The Federal Communications Commission has initiated a proceeding to strengthen the Commission’s rules governing notification of breaches of customer proprietary network information to customers and federal law enforcement (CPNI). The Commission will consider how to effectively integrate its rules with latest events in federal and state data breach laws affecting other industries.
The new rule would abolish the current seven-day waiting period for carriers to notify customers of a breach and mandate that all breaches be reported to the FCC, FBI, and US Secret Service. Instead, unless otherwise instructed by authorities, telecoms would be required to report breaches to law enforcement as soon as they are discovered, as well as to consumers.
The law would also broaden the definition of a breach to include accidental exposure of customer information rather than just outside hacks.
The FCC also admitted in the proposal that the original breach reporting rules implemented in 2007 were too narrow, accounting only for breaches involving pretexting crimes, which involve impersonating someone in order to gain unauthorized access to secure data.
“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” said FCC Chairwoman Jessica Rosenworcel. “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
The sources for this piece include an article in TheRegister.