FCC proposes stricter requirements for reporting data breaches

Companies would even have to report accidental breaches.

The Federal Communications Commission is the next US regulator hoping to hold companies more accountable for data breaches. Chairwoman Jessica Rosenworcel has shared a rulemaking proposal that would introduce stricter requirements for data breach reporting. Most notably, the new rules would require notifications for customers affected by "inadvertent" breaches — companies that leave data exposed would have to be just as communicative as victims of cyberattacks.

The requirements would also scrap a mandatory one-week waiting period for notifying customers. Carriers, meanwhile, would have to disclose reportable breaches to the FCC in addition to the FBI and Secret Service.

Rosenworcel argued the tougher rules were necessary to account for the "evolving nature" of breaches and the risks they posed to victims. People ought to be protected against larger and more frequent incidents, the FCC chair said — that is, regulations need to catch up with reality.

The FCC didn't say when the proposal might come up for a vote, although the FCC's next open meeting is slated for January 27th. There's no guarantee the Commission will greenlight the new requirements. It won't be surprising if the rulemaking moves forward, however. While companies are now more likely to disclose breaches, there have been multiple high-profile incidents where those firms took too long to alert customers or didn't notify them at all. The new measures could cut that wait time, giving people a better chance of securing their data and preventing fraud.