FCC matches its data breach notification policies with US state regulations
The Federal Communications Commission, the U.S. regulator, is changing data-breach definitions in order to harmonize its notification rules with those of states.
The changes broaden definitions in a way that should give consumers more protection when their data, biometric and otherwise, is viewed or used by unauthorized people.
An analysis of the changes by the Covington law firm says the new policies expand definitions for covered data and breach. Enactment of the FCC’s order is expected this year.
Inadvertent unauthorized access is now the same as malicious actions in the FCC’s eyes. However, good-faith access by employees and agents of carriers or service providers is exempt so long as the accessed data is not disclosed or improperly used beyond those initial employees.
Covered data (personally identifiable information) in relation to a breach has been broadened from the current guideline known as Customer Proprietary Network Information.
Now, PII is data useful in distinguishing or tracing someone’s identity alone or combined with other information “linked or reasonably linkable to a specific individual.”
Biometric data, including genetic information, is protected along with authentication methods for account access as well as other factors like unique ID numbers.
The new rules for notification of a breach are less straightforward and are, of course, worth a read.