CommLaw Monitor
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor
News and analysis from Kelley Drye’s communications practice group
Thu, 29 Feb 2024 22:50:02 -0500

Rosenworcel Moves to Update Data Breach Reporting Requirements Under CPNI Rules
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/rosenworcel-moves-to-update-data-breach-reporting-requirements-under-cpni-rules
Thu, 13 Jan 2022 17:05:13 -0500

Yesterday, FCC Chairwoman Jessica Rosenworcel circulated a Notice of Proposed Rulemaking ("NPRM") with her colleagues on the Commission to update the agency’s rules for notifying customers and federal law enforcement of breaches involving customer proprietary network information ("CPNI"). According to a press release, the proposed “updates would better align the Commission’s rules with recent developments in federal and state data breach laws covering other sectors.”

The Chairwoman’s proposal is significant because it signals a potentially more active FCC in consumer protection as the Democrats solidify control of the agency following the Presidential transition and Chairwoman Rosenworcel’s elevation from Acting Chair to Chair. The scope of the proposal appears to be fairly narrow (based on the limited information currently available) but represents the second CPNI-related action proposed in the past three months. Once a fifth commissioner is confirmed, Chairwoman Rosenworcel may be able to press a broader consumer protection agenda for the agency.

At this time, little is known of the draft NPRM, because the draft of the proposal has not been released. The press release provides the best indication of what we can expect to see in the proceeding, if and when it is adopted. The FCC’s announcement explains that the proposal will:

  • Eliminate the current seven business day mandatory waiting period for notifying customers of a breach;
  • Require notification of inadvertent breaches; and
  • Require carriers to notify the FCC of all reportable breaches, in addition to the FBI and U.S. Secret Service.
The NPRM also is expected to seek comment on whether the FCC should require customer breach notices to include specific categories of information, which would give consumers “actionable information” to address the breach.

The move to update the CPNI rules may be motivated in part by T-Mobile's August 2021 disclosure that names, Social Security numbers, and other personal information belonging to more than 48 million current, former, and prospective customers had been compromised.

With the Commission still evenly split while awaiting confirmation of a third Democratic commissioner, Chairwoman Rosenworcel will need the support of at least one of the two Republican commissioners to adopt the NPRM. The proposed changes may be innocuous enough to garner such support.

The NPRM comes on the heels of an FCC proposal in October 2021 to update the CPNI rules to address SIM swap and port-out fraud, which did garner support from the Republican commissioners. The FCC also has yet to take final action on the Notices of Apparent Liability it issued to major wireless carriers in March 2020 proposing over $200 million in fines for allegedly selling access to their customers’ location information in violation of the CPNI rules. Together, these three actions signal that the FCC may be renewing its focus on privacy issues in telecommunications. In 2017, Congress used the Congressional Review Act to rescind the Commission’s 2016 broadband privacy rules. That action restricts the FCC’s ability to adopt substantially similar rules if it reclassifies broadband providers back to Title II telecommunications services.

FTC Staff Report Puts Spotlight Back on ISP Data Collection and Use Practices; FCC Re-Regulation Suggested
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/ftc-staff-report-puts-spotlight-back-on-isp-data-collection-and-use-practices-fcc-re-regulation-suggested
Wed, 27 Oct 2021 16:24:33 -0400

Over the past few years, the data collection and use practices of Internet Service Providers ("ISPs") have largely flown under the radar while large internet platforms and the broader adtech industry have been under greater scrutiny. That respite may be coming to an end following a staff report released last week by the FTC detailing the scope of ISPs’ data collection and use practices. The staff report was based on orders issued in 2019 under Section 6(b) of the FTC Act and puts ISPs and large platforms on similar footing, observing that “many ISPs in our study can be at least as privacy-intrusive as large advertising platforms.” In addition, the staff report finds that several ISP data practices could cause harm to consumers but does not go as far as calling any practices unfair or deceptive.

What the FTC will do with the staff report is less clear. The Commission voted unanimously to release the report, which does not make any specific policy recommendations. Members of the Commission, however, drew their own conclusions and articulated starkly different outlooks on the report’s implications. Chair Lina Khan and Commissioner Rebecca Kelly Slaughter declared that the FCC should play a leading role in overseeing ISPs’ data practices, citing the FCC’s industry expertise and legal authority. Commissioner Christine Wilson, however, stated that “oversight of ISPs for privacy and data security issues should remain at the FTC.” ISPs’ data practices – and the broader question of whether the FCC should reclassify broadband service back to a Title II telecommunications service and re-impose strict broadband privacy rules – are likely to be prominent issues as the Biden FCC takes shape in the months ahead.

