‘Incompetent’ FCC Fiddles With Data Breach Rules – Source: securityboulevard.com

February 14, 2024
Post Author / Publisher: Security Boulevard

CISO2CISO post categories: Analytics & Intelligence, API security, Application Security, AppSec, CISO Suite, Cloud Security, Cyber Security News, Cyberlaw, Cybersecurity, Data Privacy, data security, DevOps, DevSecOps, Editorial Calendar, endpoint, FCC, FEATURED, Federal Communications Commission, Governance, Humor, Identity & Access, Identity and Access Management, Incident Response, Industry Spotlight, insider threats, Malware, Mobile Security, Most Read This Week, Network Security, News, Popular Post, Regulatory Compliance, Risk & Compliance, rss-feed-post-generator-echo, SB Blogwatch, Securing Open Source, Securing the Cloud, Securing the Edge, Security at the Edge, Security Awareness, Security Boulevard, Security Boulevard (Original), Security Challenges and Opportunities of Remote Work, Security Operations, Social - Facebook, Social - LinkedIn, Social - X, software supply chain security, Spotlight, Threats & Breaches, Zero-Trust

Rate this post

Source: securityboulevard.com – Author: Richi Jennings

While Rome burns, Federal Communications Commission is once again behind the curve.

The FCC is telling telcos to tell them about data breaches. And to tell customers. And … errr … that’s it. No hefty fines, no must-do-better, no nothing.

Commission head Jessica Rosenworcel (pictured) is putting a brave face on it. In today’s SB Blogwatch, we resign ourselves to more of the same.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Don’t Tell Texas.

FCC FAIL

What’s the craic? Brandon Vigliarolo reports—“Telcos must now tell you when your personal info is stolen”:

“Criminals”

Along with requiring that attacks are reported to the FCC within seven days of a telco discovering them, the same deadline now exists to report any data leaks to the FBI and US Secret Service. [It] also eliminates the mandatory seven-day waiting period for reporting break-ins to consumers: The FCC now “requires carriers to notify customers of breaches of covered data without unreasonable delay … and in no case more than 30 days following reasonable determination of a breach.”

…

The FCC has additionally extended the scope of data exposure types that telecom customers must be notified of: … Starting now, names, government ID numbers, data used for authentication purposes, email addresses/passwords and biometric data is all included in the FCC’s reporting requirements. Dissociated data, if linkable to an individual using other data criminals accessed during a break-in, has to be reported as well. [It] also expands the FCC’s definition of “breach” to include “inadvertent access, use or disclosure of customer information.”

Why now? Why, ask Sergiu Gatlan—“FCC orders telecom carriers to report PII data breaches”:

“37 million individuals”

Massive telecom data breaches in recent years have highlighted the need to update the FCC’s data breach rules. … For example:

- In December 2022, widespread attacks bypassed two-factor authentication and hijacked Comcast Xfinity customers’ accounts.
- Two months earlier, Verizon notified prepaid customers of a breach that exposed their credit card information, later used in SIM swapping attacks.
- T-Mobile has also been hit by at least nine breaches since 2018, with the most recent one—and the least damaging—being disclosed in May 2023 after threat actors had access to the personal information of hundreds of customers for more than a month. …
- In January 2023, T-Mobile alerted customers of another data breach after the sensitive info of 37 million individuals was stolen.

Horse’s mouth? The FCC’s Marlene Dortch—“Data Breach Reporting Requirements FCC23-111”:

“Scammers and phishers”

In this Order, the Commission adopts several proposals … to modernize its data breach requirements. … The Commission finds that these changes will better protect consumers … and harmonize its rules with new approaches to protecting the public already deployed by the Commission’s partners in Federal and State government. … These rules fall comfortably within the Commission’s statutory authority.

…

Carriers possess proprietary information of customers, … which customers have an interest in protecting from public exposure. … The Commission believes that the unauthorized exposure of sensitive personal information that the carrier has received from the customer … or about the customer … such as social security numbers or financial records, is reasonably likely to pose risk of customer harm. … Consumers expect that they will be notified of substantial breaches that endanger their privacy.

