The FCC's data breach reporting requirements are broken
Under the current rules, telcos submit data breach information that covers only a fraction of what cybersecurity pros consider to be cyber incidents. And sometimes they keep the data confidential.
In April, I wrote a column about the FCC's effort to update its data breach reporting rules for telecommunications carriers. At the time, I intended to include statistics gleaned from annual certification filings submitted by the telcos to the FCC. But as I went through these documents, I realized the carriers' filings contained very little information on what most cybersecurity professionals would consider data breaches. Nor did they jibe with press reports regarding well-known carrier breaches.
So, I've spent the past several months intermittently trying to make sense of these filings. I discovered that the FCC's data breach rules are so broken that data breach information carriers submit to the Commission is virtually meaningless. First, the reporting rules are restricted to situations where carrier employees voluntarily give data to unauthorized individuals under false pretenses. None of the data submitted to the Commission reflects ransomware attacks, malicious hacker intrusions, or malware infections.
The data also doesn’t reflect incidents affecting only personally identifiable information, such as social security numbers. Moreover, carriers only have to report customer complaints received regarding an incident, not how many customers were impacted or how. Carriers are allowed to submit no data if they deem it confidential.
And, finally, despite a spate of negative press reports and regulatory actions centered on carriers selling customers' location data to third parties, major carriers appear to have yet to report receiving a complaint about a data broker or taking action against a data broker.
Against this backdrop, the Cybersecurity and Infrastructure Security Agency could face challenges in trying to align the FCC's data breach reporting rules with the comprehensive national data breach framework it is legislatively mandated to build.
The following report walks through some of the details of the FCC's current (and proposed new) data breach rules.
In its second publicly known data breach of the year, T-Mobile sent data breach notification letters on April 28 to 836 customers, letting them know that a bad actor accessed "limited" information from their accounts. T-Mobile said the information obtained for each customer varied but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, and date of birth. The carrier said no personal financial information or call records were accessed.
That breach paled in comparison to a breach T-Mobile announced in January, which affected 37 million customers whose name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features were exposed through one of its Application Programming Interfaces (APIs). Moreover, three cybercriminal groups have claimed access to internal networks at T-Mobile in more than 100 incidents throughout 2022 via phishing schemes to access customer data.
It's likely that only a tiny fraction of customers impacted by these incidents, if any, will show up in the annual certifications T-Mobile supplies to the Federal Communications Commission (FCC), as required under the Commission's data breach reporting regulations. It's almost certain that very little data regarding the full range of breaches experienced by any phone carrier in the US will be reported to the FCC under the current rules.
The reasons so little breach data show up on the telcos' annual certification filings are that:
The FCC's rules currently apply only to customers who experienced "intentional" incidents involving employees disclosing data. No accidental disclosures by employees are included. Other types of breaches are also excluded by the rules, including database hacks by malicious actors, ransomware attacks, and other kinds of breaches where carrier employees are not involved. However, the FCC proposes a broader definition of what constitutes a data breach in its pending rulemaking.
The rules don't apply (mostly) to personally identifiable information (PII) or any other data outside a highly narrow class of information known as CPNI or customer proprietary network information. The FCC proposes to expand its definition of a data breach to include at least some PII.
Carriers are currently required to report in their annual certifications only the complaints they received from customers regarding the incidents, not the number of customers affected by them or any other details about the attacks. At least some of the carriers don't consider many of the complaints they receive as relevant to the Commission's rules.
The rules don't apply to any internet or video-related services the carriers might also sell customers on a stand-alone or bundled basis. How carriers decide whether CPNI has been breached regarding incidents affecting bundled customers is unclear.
Carriers can provide annual certification reports hidden from public view and possibly hidden from the Commission itself by proclaiming them "confidential."
Some evidence suggests that since 2015, no major carrier has reported receiving a complaint regarding data brokers or acting against a data broker in their certification filings, despite high-profile incidents involving the sale of location data to data brokers.