The Federal Communications Commission wants to strengthen its rules for notifying customers and law enforcement of breaches of customer proprietary network information, both by speeding up the reporting process to customers and by requiring telecommunications companies to report breaches to the FCC, FBI and U.S. Secret Service.
The regulator announced Jan. 6 that it has launched a proceeding to gather information on a rule change that would eliminate the current seven-business-day mandatory waiting period and require carriers to notify customers of a breach, even an inadvertent one, “without unreasonable delay of a breach and notification to law enforcement.”
“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” said FCC Chairwoman Jessica Rosenworcel in a news release. “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”
The rule change was not a surprise considering agencies will have to update reporting cybersecurity incidents to meet the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), said Tanium’s Chief Security Advisor Timothy Morris.
The act, passed by Congress last year, requires critical infrastructure organizations to report cyber incidents within 72 hours. Morris noted that breach-reporting requirements vary by state and by federal agency, citing the 36-hour reporting requirement for the financial sector that the Securities and Exchange Commission is seeking, an inconsistency the FCC said it is attempting to remedy with the rule change.
While the FCC is seeking industry input on its proposals, one expert told SC Media that the new requirements could pose a challenge for security and legal teams.
Sounil Yu, JupiterOne’s chief information security officer, said the FCC was “blurring the line between ‘incident’ and a ‘breach.’”
If the rules lower the threshold of what is considered a material breach, Yu said legal teams may have to be involved with CISOs in every incident going forward, especially in light of Uber’s former CISO being convicted of misleading regulators in a 2016 breach.
But some experts also saw positive effects from faster reporting of breaches. Bud Broomhead, CEO at Viakoo, said reducing the reporting time gives threat actors a shorter window to act unnoticed in the event of a data breach.
“Faster reporting is only one part of minimizing the damage from a breach, especially with respect to telecoms,” said Broomhead. “Equal or higher priority should be given to automated vulnerability remediation, extending zero trust to non-IT assets like IoT/OT, and more comprehensive asset discovery and threat assessment.”