Telecom companies aren’t required to notify customers about every breach. A Federal Communications Commission order in December 2023 adopted a “harm-based notification trigger” in which “notification of a breach to consumers is not required in cases where a carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier has definitive evidence that the encryption key was not also accessed, used, or disclosed.”
The FCC said that harm requiring notifications can include, but is not limited to, “financial harm, physical harm, identity theft, theft of services, potential for blackmail, the disclosure of private facts, the disclosure of contact information for victims of abuse, and other similar types of dangers.”
The FCC order argued that the harm-based standard would let carriers “focus their time, effort, and financial resources on the most important and potentially harmful incidents” and protect “customers from over-notification and notice fatigue, specifically in instances where the carrier has reasonably determined that no harm is likely to occur.”
Senator: Telecoms should tell customers
US Sen. Ron Wyden (D-Ore.) this week criticized the carriers for having weak security and the FCC for “let[ting] phone companies write their own cybersecurity rules.” Wyden proposed legislation to beef up telecom security requirements.
A spokesperson for Wyden today said that carriers should notify the affected customers.
“Senator Wyden strongly supports the phone companies notifying their customers about the theft of their data,” the spokesperson told Ars. “Not only do Americans have a right to be told that their information was stolen, but this is useful information that could result in some consumers voting with their wallets and switching service to carriers that retain less data and or have better cybersecurity.”
Stanford University researchers collected and studied telephone metadata for a 2016 paper to determine how it could be used against customers. “Using crowdsourced telephone logs and social networking information, we find that telephone metadata is densely interconnected, susceptible to reidentification, and enables highly sensitive inferences,” they wrote.