The FTC Staff Report’s Findings

The staff report is based on information the FTC obtained from the country’s six largest ISPs and three of their adtech companies. The FTC compelled the companies to provide information about their data collection and use practices through orders issued under FTC Act Section 6(b) in March and August of 2019. While this group of ISPs “represents a broad swath of the internet services offered” to U.S. consumers, their practices are not necessarily representative of ISPs in general.

Beyond generally equating ISPs with large advertising platforms, the staff report raises several concerns about ISPs’ practices, including the following.

  • Scope and Scale of Data Collection. The staff report finds that “many” of the ISPs in the FTC’s study “have access to 100% of consumers’ unencrypted internet traffic,” potentially allowing the ISPs to obtain information about sensitive web browsing behavior. In addition, FTC staff determined that several ISPs in the study collect and use potentially sensitive, real-time location information for advertising. They are also collecting customer information from other products and services they offer—such as voice, content, smart devices, advertising, and analytics—as well as purchasing information about consumers from data brokers. According to the report, several ISPs combine data from across their product lines, though the report did not reach a conclusion about how extensively ISPs combine this data.
  • Opacity and Consumer Choices. The staff report concludes that ISPs collect and use personal data more extensively than consumers expect, do not provide clear disclosures about their practices, and generally provide opt-out choices that are difficult to use.
  • Potential Consumer Harm. Finally, FTC staff conclude that some of the practices observed among these ISPs could cause harm to consumers. These practices include combining data from distinct services (e.g., video, web browsing, location, and connected devices) in a manner that consumers do not expect, as well as enabling third-party data uses that could harm consumers (e.g., targeting ads in a discriminatory manner, or making location data available to third parties “without reasonable protections”).
What The Staff Report Could Mean for ISPs

The unanimous vote to approve and issue the FTC staff report—an increasingly rare instance of bipartisan agreement on a major issue—does not necessarily signal consensus on further steps the FTC should take on the basis of the report. Chair Khan’s remarks highlight ISPs’ practices as an example of more general problems with the privacy framework the FTC was instrumental in establishing. In her view, the report’s findings “underscore deficiencies of the ‘notice-and-consent’ framework for privacy” and that “[a] new paradigm that moves beyond procedural requirements and instead considers substantive limits increasingly seems worth considering.”

Commissioner Slaughter expressed similar sentiments in her remarks, echoing some of her previous statements calling for “clear rules on data abuses” in general, and FCC-led regulation of ISPs, specifically.

The ISP disclosure practices described by the FTC staff report are subject to the FCC’s Transparency Rule. In 2017, although the Trump FCC classified commercial ISP services as subject to FTC jurisdiction, the FCC retained a transparency rule that, among other things, requires disclosure of “accurate information” regarding commercial terms of broadband internet access services. The FCC stated that disclosure of “commercial terms” includes disclosure of information collection practices and privacy policies. If ISPs failed to adequately disclose their practices, as alleged in the FTC Report, the FCC retains jurisdiction to enforce the transparency rule against that failure.

Further oversight by the FTC may not be necessary in the long term if oversight of ISP data practices is moved back under the FCC’s jurisdiction, and they once again become subject to Section 222 of the Communications Act. That statute places privacy restrictions on the use of customer proprietary network information ("CPNI") by telecommunications service providers. (The Obama FCC reclassified broadband as a telecommunications service under Title II of the Communications Act and imposed net neutrality regulations as well as broadband privacy rules. The Trump FCC largely reversed the net neutrality rules, and Congress nullified the broadband privacy rules.)

Commissioner Slaughter and Chair Khan may get their wish to have the FCC jump back into the fray. The White House announced on October 26 that President Biden will nominate Jessica Rosenworcel for another term as FCC Commissioner (and named her as the permanent FCC Chair) and Gigi Sohn as the third Democratic commissioner. Both Rosenworcel and current Democratic Commissioner Geoffrey Starks have expressed support for reclassifying broadband back to Title II, and Sohn was instrumental in orchestrating Title II reclassification in 2015 under former FCC Chairman Tom Wheeler. While Title II reclassification would subject ISPs to Section 222 of the Communications Act, the FCC’s authority to create broadband-specific rules remains unclear because Congress’ repeal of the FCC’s 2016 broadband privacy rules under the Congressional Review Act prohibits the agency from adopting substantially similar rules.

In the meantime, ISPs should be prepared to entertain further oversight activity by the FTC or potential FCC examination of the adequacy of ISP disclosures under its transparency rule.

