FCC: Telcos must now tell you when your personal info is stolen(theregister.com)
theregister.com
FCC: Telcos must now tell you when your personal info is stolen
https://www.theregister.com/2024/02/12/fcc_gets_tough_on_telcos/
32 comments
> Such a tough FCC.
I had the same thought: this is "tough?"
No fines for failing to protect your data? No additional requirements for data security? They just have to tell you when the screwed up.
sigh
I had the same thought: this is "tough?"
No fines for failing to protect your data? No additional requirements for data security? They just have to tell you when the screwed up.
sigh
Yea. This is failure masquerading as improvement as far as I can honestly tell. The idea that someone thought it was a good idea to put out a press release or whatever is a little baffling.
It should read, “FCC once again fails to substantively improve the lives of consumers OR address data breaches and the loss of consumer data by countless companies.”
Its baffling. But it’s still better than the TSA. ;)
It should read, “FCC once again fails to substantively improve the lives of consumers OR address data breaches and the loss of consumer data by countless companies.”
Its baffling. But it’s still better than the TSA. ;)
Once upon a time the FCC had a reputation as the "Benevolent Dictator" (at least when I once worked for an ISP).
No longer.
No longer.
They need to carry identity theft insurance for sim swapping and other similar attacks, or if a rogue employee misuses the data (very common considering that they probably have tens of thousands of front line staff with access to customer data).
I like how this is considered "tough". What would be tough is instituting actual data security and privacy regulations that telcos and service providers have to follow at risk of being fined out of business to be replaced by an organization that can.
One major problem is that PII/Personal info is uselessly broad.
Legislation like this would be much more useful if it had clear rules or fines for various levels of PII. For example, getting your social security number stolen is significantly worse than a stolen e-mail address or phone number.
All the notifications about e-mail being "stolen" are just noise that few care about.
Legislation like this would be much more useful if it had clear rules or fines for various levels of PII. For example, getting your social security number stolen is significantly worse than a stolen e-mail address or phone number.
All the notifications about e-mail being "stolen" are just noise that few care about.
What’s actually insane is treating an unchanging non random 9 digit retirement benefits identifier as some kind of secret, knowledge of which is assumed to be proof of identity.
I think I've gotten at least 5 different notices in the mail from different companies (healthcare, kids school) that told me my info was involved in a breach. I figured some new law must have gotten passed because most companies would never do this willingly.
You know what is even more frustrating?
When I get 5 different notices in the mail from different companies that told me my info was involved in a breach, *and I never did direct business with any of them or have been notified that my data been given to them, ever.*
When I get 5 different notices in the mail from different companies that told me my info was involved in a breach, *and I never did direct business with any of them or have been notified that my data been given to them, ever.*
This would have helped when someone defrauded Verizon's wired line division, converted the account to wireless, and then pinned it on me. Instead, I can't seem to convince at least one of the three arbiters of credit that the other two are correct, and I have never lived on "Crooks Ave".
I've filed everything I was told to and fended off creditors and debt purchasers alike, and I still can't get it cleared. Just who do I need to sue to get this sort of meaningless shit cleared in the US?
I've filed everything I was told to and fended off creditors and debt purchasers alike, and I still can't get it cleared. Just who do I need to sue to get this sort of meaningless shit cleared in the US?
I'll take it as being tough when companies are financially liable for data exposure along the same lines of HIPAA. Maybe something akin to:
* $10 per element of data not directly required for legal purposes or for the direct provision of services explicitly requested by customers (e.g. their shipping address)
* $2 for element of data not legally mandated.
For data stored to meet legal data retention requirements:
* If the law requires that information be made available in a fully automated and online manner, then $0.50 per element of data, and $5 per element of data from the government (state vs federal) that mandated the data be stored and accessible
* If the law does not require fully automated online access, then if the data is not encrypted such that it requires concurrent action by multiple employees to decrypt, then it's $100/data (e.g. no claiming it's needed for legal reasons but keeping it accessible for profit reasons).
Essentially, make it so customer data is not purely a balance sheet asset.
Also make it so credit agencies knowingly reporting incorrect information is a crime, and make them liable for all costs incurred (higher interest rates) and financial penalties for extreme cases (refusing loans outright, refusing rental, demanding higher deposits, etc). The fact that the agencies themselves are selling "monitoring services" shows that they are aware that their reporting is fraudulent.
* $10 per element of data not directly required for legal purposes or for the direct provision of services explicitly requested by customers (e.g. their shipping address)
* $2 for element of data not legally mandated.
For data stored to meet legal data retention requirements:
* If the law requires that information be made available in a fully automated and online manner, then $0.50 per element of data, and $5 per element of data from the government (state vs federal) that mandated the data be stored and accessible
* If the law does not require fully automated online access, then if the data is not encrypted such that it requires concurrent action by multiple employees to decrypt, then it's $100/data (e.g. no claiming it's needed for legal reasons but keeping it accessible for profit reasons).
