Cell phone customers whose calling record data has been stolen may learn about the theft as long as two weeks after the carrier discovers it, and a week after the Federal Bureau of Investigation does, the Federal Communications Commission ruled today.
That is, unless the FBI and the United States Secret Service (USSS) ask the carrier to put off disclosure of the security breach even longer.
The decision is part of a suite of new rules to protect consumers from "pretexters"—con artists who trick phone companies into disclosing calling records, then sell the data over the Internet or elsewhere.
Today's FCC decisions mean that from now on:
- Phone companies cannot release customer phone call records unless the customer provides a password. In the absence of a password, the company can only send the data to the customer's address of record or call the customer back at their phone number of record.
- Carriers must notify the customer immediately if their password changes.
- Telcos must get explicit consent from customers before sharing calling data with marketing partners and independent contractors.
- Carriers must submit an annual certification to the FCC that includes actions taken against pretexters and a summary of relevant complaints from consumers.
The FCC opened a new rulemaking proceeding on pretexting a little over a year ago, at the request of the Electronic Privacy Information Center (EPIC).
During the comment cycle the Department of Justice, Federal Bureau of Investigation, and Department of Homeland Security repeatedly asked [0] the FCC to include rules delaying the point at which carriers may tell customers that the security of their records has been compromised.
The DOJ argued that immediately letting customers know that their calling records have been obtained by pretexters could tip off the culprits, "causing them, among other things, to destroy evidence, change their behavior, and accelerate their illegal use of any data before consumers or company victims can act."
The FCC has complied with this request. Carriers must inform the FBI and USSS no later than seven days after the theft, and may then inform customers seven days after that, but only if the law enforcement agencies do not request a longer delay.
The new procedures do allow telcos to notify customers immediately "if the carrier believes that there is an extraordinarily urgent need to notify a customer or class of customers in order to avoid immediate and irreparable harm."
The FCC's Notice does not define what "irreparable harm" means. The ruling requires the carrier to make the notification decision in consultation with the relevant law enforcement agency.
In addition, carriers must keep records of the breach, and disclosures to the FBI and USSS, for at least two years.
Today's announcement was not part of an Open Commission meeting. The news release and executive summary of the decision barely mentioned its law enforcement notification provisions, except to say that a "notification process is established for both law enforcement and customers in the event of a CPNI [customer proprietary network information] breach."
The Commission's two Democrats dissented on the law enforcement provisions of the decision. Michael Copps called the move "needlessly overbroad."
"If an unauthorized individual has gained access to personal telephone records involving victims of stalking or spousal violence," Copps said in a public statement, "it won't be the carrier or the law enforcement agency—but the victims—who are in the best position to know when and how harm may be heading toward them."
FCC Chair Kevin Martin praised the Notice, saying that the action "ensures that law enforcement will have necessary tools to investigate and enforce illegal access to customer records."