CISA pushes final cyber incident reporting rule to May 2026

8 September 2025 at 14:29

The Cybersecurity and Infrastructure Security Agency is delaying until May of next year the finalization of a rule that will require critical infrastructure owners and operators to swiftly report major cyber incidents to the federal government, according to a recent regulatory notice.

Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA was supposed to produce a final rule enacting the law by October of this year. But last week, the Office of Management and Budget’s Office of Information and Regulatory Affairs published an update that moved the final rule’s arrival to May 2026.

A CISA official told CyberScoop that the move would give the agency time to consider streamlining the previously proposed version of the rule and reducing its burden on industry, citing public comments on that version, and to harmonize the rule with other agencies’ cyber regulations.

“We received a significant number of public comments on the proposed rule, many of which emphasized the need to reduce the scope and burden, improve harmonization of CIRCIA with other federal cyber incident reporting requirements, and ensure clarity,” said Marci McCarthy, director of public affairs at CISA. “Stakeholder input is extremely important as we work to draft a rule that improves our collective security. CISA remains committed to implementing CIRCIA to maximize impact while minimizing unnecessary burden to entities in critical infrastructure sectors.”

McCarthy said CISA would take the time prior to May to “examine options within the rulemaking process to address Congressional intent and streamline CIRCIA’s requirements.”

A top lawmaker and leading industry group also told CyberScoop the delay could help make those kinds of changes.

House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the Trump administration assured him that it would prioritize soliciting additional feedback from groups that would be affected by the regulations.

“I support the administration’s decision to extend the deadline for CIRCIA’s final rule as long as this additional time is used to properly capture private-sector feedback on the proposed rule’s reporting requirements and ensure the final rule fulfills congressional intent for the law,” he said. “I share the concern of many industry stakeholders that CIRCIA should not place duplicative or overly broad requirements on critical infrastructure owners and operators. Doing so could unnecessarily burden America’s cyber professionals as they work to defend our networks from heightened threats.”

The 2022 law will require critical infrastructure owners and operators to report to CISA within 72 hours if they suffer a major cyberattack, and to report within 24 hours if they pay a ransomware demand. It was inspired by a spate of major cyberattacks, such as the 2021 Colonial Pipeline hack.

But CISA’s proposed rule, and the way it interpreted the scope of whom the law would apply to and what kinds of incidents would trigger a report to CISA, had drawn criticism from industry groups that wanted a narrower reading of the law’s key terms and phrases.

The Information Technology Industry Council, which had co-signed letters about the proposed regulation, said the delay gives CISA a chance to adopt industry input.

“Enhancing operational efficiency through improved visibility into significant cyber incidents remains a top priority for the tech industry,” said Leopold Wildenauer, director of cybersecurity policy for the group. “CIRCIA will have a significant impact on the U.S. cyber landscape, so it’s critical to get it right. CISA should use this extended timeline to meaningfully incorporate industry input and realign the rule with Congress’s original intent. At the same time, efforts to streamline incident reporting and harmonize requirements across the federal government must move forward to drive better security outcomes.”

Bloomberg Law had earlier reported the planned delay, based on a notice that disappeared from the Office of Information and Regulatory Affairs website for weeks afterward.

Personnel cutbacks at CISA and other developments had long prompted concerns that the agency would not meet the October CIRCIA deadline. Department of Homeland Security Secretary Kristi Noem said in May she would support re-opening industry consultation on the proposed regulation.

The top Democrat on Garbarino’s panel, Mississippi Rep. Bennie Thompson, said the Trump administration appears to have done little to meet the deadline, among other criticisms. He told CyberScoop in an emailed statement that he first learned about the rulemaking time shift last week.

“I’m disappointed that CISA has failed to keep its authorizers — and one of the authors of the CIRCIA — updated of its lack of progress in issuing a final rule,” he said. “I am also disappointed that CISA has yet to initiate an ex parte process to gather additional input to inform the final rule. All evidence suggests the administration burned seven months doing nothing while it could have been engaging with stakeholders and working toward a final rule. Full implementation of CIRCIA will enhance our collective ability to detect and disrupt cyber threats and, if done right, drive harmonization of cyber incident reporting rules.”

The former CISA official who ran the CIRCIA program, Lauren Boas Hayes, wrote in an op-ed for CyberScoop in July that it was always going to be difficult for CISA to meet the October deadline without a confirmed director. The Senate Homeland Security and Governmental Affairs Committee has since approved the nomination of Sean Plankey, but the full Senate has yet to vote to confirm him.

