Security

FCC Requires Telcos To Disclose When Your Personal Info Is Stolen

Starting today, telcos in America will need to disclose system break-ins within seven days. "[T]he same deadline now exists to report any data leaks to the FBI and US Secret Service as well," adds The Register. From the report: After releasing a proposed rule in early January and giving the industry 30 days to respond, the FCC's final rule was published today. It solidifies what the agency proposed a little more than a month ago, and what was teased in early 2022 when FCC chairwoman Jessica Rosenworcel drafted initial changes to the commission's 16-year-old security "breach" reporting duties.

Along with requiring that attacks are reported to the FCC within seven days of a telco discovering them, the same deadline now exists to report any data leaks to the FBI and US Secret Service as well. As the FCC planned, the new rule also eliminates the mandatory seven-day waiting period for reporting break-ins to consumers. The FCC now "requires carriers to notify customers of breaches of covered data without unreasonable delay ... and in no case more than 30 days following reasonable determination of a breach."

"Reasonable determination" of a data blurt is further defined as "when the carrier has information indicating that it is more likely than not that there was a breach" and "does not mean reaching a conclusion regarding every fact surrounding a data security incident that may constitute a breach." In other words, if customers are affected then they had better be notified post-haste. The FCC has additionally extended the scope of data exposure types that telecom customers must be notified of. Prior to the passage of the new rule customers only had to be told if Customer proprietary network information (CPNI) was exposed to the world.
  • by Rujiel ( 1632063 ) on Monday February 12, 2024 @06:37PM (#64235348)
    be it to the govt or advertisers... that's still totally chill
  • Why just telcos? (Score:5, Interesting)

    by fph il quozientatore ( 971015 ) on Monday February 12, 2024 @06:38PM (#64235352)
    Why just them? Almost every firm stores personal data, and all breaches seem equally dangerous.
  • by russotto ( 537200 ) on Monday February 12, 2024 @06:47PM (#64235364) Journal

    Are they going to disclose when they are sending my call record data to the NSA? No, of course not, but they're doing it anyway.

  • ... your personal information is stolen.

    1996. That's when Congress passed a law [wikipedia.org] allowing telcos to take over, buy and sell our call metadata.

    • They were very explicit in using the word "inadvertent" in the text of the new rules. "I meant to do that" is a complete exclusion from the new rules.

  • by kmoser ( 1469707 ) on Monday February 12, 2024 @07:41PM (#64235428)
    They should get fined, with the amount going up significantly with each subsequent breach.
    • by gweihir ( 88907 )

      Indeed. And put an automatic $500 compensation in place for each person hit, unless they can demonstrate higher damage. In that case, make the compensation 3x the damage done. That would put an end to cheap, ineffective IT security where the customer bears the damage.

  • by buss_error ( 142273 ) on Monday February 12, 2024 @07:57PM (#64235456) Homepage Journal

    Starting today, telcos in America will need to disclose system break-ins within seven days. "[T]he same deadline now exists to report any data leaks to the FBI and US Secret Service as well," adds The Register.

    So the FBI and SS get a heads up, but not the general public. Which, I would argue, should be required within 60 days unless given authorization by both the FBI and SS to maintain a moratorium. Further, it should apply to anyone at all that has PII on others besides themselves, their family, or their legal wards below ten in number. Any more than ten, they need to report. (I'm thinking states maintain a large number of wards, orphans and the insane for example. They need to be accountable.)

    Are there others that occurred that we don't know about? I couldn't say. How many cases of fraud and loss have people suffered because they were victims, but that the banks or institutions involved were allowed or required to keep silent?

  • The EU is currently making this mandatory and with much shorter deadlines for any enterprise with some criticality to society as part of the KRITIS initiative. Disclosure is already mandatory via the GDPR, but with more time to do it. It is vitally important in capitalism to have actual data on the performance of any service or goods providers or the market fails to regulate things.

  • Hello $USER,

    We regret to inform you that your personal info has once again been stolen during the last 29 days.
    All of your data was compromised, and we are working hard to ensure the next notification 29 days from now will not be sent out.
    This mandatory notification has been sent as per the FCC mandates.

    Regards, $TELCO.

    /s
  • Telcos are, if anything, always willing to waste customer money paying fines instead of playing by rules, so expect the next discovered breach to be reported a few months after it happens as said telco looks for a big news story to try to hide the event under.