FCC Proposes Over $200 Million in Fines to Big Four Wireless Carriers for Allegedly Selling Customer Data Without Safeguards
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-proposes-over-200-million-in-fines-to-big-four-wireless-carriers-for-allegedly-selling-customer-data-without-safeguards
Thu, 05 Mar 2020 17:29:26 -0500

Last week, in a major enforcement action, the FCC proposed $208 million in fines against the nation’s four largest wireless carriers—AT&T, Verizon, T-Mobile, and Sprint—for allegedly selling access to their customers’ location information without taking “reasonable measures” to protect the information against unauthorized disclosure. The FCC argued that such actions violated its rules regarding the protection of customer data known as customer proprietary network information (CPNI).

This enforcement action marks a series of firsts. It is the first CPNI enforcement action since the pre-2016 CPNI regulations were reinstated following the repeal of the broadband privacy rules by Congress in 2017. This is also the first large consumer protection enforcement action under Chairman Pai’s leadership—up to now, Chairman Pai has eschewed the principle-based enforcement of his predecessor in favor of more clear-cut rules violations. The action also generated criticism both for being too soft (and too late) and for potentially being beyond the Commission’s jurisdiction.

Section 222 of the Communications Act requires carriers to protect the confidentiality of CPNI, which consists of specific customer data carriers get from consumers simply by providing them telecommunications service—or in statutory terms, “solely by virtue of the carrier-customer relationship.” This includes location information that carriers receive from wireless phones almost constantly so that calls and data can be routed to a customer both when the customer is using the phone and when the phone is in standby mode. Except for certain defined uses, carriers can only use, disclose, or permit access to CPNI with customer approval. But the FCC has also found that approval requirements alone are not enough, so the CPNI rules specify that carriers must employ “reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI,” such as when a person pretends to be a particular customer or authorized person to obtain access to CPNI—a practice known as “pretexting.”

The FCC alleges that each of the four carriers failed to take reasonable measures to prevent unauthorized access to location information by third parties that improperly disclosed that information without customer approval. Specifically, each carrier sold access to location information to “aggregators,” who then resold access to third-party location-based service providers, who in turn allegedly sold or provided access to individualized location information to unauthorized parties. Each carrier relied on contracts that obligated aggregators to require third-party location-based service providers to obtain customer consent before accessing a customer’s location information from the aggregators. However, the carriers did not independently verify that consent was actually being obtained. In the FCC’s view, the contracts did not amount to reasonable measures to protect CPNI, and the FCC held the carriers responsible for the failure to obtain customer consent on the basis that the third-party service providers were acting on the carriers’ behalf. The FCC was unconvinced by arguments that the information was primarily for non-common carrier data services, instead of telecommunications services, and that the location information obtained when the phone is in standby mode is materially different from information obtained when a customer is on a call.

Based on these apparent violations, the FCC proposed fines of $57 million for AT&T, $48 million for Verizon, $91 million for T-Mobile, and $12 million for Sprint. The FCC calculated these proposed fines based on four factors:

  • First, the FCC determined the number of aggregators and third-party service providers that had access to the information at any given time by looking at the contracts—the more entities that received the information, the greater the proposed fine.
  • Second, the FCC relied on a continuing violation theory, concluding that each day the contracts were in place was an additional violation of the CPNI rules. As a result, the size of the fine increased for each successive day a carrier allegedly continued to allow third-party service providers to access customer location information without reasonable safeguards.
  • Third, the FCC calculated the continuing violation from June 9, 2018—or 30 days after publication of a New York Times article that first brought the location sharing to light—on the basis that the article’s publication was the first time the carriers were put on notice about the inadequacy of their practices and because a carrier cannot be “expected to fully investigate and take remedial actions on the same day it learns that its safeguards are inadequate.” This approach marks a departure from prior enforcement actions, which had not included a “cure” period.
  • Fourth, the FCC upwardly adjusted the proposed fine by amounts ranging from 25-100 percent to reflect the apparent seriousness of the violations and the remediation efforts undertaken by each carrier.
Next Steps

The FCC’s actions are proposed fines. As the Commission customarily notes, neither the allegations nor the proposed sanctions in the Notices of Apparent Liability are final Commission actions. The parties will be given an opportunity to respond and the Commission will consider the carriers’ responses before taking any final action to resolve the matters.