“I am happy to see that they are acknowledging that and moving the deadline to a reasonable timeframe so that they can make those policy decisions, give the program clear prioritization and direction, and continue to move towards a CIRCIA final rule that will have positive impacts for the nation and for our national security,” Boas Hayes told CyberScoop in response to the shifted deadline. “I hope that the acting director of CISA is providing that clear guidance and prioritization to the staff so that they can continue to make progress now and when the CISA director joins the agency and is on-boarded fully and ready to make all those policy decisions.”

The notice about the delay clears up uncertainty about CISA’s plans, said Caleb Skeath, a partner at the Covington law firm.

“It helps provide some clarity on what the next steps are. We did have a statutory deadline for having these rules published, but there had not been a lot of information coming out of CISA for a pretty long period of time since the comment period,” he said. “And it’s a very broad, wide-ranging rule that’s going to impact a lot of entities across a lot of industry sectors, and is going to require very quick reporting of a lot of information about cybersecurity incidents.”

There are limits to the kinds of changes the Trump administration could make to the proposed regulation without going to Congress for additional leeway, Skeath said. And it’s possible that it could take extra time beyond publication of a final rule in May for the regulation to go into effect, he said.

Updated 9/8/25: This story was updated to include comments from Thompson and Boas Hayes.

The post CISA pushes final cyber incident reporting rule to May 2026 appeared first on CyberScoop.

Court rebuffs request by telecoms to review $92 million privacy fine  

By: djohnson
15 August 2025 at 15:22

A federal appeals court has rejected a challenge by T-Mobile and Sprint to a combined $92 million fine imposed by the Federal Communications Commission for selling customer geolocation data to third parties, saying Congress has recognized “the highly sensitive nature” of such information.

In a unanimous decision, the U.S. Court of Appeals for the District of Columbia Circuit ruled that the FCC “correctly determined” that customer location data is protected under the Communications Act and that “The Carriers therefore had a duty to protect such information from misuse by third parties.”

Judge Florence Pan, who authored the opinion, said the FCC also “reasonably concluded” that Sprint and T-Mobile violated that duty when they failed to take measures to prevent buyers from abusing access to that location data.

“Indeed, the Carriers failed to promptly take such measures even after they became aware of serious abuses,” Pan wrote.

In 2018, the New York Times reported that a Missouri sheriff used data sold by the carriers to track the location of a judge and state law enforcement officers.

That kicked off a broader investigation by the FCC into the data-selling practices of T-Mobile, Sprint, Verizon and AT&T. T-Mobile acquired Sprint in 2020.

The investigation found that all four companies had programs in place until at least 2019 that sold access to the location data of customers to two data aggregators, LocationSmart and Zumigo. Those companies in turn sold that data to dozens of different third-party, location-based service providers and other businesses. Because both Sprint and T-Mobile phones must continually ping nearby cell towers to maintain network service, their location data could provide constant real-time tracking of individuals.

The investigation found the telecoms had effectively shirked their regulatory requirements to safeguard their own customers’ location data by outsourcing responsibility to their third-party buyers in contract language. Meanwhile, internal audits of the companies’ customer data-sharing programs revealed numerous instances where auditors knew third parties were not holding to those agreements.

The FCC fined the four carriers a combined $200 million, with T-Mobile on the hook for $92 million in penalties between its own offenses and those of Sprint, which it acquired.

Pan expressed incredulity that T-Mobile and Sprint would ask a court to intervene on their behalf without substantively disputing the FCC’s case.

“Neither denies what happened. Instead, they argue that the undisputed facts do not amount to a violation of the law,” Pan wrote, adding that these and other legal arguments by the telecoms about the case “lack merit.”

Reached for comment, a T-Mobile spokesperson told CyberScoop that the company is “currently reviewing the court’s action. We don’t have anything new to add right now.” Last year, the telecom told CyberScoop it halted the sale of location data to third-party aggregators in 2019.

Eric Null, co-director of privacy and data at the Center for Democracy and Technology, called the ruling a “welcome decision,” and argued that such fines were necessary to hold telecoms accountable when they “sell off customers’ location data to the highest bidder and violate the law.”