…

Any exposure of customer data can risk harming consumers, regardless of whether the exposure was intentional. … Inadvertent exposure of customer information can result in the loss and misuse of sensitive information by scammers and phishers, and trigger a need to inform the affected individuals so that they can take appropriate steps.

Ummm. Yay? happytiger sounds slightly sarcastic:

Yeah, that’ll teach them. Now they have to tell you when they utterly fail to protect you.

…

Such a tough FCC. I will say that Jessica Rosenworcel is an angel compared to Ajit “Screw Consumers” … Pai. I miss that guy like a hemorrhoid. I’m sure he’s enjoying his job as a partner at the private-equity firm … where he is now seeking to [exploit] failures he was largely responsible for.

…

It’s amazing. The FCC seems to be either very bad at their job or completely 0wn3d by the revolving door of private industry.

But will this staunch the flood of breaches? No way, thinks Dagmar d’Surreal:

They’ll just pay the fine. Telcos are … always willing to waste customer money paying fines instead of playing by rules.

…

Expect the next discovered breach to be reported a few months after it happens, as said telco looks for a big news story to try to hide the event under.

So, no change? Not according to u/h3rpad3rp:

I just assume that it is just constantly being stolen from everyone who collects it at this point: … If your information can be stolen from a company like Equifax … I don’t have a lot of faith in corporate data security.

O RLY? This Anonymous Coward calls it “too little, too late”:

There is one answer to if telco have leaked everyone’s data: … Yes. Maybe some care how many times—if so: Many.

…

The FCC is … full of incompetent jacket fillers. They … allow number spoofing, which is literally enabling criminals to pretend to be anyone.

How could this rule be better? aeternum suggestifies thuswise:

One major problem is that PII/Personal info is uselessly broad. Legislation like this would be much more useful if it had clear rules or fines for various levels of PII.

For example, getting your social security number stolen is significantly worse than a stolen e-mail address or phone number. All the notifications about e-mail being “stolen” are just noise.

Meanwhile, what of the unintended consequences? codebase7 pictures the scene:

Hello $USER,

We regret to inform you that your personal info has once again been stolen during the last 29 days. All of your data was compromised, and we are working hard to ensure the next notification 29 days from now will not be sent out.

This mandatory notification has been sent as per the FCC mandates.

Regards, $TELCO.

And Finally:

B.G. Knowles-Carter vs. M.L. Ciccone

CW: Bey be a bit potty-mouthed.

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Jessica Rosenworcel (public domain)

Recent Articles By Author

Original Post URL: https://securityboulevard.com/2024/02/fcc-breach-rules-richixbw/

Category & Tags: Analytics & Intelligence,API Security,Application Security,AppSec,CISO Suite,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,DevOps,DevSecOps,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,Insider Threats,Malware,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing Open Source,Securing the Cloud,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Security Operations,Social – Facebook,Social – LinkedIn,Social – X,Software Supply Chain Security,Spotlight,Threats & Breaches,Zero-Trust,breach notification,Data Breach Notification,data breach notification laws,fcc,FCC Failures,FCC Follies,FCC privacy rules,Federal Communications Commission,GDPR Breach Notification,Jessica Rosenworcel,SB Blogwatch,U.S. Federal Communications Commission – Analytics & Intelligence,API Security,Application Security,AppSec,CISO Suite,Cloud Security,Cyberlaw,Cybersecurity,Data Privacy,Data Security,DevOps,DevSecOps,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Industry Spotlight,Insider Threats,Malware,Mobile Security,Most Read This Week,Network Security,News,Popular Post,Regulatory Compliance,Securing Open Source,Securing the Cloud,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Security Operations,Social – Facebook,Social – LinkedIn,Social – X,Software Supply Chain Security,Spotlight,Threats & Breaches,Zero-Trust,breach notification,Data Breach Notification,data breach notification laws,fcc,FCC Failures,FCC Follies,FCC privacy rules,Federal Communications Commission,GDPR Breach Notification,Jessica Rosenworcel,SB Blogwatch,U.S. Federal Communications Commission