Despite moving forward on the proposed fines, the FCC Commissioners appear split on the specifics of the enforcement approach. Commissioner O’Rielly expressed serious reservations even as he voted in support of the action, citing a concern that the FCC does not have all the relevant facts and expressing interest in the carriers’ argument that their practices are outside FCC jurisdiction. Conversely, Commissioner Rosenworcel dissented, not because she sides with the carriers, but because she believes the proposed fines should be higher. She particularly expressed disdain for the 30-day curing period and the reduction in the fine proposed for each successive day of continuing violation. Commissioner Starks supported the action overall, but dissented entirely on the forfeiture calculation approach, arguing the FCC should have based the fine on the number of consumers actually harmed and not on the number of contracts the carriers entered into.

Each carrier will have the opportunity to respond to the proposed fines in approximately 30 days. The responses typically are not made public but we will continue to monitor the proceedings for developments and will provide updates as they occur.

It's Official: The Old CPNI Rules Are Back in Effect
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/its-official-the-old-cpni-rules-are-back-in-effect
Thu, 21 Sep 2017 16:33:22 -0400

Today the Office of the Federal Register published a final rule from the Federal Communications Commission (FCC or Commission) that formally voids the rule changes in the Commission's 2016 Privacy Order—which Congress invalidated in a Congressional Review Act (CRA) joint resolution earlier this year—and reinstates the voice-centric customer proprietary network information (CPNI) rules “in effect immediately prior to the effective date” of the FCC’s 2016 Privacy Order.

As the Commission notes in the summary of today’s action, “because the CRA does not include direction regarding the removal . . . of the voided language from the Code of Federal Regulations, the FCC must publish this document to effect the removal of the voided” rule’s text. The Commission further explains that the publication of the previous rules is not an exercise of rulemaking authority, but rather simply effectuates what Congress had already done, and therefore today's action is neither subject to public comment nor to judicial review. The FCC's action is effective today and does not substantively modify the CPNI rules in effect immediately prior to the issuance of the 2016 Privacy Order.

In June, the FCC issued an Order that formally recognized the CRA's disapproval of the 2016 Privacy Order and dismissed eleven petitions for reconsideration of the new privacy rules. The June Order noted that the reinstated rules would not apply to broadband service, which would be subject only to the text of Section 222 of the Communications Act, as amended. The June Order was met with a strong partial dissent from Commissioner Clyburn, who challenged the Commission's decision not to place the item on public comment or to provide consumers with privacy rules beyond the "bare text of section 222" and "decade-old rules for legacy voice."

For providers, today's action formalizes what we've known for some time: the old CPNI rules are back in effect for non-broadband telecommunications carriers and providers of interconnected VoIP, and the statutory text of Section 222 continues to apply to broadband providers until further action.

FCC Votes to Impose Aggressive New Privacy Rules on Broadband Providers
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-votes-to-impose-aggressive-new-privacy-rules-on-broadband-providers
Thu, 27 Oct 2016 18:35:14 -0400

At the Federal Communications Commission’s (“FCC”) Open Meeting on October 27, the Commission voted along party lines (3-2) to impose more stringent rules on broadband Internet service providers (“ISPs”). Chairman Tom Wheeler, along with Commissioners Rosenworcel and Clyburn voted in favor of the item, while Commissioners Pai and O’Rielly voted against it.

The new rules clarify the privacy requirements applicable to broadband ISPs pursuant to Section 222 of the Communications Act. The new rules also apply to voice services and treat call-detail records as “sensitive” in the context of voice services.

According to an FCC press release issued immediately after the meeting, these rules “establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information.” The Commission further asserts that this approach is consistent with the existing privacy framework of the Federal Trade Commission (“FTC”).

The actual text of the order is not yet available, but a fact sheet and press release outline the core components of the order. Under the order, mobile and fixed broadband ISPs will apparently be subject to the following requirements:

  • Opt-in: ISPs must obtain affirmative consent from consumers to use and share “sensitive” information. Under the new rules, the following categories of information are included as sensitive: precise geo-location information, financial information, health information, children’s information, Social Security numbers, web browsing history, app usage history, and the contents of communications.
  • Opt-out: ISPs can use and share “non-sensitive” information unless a customer “opts out.” All other individually identifiable customer information is considered “non-sensitive,” and may be used by ISPs consistent with consumer expectations.
  • Exceptions to Consent: Customer consent can be inferred for certain purposes specified in the statute, such as provision of broadband service, billing and collection, and marketing of services and equipment that are ancillary to broadband service. In such cases, no further consent is required beyond creation of the customer-ISP relationship.
  • Notice & Transparency: ISPs must notify customers about the types of information collected, the uses that could be made of such information, and with whom such information may be shared. Although ISPs must provide such information to customers from the outset, it is a continuing obligation – ISPs must update their customers of material changes to their privacy policies and make such information persistently available on their website or mobile app. Moreover, in response to contemporary “pay for privacy” controversies, the Commission will impose heightened disclosure requirements where ISPs offer discounts in exchange for greater rights to use customer information. Finally, the Commission has directed its Consumer Advisory Committee to develop a privacy notification standard that will afford a safe harbor to adopting providers.
The rules also address other issues, including the following:
  • Data Protection: The new rules impose a requirement that ISPs utilize reasonable data security measures. To fulfill that requirement, ISPs may: a) adopt current industry best practices; b) provide accountability and oversight for security practices; c) use robust customer authentication tools; and d) conduct data disposal consistent with FTC best practices and the Consumer Privacy Bill of Rights.
  • Breach Response: ISPs must notify affected customers of breaches within 30 days of the determination of a breach. They must notify the Commission, FBI, and Secret Service within 7 business days if a breach affects 5,000 or more customers. If a breach affects fewer than 5,000 customers, the ISPs must contemporaneously notify the Commission and affected customers (within 30 days).
The Rationale: Consumer Rights and Technological Change

In the fact sheet, the Commission states that ISPs serve as “a consumer’s ‘on-ramp’ to the Internet,” observing that “[p]roviders have the ability to see a tremendous amount of their customers’ personal information that passes over that Internet connection” and asserting that consumers should have the right to decide how such information is used and shared.

The Commission intends for the rules “to evolve with changing technologies and encourage innovation.”

De-identified Information:

ISPs may utilize de-identified information without consumer consent. De-identified information consists of data sets that have been modified so that they can no longer be traced to individual users or devices. However, in recognition of the fact that ISPs might otherwise have the ability and incentive to re-identify customer information, the order adopts a three-part test which the FTC created in 2012 to determine whether de-identified information may be shared without consumer consent.

Pursuant to this framework, in order for an ISP to rely on de-identification without notice and consent, it must:

  1. Alter customer information so that it cannot reasonably be linked to a specific individual or device.
  2. Publicly commit to (a) maintain and use the data in an unidentifiable format and (b) make no efforts to re-identify the information.
  3. Contractually prohibit re-identification of shared information.
Consumer Empowerment Efforts: Ending Contracts of Adhesion and Enabling Dispute Resolution:

The Commission appears to be concerned with the bargaining power differential between customers and providers. In an effort to give consumers greater leverage, the order bans ISPs from “take-it-or-leave-it” offers and forces them to serve customers who do not consent to the commercial use or dissemination of their information.

The order also purportedly addresses a recent controversy over mandatory arbitration clauses in ISP-consumer contracts by reiterating the right of consumers to utilize the Commission’s informal dispute resolution process, and signals the Commission’s intent to more directly address the matter in a rulemaking in February 2017.

* * *

The Broadband Privacy Order is an important and controversial decision. Commissioner Clyburn claimed the rules amount to “strong privacy protections.” Commissioner Rosenworcel praised the benefits of the rules for consumer protection, but openly acknowledged that “with respect to the future of privacy, I think we still have work to do” and saw the need for further harmonization efforts vis-a-vis the FTC.

Commissioners Pai and O’Rielly both voiced strong dissents. Commissioner Pai emphasized that these rules were out of sync with FTC standards, warned that “[n]othing in these rules will stop edge providers from harvesting and monetizing your data,” and expressed concern that the order sets forth “one-sided rules that will cement edge providers’ dominance in the online advertising market.”

Commissioner O’Rielly expressed frustration with the order’s new opt-in requirements, stating that the use of an “opt-in consent mechanism results in far fewer individuals conveying their consent than is the case under an opt-out consent mechanism even when substantial benefits are at stake.”

FTC Chairwoman Edith Ramirez released a statement praising the order:

“I am pleased that the Federal Communications Commission has adopted rules that will protect the privacy of millions of broadband users. The rules will provide robust privacy protections, including protecting sensitive information such as consumers’ social security numbers, precise geolocation data, and content of communications, and requiring reasonable data security practices. We look forward to continuing to work with the FCC to protect the privacy of American consumers.”

Although the full order has yet to be released, at a press conference following the meeting, Chairman Wheeler indicated there was a relatively strong chance it will be released at some point in the next 24 to 48 hours.

Details aside, it is clear that today’s decision (if upheld) will change the communications and privacy landscape. We will post updates here as we learn more about the new Broadband Privacy rules.

Finally, Kelley Drye will soon offer a free webinar that will unpack the new order. Once the full order becomes available, we will announce the date and time of the webinar.