“This is a huge win for privacy and for everyone who owns a cell phone,” Null said in a statement. “Location data is one of the most personal and sensitive types of data, and is particularly harmful in the hands of bad actors.”


Court upholds FCC data breach reporting rules on telecom sector

By: djohnson
15 August 2025 at 12:23

A federal court has upheld the Federal Communications Commission’s authority to impose stricter data breach notification regulations on the telecom sector, including requirements that the industry notify customers when their personally identifiable information is exposed in a hack.

In a 2-1 decision, the U.S. Court of Appeals for the Sixth Circuit concluded that the FCC did not overstep its statutory authority last year when it updated existing data breach notification requirements to require telecoms to report on any customer PII lost during a data breach.

In its opinion, the majority wrote that “based on the statutory text, context, and structure, [existing law] gives the FCC the authority to impose reporting requirements in the event of a data breach of customer PII.”

In 2024, the FCC under the Biden administration updated federal regulations on the telecom sector when reporting on the impact of a data breach.

Under previous rules, telecoms were only required to report to the government when a breach exposed customer proprietary network information, which includes any customer information concerning the quantity, technical configuration, type, destination, location and amount of use of a telecommunication service.

The 2024 order concluded that telecoms are also responsible for safeguarding customer PII — a customer’s name, address, date of birth, etc. — along with “any information that is linked or reasonably linkable to an individual or device.” 

The expanded regulations were quickly challenged in court by trade groups representing telecommunications firms, including the Ohio Telecom Association, the Texas Association of Business and USTelecom.

In a consolidated case before the Sixth Circuit, the groups argued that the FCC lacked authority under the two laws they cited to include customer PII in data breach reporting requirements. They further argued that the 2024 order violated the Congressional Review Act, as Congress had formally moved to block a larger set of FCC Net Neutrality rules in 2016 that included a similar section on data breach notification.

In its decision, the court’s majority rejected the telecom groups’ argument that the FCC lacked the legal power to regulate poor data privacy practices or to make rules that go beyond the information Congress specified in the Communications Act.

Instead, the court concluded that Congress clearly intended for the federal government, and specifically the FCC, to regulate telecoms’ data privacy. Laws like the Federal Trade Commission Act not only give the FTC similar authority to regulate inadequate data privacy in other industries, they also specifically exempt telecommunications carriers because that industry’s data privacy regulation falls under FCC jurisdiction.

“Contrary to Petitioners’ assertions, this is not a situation in which an agency has “claim[ed] to discover in a long-extant statute an unheralded power to regulate ‘a significant portion of the American economy,’” the majority wrote. “Rather, it is part of the FCC’s longstanding, flexible, and incremental application of [existing law] to data regulation in the evolving environment of data collection and retention.”

Former FCC officials and legal experts told CyberScoop that while the ultimate fate of the regulation is still uncertain, the Sixth Circuit’s decision is a clear win for the agency’s authority to regulate cybersecurity and data privacy.

In an interview with CyberScoop, Loyaan Egal, former chief of the FCC’s enforcement bureau, said he believes “most people thought this new expansion of data breach notification requirements was more than likely probably going to be rejected by the court, and surprisingly it wasn’t.”

Telecom groups could appeal the ruling to the Supreme Court. Current FCC Chair Brendan Carr was one of two commissioners to vote against the data breach notification rules last year. However, after taking the gavel this year, Carr has not moved to rescind the rules, and the FCC continues to vigorously defend their validity in court.

Over the past year, policymakers have been dealing with fallout from Chinese hackers that have systematically compromised U.S. telecommunications infrastructure.

Several sources told CyberScoop that the emergence of the Salt Typhoon and Volt Typhoon campaigns over the past year, as well as the revelation that hacking groups maintained access to telecom networks by exploiting widespread cybersecurity vulnerabilities, may have upended attempts to kill cybersecurity-related regulations like the FCC data breach rules.

Rick Halm, a cybersecurity attorney at law firm Clark Hill, said the FCC’s authority to regulate cybersecurity and data privacy has to be viewed through the lens of the persistent threats the sector is facing from hackers and foreign spies.

“I see this ruling against the backdrop of the looming national cybersecurity threat of Chinese infiltration of critical infrastructure in preparation to inflict damage if an actual conflict erupts,” Halm said.

