The proposal moved by FCC Chairwoman Jessica Rosenworcel comes in light of recent data breaches and seeks to overhaul the current rules given the increased frequency, sophistication, and scale of the data leaks.

“The FCC’s new proposals are a step in the right direction,” Jack Chapman, VP of Threat Intelligence with security vendor Egress, told Lifewire over email. “[They’ll] strengthen protection for data subjects and improve transparency between carriers, consumers, and the regulator itself, which should help to support the rights of data subjects in the current threat landscape.”

Evolving Threat Landscape

According to the FCC’s press release, the proposed updates aim to bring the rules that govern the telecommunication industry on par with laws governing the other sectors.

“Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers,” noted Rosenworcel in the proposal. Chapman agrees, saying the updates address the reality that the telecom industry is being targeted by a “tidal wave of sophisticated cyberattacks,” citing the example of T-Mobile, which recently suffered a breach that exposed the data of over 50 million of its customers.

The FCC’s proposal outlines three significant updates to the current breach notification rules. The first seeks to eliminate the mandatory requirement of the seven-day waiting period for notifying customers of a breach. Arguing for removing the waiting period, Rosenworcel said customers need to be protected against data leaks whose consequences can last years after the initial exposure.

Seeing merit in the move, Chapman said that if customers are made aware of a breach immediately rather than over a week later, they can be more vigilant to follow-up attacks, such as phishing and vishing. He believes this is critical and could help users protect themselves against attacks that could lead to users losing more data. “By eliminating the seven-day waiting period for carriers to notify customers of a data breach, the FCC is putting power back in the hands of the people, helping them to take steps to protect themselves if their data has been breached,” opined Chapman.

Determining Guilt

The FCC also wants to expand the scope of customer protection by forcing companies to share details about “inadvertent breaches” as well.

Calling the move a “welcome step,” Chapman told Lifewire that inadvertent breaches could be just as serious as cyberattacks. He argued that once the damage is done, it makes little difference to users whether their information was stolen via a network hack or from an insecure server.

The third change the FCC proposed calls upon the affected telecommunications company to notify the individuals and the FCC, the FBI, and the US Secret Service. Again, Chapman sees merit in the move and reasons that roping in the other federal agencies could provide longer-term benefit to consumers by strengthening the regulatory response to breaches. He said the measure would ensure that the regulator can respond more swiftly and effectively and help ensure organizations at fault are properly reprimanded.

“Carriers collect an enormous amount of information about their customers, much of it consisting of private and highly sensitive data,” Trevor J. Morgan, product manager with data security specialists comforte AG, told Lifewire over email. “Ensuring that these businesses respond responsibly and rapidly to any data breach—intentional hack or inadvertent data leak—helps to create a better collective culture of data privacy and security, and incidentally nurtures public trust.”