This article is more than 1 year old
No more holidays for US telcos, FCC is cracking down
Also, LastPass faces class action, and Louisiana says that, while the internet may be for porn, ID is still required
In Brief The Federal Communications Commission plans to overhaul its security reporting rules for the telecom industry to, among other things, eliminate a mandatory seven-day wait for informing customers of stolen data and expand the definition of what constitutes an incident.
In a unanimous 4-0 vote, the FCC published a notice of proposed rulemaking that Chairwoman Jessica Rosenworcel said is sorely overdue, as the current rules are more than 15 years old.
"The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements," Rosenworcel said.
Along with eliminating the waiting period for reporting events to customers, the FCC is also proposing to require telling the FBI and US Secret Service, but is still seeking input on when this should be done.
The FCC also admitted in the proposal that its focus in the original breach reporting rules implemented in 2007 was too narrow - it only accounted for breaches involving pretexting crimes that involve impersonating someone to forcibly gain access to secure data.
Of its original definition, the FCC's 2007 rule stated that a breach occurs "when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed [confidential proprietary network information]," or CPNI.
The FCC's new definition adds accidental disclosures to its definition of breach, which should make telecom companies sit up and take notice: Negligence isn't going to be a good excuse for much longer.
Rosenworcel had been floating the stricter disclosure rules since January of last year, months after T-Mobile US saw 100 million customer records leaked online. T-Mobile also settled two data breach lawsuits from 2012 and 2015 late last year.
The comment period opened today, giving interested parties 30 days to have their say before the FCC makes its final decision.
LastPass hit with lawsuit over August breach
An August data disaster at password manager LastPass just keeps getting worse for the company. First it admitted the attacker made off with customer data in a December update, and now it's been served with a proposed class-action lawsuit accusing it of "woefully insufficient" security practices.
LastPass initially said the incident involved the theft of the platform's source code and some internal documents, but said user data was all perfectly safe. After looking deeper, it turned out that the stolen data was used to target another employee, and with that access the attackers managed to gain access to a cloud storage system to steal user password vaults.
The data stolen included "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses."
A lawsuit has been filed by an unnamed individual who said LastPass' failures led to the theft of an unspecified amount of Bitcoin private keys stored in the wallet, which the suit said contained roughly $53,000 in the cryptocurrency.
The suit is seeking a jury trial to squeeze damages and restitution out of LastPass for a nationwide class that includes any LastPass users who had data stolen in the breach.
ID now required to access online smut in Louisiana
A bill signed into law in Louisiana last year has taken effect requiring anyone in the state looking to peruse pornographic content on websites like Pornhub or OnlyFans to verify their age first.
Act 440 [PDF], which took effect on New Year's Day, requires any website that deals in "more than thirty-three and one-third percent" smutty content to ID users through a commercial age verification system.
It's not immediately clear how most adult websites plan to respond, but PornHub, owned by Canadian company Mindgeek, which is the big daddy of pornographic websites with a monopolistic market share, has already begun to require age verification via Louisiana's LAWallet, its digital driver's license app.
Unsurprisingly, privacy advocates aren't thrilled with the new policy. Speaking to NPR, the Electronic Frontier Foundation's Jason Kelley, its associate director of digital strategy, said Louisiana residents have every right to be concerned.
"There is the explicit intention in the law that verifiers and websites that are using age verification should not retain [your information], but users don't have a lot of guarantees that it will happen and the data will be removed or deleted and [won't be] shared or used in other ways," Kelley said.
In addition to requiring visitors to verify their age, Act 440 also puts an onus on pornographic site operators to ensure minors don't gain access, lest they be liable for "damages resulting from a minor's accessing the material." ®