FCC Seeks Comments on Proposed Customer Information Protections

TELECOM AND MEDIA PRACTICE GROUP E-NEWS — APRIL 4, 2006
A summary of the Notice of Proposed Rulemaking (NPRM) from the Federal Communications
Commission (FCC or Commission) seeking comment on additional steps the Commission should take
to further protect the privacy of customer proprietary network information (CPNI) was recently published
in the Federal Register, thereby triggering the cycle for comments and reply comments. The NPRM is
significant for all telecommunications companies that compile or otherwise obtain customers’ private
phone records.
The NPRM responds to a petition for rulemaking filed by the Electronic Privacy Information Center
(EPIC) expressing concern over data brokers who were purportedly selling customers’ private
telephone data. The NPRM seeks comment on whether the FCC should mandate enhanced security
and authentication standards for access to telephone records, and if so, what form those additional
measures should take. The NPRM is significant in the breadth of the issues raised and its potential
impact on a wide array of telecom carriers.
FCC Reviews CPNI Privacy Protections
Highlights:
• The FCC has initiated a rulemaking proceeding to examine whether tougher privacy rules are
needed to protect customers’ proprietary telephone records and data. Comments are being
sought on whether additional security measures may prevent the unauthorized disclosure of
private customer information held by telecommunications companies.
• Virtually all telecommunications carriers will be affected by this rulemaking. Under
consideration are proposals to: (1) mandate customer-set passwords, (2) require carriers to
keep audit trails of all instances in which a customer’s CPNI has been accessed or disclosed,
(3) compel encryption for all CPNI data that is retained; (4) limit the retention of CPNI; and (5)
require carriers to notify customers when their CPNI has been released. Also under
consideration is a requirement that all telecom carriers file annual compliance certifications,
along with a summary of all customer complaints regarding the unauthorized release of CPNI
and any actions taken in response to those complaints.
• Comments are due on April 28, 2006, and Reply Comments are due on May 19, 2006.
CPNI
CPNI can be sensitive or personal information. The Communications Act defines CPNI as "(A)
information that relates to the quantity, technical configuration, type, destination, location, and amount
of use of a telecommunications service subscribed to by any customer of a telecommunications carrier,
and that is made available to the carrier by the customer solely by virtue of the carrier-customer
relationship; and (B) information contained in the bills pertaining to telephone exchange service or
telephone toll service received by a customer of a carrier."1 CPNI includes information derived from a
customer’s relationship with a telephone company, regardless of whether the customer purchases
wireline or wireless telephone service. For example, CPNI would include information such as the phone
numbers called by a customer, the length, frequency and timing of such calls, and any services
purchased by the customer, such as call-waiting or caller identification programs.
Telecommunications carriers are required to protect the confidentiality of CPNI and may only disclose
such information when required by law, with the customer’s express consent, or when necessary to
provide the telecommunications service from which the information was derived, or services necessary
to, or used in, the provision of such service.2 Carriers must have the customer’s knowing consent
before using or disclosing CPNI, and can get this consent in two ways.3 They must receive either
affirmative "opt-in" permission (which is express written, oral, or electronic consent) to disclose CPNI to
third parties or their own affiliates that do not provide communications-related services, or a customer’s
"opt-out" approval before intra-company use of CPNI and before disclosing CPNI to affiliates that
provide communications-related services.4 Once a customer allows the carrier to release its CPNI, the
information is deemed less sensitive by the FCC.5 Telecommunications carriers must also keep records
of disclosures and annually certify that they are in compliance with the FCC’s CPNI regulations.6
Background
The issue of the disclosure and sale of customer proprietary telephone data was brought to the FCC’s
attention late last summer in a petition for rulemaking filed by EPIC, a customer privacy organization.7
EPIC expressed concern about the manner in which carriers were protecting customers’ private call
records and other proprietary data. EPIC claimed that some online data brokers had taken advantage
of allegedly insufficient security measures to gain access to CPNI under false pretenses (e.g., claiming
that they were in fact the customer), a practice known as "pretexting," and were offering those private
records for sale on the Internet.
At the same time, the FCC’s Enforcement Bureau initiated an investigation into the practices of online
data brokers. This effort culminated in the issuance of subpoenas to several prominent data brokers
seeking details regarding the manner in which they obtained their telephone record information and
other specifics regarding the companies’ sale of customers’ call records. The FCC also made
undercover purchases of phone records from various data brokers to assist it in targeting additional
subpoenas and determining the method by which private customer telephone data was being
disclosed.
