FCC Requires Telcos To Disclose When Your Personal Info Is Stolen
Starting today, telcos in America will need to disclose system break-ins within seven days. "[T]he same deadline now exists to report any data leaks to the FBI and US Secret Service as well," adds The Register. From the report: After releasing a proposed rule in early January and giving the industry 30 days to respond, the FCC's final rule was published today. It solidifies what the agency proposed a little more than a month ago, and what was teased in early 2022 when FCC chairwoman Jessica Rosenworcel drafted initial changes to the commission's 16-year-old security "breach" reporting duties.
Along with requiring that attacks are reported to the FCC within seven days of a telco discovering them, the same deadline now exists to report any data leaks to the FBI and US Secret Service as well. As the FCC planned, the new rule also eliminates the mandatory seven-day waiting period for reporting break-ins to consumers. The FCC now "requires carriers to notify customers of breaches of covered data without unreasonable delay ... and in no case more than 30 days following reasonable determination of a breach."
"Reasonable determination" of a data blurt is further defined as "when the carrier has information indicating that it is more likely than not that there was a breach" and "does not mean reaching a conclusion regarding every fact surrounding a data security incident that may constitute a breach." In other words, if customers are affected then they had better be notified post-haste. The FCC has additionally extended the scope of data exposure types that telecom customers must be notified of. Prior to the passage of the new rule customers only had to be told if Customer proprietary network information (CPNI) was exposed to the world.
But if your ISP sells your browsing history... (Score:5, Insightful)
Why just telcos? (Score:5, Interesting)
Wrong threat model (Score:3)
Are they going to disclose when they are sending my call record data to the NSA? No, of course not, but they're doing it anyway.
Re: (Score:3)
When they use that data to obtain convictions, they produce a falsified chain of evidence leading to the conviction. It's called parallel construction [wikipedia.org]. So you can't point to it, because they've been hiding it.
When ... (Score:2)
1996. That's when Congress passed a law [wikipedia.org] allowing telcos to take over, buy and sell our call metadata.
Re: (Score:2)
They were very explicit in using the word "inadvertent" in the text of the new rules. "I meant to do that" is a complete exclusion from the new rules.
Notifications are for amateurs (Score:3)
Re: (Score:2)
Indeed. And put an automatic $500 compensation in place for each person hit, unless they can demonstrate higher damage. In that case, make the compensation 3x the damage done. That would put an end to cheap, ineffective IT security where the customer bears the damage.
Note well the reporting aspect (Score:4, Interesting)
Starting today, telcos in America will need to disclose system break-ins within seven days. "[T]he same deadline now exists to report any data leaks to the FBI and US Secret Service as well," adds The Register.
So the FBI and SS get a heads up, but not the general public. Which, I would argue, should be required within 60 days unless given authorization by both the FBI and SS to maintain a moratorium. Further, it should apply to anyone at all that has PII on others besides themselves, their family, or their legal wards below ten in number. Any more than ten, they need to report. (I'm thinking states maintain a large number of wards, orphans and the insane for example. They need to be accountable.)
Are there others that occurred that we don't know about? I couldn't say. How many cases of fraud and loss have people suffered because they were victims, but that the banks or institutions involved were allowed or required to keep silent?
How pathetic (Score:1)
The EU is currently making this mandatory and with much shorter deadlines for any enterprise with some criticality to society as part of the KRITIS initiative. Disclosure is already mandatory via the GDPR, but with more time to do it. It is vitally important in capitalism to have actual data on the performance of any service or goods providers or the market fails to regulate things.
New Notification (Score:2)
We regret to inform you that your personal info has once again been stolen during the last 29 days.
All of your data was compromised, and we are working hard to ensure the next notification 29 days from now will not be sent out.
This mandatory notification has been sent as per the FCC mandates.
Regards, $TELCO.
They'll just pay the fine (Score:2)
Telcos are, if anything, always willing to waste customer money paying fines instead of playing by rules, so expect the next discovered breach to be reported a few months after it happens as said telco looks for a big news story to try to hide the event under.