Regulatory Comment: FCC Lacks Statutory Authority to Expand Data Breach Notification Standards to “Inadvertent Breaches”
Data breach notification standards are important tools to protect cybersecurity. The Federal Communications Commission (FCC), though, lacks congressional authority to expand its current notification regime to include “accidental” or “inadvertent breaches.” In a recent comment filed with the FCC, I discussed the need to ensure that consumers are notified when bad actors intentionally access confidential information.
The statute that the FCC cites for the authority to establish data breach notification rules, though, lacks any reference to the security of data. Congress, instead, wanted telecommunications carriers to protect the privacy of certain defined confidential information from misuse. It is difficult to infer security standards from a privacy statute, especially when Congress specifically granted to other agencies the authority to protect the security of data.
As stated in the comment, “Data breach notifications fall within a broad spectrum of cybersecurity measures. They help notify consumers of the need to take identity-protecting mitigation measures in response to a successful cyber attack. … Encouraging better security practices, though, is outside the scope of [the authorizing law], as evidenced by other statutes Congress passed enabling agencies to promulgate data breach notification standards.”