

April 9, 2007
In an Order with broad implications for privacy, the Federal Communications Commission (“FCC”) has strengthened the rules governing how customer proprietary network information (“CPNI”) is accessed, stored and shared. Report and Order and Further Notice of Proposed Rulemaking, CC Docket No. 96-115 and WC Docket No. 04-36. The strengthened rules affect telecommunications carriers and the providers of interconnected VoIP services (collectively “Providers”), as well as their joint venture or contractor partners, and are intended to prevent the procurement of CPNI through “pretexting.” Absent judicial intervention on appeal, the new rules will likely become effective in about six months.
New Customer Authentication Requirements
Providers will be required to implement higher authentication standards to ensure that both inbound telephone access and online access to CPNI are authorized. Before a Provider gives call record information to an inbound caller (customer-originated call), the customer must give a password. Customers who do not have passwords may establish them if the Provider first authenticates the customer without the use of any account information or readily available biographical information. The Provider can accomplish this, for example, by contacting the customer at the telephone number of record. In the event of a forgotten password, the carrier cannot use a shared secret back-up authentication if that shared secret is based on account information or readily available biographical information.
Similar restrictions apply to online access. Providers can no longer issue passwords that permit access to CPNI where a customer establishes an online account relying on any account information or readily available biographical information to authenticate his or her identity. This may require some Providers to either change the protocols for online account creation or to create an additional level of security before giving online access to CPNI. Moreover, the FCC requires Providers to take “reasonable” actions to prevent hacking. For example, the FCC noted that Providers should lock out user access after a number of invalid login attempts to prevent “brute force attacks” to discover account passwords. This requirement could impact how entities providing other services that do not implicate CPNI authorize these customers for online access (e.g., a broadband provider that provides value-added services or an online electronics retailer that resells telephone services).
Customer Notification
Another key security measure is a requirement that Providers immediately notify customers of certain account changes, including whenever a password, customer response to a Provider-designated back-up means of authentication, online account, or address of record is created or changed. The notice must be made by Provider-originated voicemail or text message to the telephone number of record or by mail to the address of record. This notification requirement does not apply to certain business accounts serviced by a dedicated account representative as the primary contact.
In the event of an unauthorized disclosure of CPNI, the Provider must send electronic notification to the United States Secret Service and the Federal Bureau of Investigation. Unless requested by either law enforcement agency to delay notification, the Provider may notify the customer and make a public announcement of the breach seven days after notifying law enforcement. In the event of an extraordinarily urgent need to notify a customer or class of customers in order to avoid immediate and irreparable harm, the Provider may, after consulting law enforcement, notify a customer or class of customers of the breach.
Joint Venture and Independent Contractor Use of CPNI
The rules require that Providers obtain “opt-in” consent from a customer before disclosing that customer’s CPNI to a Provider’s joint venture partner or independent contractor (“partners”) for the purpose of marketing communications-related services to that customer. In particular, for providers of interconnected VoIP services that contract with a third party for a portion of such services, this may require careful segregation of information as well as the assertion of more control over how that information is used by their partners (potentially involving everything from online marketing on Provider homepages to direct solicitations and bill stuffers). This restriction appears to favor large horizontally integrated Providers of service, such as many of the RBOCs, due to their ability to market communications-related services using in-house resources. Moreover, the FCC’s use of the term “communications-related services” is as yet undefined and could ultimately be found to include a broad range of services.
Additional Measures and Certification
The FCC stressed that Providers have a fundamental duty under the Communications Act to institute effective measures to protect the privacy of CPNI. Providers must take affirmative measures to discover and protect against activity that is indicative of pretexting beyond what is required by the Commission’s current rules. Providers will also be required to file annual CPNI certifications with the FCC, including an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning unauthorized release of CPNI.
The FCC Seeks Further Comment
The FCC seeks further comment on whether or not to:
Comments are due 30 days and reply comments 60 days after publication of the Further Notice in the Federal Register.
We would be pleased to respond to any questions regarding this matter.