LAW OFFICES OF THOMAS K. CROWE, P.C.
LEGAL ALERT
Clients and Interested Parties:
As you have likely observed over the past several weeks, the level of privacy afforded to customer records has recently become a hot topic both at the Federal Communications Commission (“FCC”) and before Congress. On February 10, 2006, the FCC took the latest step in addressing this issue when it adopted a Notice of Proposed Rulemaking (“NPRM”) to examine whether additional security measures with respect to “Customer Proprietary Network Information” (“CPNI”) are warranted. CPNI includes personally identifiable information derived from a customer's relationship with a communications provider, including information contained on customer telephone bills or other call-identifying information.
The FCC indicates in the NPRM that it is considering several proposals raised in a petition filed by the Electronic Privacy Information Center (“EPIC”) that would apply to wireline and wireless providers, including resellers, and potentially to VoIP providers. In addition to the EPIC proposals, the FCC seeks comment on additional measures it is considering implementing, including additional CPNI reporting requirements and enforcement rules.
Background
Recent news reports have called into question the security of CPNI. For example, as the NPRM describes, numerous online data brokers advertise the sale of CPNI. Often, such data brokers claim that, given a subscriber’s name and phone number, they can provide an interested party with information regarding the subscriber’s call records, including records of calls placed and/or received from a given number, duration of calls and the subscriber’s physical address. While the exact methods used by data brokers to obtain such information are unknown, the FCC indicates that many instances may involve individuals placing calls to carrier customer service centers pretending to be the carrier’s customer (a practice referred to as "pretexting"). The FCC recently took enforcement action against two carriers that failed to comply with the Commission’s CPNI rules and directed all carriers to submit a certification and statement regarding each carrier’s CPNI practices.
EPIC Petition
In a petition filed August 30, 2005, EPIC alleged that the FCC’s rules were insufficient to prevent the unauthorized disclosure of CPNI. EPIC’s petition proposed that the FCC adopt several additional safeguards to further protect the security of CPNI. The FCC’s NPRM seeks industry comment on the following five additional security measures:
- Consumer-Set Passwords. Currently, most carriers use biographical information (e.g., date of birth, mother’s maiden name) to determine whether an individual calling customer service is, in fact, the customer of record. EPIC states that such information can often be obtained through public record databases and that carriers should be required to adopt the use of a customer-set password as a security measure at the time of service activation. Some carriers indicate that such passwords will frustrate interactions between customers and customer service personnel.
- Audit Trails. EPIC requests that the FCC put into place rules that would require carriers to keep a log of all instances in which customer records were accessed. Such a log would record the type of information that was disclosed as a result of such access and to whom the information was disclosed. In turn, carriers such as BellSouth contend that such requirements would be unduly costly to implement. The FCC requests comment on the burdens of such a requirement, especially on smaller carriers.
- Encryption. EPIC asks the FCC to require that all customer data stored by carriers be kept in an encrypted format. In response, Verizon, among others, states that CPNI is currently encrypted during key uses such as when accessed online by customers. Such commenters argue that additional encryption would provide little benefit and would be prohibitively costly, particularly for small providers.
- Limiting Data Retention. EPIC calls for the FCC to limit the amount of time a carrier should be allowed to keep CPNI in its records. EPIC states that carriers should be allowed to keep CPNI only for the limited amount of time which is necessary for billing and dispute purposes. After such time has expired, EPIC believes that the FCC should require carriers to destroy such information or remove any information from the carriers’ records which could be used to personally identify a customer.
- Notice. EPIC requests that the FCC institute a rule requiring carriers to notify customers of any suspected CPNI security breach. EPIC believes that such a requirement will help customers mitigate potential harm from security breaches. Carriers, such as Verizon, indicate that this step may prove to be of little use in preventing the type of CPNI leaks that the FCC is concerned with since such leaks generally go undetected. The FCC also requests comment on whether carriers should be required to notify customers of any attempts to access their CPNI. The FCC contemplates different methods that could be used for such notices, including a pre-disclosure notice requirement that would entail requiring carriers to call customers at their number of record prior to releasing any information. This requirement would pose a substantial obstacle to the efficiency of carrier customer service operations. Another alternative disclosure rule would require carriers to include a notice on each customer invoice detailing each instance in which customer CPNI was accessed during the preceding billing period.
Other Issues
The FCC requests comment on several additional areas in which it is considering taking action. Regarding the enforcement of CPNI rules, the FCC requests comment on whether there are additional steps that should be taken in order to increase the Commission’s ability to enforce its rules. For example, the FCC asks whether it should adopt a safe harbor rule for carriers with respect to CPNI. As long as carriers adopted the policies contained in the safe harbor rule, carriers would be exempt from enforcement action, although failure to adopt the safe harbor policies would not, of itself, create a violation. Alternatively, the Commission asks for comment on whether it should adopt minimum practices that, if a carrier failed to follow them, could independently subject the carrier to enforcement liability, even absent disclosure of CPNI.
The NPRM also addresses the CPNI certifications and policy statements that all carriers were directed to file on February 6, 2006 by the Enforcement Bureau. Currently, the FCC’s rules do not require regular submission of such certificates, the Enforcement Bureau’s recent directive being an exception. However, the FCC tentatively concludes in the NPRM that its rules should be amended to require carriers to submit an annual compliance certificate to the Commission detailing not only the carrier’s policies with respect to CPNI, but also providing a summary of all consumer complaints received in the past year regarding the unauthorized release of CPNI and a summary of actions taken against data brokers during the previous calendar year. The Commission requests comment on whether certain smaller telecommunications companies should be exempted from complying with a new burdensome annual reporting requirement.
In addition, the Commission asks for comment as to whether any new rules should be applied to VoIP providers and whether any adjustments to the rules should be made to ease the potential burden on smaller carriers.
Comments are due 30 days from the date on which the NPRM is published in the Federal Register, which should occur in the near future. If you are interested in filing comments in the proceeding, or would like additional information regarding the FCC’s CPNI rules, please contact us directly for assistance.
Thomas K. Crowe, President "firm@tkcrowe.com"
Gregory E. Kunkle, Staff Attorney (Admitted only in Virginia; practice limited to federal communications matters)
Law Offices of Thomas K. Crowe, P.C.
1250 24th Street, N.W.
Suite 300
Washington, D.C. 20037
(202) 263-3640 (voice)
(202) 263-3641 (fax)
www.tkcrowe.com