|
FCC Crackdown on CPNI Compliance, Phone Record Disclosure and “Pretexting”—Immediate Carrier Action Required
By James M. Smith
Moving with unprecedented lightning speed, the FCC has moved on multiple fronts to crack down on apparent violations of the agency’s Customer Proprietary Network Information (CPNI) rules, which seek to protect the privacy of telephone subscribers by restricting a carrier’s ability to use or disclose subscribers’ personal telephone records.
First, on Jan. 30, 2006, responding to “concerns regarding the apparent sale of telephone call records over the Internet,” the FCC’s Enforcement Bureau directed all telecommunications carriers, including both wireline and wireless carriers, to file a compliance certificate under section 64.2009(e) of its CPNI rules within one week—by Feb. 6, 2006. That rule instructs: “A telecommunications carrier must have an officer, as an agent of the carrier, sign a compliance certificate on an annual basis stating that the officer has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the [CPNI] rules…The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules…”
Second, the Bureau has, in the space of less than a week, moved to investigate and penalize carriers for inadequate compliance with these CPNI rules. On Jan. 25, 2006, responding aggressively to the recent profusion of online “data brokers” that sell personal consumer information apparently obtained from telephone records, the Bureau demanded that several carriers, including AT&T and Alltel, produce within 48 hours evidence of their compliance with rule 64.2009(e). Two days later, on Jan. 27, AT&T submitted certifications executed by its new parent SBC, but produced no certifications on the part of the former AT&T Corp. Alltel submitted a two-page document executed that same day by in-house counsel, which “describes generally how Alltel uses CPNI.” The next business day (Jan. 30), the Bureau issued Notices of Apparent Liability for Forfeiture against both carriers, proposing to fine each carrier $100,000—AT&T for not executing the certifications at all, and Alltel for failing to produce an officer’s certification “that the officer has personal knowledge that [Alltel] has established operating procedures that are adequate to ensure compliance with the [CPNI] rules…” The Bureau stated that it was “guided by the principle that there may be no more important obligation on a carrier’s part than protection of its subscribers’ proprietary information. Consumers are increasingly concerned about the security of their sensitive, personal data...Given the increasing concern about the security of this data, and evidence that the data appears to be widely available to third parties, we must take aggressive, substantial steps to ensure that carriers implement necessary and adequate measures to protect their subscribers’ CPNI, as required by the Commission’s existing CPNI rules.” The Bureau alleged that AT&T had not complied with the rules, and that Alltel “has apparently not taken its obligations seriously.” AT&T and Alltel must respond by March 1.
The FCC’s crackdown is also attempting to reach non-carriers. Starting in November 2005, the Bureau has issued subpoenas to numerous data brokers, seeking to obtain information “concern[ing] call detail and other [CPNI]” that the data brokers “may be obtaining from telecommunications providers, in apparent violation of section 222 of the Communications Act...and the Commission’s [CPNI] rules.” Although the statute and rules currently only prohibit the dissemination of such customer information by telecommunications carriers, the FCC may issue subpoenas and citations warning non-carriers against such practices. On Jan. 20, the Bureau issued two such citations against data brokers for failure to respond to such subpoenas, advising that future violations of the rules may subject them to fines of up to $97,500, as well as criminal contempt penalties if they continued to be unresponsive to the subpoenas.
Finally, on Jan. 18, U.S. Senators Charles Schumer (D-NY) and Bill Nelson (D-FL) introduced the Consumer Telephone Records Protection Act, proposing to extend criminal penalties to anyone (including telephone service provider employees or data brokers) who obtains or attempts to obtain and/or sell such confidential telephone record information under false pretenses. The bill establishes a new term in telecommunications jargon: “pretexting,” defined as the practice of pretending to be the telephone subscriber in order to obtain such data from the telephone service provider. Congressional hearings on these subjects have been scheduled for the first week of February.
For further information, please contact:
This Advisory is a publication of the Telecommunications Department of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent developments in the telecommunications industry. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may be given only in response to inquiries regarding particular situations.
Copyright © 2006, Davis Wright Tremaine LLP.
return to Telecom Bulletins main page
|