FCC Includes Privacy Item on Its March Open Meeting Agenda: What to Expect
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-includes-privacy-item-on-its-march-open-meeting-agenda-what-to-expect
Fri, 25 Mar 2016 15:30:29 -0400

It’s official: next Thursday, March 31, 2016, the FCC will vote on a Notice of Proposed Rulemaking seeking comment on a proposed framework for new privacy and data security rules for broadband Internet access service (BIAS) providers. This proceeding will have important implications for not only the broadband providers subject to the rules, but also for the Internet ecosystem as a whole.

This rulemaking proceeding stems from the 2015 Open Internet Order, which reclassified BIAS as a telecommunications service and applied several of the FCC’s core consumer protection provisions—including Sections 201 and 222 of the Communications Act—to BIAS. Section 201(b) prohibits “unjust or unreasonable” practices, which the FCC has interpreted to require reasonable data security practices. Section 222 (and the Commission’s interpretations of that section) establishes a complex framework for the protection of proprietary information (PI), carrier proprietary information (CPI), and customer proprietary network information (CPNI). CPNI, in short, is the information that a carrier has about its customer solely by virtue of the customer-provider relationship. However, because the CPNI rules promulgated pursuant to Section 222 were designed with traditional telecommunications services in mind, the FCC declined to impose those rules on BIAS, instead opting for a rulemaking proceeding to create new broadband CPNI rules.

While the Commission will not release the text of the NPRM until after the March 31st Open Meeting, Chairman Wheeler’s Fact Sheet sheds some light on the likely direction of the item. Specifically, the proposal will rely on three “core principles”: choice, transparency, and security. With respect to choice, the proposal establishes a consent framework similar to the existing framework, which permits certain uses of customer data without the need for additional consent (e.g., billing and managing the network), but requires opt-out or opt-in consent from the customer before using or sharing customer data in other circumstances (e.g., marketing communications-related services to which the customer does not subscribe, or marketing non-communications-related services). As for transparency, the proposal would require BIAS providers to offer clear, conspicuous, and understandable information about the provider’s privacy practices. With respect to security, the item proposes to require BIAS providers to “take reasonable steps to safeguard” customer data, including specific minimum standards for data security. The proposal also would impose data breach notification requirements that would require BIAS providers to notify affected customers within 10 days of discovery, to notify the Commission no later than 10 days after discovery, and to notify law enforcement (i.e., FBI and Secret Service) about larger breaches within 7 days of discovery. The Commission will also seek comment on other approaches for implementing privacy rules.

Importantly, while some had hoped that the FCC would harmonize its privacy and data security rules with the ex post enforcement approach of the Federal Trade Commission (FTC), the FCC here appears to double-down on its existing ex ante approach to privacy and data security regulation. As a result, the rulemaking has the potential to further expose tensions between the FCC and FTC with respect to privacy and data security policy. This remains a critical issue for businesses to monitor as this item moves forward.

Like most FCC items, the devil is in the details, and unfortunately we will not know those details until the Commission releases the text of the NPRM. That said, here are a few of the unanswered questions that we will be tracking:

  • How will the proposed rules define broadband CPNI?
  • Will there be different proposed rules for mobile and fixed BIAS?
  • How will the proposed rules apply to non-BIAS data services (such as connected home products) that a broadband provider offers to its customers?
  • Will the FCC propose specific rules for “proprietary information” under Section 222(a)?
  • Will the FCC revise its “basket of services” approach to traditional services?
  • How will the FCC’s rules affect third-party apps that rely on data from carriers to provide their services?
  • Will these rules include an annual certification requirement, as the existing rules do?
  • How will this rulemaking proceeding affect the existing CPNI rules for traditional telecommunications services?
We’re tracking and will follow up with a comprehensive overview once we have the order in hand. The FCC will establish a comment cycle for the rulemaking to give all interested parties an opportunity to weigh in on the proposed rules, so if you’re interested in participating in this proceeding, feel free to contact the authors of this post or your regular Kelley Drye attorney.

AT&T Reaches $25 Million Settlement with FCC over Privacy and Data Security Violations https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/att-reaches-25-million-settlement-with-fcc-over-privacy-and-data-security-violations Thu, 09 Apr 2015 22:25:56 -0400

On April 8, 2015, the Federal Communications Commission (“FCC” or the “Commission”) Enforcement Bureau (“EB”) reached a $25 million consent decree with AT&T over privacy and data security breaches involving its customers’ proprietary information (“PI”) and customer proprietary network information (“CPNI”) at three of AT&T’s international call centers. Under the terms of the settlement, AT&T must implement a wide-ranging compliance plan, notify affected customers of the breach (and provide free credit monitoring services), and report any noncompliance or future breaches to the Commission.

