How FCC’s New Requirement for ISPs to Report Data Breaches Faster Will Improve Internet Safety

Last Updated: Dec 21, 2023
The FCC is responsible for regulating communications by wire, cable, satellite, TV, and radio in the U.S. (Image: Shutterstock)

The U.S. Federal Communications Commission (FCC) issued a Notice of Proposed Rulemaking for new data breach reporting requirements. The new law would help strengthen federal law enforcement and modernize notification for breaches of customer proprietary network information (CPNI). It’ll also help better align the FCC’s rules with recent developments in state and federal laws in other sectors.

The FCC has already established laws requiring internet service providers to protect sensitive customer data and privacy. Some of these rules, however, are outdated. According to FCC Chairwoman Jessica Rosenworcel, the “(existing) laws need upgrading to fully reflect the evolving nature of data breaches and real-time threat.” Rosenworcel further added that customers deserve extra protection against the rise in frequency, scale, and sophistication of cyberattacks. As a result, she urged her FCC colleagues to take a fresh look at existing data breach rules to improve internet safety.

The new proposal highlights several updates to existing FCC rules. These include eliminating the current seven-day mandatory waiting period for notifying customers of a security breach, requiring notifications for inadvertent breaches, and requiring carriers to notify the FCC of any breaches, in addition to the U.S. Secret Service and the FBI. Any inadvertent use, access, or disclosure of customer information should be included in the definition of a data breach.

The proposal also seeks comments on whether there should be a requirement for specific and actionable information to be included in the notifications. The existing laws specify to whom and when to make breach notifications, but there are no requirements for the content of the notifications. The FCC has recommended a similar upgrade to telecommunication relay services (TRS) data breach reporting requirements.

A cyberattack can include damaged networks, stolen data, and millions of dollars in recovery efforts. (Image: Shutterstock)

Introducing new requirements for reporting data breaches helps reduce the risk of security breaches, which can be devastating for customers and have a detrimental impact on the economy. Unfortunately, the frequency of cyberattacks has been on the rise. In December 2022, Comcast Xfinity suffered a widespread cyberattack that bypassed two-factor authentication. Earlier in 2022, Verizon suffered a massive SIM-swapping attack, while T-Mobile Internet has had several security breaches since 2018.

The proposed rules are aimed at ensuring that federal law enforcement agencies receive security threat notifications in a timely manner, so they can prevent or mitigate the threat. In September 2021, the FCC proposed new rules for port-out fraud and SIM-swapping scams. The Notice of Proposed Rulemaking will help further advance the commission’s efforts to protect customers’ online privacy and data in the face of evolving security threats.

Wireless carriers hold vast amounts of personal and financial data, making them a hot target for hackers. The new laws are ultimately a good thing for customers and carriers. While customers get better security for their online privacy and data, carriers would have more clarity regarding their obligations toward customers and compliance with FCC rules. Carriers can face penalties for violation of FCC laws. The new laws will also allow law enforcement agencies to take swift action against hackers.