Warning: Immediate Action Required by All Providers of Telephone or VoIP Services to Comply with New FCC CPNI Rules
FCC Issuing $100,000+ Fines to Violators
As we have advised previously, on or about Dec. 8, 2007,1 every company that provides telephone-type services—including interconnected VoIP service providers, as well as cable television operators that offer a telephony product and traditional telecommunications carriers (wireline CLECs, IXCs, and ILECs, and wireless carriers)—will become subject to new, expanded FCC regulations designed to protect the privacy of customer telephone records (customer proprietary network information or CPNI).2 This is to remind our clients that the compliance deadline is fast approaching. Specifically, every such provider must, among other things:
- have written CPNI compliance policies, employee training programs and other operating and disciplinary procedures in place to implement the new rules by this effective date;
- institute customer authentication and password protections, according to new and highly detailed FCC specifications, prior to giving customers access to various types of account information and other subscriber records, either during customer-initiated calls or through online access;
- adhere to new requirements for notifying customers of changes in account information;
- comply with detailed customer approval requirements prior to many types of uses or disclosures of CPNI, including a new requirement of express “opt-in” customer consent before sharing CPNI with independent contractors or joint venture partners;
- starting Feb. 29, 2008 and annually thereafter, file with the FCC a certificate by an officer of the company attesting to his/her personal knowledge of the company's implementation of adequate CPNI compliance procedures, along with a summary of those compliance procedures and descriptions of any customer CPNI complaints and actions taken against “data brokers;"
- institute new procedures to promptly notify specific contacts at law enforcement agencies of “breaches” of customer CPNI, and thereafter (but only after a specified waiting period) notify affected customers of such breaches; and
- comply with new and specific record-keeping obligations.
Failure to comply with any of these expanded requirements will expose service providers to significant monetary penalties. In the past several months, the FCC has proposed forfeitures of a minimum of $100,000 even for minor CPNI violations by small companies, such as a failure to execute an annual officer certification. We have been advised by the FCC’s Enforcement Bureau that the Commission will aggressively seek to identify and penalize companies that do not comply with the revised rules and make the required filings.
The very specific details of the new FCC rules will require at least some operational policy changes for most providers. For example, the new requirement that online access to CPNI be password-protected may at first appear to be a simple rule, but many companies will have to make changes to their processes for the initial establishment of customer passwords, which must rely on an authentication process such as a PIN that is not based on biographical or account information.
While these new and stringent requirements apply to all providers of telephone-type services, interconnected VoIP providers will become subject to both the pre-existing CPNI rules and these new requirements for the first time as of the December effective date.
We are working closely with numerous providers to implement solutions to assure complete compliance with the new FCC requirements, including the drafting of compliance plans and preparation of employee training materials. Whether you are newly subject to CPNI obligations or have operated for years under earlier versions of the rules, we strongly recommend that you have your new CPNI compliance plans prepared or reviewed by counsel experienced in CPNI compliance. We would be happy to assist you or answer any questions you may have. For further information, please contact one of the below DWT attorneys or your primary DWT relationship attorney.
1 The rule changes will take effect on the later of Dec. 8, 2007 or upon OMB approval. As a practical matter, providers should plan to be in compliance by Dec. 8, as OMB approval could come at any time prior to that date.
2 CPNI is defined as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer. . .; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer . . . .” It includes the time, date, duration and destination number of each telephone call, the list of optional call-related features to which a customer subscribes, and any other information that appears on the consumer’s telephone bill except name, address and telephone number.