Essentially, make it so customer data is not purely a balance sheet asset.
Also make it so credit agencies knowingly reporting incorrect information is a crime, and make them liable for all costs incurred (higher interest rates) and financial penalties for extreme cases (refusing loans outright, refusing rental, demanding higher deposits, etc). The fact that the agencies themselves are selling "monitoring services" shows that they are aware that their reporting is fraudulent.
I would make it even simpler. If a company is breached and customer data is stolen, the company is liable as a coconspirator via negligence to any resulting fraud or scam claims on affected customers.
They may make an affirmative defense that the scam was not due to their breach, if they can prove their leaked data was not used.
> Also make it so credit agencies knowingly reporting incorrect information is a crime, and make them liable for all costs incurred (higher interest rates) and financial penalties for extreme cases (refusing loans outright, refusing rental, demanding higher deposits, etc).
This is already a thing, under US libel laws. Not 100% sure about the damages and how they would be calculated, but they are liable.
The underlying issue is that I'm doubtful they ever "knowingly" lie. They're basically information aggregators; other people report info to them and they republish it. They might suspect some entries of being unreliable, but I don't think they ever truly know. They live on probabilities.
A second underlying issue is that the government has consistently exempted credit agencies from normal applications of libel. Presuming you aren't famous enough to be a public figure, under normal libel law you would only have to demonstrate that a) the information is incorrect (regardless of whether they think it's true or not), b) that they distributed it, and c) that it was written (spoken would be defamation instead of libel). If you are a public official or public figure, you would also have to show actual malice (intent to harm, or reckless disregard for the truth).
The government (the judiciary, really) has consistently applied the malice standard to private citizens under the argument that the system provides substantial benefits to it's users (businesses) and that it effectively cannot exist with normal libel laws.
The malice part effectively shields them from all claims. It's an incredibly high bar to reach, because it's also what protects newspapers from drowning in libel claims. So we're granting credit agencies reporting on private citizens the same protections as a newspaper reporting on the president.
Any significant changes to credit agencies would need to start with rolling back their libel protections to some degree to make them actually liable for what they publish.
They may make an affirmative defense that the scam was not due to their breach, if they can prove their leaked data was not used.
> Also make it so credit agencies knowingly reporting incorrect information is a crime, and make them liable for all costs incurred (higher interest rates) and financial penalties for extreme cases (refusing loans outright, refusing rental, demanding higher deposits, etc).
This is already a thing, under US libel laws. Not 100% sure about the damages and how they would be calculated, but they are liable.
The underlying issue is that I'm doubtful they ever "knowingly" lie. They're basically information aggregators; other people report info to them and they republish it. They might suspect some entries of being unreliable, but I don't think they ever truly know. They live on probabilities.
A second underlying issue is that the government has consistently exempted credit agencies from normal applications of libel. Presuming you aren't famous enough to be a public figure, under normal libel law you would only have to demonstrate that a) the information is incorrect (regardless of whether they think it's true or not), b) that they distributed it, and c) that it was written (spoken would be defamation instead of libel). If you are a public official or public figure, you would also have to show actual malice (intent to harm, or reckless disregard for the truth).
The government (the judiciary, really) has consistently applied the malice standard to private citizens under the argument that the system provides substantial benefits to it's users (businesses) and that it effectively cannot exist with normal libel laws.
The malice part effectively shields them from all claims. It's an incredibly high bar to reach, because it's also what protects newspapers from drowning in libel claims. So we're granting credit agencies reporting on private citizens the same protections as a newspaper reporting on the president.
Any significant changes to credit agencies would need to start with rolling back their libel protections to some degree to make them actually liable for what they publish.
There should also be a sliding scale element e.g. fines doubled if for more than 100k customers affected, if over a million the greater of 20% of gross profit or 10x the fine…etc.
How about, a huge fine! And use the fine to found EFF or open source security experts to audit them (All the big Telcos!) and harden their securities. At this piont Telcos are should be treated as public utility companies!
I'm sorry, but a set of circumstances have led to your data being lost. We're making sure that set of circumstances will never occur exactly the same way it did.
Sincerely,
James Johnson Jr.
CEO BigNetCorp
Sincerely,
James Johnson Jr.
CEO BigNetCorp
And they must say they’re sorry and they must say how important our privacy is to them and they must commit to doing better but they mustn’t make us whole.
So immediately after a new user signs up, they should just send out an email saying their data has been taken. save everyone time.
The <title> is much more accurate: FCC publishes final version of new breach report rules
Curse my cynical mind of the delayed "ohhh, we had no idea we were breached. Sorry about that folks btw your details were stolen lol" excuse.