Chevron’s dead, but cybersecurity regulations live on

In reaching its conclusion, the court cited Loper Bright Enterprises v. Raimondo, the 2024 Supreme Court decision holding that courts, not federal agencies, have the authority to interpret congressional laws, at least 15 times.

When the Supreme Court ended the practice of automatically deferring to agencies’ interpretations of laws, many worried the shift could jeopardize the legality of cybersecurity regulations. That’s because many rules, like the FCC’s data breach regulations, depend on applying old laws to new technologies, which might not meet stricter legal scrutiny. 

But in this instance, the Sixth Circuit used its independent authority to agree with the FCC: regulating how firms handle and protect PII is a core part of the agency’s responsibilities.

Peter Hyun, a former chief of staff and acting enforcement chief at the FCC, told CyberScoop that “as a substantive matter, this was a clear signal that the FCC did not overreach here.”

“In other words it is in its rightful lane, looking at the practices of these telecom carriers in order to ensure they were protecting customer information and PII,” he said.

However, other observers think future cybersecurity regulations will now face tougher standards.

“I think that this opinion is a warning shot to both the FCC and other federal agencies that you better be able to firmly tie any data privacy or cybersecurity rules directly to a clear statutory premise,” Halm said.

The court also determined that the agency did not violate the Congressional Review Act by proposing “substantially similar” regulation to data privacy regulations that had been formally blocked by Congress in 2016.

While the blocked 2016 order did include similar data breach notification requirements, the court determined it was “far more expansive, imposing a broad array of privacy rules on broadband Internet access services” than the FCC’s 2024 rule.

“The data breach notification requirements were a mere subset of the broader compendium of privacy rules in [the 2016] Order,” the majority wrote. “The 2024 Order, by contrast, addresses only data breach reporting requirements. The two rules are not substantially the same.”

The Sixth Circuit’s ruling appears to reaffirm “a narrower reading of the CRA than some companies would have liked,” Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals, told CyberScoop.

The majority’s conclusion earned a rebuke from Judge Richard Griffin, who wrote in his dissent that “our interpretation of the [Congressional Review Act] ought to elevate the will of Congress over that of an administrative agency.”


The overlooked changes that two Trump executive orders could bring to cybersecurity

13 August 2025 at 15:04

Two executive orders President Donald Trump has signed in recent months could prove to have a more dramatic impact on cybersecurity than first thought, for better or for worse.

Overall, some of Trump’s executive orders have been more about sending a message than spurring lasting change, as there are limits to their powers. Specifically, some of the provisions of the two executive orders with cyber ramifications — one from March on state and local preparedness generally, and one from June explicitly on cybersecurity — are more puzzling to cyber experts than anything else, while others preserve policies of the prior administration which Trump has criticized in harsh terms. Yet others might fall short of the orders’ intentions, in practice.

But amid the flurry of personnel changes, budget cuts and other executive branch activity in the first half of 2025 under Trump, the full scope of the two cyber-related executive orders might have been somewhat overlooked. And the effects of some of those orders could soon begin coming to fruition as key top Trump cyber officials assume their posts.

The Foundation for Defense of Democracies’ Mark Montgomery said the executive orders were “more important” than he originally understood, noting that he “underestimated” the March order after examining it more closely. Some of the steps would be positive if fully implemented, such as the preparedness order’s call for the creation of a national resilience strategy, he said.

The Center for Democracy & Technology said the June order, which would unravel some elements of executive orders under presidents Joe Biden and Barack Obama, would have a negative effect on cybersecurity.

“Rolling back numerous provisions focused on improving cybersecurity and identity verification in the name of preventing fraud, waste, and abuse is like claiming we need safer roads while removing guardrails from bridges,” said the group’s president, Alexandra Reeve Givens. “The only beneficiaries of this step backward are hackers who want to break into federal systems, fraudsters who want to steal taxpayer money from insecure services, and legacy vendors who want to maintain lucrative contracts without implementing modern security protections.”

The big changes and the in-betweens

Perhaps the largest shift in either order is the deletion of a section of an executive order Biden signed in January on digital identity verification that was intended to fight cybercrime and fraud. In undoing the measures in that section, the White House asserted that it was removing mandates “that risked widespread abuse by enabling illegal immigrants to improperly access public benefits.”

One critic, speaking on condition of anonymity to discuss the changes candidly, said “there’s not a single true statement or phrase or word in” the White House’s claim. The National Security Council did not respond to requests for comment on the order.

