When the Electronic Privacy Information Center (EPIC) filed a petition last year asking the FCC to impose additional obligations on carriers to toughen up security measures protecting customer proprietary network information (CPNI), most FCC watchers thought the petition would go nowhere. This view was reinforced when several major carriers opposed the petition in FCC filings.
But then, the picture changed. "Pretexting" - ploys by data brokers and others misrepresenting themselves as authorized customers to obtain carriers' CPNI - started to get more attention in the press and on Capitol Hill.
Now, while Congress works on legislation, the FCC has decided to consider requirements proposed by EPIC, including use of customer-set passwords, audit trails maintained by carriers to document the release of CPNI, encryption of stored CPNI data, requiring carriers to notify affected customers and the FCC about security breaches, and deletion of call detail records when they're no longer needed for billing or dispute resolution.
The FCC rulemaking proceeding has significance for VoIP providers for two reasons. First, there is a sentence in the rulemaking notice asking whether "any requirements the Commission adopts in the context of the present rulemaking [should] extend to VoIP service providers or other IP-enabled service providers." Second, if the FCC does impose new CPNI obligations on VoIP companies, complying with these obligations could be expensive.
Requirements regarding the confidentiality of CPNI in Section 222 of the Communications Act apply to telecommunications carriers but not to VoIP providers (which have not been classified by the FCC as carriers). Legislation pending in Congress would amend the statute to cover VoIP providers. Short of legislation, the FCC could attempt to exercise its general rulemaking authority to extend CPNI confidentiality obligations to VoIP providers.
Since VoIP providers - unlike telecommunications carriers - are subject to the Federal Trade Commission's jurisdiction, and the FTC regulates the customer privacy practices of VoIP providers, it may not be reasonable to subject VoIP providers to the FCC's CPNI requirements. (It also should be mentioned that the FTC's authority extends to the pretexting activities of data brokers, and the FTC filed complaints against several data brokers in federal court in May.)
In any event, a strong argument can be made that the types of additional CPNI requirements now being examined by the FCC don't make much sense for any voice service providers, or for their customers.
There are two problems with the EPIC proposal. First, instead of going after the "bad guys" directly, the proposal would impose requirements aimed at shoring up carriers' defenses against pretexting, hacking, and other efforts to gain unauthorized access to customer data. EPIC argues that "carriers are the primary source of CPNI; therefore, they should be the first line of defense against these practices of illegitimately accessing and selling CPNI."
A strong line of defense is important. In fact, many VoIP companies already have adopted privacy policies to protect customer information. But the imposition of additional regulations like those proposed by EPIC might not be very effective. Regulation could rob service providers of the flexibility needed to respond rapidly to the latest tricks used by data brokers to breach security barriers. Regulation could also lead to customer frustration, if the rules impair customers' efforts to obtain their own information.
Certain types of regulation, such as EPIC's encryption proposal, miss the point. Encrypting customer data is no defense against data brokers intent upon obtaining access through false pretenses. As CTIA has pointed out, "[e]ncryption does nothing to protect the customer from being impersonated."
The second problem with EPIC's approach is that it could be very costly for VoIP providers, which could drive up costs for consumers. Verizon has argued that some of EPIC's proposals "likely would cost the [telecommunications] industry hundreds of millions of dollars to develop and implement."
To take one example, the price tag for electronic audit trails could be steep. In the late 1990s, the FCC imposed an electronic audit trail requirement for CPNI, like the one EPIC is now proposing. The agency dropped the requirement in the face of industry opposition. BellSouth, for example, estimated it would have to spend at least $75 million to set up computer systems to comply with the audit trail requirement. Sprint put the price tag at $19.6 million for modifying its existing systems to comply with the new rule. In getting rid of the requirement, the FCC concluded that the "electronic audit trail requirement would generate massive data storage requirements at great cost."
If Congress and the press continue to spotlight the pretexting issue, the FCC may decide it's necessary to prescribe new requirements. If so, the FCC should follow several guideposts. Most importantly, the agency should balance costs against benefits, and avoid saddling VoIP providers and other carriers with burdensome requirements that don't ensure effective results. The agency also should fashion rules that build upon steps the industry is already taking to combat pretexting and similar fraudulent activities. Finally, the FCC should explore ways to assist in taking preventive and enforcement actions directly against data brokers and other perpetrators who are victimizing carriers and their customers.
John Cimko served for fifteen years at the FCC, and currently practices law at Greenberg Traurig LLP. The views expressed in this article are solely those of the author and should not be attributed to his firm or its clients. For additional information, visit the firm's Web site at www.gtlaw.com.