Operators push back on FCC’s stricter data breach reporting proposal

Telecom industry groups from USTelecom and ACA Connects to WISPA and NCTA sounded off on proposed changes to the Federal Communications Commission’s (FCC) data breach reporting rules, and their message is clear: reporting requirements should be tied to the prospective harm done to consumers.

In January, the FCC proposed revisions to its data breach reporting rules and comments were due by March 24. Among other things, the changes would expand the definition of a breach to include accidental disclosures of customer information and require operators to notify the FCC “as soon as practicable” after the breach’s discovery. The FCC also wants operators to alert customers faster – “without reasonable delay” – once a breach is identified. Operators are currently required to wait seven business days before notifying customers to give law enforcement time to act.

The FCC opened its proposal for comments on January 23 and the telecom industry has responded in full force. Almost universally, they have argued the FCC should not expand the definition of what constitutes a data breach without also implementing a so-called “harm-based trigger” for reporting.

Industry groups warned that a broader definition could lead to consumers being inundated with breach notices. Eventually, they might come to disregard these notices, whether or not a given breach is likely to cause harm. A harm-based trigger, they argued, could help ensure that breach notifications remain meaningful.

But what actually constitutes harm? According to NCTA, the FCC should define harm as impacts on a consumer that are “actual and concrete, not merely speculative or amorphous. Such harms could include identity theft, theft of services, physical harms, or financial harms,” the group wrote in a filing.

ACA Connects backed NCTA’s suggestion. But ACA added the FCC should “clarify that the cause of the breach in itself has no bearing on the reasonable likelihood of harm ensuing from it. In other words, a breach that is not reasonably likely to cause financial harm should be exempt from reporting even if the breach is intentional.”

Several operators and telecom groups also pushed for a threshold trigger, which would limit reporting to breaches above a certain size. USTelecom, Verizon and CTIA all backed this idea.

But the Electronic Privacy Information Center (EPIC), Center for Democracy and Technology, and Public Knowledge contended efforts to cap breach reporting ignore the reality for consumers that “unauthorized access of their data is inherently harmful.”

“Carriers aren’t incentivized to be impartial; such a ‘likely harm’ estimate would be performed by the same carrier that failed to properly weigh costs vs. benefits in preventing the breach itself,” the consumer groups argued. They called for the FCC to reject proposals for a harm-based trigger.

Within the past year, AT&T, Charter Communications, Comcast, T-Mobile and Verizon have all reportedly suffered data breaches or hacks of some kind. Lumen Technologies’ Black Lotus Labs recently noted telecom companies are a growing target for distributed denial of service (DDoS) attacks as well.