Some, though, such as Nick Leiserson of the Institute for Security and Technology, observed that the digital identities language in the Biden order was among the “weakest” in the document, since it only talked about how agencies should “consider” ways to accept digital identities.

The biggest prospective change in the March order was a stated shift for state and local governments to handle disaster preparedness, including for cyberattacks, a notion that drew intense criticism from cyber experts at the time who said states don’t have the resources to defend themselves against Chinese hackers alone. But that shift could have bigger ripples than originally realized.

Errol Weiss, chief security officer at the Health-ISAC, an organization devoted to exchanging threat information in the health sector, said that as the Cybersecurity and Infrastructure Security Agency has scaled back the free services it offers like vulnerability scanning, states would hypothetically have to step into that gap to aid entities like the ones Weiss serves. “If that service goes away, and pieces of it probably already have, there’s going to be a gap there,” he said.

Some of the changes from the March order might only be realized now that the Senate has confirmed Sean Cairncross as national cyber director, or after the Senate takes action on Sean Plankey to lead CISA, said Jim Lewis, a fellow at the Center for European Policy Analysis.

For instance: The order directs a review of critical infrastructure policy documents, including National Security Memorandum 22, a rewrite of a decade-old directive meant to foster better threat information sharing and respond to changing threats. There are already signs the administration plans to move away from that memorandum, a development that a Union of Concerned Scientists analyst said was worrisome, but critics of the memo such as Montgomery said a do-over could be a good thing.

Most of the other biggest potential changes, however, are in the June order. This is a partial list:

  • It eliminates a requirement under the January Biden order that government vendors provide certifications about the security of their software development to CISA for review. “I just don’t think that you can play the whole, ‘We care about cyber,’ and, ‘Oh, by the way, this incredible accountability control? We rolled that back,’” said Jake Williams, director of research and development at Hunter Strategy.
  • It removes another January Biden order requirement that the National Institute of Standards and Technology develop new guidance on minimum cybersecurity practices, thought to be among that order’s “most ambitious prescriptions.”
  • It would move CISA in the direction of implementing a “no-knock” or “no-notice” approach to hunting threats within federal agencies, Leiserson noted.
  • It strikes language saying that the internet data routing rules known as Border Gateway Protocol are “vulnerable to attack and misconfiguration,” something Williams said might ease pressure on internet service providers to make improvements. “The ISPs know it’s going to cost them a ton to address the issue,” he said.
  • It erases a Biden-order requirement, one that carried no deadline, that federal systems deploy phishing-resistant multi-factor authentication.
  • It deletes requirements for pilot projects stemming from the Defense Advanced Research Projects Agency-led Artificial Intelligence Cyber Challenge. DARPA recently completed its 2025 challenge, awarding prize money at this year’s DEF CON cybersecurity conference.
  • It says that “agencies’ policies must align investments and priorities to improve network visibility and security controls to reduce cyber risks,” a change security adviser and New York University adjunct professor Alex Sharpe praised.

Analysts differed on whether some of the changes continued or rolled back directives from the January Biden executive order on matters such as federal agency email encryption and post-quantum cryptography.

The head-scratchers and the mysteries

Some of the moves in the June order perplexed analysts.

One was specifying that cyber sanctions must be limited, in the words of a White House fact sheet, “to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.” The Congressional Research Service could find no indication that cyber sanctions had been used domestically, and said the executive order appears to match prior policy.

Another is the removal of the NIST guidance on minimum cybersecurity practices. “If you’re trying to deregulate, why kill the effort to harmonize the standards?” Sharpe asked. 

Yet another is the deletion of a line in the January Biden order about the importance of open-source software. “This is a bit puzzling, as open source software does underlie almost all software, including federal systems,” Leiserson wrote (emphasis his).

Multiple sources told CyberScoop it’s unclear who wrote the June order and whom they consulted with in doing so. One source said some agency personnel complained about the lack of interagency vetting of the document. Another said Alexei Bulazel, the NSC director of cyber, appeared to have no role in it.

Another open question is how much force will be put behind implementing the June order.

It loosens the strictness with which agencies must carry out the directives it lays out, at least compared with the January Biden order. It gives the national cyber director a more prominent role in coordination, Leiserson said. And it gives CISA new jobs.