As explained in more detail below, this settlement represents the latest in a growing trend in aggressive enforcement of the Commission’s privacy and data security rules. As the Commission continues to find new ways to apply its rules against carriers—and begins to implement its 2015 Open Internet Order against broadband Internet access service providers—providers should take steps to bring themselves (and their vendors) into compliance.

Background

The consent decree stems from data breaches that occurred at AT&T customer call centers in Mexico, Colombia, and the Philippines between 2013 and 2014. Through its investigation, the FCC determined that call center employees had gained unauthorized access to CPNI and other personal information in a scheme to supply third parties with unlock codes for AT&T mobile phones. The Mexico breach affected 68,701 customer accounts, while the Colombia and Philippines breaches affected at least another 211,000 customer accounts.

In the consent decree, the Commission argues that AT&T’s conduct violated two provisions of the Communications Act of 1934—Section 201(b) and Section 222(c)—along with the Commission’s CPNI safeguards and breach reporting rules. As we explained in an earlier blog post, the Commission relied on Section 201(b) in its Notice of Apparent Liability against YourTel and TerraCom, which it issued late last year based on similar data breaches involving vendor security practices. The AT&T action is indicative of the Commission’s intent to continue using Section 201(b) to protect consumers’ personal information and require more stringent data security practices among communications companies.

Terms of the Consent Decree

Under the terms of the consent decree, AT&T agrees to pay a $25 million civil penalty, and to implement a wide-ranging compliance plan, which includes the following key elements:

  • Risk Assessment. AT&T must perform a risk assessment to identify internal risks of PI or CPNI breaches by employees and vendors, and to evaluate the sufficiency of existing policies, procedures, and practices designed to protect against a data breach.
  • Information Security Program. AT&T must establish a written information security program to protect against CPNI and PI breaches by employees and vendors. AT&T must keep this information security program up-to-date and address deficiencies and gaps as they appear. These provisions of the consent decree will remain in effect for seven years.
  • Compliance Manual and Training. AT&T must develop and distribute a compliance manual to relevant employees and vendors (and the vendors’ employees) explaining Section 222, the FCC’s CPNI rules, the terms of the consent decree, and all operating procedures that employees and vendors’ employees must follow. As with the information security program, AT&T must periodically review and revise the compliance manual to ensure it is current and accurate. Further, AT&T must establish and implement a compliance training program to ensure compliance with Section 222, the CPNI rules, and the operating procedures.
In addition, with respect to the Colombia and Philippines breaches, AT&T must notify each affected customer about the breach, offer one year of complimentary credit monitoring services through a nationally recognized credit monitoring service, and provide a toll-free number where affected customers may contact AT&T with questions about the breaches. Moreover, AT&T must report any noncompliance with the consent decree, and any breaches of PI or CPNI involving any employees or vendor employees, to the Commission. Finally, AT&T must file periodic compliance reports with the Commission.

In a separate blog post on the Commission's website, Kris Monteith, Acting Chief of the Consumer and Governmental Affairs Bureau, provided consumers with action items to protect them from theft of smart devices and personal information. Among other things, Monteith recommended that consumers set strong passwords or PINs, or to take advantage of biometric and fingerprint authentication technologies. Providers should consider communicating similar advice to their subscribers.

What’s Next?

We don’t expect the Commission’s privacy and data security enforcement push to end any time in the near future. Quite the opposite. As the Commission notes in its press release announcing the consent decree, this action is its fifth major enforcement action—totaling over $50 million in penalties—in the last year related to consumer privacy and data security.

Further, as the Commission begins to implement its 2015 Open Internet Order, we expect the EB to seek out new and creative ways to stretch its privacy and data security authority against providers, both for the providers’ own actions, as well as those of their vendors (both here and abroad). Moreover, as the Commission embarks on its effort to draft privacy and data security rules for BIAS, we expect vigorous debate about how best to protect consumers without imposing undue or unwarranted burdens on providers.

As a result, providers interested in getting involved in these debates should continue to monitor developments and contact counsel for assistance. Additionally, all telecommunications and broadband providers alike should take affirmative steps to inventory their own data security policies, procedures, and practices, as well as those of their vendors, to ensure compliance with FCC rules and guidance.

