The proposed rule changes were detailed in a Notice of Proposed Rulemaking issued by the Commission. In brief, the proposed changes would eliminate the current seven business day mandatory waiting period to issue notifications of a breach, and would also require notification of all reportable breaches to the FCC, the Federal Bureau of Investigation (FBI), and the U.S. Secret Service.
The Commission also seeks to expand the definition of “breach” to include any inadvertent access, use, or disclosure of customer information. This change would help to protect customers not just from malicious breaches by third parties but also from accidental access, use, or disclosures.
If adopted, the proposed changes would dramatically overhaul Commission rules first enacted in 2007. The Commission acknowledged in its Notice that the threat landscape facing telecommunications operators has changed dramatically over the past 15 years and that its proposed changes are necessary to keep pace with emerging challenges to data security.
In an Order issued in late 2022, the FCC approved across-the-board increases of approximately 7-8% for most forfeiture penalties for violations of FCC rules and requirements. Under the 2015 Inflation Adjustment Act, federal agencies are required to annually adjust civil monetary penalties for violations of their rules. The updated forfeiture amounts apply to penalties assessed on or after January 15, 2023.
In a Notice of Proposed Rulemaking, the FCC is seeking comment on service rules that would provide unmanned aircraft system (UAS) operators with access to licensed spectrum in the 5030-5091 MHz band to support safety-critical UAS communications links.
At present, no spectrum is licensed in the U.S. exclusively for UAS communications use. Instead, operators have generally relied on unlicensed operations or experimental licenses. However, these options do not provide users with protection from harmful interference, potentially affecting the reliability of essential UAS communications.
As UAS operations expand to include activities with a higher risk profile, the Commission sees the increasing importance of access to interference-protected licensed spectrum for UAS wireless communications, hence its decision to issue the proposed service rules.
In a presentation at the Practising Law Institute’s 40th Annual Institute on Telecommunications Policy & Regulation, Commissioner Nathan Simington called on the FCC to modify its equipment authorization process to require device manufacturers to provide software security updates to their wireless devices for a defined period of time.
“It’s time to turn our attention to the millions of wireless devices in our country that are insecure, not because they’re made by unfriendly state-controlled entities or criminal hackers masquerading as legitimate manufacturers, but rather, because their makers have failed to put sufficient care into making and keeping them secure,” said Simington.
According to Simington, “For software updates…all that’s required is that the maker identify the flaw in the code, fix it, test it, and release it through their update channels…The burden of releasing a software update—a relatively small amount of labor inside a company’s engineering offices—is vastly outweighed by the benefit to society—a dangerous vulnerability being closed on thousands or millions of devices in active use across American households and businesses.”
As for the FCC’s authority to act in this matter, Simington believes that “Title 3 of the Communications Act gives us expansive authority to regulate RF emitting devices to make sure they don’t cause harmful interference.” Accordingly, “I believe that our equipment authorization and spectrum licensing regime includes such a requirement already. It’s just a matter of updating our assumptions about what’s possible.”