Strengthened CPNI Rules Apply to VoIP Carriers

In light of the increasing popularity of interconnected VoIP services as a permanent replacement for traditional telephone services, the FCC is seeking to exercise its power to impose various privacy rules on providers of interconnected VoIP service in its above-referenced 2007 CPNI Order. The CPNI rules were originally enacted to prevent unauthorized disclosure and sharing of personal information. The rules were recently expanded in an effort to respond to the practice of “pretexting” — a practice whereby data brokers or other third parties use false pretenses to obtain a customer’s private calling information.

By way of background, CPNI is defined by the FCC as “information that relates to the quantity, technical configuration, type, destination, location and amount of use of a telecommunications service” that the carrier possesses because they are serving the customer.

Under the new CPNI rules, the FCC took the following actions:

Implemented New Authentication Rules.

Carriers and interconnected VoIP providers are now generally prohibited from releasing CPNI during a customer initiated call or through the carrier’s website. The release of such information, however, remains permissible if the customer provides a pre-established password. As a result, covered providers need to consider how they will implement passwords.

In the event a customer seeking call detail information has forgotten his or her password, carriers are expressly prohibited from verifying the password using a prompt that contains readily available biographical information. Carriers are still permitted to mail information to the address of record pursuant to a telephone request without password verification, and may still perform customer service calls that disclose call detail information if the carrier initiates the call. It also remains permissible to provide information to a live customer at a retail location with valid identification.

Adopted New Procedures of Account Changes and/or Data Security Breaches.

Carriers and Interconnected VoIP providers are now required to notify customers immediately when a password, forgotten password retrieval mechanism, online account information, or address of record is changed. Notification may be made in the form of a voicemail or text message to the telephone number of record, or may be mailed, but must “reasonably ensure” that the customer receives the notification.

Data security breaches that result in the disclosure of CPNI to third parties without the customer’s authorization must now be reported to the FBI and Secret Service no later than 7 days after a “reasonable determination of a breach.” Carriers may notify the customer 7 days thereafter if no request is made by federal law enforcement officials to further delay customer notification, or, alternatively, immediately after consulting with federal law enforcement officials if the need is urgent. In addition, carriers are now required to maintain a record of any discovered data breaches, related notifications,

and the FBI and Secret Service response to such notifications for at least 2 years.

Carriers May No Longer Share CPNI with Affiliated Independent Contractors and Joint Ventures without Customer Opt-In Permission. The existing rules that allow carriers to share CPNI with affiliated joint ventures and independent contractors have been repealed. The new rules require telecommunications carriers to obtain opt-in consent from a customer before disclosing the customer’s CPNI for marketing related purposes.

Annual Certifications Must Now be Filed with the Enforcement Bureau. Carriers must now submit their annual CPNI compliance certifications directly to the Enforcement Bureau no later than March 1 for data from the prior calendar year. In addition, annual CPNI compliance certifications must now include an explanation of any action taken against data brokers and a summary of all customer complaints received during the past year regarding the unauthorized release of CPNI.

Increased Enforcement Activity Expected. Finally, the FCC has plainly stated that it intends to take a two-prong approach to protecting consumer privacy. The first prong is the promulgation of the above referenced “minimal requirements.” The second prong will be “strong enforcement measures.” Going forward, every carrier must be able to demonstrate that the steps it has taken to protect CPNI from unauthorized disclosure are “reasonable in light of the threat posed by pretexting and the sensitivity of the customer information at issue”. If the FCC finds that insufficient steps were taken to adequately protect CPNI, sanctions, including “forfeiture,” are likely.

While this summary provides a highlight of the FCC rule changes, the rules are complex and expansive and also cover joint ventures, sharing with independent contractors and other arrangements. As a result, when developing policies and procedures, it’s important to consider consulting with your internal and external counsel. IT

William B. Wilhelm is a Partner in the Telecommunications, Media and Technology group of the national law firm of Bingham McCutchen, a law firm with over 950 lawyers For more information regarding the author you may visit www.bingham.com. The preceding should not be considered legal advice and it represents the views of the author only and does not necessarily represent the views of Bingham McCutchen or its clients.

Internet Telephony Magazine Table of Contents