Listen To This Story
When phone carriers leave data vulnerable to theft by cybercriminals, but there’s no definitive proof that a bad actor broke in and stole information, they are under no obligation to tell their customers — and the telecom companies want to keep it that way.
The sensitive data that carriers hold gets breached all the time, and customers often have no clue about it, experts note.
“Data breaches get worse every year,” said Chris Frascella, a law fellow at the Electronic Privacy Information Center. What’s more, customers don’t hear about most privacy incidents, according to a 2019 Internet Society study.
These breaches happen not only when a criminal hacks a carrier’s database but also when a company exposes data by mistake. Current Federal Communications Commission (FCC) regulations don’t require providers to report all accidental exposures that could lead to a breach.
In other words, carriers don’t have to tell customers when they expose their Social Security numbers or financial records. They only have to report breaches of customer proprietary network information (CPNI), which includes real-time location data, call history, and device information.
To remedy the current situation, the FCC proposed a rule earlier this year that would force telecom companies to tell customers whenever they expose customer data and expand the kinds of sensitive information that they have to admit to exposing beyond CPNI.
“The CPNI rulemaking is very promising. They’re talking about considering a breach something that’s an inadvertent disclosure,” said Frascella. “Up until this point, a breach only qualified as a reportable event if someone intentionally gained access to CPNI.”
“[If] your phone carrier has your Social Security number stored in a database somewhere and it gets breached, that’s actually not a breach of CPNI,” said Frascella. “And the FCC in this latest rulemaking is acknowledging that.”
If telecom providers had to report every data exposure — even inadvertent ones — they’d have an incentive to implement better security practices, the FCC argued in its notice of proposed rulemaking.
But telecom companies and their trade associations want to keep customers in the dark about negligent exposures of sensitive data. In their comments on the proposed FCC rule, they are pushing a measure that would let them avoid reporting accidental leaks.
Verizon, the Competitive Carriers Association, USTelecom, and the Internet and Television Association agreed that the FCC should include a “harm-based trigger” for breach notification in the final rule.
In other words, they argued that only breaches that cause immediate harm should require a message to customers and that companies themselves should have the power to decide what counts as harm.
If they reported every exposure of customer information, the carriers said, they would have to sound the alarm even when there’s no real risk of data getting into the hands of bad actors. They pointed out that, if an employee sends personal data to the wrong person but quickly secures it, that would count as a breach under the new rule, but there wouldn’t be any true threat to the consumer.
They also argued that a breach that doesn’t affect enough accounts shouldn’t be reported to the FCC or law enforcement, saying that providers serve so many people that they don’t have the resources to notify regulators about every data leak.
However, consumer privacy advocates say a harm-based trigger would leave too much room for companies to avoid reporting exposures that pose a real danger to customers.
“Once you [put a harm-based trigger in place], what is harm?” said Frascella. “Is it harm to 100 or harm to 1,000?”
The measure would let carriers decide that a small breach isn’t worth reporting even if the incident hurts consumers.
And if a company exposes sensitive information to the wrong people by storing data on an unencrypted server or failing to disable compromised accounts, there’s no good way to tell if anyone accessed the data or how long they’ll wait to exploit it if they did.
“Identity thieves might wait a year before they use your information,” said Frascella.
Also, a harm-based trigger could “possibly add weeks” to the time between a data exposure and reporting to consumers while carriers determine if it caused harm, explained Frascella.
But it’s crucial that customers find out about privacy risks right away because it’s up to them to change their account credentials when their personal information gets exposed.
Pointing to language in the Customer Privacy Provisions Act, the carriers also argued that the rule would overstep the FCC’s mandate. Specifically, they said that Section 222, which gives the companies the duty to protect “customer proprietary information,” only applies to CPNI.
But according to Frascella, the FCC has the right to interpret Section 222 broadly. He pointed out that the phrasing of Section 222 covers any information that people entrust to their carrier, including Social Security numbers and financial records.
Telecom companies also raised concerns that more rules would worsen the already complex landscape of privacy laws that companies have to abide by at the state level.
However, the FCC has “robust” and “flexible” privacy authority, said Frascella. The commission has the power to say that any unjust or unreasonable action that telecom providers take is unlawful under its mandate, he said.
The carriers stressed in their filings that reporting a breach when there’s no apparent harm would make people ignore messages that require action — a phenomenon called “notice fatigue.”
But raising concerns about over-notification is dishonest, according to Harold Feld, senior vice president of Public Knowledge, a consumer advocacy nonprofit.
“This isn’t the kind of situation where we’re worried about notice fatigue,” said Feld. People get desensitized to messages from their providers when companies over-notify about insignificant updates to their terms of service, not when they admit to exposing data, he explained.
“I would want to change my carrier if my carrier weren’t protecting my information,” said Feld. “The only way you’re going to get this kind of notice fatigue from a carrier is if they keep on screwing up on your information.”
Ultimately, it may not matter if the industry’s arguments are valid or not because dysfunction with the FCC could prevent the rule from being finalized.
Unless the commission gains a tie-breaking fifth member, it likely will be deadlocked on the issue if the two Republicans side with the telecom companies and stop the rule in its tracks.
As the result of a miscommunication, we have amended Chris Frascella’s statement characterizing changes to CPNI rulemaking as “promising.”
In addition, for clarity’s sake we have removed language that implied carriers are not required to report data breaches affecting only a small number of accounts.