Be Prepared for the FCC’s Hard Look at Customer Privacy Protection

By William Wilhelm & Jeffrey Strenkowski

On December 8, 2007, the FCC's new Customer Proprietary and Network Information (CPNI) rules go into effect. Strengthened in response to several high-profile pretexting scandals, on that date many carriers will find themselves out of compliance with the FCC's new heightened customer privacy and security rules. Worse yet, many VoIP providers will find themselves subject to CPNI rules for the first time and will have to catch up to traditional carriers that have long been subject to such regulation.

The scrutiny the FCC has placed on CPNI compliance can not be overstated. The agency has recently levied significant penalties against several carriers for seemingly ministerial rule violations. The FCC has also stated that it will infer that a Service Provider (SP) has not sufficiently protected a customer's private information in those cases where a pretexter obtains unauthorized access to a customer's CPNI. Thus, the burden falls squarely on SPs to not only meet the FCC's minimum CPNI requirements, but to demonstrate that the safeguards they put in place are reasonable in light of the threat posed by pretexting and the sensitivity of the customer information. The CPNI rules contain no safe harbor to immunize SPs from liability for improper disclosure of CPNI.

So what are the FCC's new CPNI rules? First, covered SPs must adopt certain customer authentication measures before they can release call detail information to customers. This may involve the use of pre-established passwords, sending such information to the customer's address of record, or by calling the customer's telephone number of record (as opposed to the caller ID telephone number from the customer's service call). Although SPs can discuss call detail information over the phone when a customer calls the provider with questions about their bill, the customer must provide the relevant call detail information to be discussed.

SPs may disclose non-call detail CPNI to customers without using a password; however, they must authenticate the caller first, and do so without using readily available biographical information. SPs must also use passwords to protect online access to all CPNI, not just call detail information, and all customers must similarly be authenticated. Again, providers may not use readily available biographical information or account information to authenticate users or establish passwords. Although providers need not reinitialize existing passwords for online customer accounts, they may not base customer online access solely on readily available biographical information, account information or prompts for such information. SPs that only use such information must re-authenticate such customers pursuant to the new rule requirements.

For new customers, SPs may request that the customer establish a password at the time of service initiation. While providers may develop their own authentication systems and back-up authentication methods for lost or forgotten passwords, those systems may not rely on readily available biographical or account information. Finally, if certain conditions are met, the new authentication rules do not apply to business customers.

SPs must also notify customers immediately of certain account changes through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record. Such notification may not reveal the changed account information.

If a customer's CPNI is disclosed to a third party without customer authorization, the SP must notify law enforcement no less than seven days after the breach is discovered. With few exceptions, the provider may notify the customer and/or disclose such breach publicly seven days after it provides such notification to law enforcement, provided that law enforcement has not requested that such disclosure be postponed. SPs must also maintain a record of discovered breaches, law enforcement notifications, and other information.

Before a SP can disclose a customer's CPNI to a joint-venture partner or independent contractor for the purpose of marketing communications-related services to a customer, the provider must obtain explicit, opt-in consent from the customer. Providers that have already obtained opt-in approval from customers for the disclosure of CPNI may continue to use those approvals depending on the content of the opt-in notice. If the notice is not broad enough, new customer consent will be required. Given these heightened requirements, SPs that use third parties to market their services may need to develop alternative strategies because obtaining such opt-in consent from customers can be very challenging.

Finally, SPs must file an annual CPNI certification with the FCC. Among other things, the notification must include (i) an explanation of any actions taken against data brokers; (ii) a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI; and (iii) a compliance certificate, signed by an officer, stating the officer has personal knowledge that the SP has established operating procedures that are adequate to ensure compliance with the FCC's CPNI rules. This CPNI certification must be made available to the public.

Even with the new CPNI rules in place, the FCC is insisting that SPs take affirmative measures to discover and protect against activity that is indicative of pretexting above and beyond what is required by the rules. Although CPNI rules are very complex, providers should expect strict FCC enforcement. Any unauthorized disclosure of CPNI likely will subject a SP to enforcement action, and the agency has already demonstrated its willingness to levy significant fines for even administrative and record-keeping errors.

William B. Wilhelm is a partner and Jeffrey R. Strenkowski is an associate at the global law firm of Bingham McCutchen LLP. For more information, please visit them online at http://www.bingham.com. The preceding represents the views of the authors only and does not necessarily represent the views of Bingham McCutchen LLP or its clients. Bingham McCutchen represented the Petitioners in the case described above.

» Internet Telephony Magazine Table of Contents