Breaches
Last week, the FCC announced it was looking to strengthen their rules regarding the reporting of data breaches from telecommunications companies such as providers of phone service, both cell and landline, and related services.
According to the Notice of Proposed Rulemaking issued by the FCC, a rule was instituted in 2007 requiring service providers notify customers and federal law enforcement about data breaches involving customer information. The FCC is now looking to update their rule to be on par with federal and state laws on data breaches.
Here's an synopsis of things as they stand currently. Under the current FCC breach notification rule:
1. A provider must notify the Secret Service and FBI of a breach within seven business days.
2. Seven business days after notifying both agencies, the provider may inform customers or go public about the breach, provided the Secret Service or FBI don't ask them to postpone disclosure. NOTE: They don't have to disclose the breach at this point, it's just the earliest point where it can be done.
3. A provider may immediately disclose the breach to their customers or the public if the investigating agency agrees and "only if the carrier believes that there is an extraordinarily urgent need to notify a customer or class of customers in order to avoid immediate and irreparable harm."
If I'm reading the Notice correctly, Internet providers aren't currently subject to the breach notification rule. ISPs were classified as telecommunication providers in 2015. In 2016, the FCC tried to revise the rule to include ISPs, but Congress nullified the revisions in 2017.
The Notice also includes the proposed new language for the revision.
Obviously, there's a lot more to it than this, but I wanted to highlight the parts you'll probably find the most important. I highly encourage you to read the Notice for yourself and make your own conclusions. Seriously, don't just take my word for it. I'm far from an expert on the subject, I freely admit I could have misunderstood something.