We joined the Electronic Privacy Information Center, Center for Democracy and Technology, and Public Knowledge in submitting reply comments to the Federal Communications Commission on a Notice of Proposed Rulemaking on Data Breach Reporting Requirements. The comments highlight the need for the FCC to incentivize the telecommunications industry to improve data security practices, create guidelines for network vulnerabilities, and better equip consumers to handle the fallout from breaches.
One key point we emphasized was that a business should not be permitted to delay notifying people, or avoid notifying them altogether, in the event it determines harm is unlikely to occur as a result of the breach. This is called a harm-based trigger for notification, and it does not sufficiently protect consumers because it allows, and in some cases may incentivize, a business to make the determination that a data breach was "harmless" to avoid notifying victims.
To read the comments submitted, visit the FCC website or download them by clicking "Download PDF".