Telecommunications companies (telecoms) have long been prime targets for cyber attackers. They operate critical infrastructure, and vast amounts of customer data pass through their networks.
The United States Federal Communications Commission (FCC) is aiming to strengthen data security with new regulations around data breach reporting by communications carriers.
The agency has long required communications carriers to protect customer proprietary network information (CPNI).
CPNI describes a subscriber's use of the service: numbers called, call duration, mobile device location data, account details, and technical configurations. Each of these is useful to an attacker, whether for fraud, SIM swapping, or social engineering of the subscriber or the carrier. As bad actors eye this information, the FCC aims to strengthen consumer data protections.
How Could the FCC Rules Change?
Current FCC regulations require carriers to notify federal law enforcement as soon as practicable, and no later than seven business days after reasonably determining that a data breach involving CPNI has occurred.
The FBI and the Secret Service are notified first so they can investigate the breach from criminal and national security perspectives. Affected customers come next: under the current rule, a carrier must wait seven full business days after notifying the federal agencies before it may inform customers or disclose the breach publicly.
One of the FCC proposals is to alter those notification periods so customers find out earlier about the exposure of their data. The most significant proposal involves what counts as a “breach.” The new rules could consider any incident that discloses or provides access to CPNI to be a breach—even if it’s unintentional.
The FCC first proposed the changes on January 6, 2023. The agency invited the public to submit comments by February 22, 2023, and reply comments by March 24, 2023.
Whether you’re a consumer, a communications carrier, a third-party service partner that works with the telecoms industry, or a cyber security professional, here’s what you need to know about the updates and their implications.
Three Basic Changes to FCC Regulation
The FCC’s proposed changes fall into three main categories:
1) who telecoms need to notify;
2) when telecoms need to notify authorities and customers; and,
3) what incidents constitute a “breach.”
Informing the FCC
If the FCC adopts the rule, telecommunications companies must notify the FCC, alongside the FBI and Secret Service, as soon as practicable following a data breach. The FCC's rationale is that it is easier and faster for carriers to inform all agencies at the same time, ideally through a single report.
Once carriers meet these reporting obligations, they can return to the critical job of remediating the breach.
Informing Customers Sooner
The FCC proposes eliminating the current mandatory waiting period between notifying federal authorities about a breach and notifying telecom customers. If the proposed language stands, telecoms must inform customers of a breach involving CPNI "without unreasonable delay," unless law enforcement specifically asks them to delay the notification.
The FCC introduced this update so that customers learn about a breach sooner. Without the seven-business-day waiting period, customers find out much earlier that their data may have fallen into attackers' hands.
This new notification period will let people take protective steps faster, such as changing their account passwords, adopting multi-factor authentication, installing security software, or watching for unusual account activity.
Broadening the Definition of “Breach”
The new regulation expands what the FCC counts as a data breach to include “inadvertent access, use, or disclosures of customer information.”
This update makes communications carriers responsible for notifying law enforcement and customers in a much broader range of incidents, in effect any incident that compromises the confidentiality of CPNI, regardless of whether anyone intended it.
What Could Constitute a Reportable Data Breach?
The FCC regulation currently defines a breach as “when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.” The expanded definition would include inadvertent and accidental disclosures of customer data.
In other words, intent is an element of the current definition. An employee's accidental disclosure of customer information is not a breach; only intentional access, use, or disclosure by someone without authorization, or exceeding their authorization, counts.
Some observers argue that the expanded definition creates an unnecessarily high reporting and compliance burden for telecoms. If an employee sends an invoice containing account information to a different customer in error, that would be a data breach under the new definition.
As noted, the FCC requested comment on the proposals through March, and there has been no final decision at the time of writing. The FCC has also asked whether the final rule should include an exemption for "good faith" access to CPNI.
For instance, if an employee accesses customer data in the regular course of their work but does not use that data improperly or further disclose it, it would not constitute a breach.
The FCC also asked for input about including a “harm-based trigger” on breach notifications. This would require telecoms to notify authorities and customers only when the activity that exposes CPNI leads to or causes harm.
In that case, if a breach occurs but is unlikely to cause harm, the company would not need to notify law enforcement or customers. How "harm" would be defined, and who decides whether a given exposure meets that bar, remains an open question.
How Does the FCC Regulation Impact Telecoms and Customers?
While the expanded definition of "breach" could create more work for telecoms, the change may improve data security for their customers and raise the baseline across the industry. Stricter rules can push carriers to update their security technology, adopt new data security policies and procedures, and provide cyber security awareness training for employees. In practice, reporting inadvertent disclosures also requires being able to detect them, which means access logging on the systems that hold CPNI, a way for employees to report misdirected messages, and a process that decides quickly whether an event is reportable.
Those new requirements could build better data protection downstream of the telecoms. Many phone companies share customer data with third-party marketers, software companies, and SaaS vendors.
Since the FCC rules target telecoms first and foremost, carriers are likely to increase scrutiny of the partners that handle their customer data, because a disclosure by a vendor would still be a reportable breach for the carrier.
Simpler Rules and Stronger Protections
Many states have privacy and telecommunications legislation that differs from FCC rules. The FCC updates strive to simplify the regulatory landscape for telecoms by aligning with state rules on consumer data and emerging international standards.
The benefit for telecoms and end-users is more clarity over data privacy and better protections overall.