FCC Ratchets Up Inquiry into Telephone Record Disclosures: New Rulemaking
On Wednesday, the Federal Communications Commission (“FCC”) released a Notice of Proposed Rulemaking (“NPRM”) seeking comment on existing and new rules for protecting customers’ telephone records from unauthorized use. The NPRM is far reaching in its potential impact, both in terms of new burdens on carriers and possible application of the rules to providers of VoIP and other IP-enabled services.
This proceeding arises as Congress, the FCC and other agencies are investigating widespread abuses by data brokers surreptitiously obtaining customers’ telephone records and selling them. All communications service providers should closely monitor this rulemaking and consider submitting comments as new CPNI rules would likely be expensive to implement and have a significant impact on communications providers’ customer privacy and data security practices generally.
It has been widely reported that data brokers have been able to obtain telecommunications carriers’ customer proprietary network information (“CPNI”) records, which include call logs, services, and other personal subscriber information, through “pretexting” (posing as legitimate customers or employees), hacking, or simply paying employees to defeat internal security precautions. These data brokers have then made the records or compilations commercially available over the Internet or offline. Although the FCC currently has rules governing privacy and use of CPNI, aggregate information (directory listings) is not covered and existing rules governing the use of CPNI for marketing purposes, subject to opt-out or opt-in approval from the subscriber, have not been strictly enforced or audited by the FCC. Telecommunications carriers have traditionally only been required to maintain an annual certification demonstrating CPNI compliance on file at its offices and only notify the FCC when its opt-out mechanisms do not work properly. Given recent reports of widespread abuses and the resulting political backlash, the Commission earlier this month ordered telecommunications carriers to submit their most recent certifications to the FCC (see our advisory dated Jan. 31, 2006) and even fined two of the larger carriers, AT&T and AllTel, for failing to submit appropriate certificates of compliance.
The FCC seeks comment on current practices and problems with unauthorized access and use of CPNI, including:
- Carriers’ methods generally for protecting CPNI.
- How carriers verify requests for CPNI from “customers” or “employees.”
- The manner and method for disclosing CPNI in response to legitimate requests.
- Details on how data brokers or other unauthorized users were able to obtain CPNI.
- Whether existing opt-out and opt-in disclosure regimes are adequate or cost-effective.
The NPRM also seeks comment on new security measures that could provide greater protection to CPNI, including:
- Consumer-set passwords. Reliance on traditional biographical data (e.g., mother’s maiden name, date of birth, or social security number) for verification of identity may be insufficient given the widespread availability of such information through public records and online databases. Consumer-set password systems may improve verification but may also increase database expense and spawn fraudulent requests for “lost” passwords.
- Audit Trails. A new rule could require carriers to alert subscribers to CPNI disclosures.
- Encryption. Encrypting stored CPNI data would better protect CPNI but might not be cost justified, particularly for smaller carriers.
- Limiting Data Retention. Dates for deleting or destroying records, or stripping out or separating personally dentifiable information (“PII”) from CPNI, may limit unauthorized disclosures but might complicate dispute resolution or law enforcement access.
- Notice and Reporting. Advance written or oral customer notice and/or customer verification (opt-in or opt-out), post-release notice, notice of unauthorized access or disclosure, and filing of annual compliance certificates with a summary of consumer complaints concerning CPNI use or disclosure may help audit compliance.
The NPRM seeks comments on a wide array of other issues regarding CPNI. Of particular note is the Commission’s inquiry into whether CPNI rules should apply to VoIP or other IP-enabled services that have not otherwise been classified as telecommunications services under the Communications Act. In addition, the Commission raises issues such as whether customers should be able to place a total “no release” hold on their CPNI, whether wireless CPNI should receive greater protection than traditional CPNI, and whether certain classes of telephone users, such as minors, should have special CPNI protections. The FCC also seeks comment on what steps it should take to enhance enforcement and whether carriers should be able to benefit from a safe harbor if they comply with a specific set of rules or standards.
The FCC acknowledges concerns about “giving wrongdoers a roadmap” through the discussion of specific procedures and weaknesses in a public record. Accordingly, the FCC requests that if carriers believe anti-fraud measures are better pursued outside of the public record, that they describe what steps they will take privately to protect CPNI, whether through an industry working group or otherwise.
As noted above, the potential impact of the proposed changes would be significant on all providers, but the impact on small carriers, in particular, could be significant, and the Commission asks for their input. In addition, the proposed changes could impose significant burdens on providers who do not even serve “retail” customers (e.g., “carriers’ carriers”) but who would technically be subject to the rules as providers of telecommunications services.
* * *
The FCC’s NPRM is the latest step by state and federal legislators and regulators to address the widely publicized practice of pretexting. At least eight new bills to address the problem have been introduced in Congress since the end of January, legislation has been introduced in a number of states, and at least four states have brought suit against data brokers under consumer protection laws. In addition, at least four wireless carriers have filed suit against data brokers.
If you are interested in monitoring or filing comments in this proceeding, or would like any other information about legislative or regulatory developments relating to pretexting, privacy, or data security, please contact us.