[BreachExchange] FCC to halt rule that protects your private data from security breaches

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 24 20:05:32 EST 2017


https://arstechnica.com/tech-policy/2017/02/isps-wont-have-to-follow-new-rule-that-protects-your-data-from-theft/

The Federal Communications Commission plans to halt implementation of a
privacy rule that requires ISPs to protect the security of their customers'
personal information.

The data security rule is part of a broader privacy rulemaking implemented
under former Chairman Tom Wheeler but opposed by the FCC's new Republican
majority. The privacy order's data security obligations are scheduled to
take effect on March 2, but Chairman Ajit Pai wants to prevent that from
happening.

The data security rule requires ISPs and phone companies to take
"reasonable" steps to protect customers' information—such as Social
Security numbers, financial and health information, and Web browsing
data—from theft and data breaches.

"Chairman Pai is seeking to act on a request to stay this rule before it
takes effect on March 2," an FCC spokesperson said in a statement to Ars.

The rule could be blocked even if a majority of commissioners supported
keeping it in place, because the FCC's Wireline Competition Bureau can
make the decision on its own.

"If commissioners are willing to cast their votes by March 2, then the full
commission will decide the stay request," the FCC statement said. "If not,
then the bureau will stay that one element of the privacy rules pending a
full commission vote on the pending petitions for reconsideration
consistent with past practice."

That "full commission vote on the pending petitions" could wipe out the
entire privacy rulemaking, not just the data security section, in response
to petitions filed by trade groups representing ISPs. That vote has not yet
been scheduled.

The most well-known portion of the privacy order requires ISPs to get
opt-in consent from consumers before sharing Web browsing data and other
private information with advertisers and other third parties. The opt-in
rule is supposed to take effect December 4, 2017, unless the FCC or
Congress eliminates it before then.

Pai has said that ISPs shouldn't face stricter rules than online providers
like Google and Facebook, which are regulated separately by the Federal
Trade Commission. Pai wants a "technology-neutral privacy framework for the
online world" based on the FTC's standards. According to today's FCC
statement, the data security rule "is not consistent with the FTC's privacy
standards."

"Chairman Pai believes that the best way to protect the online privacy of
American consumers is through a comprehensive and uniform regulatory
framework," the FCC said. "All actors in the online space should be subject
to the same rules, and the federal government shouldn’t favor one set of
companies over another."

But the FTC is barred from regulating common carriers, a distinction that
the FCC applies to broadband providers. So the FTC won't be protecting the
privacy of ISP customers unless ISPs are reclassified. The FCC or Congress
could change that classification, but that move could also wipe out
net-neutrality rules that rely on the FCC's authority over common carriers.

What the data security rules require

FCC privacy rules already apply to telephone service. Wheeler's privacy
order changed the privacy rules and applied them to fixed and mobile
broadband service in addition to phone service for the first time.

The data security rule says that telecommunications providers "must take
reasonable measures to protect customer PI [proprietary information] from
unauthorized use, disclosure, or access." That includes financial and
health information, information pertaining to children, Social Security
numbers, precise geo-location data, the content of communications, call
detail information, Web browsing history, and application usage history.

The FCC did not mandate any specific data security practices, but it did
provide some recommendations. For example, the privacy order encouraged
ISPs to consider adopting industry standards such as the Cybersecurity
Framework, written by the National Institute of Standards and Technology
(NIST), and best practices recommended by the FCC's Communications
Security, Reliability and Interoperability Council.

But the privacy order stressed that following these standards is
"voluntary" and that "providers retain the option to use whatever risk
management approach best fits their needs." If there are complaints about
security, the FCC would decide whether the ISP has implemented reasonable
data security practices based on a few factors. In specific cases, the FCC
planned to consider the ISP's size, the technical feasibility of security
measures, "the nature and scope of [an ISP's] activities," and "the
sensitivity of the data it collects."

Another part of the privacy order related to data breach notifications
doesn't take effect until June 2. The breach notification rule requires
providers to notify affected consumers within 30 days "after reasonable
determination of the breach." For data breaches affecting at least 5,000
customers, telcos must notify the FBI, Secret Service, and FCC within seven
business days. For data breaches affecting fewer than 5,000 customers, the
companies must notify the FCC at the same time they notify consumers.

When the FCC approved the privacy rules, Wheeler argued that ISPs are
uniquely capable of collecting consumers' Internet traffic because they can
monitor everything that goes over the connection and because switching ISPs
is difficult for customers. Consumer advocacy groups supported the privacy
rules and have been urging Congress and the FCC to leave them in place.