The cellular industry urged the Federal Communications Commission to delay action on a Justice Department plan that would keep wireless subscribers in the dark for days or weeks after the theft of phone records, saying the plan clashes with state laws.
“The proposal, if adopted by the FCC in the manner proposed by the department, inadvertently could require carriers to report immaterial breaches and could force carriers to delay notifying customers of major breaches. Both of these elements could create a direct conflict with certain state security breach notification laws,” stated cellphone association CTIA in a letter to FCC Chairman Kevin Martin.
CTIA said it also communicated the wireless industry’s concerns with the Justice Department.
Deputy Attorney General Paul McNulty told the FCC that having the FBI and Secret Service alerted first and consumers later about stolen phone records would prevent investigations from being compromised. McNulty wants the department’s proposal incorporated into new rules being crafted by the FCC to curb the practice known as pretexing, whereby marketers and other individuals impersonate subscribers to get their phone records.
Congress last year outlawed pretexting, and is now pursuing legislation left over from last year that would require wireless and wireline carriers to take steps to better safeguard subscribers’ phone data. The mobile-phone industry does not believe additional pretexting legislation is needed and is actively lobbying the FCC to apply a light regulatory touch to new phone-record privacy guidelines.
CTIA told Martin that 34 states have laws requiring telecom carriers to promptly notify customers, credit reporting agencies and state and local authorities when security breaches are identified. “However, contrary to the department’s proposal, none of the state laws currently mandate automatic delayed notice to customers once a breach is discovered, although all but one permit notice to be delayed at the request of law enforcement,” the trade group said.
As such, carriers could face legal troubles if forced to act in the manner sought by the Justice Department. Lawsuits could be filed against cellphone carriers by subscribers, state consumer protection agencies and state attorneys general.
“Rather than engage in litigation to resolve how a carrier should attempt to comply with federal obligations that conflict with state disclosure notification laws, we believe the department and the commission should address and resolve these conflicts [beforehand] by reviewing and revising the department’s proposal to either clearly pre-empt conflicting state security breach laws, or more narrowly tailor the federal requirements,” CTIA stated.
CTIA also worries the Justice Department proposal could run up against the 1986 Electronic Communications Privacy Act, which-among other things-prevents government entities from requiring the disclosure of communications from a service provider without proper procedure.
Under the Justice Department plan, wireless and other telecom carriers generally would have up to seven business days to inform the FBI and Secret Service that a customer’s phone records were stolen. Carriers could be forbidden from notifying a subscriber of a breach until seven business days after apprising federal authorities of the theft. However, under certain circumstances, a carrier could notify customers sooner than seven days. At the same time, law enforcement could order a carrier not to notify a customer for up 30 days or longer of stolen phone records.
Privacy advocates also oppose the Justice Department notice-delay proposal, arguing it works against consumers’ best interest and is unlikely to benefit law enforcement to the extent it claims.
CTIA: Pretexting plan conflicts with state laws
ABOUT AUTHOR
