FCC Approves Major Updates to Data Breach Notification Rules

The U.S. Federal Communications Commission voted Wednesday along party lines to update 16-year-old privacy protection rules and expand breach notification requirements as part of an effort to provide law enforcement and the public with real-time information about harmful data breaches.

See Also: JavaScript and Blockchain: Technologies You Can’t Ignore

The new rule expands the scope of the FCC’s breach notification requirements to cover all personal identifiable information that carriers and telecommunications relay service providers maintain on their customers. Those organizations will be tasked with providing individual, per-breach notifications “no later than seven business days after reasonable determination of a breach” affecting 500 or more customers, according to the guidelines.

The three Democrats on the commission voted for the measure, and the two Republicans dissented.

In approving the updated rules, outlined in a report and order, the agency said data breaches have only grown in frequency and severity over the past two decades.

The FCC first circulated a public draft of the revised breach notification rules in November and eliminated certain requirements from its updated rules, including notifying customers of breaches in instances so long as the telecom can reasonably determine that no harm to customers is likely to occur. Also, organizations are no longer required to file annual summaries of breaches affecting fewer than 500 customers in which no harm is likely to occur.

The updated data breach notification rules garnered swift praise from the think tank Public Knowledge, which said that the rule “will require carriers to treat customer data with the care it deserves and will allow the FCC to punish carriers that fail to take their responsibility to protect customer data seriously or who skimp on precautions to inflate their bottom line.”

The group pointed out that broadband providers are exempt from the new rule – a result of the FCC’s 2017 revocation during the Trump administration of net neutrality, limiting its regulatory power over telecom offerings classified as “information services.” The agency on Oct. 19 initiated a notice of proposed rule-making that would reestablish authority over broadband providers.

The FCC first adopted its breach notification rules in 2007 to protect Americans from fraud through “pretexting,” which is when criminals use social engineering techniques to obtain sensitive information from victims, such as passwords, Social Security numbers or financial information. The FCC attempted to include updated protections for broadband internet access service providers in 2016, but Congress nullified those revisions a year later under a statute that allows lawmakers to overturn agency regulation.