After a brief period of consultation late last year, the FCC has voted unanimously to launch proceedings to change the way customer data breaches are reported in the United States.
Chief among the proposed changes is removing the mandatory seven-day waiting period before telcos are required to contact their customers.
“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” said Jessica Rosenworcel, Federal Communications Commission (FCC) chairwoman, in an announcement.
The FCC is proposing to make a raft of other changes to the reporting of what it calls customer proprietary network information, or CPNI. The Notice of Proposed Rulemaking is looking at seven areas of reporting it wishes to update, including what exactly defines a breach, how customers are notified, and to whom breaches are reported to.
Previously, the FCC only considered breaches that revolve around purposeful, unauthorised access to data. The new proposal now seeks to include “inadvertent access, use, or disclosures of customer information”.
“We anticipate that requiring notification for accidental breaches will encourage telecommunications carriers to adopt stronger data security practices and will help us identify and confront systemic network vulnerabilities,” The Notice adds.
The proposal also looks to define breaches by the harm they may cause to victims and what impact more specific reporting might have for consumers. The FCC also proposes making reporting to the FBI and US Secret Service a part of mandatory reporting.
“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches,” Rosenworcel said.
