EPIC Emphasizes Need for Audits, Enforcement in Rollout of FCC’s Cybersecurity Requirements
October 3, 2023
On Monday, EPIC applauded the Federal Communications Commission for its proposal to require telecom companies that provide U.S.-international service to certify that they are following basic cybersecurity standards, such as the Cybersecurity Framework developed by the National Institute of Standards and Technology. EPIC emphasized the importance of independent and thorough annual audits, of consistent enforcement for deficient or false certifications, and of ultimately requiring all providers (not just those seeking to maintain their international operating authority) to follow basic cybersecurity best practices.
EPIC outlined how bad data breaches have become, including in the telecom sector, the impact of poor cybersecurity and privacy practices on consumer trust, and the priority the White House has placed on remedying this problem through its National Cybersecurity Strategy. EPIC urged the FCC to require that auditors be independent and conduct actual testing of the effectiveness of a company’s cybersecurity measures, not merely interview staff about the measures that company claims to have implemented. Similarly, because the FCC would not require anything more than a certification from each company that it is following the standard, EPIC urged the agency to bring enforcement actions for deficient or false certifications. Some commenters challenged the FCC’s authority to impose this requirement; EPIC responded to many of these challenges, such as those based on the Major Questions doctrine and the Congressional Review Act, in support of the Commission’s proposal, and noted that this must not be the Commission’s final effort in seeking to improve cybersecurity in the telecom sector.