The Notice of Proposed Rulemaking
Deeming the allegations of EPIC "very disturbing," the FCC issued an NPRM "to determine whether
enhanced security and authentication standards for access to customer telephone records are
warranted."8 To this end, the FCC sought comment on how CPNI is maintained and secured by
carriers, and how data brokers are able to obtain such information and make it available to
unauthorized third parties.9 To the extent third parties are able to obtain unauthorized access to CPNI,
the FCC questioned "what are the methods by which they obtain such access" (for example, is it
primarily through pretexting)?10
The FCC also questioned whether its existing regulatory safeguards were sufficient to protect the
privacy of CPNI. For example, does the current process for allowing customers to "opt out" of use of
their CPNI sufficiently protect the privacy of customers’ telephone records and data, particularly as it
relates to disclosure to telecommunications carriers’ joint venture partners and independent
contractors?11 The FCC also asked about carriers’ current practices regarding the disclosure of CPNI
and whether they were adequate.12
The FCC sought comment on "the feasibility and advisability" of the five security measures proposed by
EPIC to protect against the unlawful disclosure and sale of CPNI. These practices include: (1)
passwords set by customers; (2) audit trails that record all instances in which a customer’s records
have been accessed, whether information was disclosed and to whom; (3) encryption of CPNI that is
stored by the carrier; (4) limits on data retention, which would require the deletion of call records when
they are no longer needed for billing or dispute purposes; and (5) notice procedures that alert the
customer when the security of their CPNI may have been breached. The FCC also asked whether
other approaches might best "guard against fraudulent or unauthorized disclosure
of CPNI."13
In addition to these proposals, the FCC asked whether carriers should be required to report further on
whether customers’ records were accessed, including whether information was disclosed and to whom.
Recognizing the arguments made by some carriers that data trails are costly to maintain, the FCC
asked about the steps already being taken, in an effort to determine whether new requirements would
entail significantly more work. In addition, the FCC sought comment on whether there were any
additional enforcement actions that might enhance its ability to protect CPNI, and whether there were a
"set of security requirements that the Commission should adopt that would exempt a carrier from
liability or establish a safe harbor if the carrier implemented those requirements."14
Finally, the FCC sought comment on its tentative conclusion that all telecommunications carriers be
required to file annual compliance certificates stating that they have established operating procedures
adequate to ensure compliance with the Commission’s rules.15 In addition, carriers would be required to
provide a summary of all customer complaints received in the previous year concerning the
unauthorized release of CPNI, and any actions taken regarding those complaints against data brokers
during that year.16
For additional information on this topic, or if you are interested in commenting on the NPRM,
please contact Megan H. Troy (megant@prestongates.com) or Kristin M. Cleary
(kristinc@prestongates.com) in Washington, D.C.; Holly K. Towle (hollyt@prestongates.com) or
Scott L. David (scottd@prestongates.com) in Seattle; or David J. Perry
(dperry@prestongates.com) in Orange County.
Notes
1 Telecommunications Act of 1996, Pub. L. No. 104-104, 110 Stat. 56 (codified at 47 U.S.C. § 151 et seq.), § 222(h)(1).
2 Id. § 222(c)(1).
3 Id.
4 See 47 C.F.R. §§ 64.2005(a), (b); 64.2007(b)(3); 64.2008(e).
5 See § 222(f); see also Implementation of the Telecommunications Act of 1996; Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information; Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, Order on Reconsideration, 14 FCC Rcd 14409, 14468 n.331 (1999) ("CPNI Reconsideration Order").
6 47 C.F.R. § 64.2009(3); see also CPNI Reconsideration Order.
7 See Petition of the Electronic Privacy Information Center for Rulemaking to Enhance Security and Authentication Standards for Access to Customer Proprietary Network Information, CC Docket No. 96-115 (filed Aug. 30, 2005).
8 Notice at ¶ 1.
9 Notice at ¶ 11.
10 Notice at ¶ 11.
11 Notice at ¶ 12.
12 Notice at ¶ 13.
13 Notice at ¶ 25.
14 Notice at ¶ 26.
15 Notice at ¶ 29.
16 Notice at ¶ 29.