The U.S. Federal Communications Commission (FCC) Wants Telecom Carriers to Disclose Hacks More Quickly

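The days of learning about a data breach affecting your personal data only months after it happened may soon be a thing of the past, at least when the hack affects a telecom carrier. The Federal Communications Commission has proposed a new rule that would require phone and telecom providers to notify customers of data breaches much more quickly.

“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches,” FCC Chair Jessica Rosenworcel said in a press statement. Although the laws of states such as California have more current and stricter standards, the 15-year-old federal rule is likely in urgent need of an update.

Currently, federal rules impose a waiting period of at least seven business days between the discovery of a breach and the point at which a company may tell its customers. The change proposed by the FCC would remove that waiting period and instead require carriers to notify customers of hacks and other security issues “without unreasonable delay after discovery.” In other words, the time between hackers obtaining people’s sensitive data and the affected people learning of it could become much shorter, making it easier to take early protective measures such as canceling credit cards or changing passwords.

According to the proposal, the reason for the 7-day wait is to give telecom companies time to report a breach to “relevant investigative agencies” before telling customers, so that those agencies can assess the risk to the public. However, hackers are attacking telecom carriers more than ever before, and the risk the public faces is becoming increasingly apparent.

We spend almost our entire lives on our phones or on the internet, and telecom carriers hold a great deal of information about their customers, including (but not limited to) call data, location, hardware details, and billing and financial information. Stolen data can end up bought and sold on the dark web in an instant, leaving victims at risk of identity theft and other major financial and privacy consequences.

“In the telecommunications industry, the public has suffered an increasing number of security breaches of customer information in recent years,” the rule proposal notes. According to an analysis by Infosecurity Magazine, data breaches across all industries rose 70% in the last few months of 2022.

Things were already bad before that. In 2021, a separate analysis found that more than 13 different global telecom providers had been infiltrated by a single hacker group within just two years. Both T-Mobile and AT&T have reportedly suffered data hacks that affected tens of millions of customers and exposed sensitive data including Social Security numbers and driver’s license information. AT&T denied any breach, but T-Mobile ultimately paid $500 million over its own incident. Before that, T-Mobile customers were victims of similar breaches in 2019 and 2015.

Gizmodo contacted T-Mobile, AT&T, Verizon, and Comcast to learn what the largest U.S. telecom providers think of the FCC proposal, but none of the companies responded immediately.

Besides ensuring that customers learn of hacks more quickly, the proposed changes would also broaden the definition of a data breach, along with some other minor adjustments. Accidental or unintentional disclosures of customer information would be classed as data breaches. So if a carrier makes a mistake, even without any outside interference, it would need to notify customers.

But implementing these changes is not entirely simple. The FCC proposal notes that forcing carriers to notify customers of a breach immediately could jeopardize criminal investigations. As a loophole, the new rule would allow federal agencies to delay notification for 30 days, which does not fully solve the timeliness problem. The commission is also considering how to handle smaller carriers and whether and how to set a notification deadline. In addition, the FCC is seeking public input on whether breach notifications should include specific information about what was leaked and how best to manage it. The proposal will soon be open for public comment, and you can tell the FCC what you think.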

Original text:

The days of finding out about a data breach impacting your personal data months after the fact may soon become a thing of the past—at least when it comes to hacks affecting telecom carriers. The Federal Communications Commission has proposed a new rule, requiring phone and internet providers to notify customers of breaches much more quickly.

“This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches,” said FCC Chair Jessica Rosenworcel in a press statement. Though state laws, like those in California, have more current and stringent standards, the pre-existing federal rule is 15 years old, and likely in dire need of updating.

Currently, there is a federally mandated seven business day minimum waiting period between discovery of a breach and when companies can tell their customers about it. The FCC’s recommended change would scrap that waiting period and instead require carriers to notify customers of hacks and other security issues “without unreasonable delay after discovery.”

In other words: the amount of time between when hackers get ahold of people’s sensitive data and when those impacted know about it could become much shorter—making it easier to take early protective action like canceling credit cards or changing passwords.

The reasoning behind that 7-day wait is so that telecom companies have time to report breaches to “relevant investigative agencies” before they tell customers, and so that the investigative bodies can gauge the risk to the public, according to the proposal. However, hackers are targeting telecom carriers more than ever before, and what’s at stake for the public has become progressively more apparent.

We live nearly our whole lives on our phones or over the internet and telecom companies are in possession of extensive information about their customers, including (but not limited to) call data, location, hardware details, and billing and financial info. Stolen data can end up bought and sold on the dark web in a flash, leaving victims at risk of identity theft and other major financial and privacy repercussions.

“In the telecommunications industry, the public has suffered an increasing number of security breaches of customer information in recent years,” the rule proposal notes. Data breaches across all sectors rose 70% in just the last few months of 2022, according to one analysis from Infosecurity Magazine.

And things were already pretty bad before that. In 2021, a separate analysis found that more than 13 different global telecom providers had been infiltrated by a single hacker group in just two years. Both T-Mobile and AT&T have reportedly suffered data hacks impacting tens of millions of customers, and revealing sensitive data including social security numbers, and driver’s license info. AT&T denied any breach, but T-Mobile ended up settling for $500 million over its own incident. Previously, T-Mobile customers ended up victims of similar breaches in 2019 and 2015.

Gizmodo reached out to T-Mobile, AT&T, Verizon, and Comcast to see what the U.S.’s largest telecoms providers think about the FCC proposal, but none of the companies immediately responded.

On top of ensuring customers learn about hacks more quickly, the proposed change would also broaden the definition of data breaches, among other small adjustments. Accidental or unintended disclosures of customer info would newly fall under the data breach umbrella. So, if a carrier screws up—even without external meddling—it would need to notify customers.

But instituting these changes isn’t 100% straightforward. The FCC proposal notes concerns about jeopardizing criminal investigations if carriers are forced to notify customers of breaches right away. As a loophole, the new rule could allow federal agencies to delay notices for up to 30 days—which wouldn’t exactly solve the timeliness issue. The commission is also working through how to handle smaller carriers and if/how to institute a notification period time limit. Further, the FCC is asking for public input on whether or not breach notifications should include specific information about what was leaked and how to best manage it. Soon, the proposal will be open for comment, and you can tell the FCC your thoughts.

This article was translated by 数字化转型网 (www.szhzxw.cn). Editor/translator: 默然, 数字化转型网.
