Push to Accelerate Communications Incident Reporting Advances by FCC
The Federal Communications Commission (FCC) has unanimously voted to pursue changes to how and when telecommunications network operators disclose data breaches. This move comes in response to a growing number of significant data breaches in the telecom industry, with the August 2021 T-Mobile hack being the largest on record, affecting at least 76.6 million people.
Under the proposed changes, telecom operators would be required to alert the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a major cyberattack or 24 hours of ransom payment. This reporting requirement is part of the new rules for critical infrastructure, passed by Congress under the Cyber Incident Reporting for Critical Infrastructure Act.
Currently, under Section 222 of the Communications Act, organizations are required to notify the U.S. Secret Service and FBI of breaches within seven days. However, the FCC is seeking to expand the definition of "breach" to include inadvertent disclosures of customer information and may require operators to report minor breaches as well, in addition to major ones.
FCC Chair Jessica Rosenworcel emphasized the importance of protecting personal data, particularly as telecom operators have access to vast amounts of it. She stated, "It is vitally important that personal data does not fall into the wrong hands."
The FCC is also considering adopting minimum requirements for the details operators must share when a breach occurs. This could help ensure that all relevant agencies and affected individuals are notified promptly and thoroughly.
Jason Rebholz, CISO at Corvus Insurance, noted that most consumers are primarily concerned about their data being lost and potentially misused. He stressed the need for quick notification of major data breaches to prevent further harm.
The FCC plans to revisit the data breach rules annually, considering telecom operators as a critical component of daily life. This ongoing review will help ensure that the rules remain effective in protecting consumers' personal data.
The FCC is seeking public comment on how its breach reporting regulations can work alongside the forthcoming mandate for critical infrastructure providers to report cyberattacks and ransomware payments to the CISA. The Commission also wants to understand whether it should adopt additional requirements to strengthen data security practices among telecom operators.
As hackers continue to target telecom operators, focusing on this sector is a strategic step towards improving data security. Kerravala, an industry analyst, stated that telecom operators remain a main focal point for hackers. By requiring prompt reporting of data breaches and adopting stricter data security practices, the FCC aims to encourage telecom carriers to adopt stronger data security measures.
The FCC first proposed changes to bolster data breach regulations in January 2022. The Commission's efforts to protect consumers' personal data come as a response to the increasing number and severity of data breaches in the telecom industry. With these changes, the FCC hopes to encourage telecom carriers to prioritize data security and protect their customers' personal information.
