Wireless association challenges Justice Department "pretexting" proposals
by Matthew Lasar Feb 12 2007 - 10:15pm Privacy
A major cell phone trade association has asked the Federal Communications Commission for more time to comment on a Justice Department proposal that would require phone companies to delay telling customers that their data has been stolen.

"The proposal, if adopted by the FCC in the manner proposed by the Department, inadvertently could require carriers to report immaterial breaches and could force carriers to delay notifying customers of major security breaches," a representative of CTIA, the Wireless Association, wrote to the FCC on February 5th. "Both of these elements could create a direct conflict with certain state security breach notification laws."

The Department of Justice (DOJ) has asked the Federal Communications Commission to "include a mechanism of delay" in any rules requiring phone companies to notify consumers that their records have been "pretexted"—that is, stolen. The delay would last at least a week, and could go on indefinitely.

"Allowing for delayed consumer notification in appropriate cases enhances our ability to investigate the circumstances surrounding the loss of the data and, thereby, advances consumer protection," Deputy Attorney General Paul McNulty wrote to the FCC on December 28th, 2006.

In some instances, the Justice Department suggests putting off customer notification for "an initial period" of 30 days. "Such period may be extended by the agency as reasonably necessary in the judgment of the agency," the December 28th filing recommends.

The DOJ request comes in the context of an FCC proceeding to establish security measures against "pretexters"—con artists who trick phone companies into disclosing "customer proprietary network information" (CPNI), then sell those records to others. In February of 2006, the FCC opened a new rulemaking proceeding on pretexting, requested by the Electronic Privacy Information Center (EPIC).

The proceeding asked the public to comment on five security measures proposed by EPIC to protect customer phone data: passwords set by customers, better tracking of customer records, encryption of records, limits to how long companies can keep customer data, and letting customers know if the security of their records has been compromised.

CTIA's response to the DOJ's request notes that 34 states have security laws requiring phone companies to promptly notify customers in the event of any incident regarding their data. In addition, the filing observes: "a party aggrieved by a violation of state disclosure law—in this case a person injured by the delay in learning that his or her CPNI was wrongfully disclosed—could bring a third-party enforcement action against the provider that delayed such notice."

The trade group has asked the FCC to "briefly delay" action on the DOJ proposal and issue a Further Notice on the question in order to get more comment.
LLFCC (Lasar's Letter on the FCC); copyright 2005, 2006, 2007.
Please feel free to post these articles on your site or whatever because you'll do it anyway. Don't forget to credit the author and link to the site. Ideally you will post part of the article and add a link to the rest.