FCC Continues Telecom Customer Privacy Crackdown: Proposes New Protections, Carrier Requirements
By Jim Smith
[February 2006]
As we reported in a Bulletin on January 31, the FCC in recent weeks has moved with unprecedented speed to crack down on apparent violations of its Customer Proprietary Network Information (CPNI) rules, which are designed to protect the privacy of telephone subscribers by restricting a carrier’s ability to use or disclose subscribers’ personal telephone records. We reported that, responding to “concerns regarding the apparent sale of telephone call records over the Internet,” the FCC had: (1) directed all telecommunications carriers, both wireline and wireless, to file certificates within one week (by Feb. 6, 2006) demonstrating their ongoing compliance with the CPNI rules; (2) launched investigations into several carriers’ CPNI compliance efforts and into the practices of many non-carrier online “data brokers” (which sell personal consumer information apparently obtained from telephone records); and (3) proposed forfeitures against AT&T and AllTel of $100,000 each for alleged failures to comply with CPNI certification rules.
Now, the FCC has gone even further, launching a new rulemaking to significantly expand the obligations imposed on service providers to protect the privacy of customer records. In a Notice of Proposed Rulemaking (NPRM) issued on February 14, the FCC is considering whether additional security measures would prevent the unauthorized disclosure of customer CPNI. The agency is requesting comment on the security measures that carriers currently have in place, what inadequacies exist in those measures, what kind of security measures may be warranted to better protect consumers’ privacy, and whether the existing ability of customers to “opt-out” from permitting carrier use of their personal information sufficiently protects the privacy of CPNI, especially from disclosure to carriers’ affiliates, joint venture partners and independent contractors.
The FCC granted a petition for rulemaking filed by the Electronic Privacy Information Center (EPIC) on whether carriers are adequately protecting customer call records and other CPNI. EPIC claims that data brokers have taken advantage of inadequate security standards to gain access to customer information under false pretenses, such as through “pretexting”—which, as we reported previously, involves posing as the telephone subscriber in order to obtain such data from the telephone service provider—and then offering the records for sale on the Internet. The FCC also asks whether “hacking” into carrier records is a problem, noting that numerous websites advertise the sale of personal telephone records, including calling records for landline and wireless customers, sometimes including the physical location of the customer, as well as non-published phone numbers. It asks “how CPNI is maintained and secured by carriers and how data brokers are able to obtain CPNI from carriers. Specifically, how is CPNI being made available to unauthorized third parties? Who is able to obtain unauthorized access to CPNI, and for what range of purposes? To the extent third parties are able to obtain unauthorized access to CPNI, what are the methods by which they obtain such access?”
The FCC is seeking comment on whether to mandate five specific new CPNI security measures proposed by EPIC:
- Passwords set by consumers;
- Audit trails that record all instances when a customer’s records have been accessed, whether information was disclosed, and to whom;
- Encryption by carriers of stored CPNI data;
- Limits on data retention that require deletion of call records when they are no longer needed; and
- Notice by service providers to customers when the security of their CPNI may have been breached.
The FCC noted that it already requires carriers to certify compliance with the CPNI rules and make that certification available to the public, but that a lack of uniformity in those certifications could be an obstacle to effective enforcement. The Commission requests comment on its tentative conclusion that it should require carriers to file annual compliance certificates with the Commission, along with a summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI and a summary of any actions taken against data brokers during the year. Finally, the Commission requested comment on other ways to protect customer privacy, including whether carriers should be required to call a subscriber’s registered telephone number before releasing CPNI in order to verify that the caller requesting the information is actually the subscriber.
Comments on CC Docket 96-115 and RM-11277 are due 30 days after the NPRM is published in the Federal Register, and reply comments are to be filed 30 days thereafter. We will advise you further when these dates become fixed.
We encourage all interested service providers and clients who may be concerned about privacy regulations to file comments in this important proceeding. To discuss the filing of comments or for further information, please contact Jim Smith in our D.C. office or any of the other Davis Wright Tremaine attorneys listed below.
For further information, please contact:
This Advisory is a publication of the Telecommunications Department of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent developments in the telecommunications industry. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may be given only in response to inquiries regarding particular situations.
Copyright © 2006, Davis Wright Tremaine LLP.