Telecom providers balk at proposal for reporting hacks

An FCC proposal would expand requirements for telecom providers to disclose hacks into their customers' data. But telecom providers generally aren't supportive of the agency's look at the topic.

Mike Dano, Editorial Director, 5G & Mobile Strategies

December 11, 2023


Some of the nation's biggest telecom providers are pushing against an FCC proposal that would require them to disclose hacks and other breaches of their customers' data.

But a coalition of public interest groups voiced support for the FCC's plans, arguing that consumers have the right to know what's happening with their data. "We again applaud the commission’s attention to the increasingly severe and largely avoidable impacts of data breaches on phone subscribers, and we reiterate the importance of strengthening the overall security of America’s networks and protecting consumers from the harms of breaches," Public Knowledge, Electronic Privacy Information Center and other public interest groups wrote in a recent filing to the FCC.

The FCC's new data breach reporting proposal represents a response by the agency to continued breaches and hacks into telecom providers like AT&T and T-Mobile. FCC rules already protect so-called customer proprietary network information (CPNI), but the agency is looking to expand its purview by requiring telecom providers to promptly report virtually any unauthorized access of their customers' data.

Telecom providers say proposal is a bridge too far

But the agency's proposed rules, according to several top telecom providers and telecom industry trade associations, go too far. The rules "do not promote consistency or practicality," wrote T-Mobile in a recent filing. "The new rules will create serious implementation challenges, including new recordkeeping requirements, and will likely result in a deluge of notifications of innocuous events that have no chance of harming a consumer."

The company's statements on the topic are noteworthy considering T-Mobile's customer data has been hacked several times in recent years.

And some won't let T-Mobile forget that: "Nearly half of US consumers have been affected by data breaches where a company holding their personal data was hacked, compared to a global average of just 33% of consumers," wrote Public Knowledge and other public-interest groups. "Even if the focus is narrowed solely to breaches of phone subscriber data that have been revealed since this [FCC] docket opened two months ago, it is clear that urgent commission action is required."

The groups even published a calendar showing the days that SIM-swapping hackers advertised access to T-Mobile’s internal employee tools earlier this year.

Broadly, T-Mobile, Verizon, AT&T and their trade associations, including CTIA and USTelecom, offered a range of arguments against the FCC's proposal. For example, they generally contended that the FCC doesn't have the legal jurisdiction to require data breach reporting, and that the agency's definition of such hacks was too broad.

"Expanding the [data breach reporting] trigger to cover 'disclosure of private facts, reputational or dignitary harm, mental pain and emotional distress, the disclosure of contact information for victims of abuse, and other similar types of dangers' is so broad and subjective that carriers may feel compelled to over-notify customers," CTIA warned in its filing.

"AT&T has serious concerns with respect to the legal authority on which the draft [document of the rules] relies," AT&T added in its filing.

The companies also warned of other consequences, including overloading consumers with too many breach warnings.

Counterpoint: Consumers should be alerted to data breaches

Public interest groups fired back at that complaint. 

"Commenters’ claims about the magnitude of consumer notifications that would be sent if they were required to report every time their protocols failed to safeguard their customers’ privacy is both alarming and illustrative of how grievously deficient practices are," Public Knowledge and others wrote. "A carrier should communicate its assessment of the level of risk it thinks a given breach caused to impacted subscribers, but a carrier’s duty to disclose a breach should not depend on that internal and inherently self-interested determination. Consumers should know what information was exposed so they can make their own determination as to whether the breach is a problem for them, and this alert should not be contingent upon a minimum threshold of harm or of number of impacted consumers."

It's unclear when the FCC might move forward on the proposal. The agency is also tackling a number of other tricky issues, including potentially reinstating its net neutrality rules.

About the Author(s)

Mike Dano

Editorial Director, 5G & Mobile Strategies, Light Reading

Mike Dano is Light Reading's Editorial Director, 5G & Mobile Strategies. Mike can be reached at [email protected], @mikeddano or on LinkedIn.

Based in Denver, Mike has covered the wireless industry as a journalist for almost two decades, first at RCR Wireless News and then at FierceWireless, and recalls once writing a story about the transition from black and white to color screens on cell phones.