“Since President Trump took office — and strengthened by his Executive Order in June — CISA has taken decisive action to bolster America’s cybersecurity, focusing on critical protections against foreign cyber threats and advancing secure technology practices,” said Marci McCarthy, director of public affairs for CISA.

California Rep. Eric Swalwell, the top Democrat on the House Homeland Security Committee’s cyber subpanel, told CyberScoop he was skeptical about what the June executive order signaled about Trump’s commitment to cybersecurity.

“The President talks tough on cybersecurity, but it’s all for show,” he said in a statement. “He signed the law creating CISA and grew its budget, but also rolled back key Biden-era protections, abandoned supply chain efforts, and drove out cyber experts. CISA has lost a third of its workforce, and his FY 2026 budget slashes its funding …

“Even if his cyber and AI goals are sincere, he’s gutted the staff needed to meet them,” Swalwell continued. “He’s also made the government less secure by giving unvetted allies access to sensitive data. His actions don’t match his words.”

Montgomery said there was a contradiction between the June order giving more responsibilities to agencies like NIST while the administration was proposing around a 20% cut to that agency, and the March order shifting responsibilities to state and local governments without giving them the resources to handle it.

A WilmerHale analysis said that as the administration shapes cyber policy, the June order “signals what that approach is likely to be: removing requirements perceived as barriers to private sector growth and expansion while preserving key requirements that protect the U.S. government’s own systems against cyber threats posed by China and other hostile foreign actors.”

For all of the changes it could make, analysts agreed the June order does continue a fair number of Biden administration policies, like commitments to the Cyber Trust Mark labeling initiative, space cybersecurity policy and requirements for defense contractors to protect sensitive information.

Some of those proposals didn’t get very far before the changeover from Biden to Trump. But it might be easier for the Trump administration to achieve its goals.

“It’s hard to say the car is going in the wrong direction when they haven’t started the engine,” Lewis said. “These people don’t have the same problem, this current team, because they’re stripping stuff back. They’re saying, ‘We’re gonna do less.’ So it’s easier to do less.”


FCC tightens rules on foreign firms building undersea cables, citing security

By: djohnson
11 August 2025 at 14:21

The Federal Communications Commission has adopted new rules to make it more difficult for foreign firms to apply for licensing to build out submarine cables, citing the need to protect the continued construction of critical undersea cables that underpin the internet and transcontinental communications.

The rules would require the FCC to presumptively deny licenses to “certain foreign adversary-controlled license applicants” seeking to operate in U.S.-controlled waters. They would also restrict undersea capacity leasing agreements, ban the use of unspecified covered equipment and establish a range of physical and cybersecurity requirements for those same firms.

The FCC said that as the U.S. seeks to become “the unrivaled world leader in critical and emerging technologies and secure AI dominance,” the cables responsible for powering that data explosion must be protected from acts of foreign sabotage.

According to figures provided by the FCC, there are 90 cable systems already licensed by the agency. The FCC expects those numbers to grow significantly in coming years as businesses and governments continue to build out additional infrastructure.

In a statement, Chair Brendan Carr said the FCC’s order was meant to “facilitate, not frustrate” this expansion of submarine cable infrastructure, while making it harder for foreign nations to potentially gain influence or access to that infrastructure through an affiliate third-party company.

“We not only want to unleash the deployment of new undersea cables — we want to make sure those cables are secure. In recent years, we have seen submarine cable infrastructure threatened by foreign adversaries, like China,” Carr said.

An assessment by Recorded Future’s Insikt Group in July found that the growing submarine cable industry is facing a threat landscape that has “very likely escalated” over the past 18 months. Accidents continue to be the primary means of damage in publicly reported submarine cable incidents, but cybersecurity threats and cable-cutting techniques like anchor dragging are also rising.

Commissioner Anna Gomez noted that the FCC had not updated its rules around submarine cables in decades, despite their evolution into the backbone of global internet communications.

“As national security risks increased and our Government took steps large and small to protect our networks from foreign adversaries on multiple fronts, the Commission long coordinated with key federal agencies to protect submarine cables,” Gomez said.

One key challenge facing policymakers as this expansion continues will be putting hard security restrictions in place without slowing things down.

“The hard work of this item really was in finding the balance between, on the one hand, necessary security measures to protect critical U.S. communications infrastructure against foreign adversary threats and, on the other hand, clarifying and streamlining processes to provide economic certainty that will facilitate investment and minimizing regulatory burdens by removing duplicative or unnecessary requirements where possible,” Gomez said.