Balls of steel the FCC has. Is this the first consumer friendly thing they’ve actually done in a couple decades?
... what's up next in this tough cruel world? Banks must tell you when someone stole your money? Companies must tell you when they go bankrupt and gambled your assets? I fear madness ahead.
[deleted]
Why just telcos?
Because the remit and legislative mandate of the US Federal Communications Commission is ... communications:
As specified in section one of the Communications Act, the Commission’s mission is to “make available, so far as possible, to all the people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex, rapid, efficient, Nation-wide, and world-wide wire and radio communication service with adequate facilities at reasonable charges.” 1 In addition, section one provides that the Commission was created “for the purpose of the national defense” and “for the purpose of promoting safety of life and property through the use of wire and radio communications.”
FEDERAL COMMUNICATIONS COMMISSION Fiscal Year 2008 Performance and Accountability Report, p. 4: <https://transition.fcc.gov/Reports/ar2008.pdf>
For general commercial enterprise requirements, you'd want the Federal Trade Commission, whose mandates are antitrust and general consumer protection.
As specified in section one of the Communications Act, the Commission’s mission is to “make available, so far as possible, to all the people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex, rapid, efficient, Nation-wide, and world-wide wire and radio communication service with adequate facilities at reasonable charges.” 1 In addition, section one provides that the Commission was created “for the purpose of the national defense” and “for the purpose of promoting safety of life and property through the use of wire and radio communications.”
FEDERAL COMMUNICATIONS COMMISSION Fiscal Year 2008 Performance and Accountability Report, p. 4: <https://transition.fcc.gov/Reports/ar2008.pdf>
For general commercial enterprise requirements, you'd want the Federal Trade Commission, whose mandates are antitrust and general consumer protection.
And what's the "Trade Commission" doing about this? Taking bribes? Sorry, listening to lobbyists ...
A somewhat more fruitful, informative, and informative approach to this, as well as adhering to HN's prime directive of stimulating intellectual curiosity[1] might be to spend a minute or five with $YOUR_PREFERRED_SEARCH_ENGINE, seeking relevant results, and commenting on those.
DDG returns for "Federal Trade Commision data breach" results such as:
"FTC Publishes Final Data Breach Notification Amendment to Safeguards Rule"
<https://www.arnoldporter.com/en/perspectives/advisories/2023...>
Dated December 4, 2023
Note that executive departments, agencies, and commissions are limited by their legislative mandate (United States Code) as interpreted by administrative rulemaking (Code of Federal Regulations), modulo further factors (case law, administration and adminstrator policy, etc.). Raising your own and others' awareness of these makes for a more interesting and productive discussion.
As for other HN guidelines, I'd suggest your reviewing <https://news.ycombinator.com/item?id=9721402> and <https://news.ycombinator.com/item?id=9536021>.
________________________________
Notes:
1. <https://news.ycombinator.com/item?id=26998308>
DDG returns for "Federal Trade Commision data breach" results such as:
"FTC Publishes Final Data Breach Notification Amendment to Safeguards Rule"
<https://www.arnoldporter.com/en/perspectives/advisories/2023...>
Dated December 4, 2023
Note that executive departments, agencies, and commissions are limited by their legislative mandate (United States Code) as interpreted by administrative rulemaking (Code of Federal Regulations), modulo further factors (case law, administration and adminstrator policy, etc.). Raising your own and others' awareness of these makes for a more interesting and productive discussion.
As for other HN guidelines, I'd suggest your reviewing <https://news.ycombinator.com/item?id=9721402> and <https://news.ycombinator.com/item?id=9536021>.
________________________________
Notes:
1. <https://news.ycombinator.com/item?id=26998308>
So futuristic
I mean, that doesn’t seem _particularly_ tough.
Wow, they have to do what other companies have to do. Brutal. /s
Just as hard hitting as making robovoices illegal rather than requiring providers to end spam calls on their networks effectively.
https://www.fcc.gov/document/fcc-makes-ai-generated-voices-r....
Bear in mind this is the TOP consumer complaint. And they have done basically a minor law change to clarify that the law still applies, and that it’s definitely still illegal. Uh, but they haven’t addressed the problem or fixed it in any substantive way.
Such a tough FCC.
I will say that Jessica Rosenworcel is an angel compared to Ajit “Screw Consumers ITB As Much As Possible” Pai. I miss that guy like a hemmeroid. I’m sure he’s enjoying his job as a partner at the private-equity firm Searchlight Capital where he is now seeking to “close the gap” on the broadband failures he was largely responsible for expanding for several years.
https://www.wsj.com/articles/searchlight-capital-bets-on-uni...
It’s amazing. The FCC seems to be either very bad at their job or completely 0wn3d by the revolving door of private industry.