The US Federal Communications Commission has proposed new rules in its data breach policy that include quickly reporting breaches to carriers and making it shorter, and the move will eliminate a mandatory week-long wait for carriers to tell you a security incident has occurred and your data has been stolen from hackers.
The proposal would also clarify that carriers must notify the Federal Communications Commission (FCC), the Federal Bureau of Investigation (FBI) and the Secret Service of any reportable data breaches, according to the engadget report.
Service providers will also have to alert customers to unintentional breaches, such as account information being left exposed, and at the same time the commission is asking for public input on whether breach alerts should include specific information to help people take action such as the nature of the compromised data.
And the FCC is not shy about its reasoning behind the temporary rule change since the current rules are more than 15 years old and are said to be “out of step” at a time when it is often necessary to notify victims and authorities as quickly as possible.
In theory, the communications will warn users quickly, which reduces the chances of identity fraud and follow-on hacks, reduces harm to both customers and the networks’ backline, and is more consistent with other laws around whistleblowing, particularly in states like California.
A potential problem, the report said, is that the proposed rule change for federal agencies would allow warnings to clients to be delayed for an initial period of up to 30 days if the notice could endanger a criminal investigation or national security.
It can endanger the general public, and the FCC is also wondering whether or not there should be a cap on the notification period, and whether smaller carriers should have more time to report intrusions. Public comment (open 30 days after a proposal reaches the Federal Register) may help shape these rules, but there’s no guarantee the final outcome will address all concerns.