The FCC did not respond to a request for more details on the order by the time of publication.

The post FCC tightens rules on foreign firms building undersea cables, citing security appeared first on CyberScoop.

Hundreds of registered data brokers ignore user requests around personal data

By: djohnson
28 July 2025 at 10:04

There are few laws at the state or federal level to constrain data brokerage, the process by which companies collect and sell bulk data on people they’ve never met or done business with.

States at the forefront of regulating the industry, like California, currently require hundreds of companies to register with the government and provide consumers with the means to opt out of collection or request deletion of their data.

Now, a study from the University of California, Irvine shows that many registered brokers may be ignoring these requirements, and experts tell CyberScoop that state regulators should strengthen their enforcement of current privacy laws.

In the study, researchers exercised their rights under the California Consumer Privacy Act by contacting all registered data brokers and requesting details about the data the companies had collected on them. Of the 543 companies contacted, 40% failed to respond in any way, showing “rampant non-compliance” among the registered brokers.

“Our findings reveal rampant non-compliance and lack of standardization of the data access request process,” wrote authors Elina van Kempen, Isita Bagayatkar, Pavel Frolikov, Chloe Georgiou and Gene Tsudik. “These issues highlight an urgent need for stronger enforcement, clearer guidelines, and standardized, periodic compliance checks to enhance consumers’ privacy protections and improve data broker accountability.”

In addition to brokers that didn’t respond, those that did often created numerous hurdles for people trying to access their data. There was no standard process for submitting such requests: some companies required a phone call, others an email, and others asked users to fill out an online form.

The study measured six types of friction in these requests: individual burden, identity verification challenges, response time, response quality, the data collected, and the privacy issues related to the requests.

One key finding was that inconsistent identity procedures across brokers are confusing and “taxing” to the average consumer, forcing them to navigate a patchwork of different requirements.

Caption: Even when data brokers (DBRs) do respond to consumers, many offer a confusing and unreliable process to contact them and request data or opt out. (Source: UC Irvine)

Many brokers that collect and sell personal data require strict identity verification for consumer data requests, which helps prevent unauthorized access.

On the other hand, the study’s authors say this creates an “unintended privacy paradox” for consumers looking to limit the exposure of their personal data by engaging with brokers directly, as they must often provide additional forms of personal and personally identifiable information along the way.

“Paradoxically, this means that exercising one’s privacy rights under CCPA introduces new privacy risks,” the authors wrote.

The study, which focused solely on companies registered as data brokers in California, may actually understate the problem, as other research has shown that many data brokers don’t carry their disclosures across state lines.

Justin Sherman, a privacy expert and scholar-in-residence at the Electronic Privacy Information Center, told CyberScoop that many brokers seem to hold an odd commitment to privacy principles in one particular instance: verifying the identity of people who object to having a third-party company collect and use their personal information.

“It is beyond irony that there are data brokers who will sell to basically anybody and … yet when someone is saying, ‘I don’t consent to you having collected my data behind my back,’ everything is all of a sudden, ‘how are we going to verify?’ and ‘how are we going to do “Know Your Customer” rules,’” Sherman said. “It’s talking out of both sides of your mouth. They know that if you create some friction, then people are less likely to cancel.”

Additionally, Sherman noted that for opt-out rights to be effective, “the consumer has to be able to easily exercise them.” A process that forces them to personally contact hundreds of different companies without a standardized process for doing so, he argued, is a recipe for frustration and dark patterns.

He added that “there’s no gray area” about how registered brokers are obligated to handle such requests.

“I think the law is very clear. The law says: accept the requests and respond, or reject the requests and respond with the exception you’re setting,” Sherman said, something hundreds of registered brokers failed to do, according to the study.

The California Privacy Protection Agency did not respond to questions from CyberScoop about the UC Irvine study or its own research on data broker noncompliance under the CCPA.

The post Hundreds of registered data brokers ignore user requests around personal data appeared first on CyberScoop.

WEBCAST: GDPR – Spring Storm Warning

By: BHIS
30 April 2018 at 11:05

CJ Cox// Spring storms are often more dangerous and unpredictable than winter storms. The GDPR looks to be no exception. The General Data Protection Regulation is a universal law brought […]

The post WEBCAST: GDPR – Spring Storm Warning appeared first on Black Hills Information Security, Inc..