FCC Issues Enforcement Advisory Discussing Upcoming Annual CPNI Certification Filing Deadline https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-issues-enforcement-advisory-discussing-upcoming-annual-cpni-certification-filing-deadline Mon, 09 Feb 2015 16:26:31 -0500

Earlier today, the Federal Communications Commission released an enforcement advisory reminding telecommunications carriers and interconnected VoIP providers of the upcoming annual customer proprietary network information (“CPNI”) certification due by March 2, 2015. For Kelley Drye’s own advisory on this CPNI filing requirement, please see the attached alert.

In addition to identifying the relevant CPNI rules and certification format, the FCC’s advisory highlighted common certification errors such as failing to explain how the filer’s operating procedures ensure compliance with the CPNI rules or failing to have an officer certify the filing based on “personal knowledge.” The FCC’s advisory also emphasized the potential for monetary penalties for noncompliance with the CPNI protection and certification filing rules. As noted in the advisory, enforcement penalties for noncompliance can include monetary forfeitures of up to $160,000 for each violation or each day of a continuing violation (up to a maximum of $1,575,000). The FCC actively enforces the CPNI rules and, as addressed in Kelley Drye’s September 5, 2014 blog post, the FCC recently entered into a $7.4 million consent decree with Verizon to resolve a CPNI investigation. Accordingly, carriers and VoIP providers should timely file the annual CPNI certification and review their practices to ensure compliance with the CPNI rules.

Federal Communications Commission Announces Membership in Global Privacy Enforcement Network https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/federal-communications-commission-announces-membership-in-global-privacy-enforcement-network Mon, 03 Nov 2014 19:32:31 -0500

On October 28, 2014, the Federal Communications Commission (“FCC” or the “Commission”) announced that it had joined the Global Privacy Enforcement Network (“GPEN”), a network of privacy enforcement and regulatory bodies from around the world that engages in collaboration and coordination on cross-border privacy enforcement actions.

The FCC’s announcement represents the latest step in its headlong march into privacy and data security matters. This past June, the FCC launched a brand new cybersecurity initiative, “The New Paradigm,” which will include a private-sector-driven effort to improve cyber-readiness in the communications industry. In September, the FCC reached a $7.4 million settlement with Verizon over alleged violations of the Customer Proprietary Network Information (“CPNI”) rules. And just two weeks ago, the FCC released a Notice of Apparent Liability (“NAL”) proposing multi-million dollar fines against two wireless providers, YourTel and TerraCom, based on a novel and expansive reading of Sections 222(a) and 201(b) of the Communications Act of 1934, as amended.

These recent actions demonstrate that Chairman Tom Wheeler and Enforcement Bureau Chief Travis LeBlanc are serious about expanding the FCC’s role as a privacy and security cop. As a result, communications companies – particularly those that fall within the Federal Trade Commission’s “common carrier exemption” – should take this opportunity to review all of their privacy and data security practices to ensure compliance with an evolving set of FCC privacy and security requirements.

FCC Proposes $10 Million in Fines for Privacy and Data Security Violations https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-proposes-10-million-in-fines-for-terracom-and-yourtel-privacy-and-data-security-violations Tue, 28 Oct 2014 16:19:13 -0400

On October 24, the FCC, over the dissent of its two Republican commissioners, issued a Notice of Apparent Liability (NAL) proposing a fine of $10 million to Lifeline eligible telecommunications carriers (“ETCs”) TerraCom, Inc. and YourTel America, Inc. for violations of laws protecting “phone customers’ personal information.”

This is the agency’s first data security case and the largest privacy action in the Commission’s history. See News Release. Friday’s decision follows through on numerous public statements made by FCC Enforcement Bureau Chief Travis LeBlanc indicating that privacy and security is a high enforcement priority for the Commission and that the agency would begin to use a Communications Act provision barring unjust and unreasonable practices as a privacy and security enforcement tool.

According to the NAL, the Enforcement Bureau investigation found that both TerraCom and YourTel “collected names, addresses, Social Security numbers, driver’s licenses and other proprietary information” gathered through the Lifeline eligibility approval process “and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.” The NAL states that the TerraCom and YourTel violations exposed more than 300,000 customers’ personal information to unauthorized access as well as heightened risk of fraud and identity theft.

CPNI Violation. The NAL first alleges that the companies failed to properly protect the confidentiality of consumers’ proprietary information collected from applicants for wireless and wired Lifeline services in violation of Section 222(a) of the Communications Act, which requires that carriers protect the confidentiality of the “proprietary information” of their customers. The FCC proposes a forfeiture of $8.5 million for this violation based on precedent for base forfeitures of $29,000 for previous CPNI violations. Applying the base forfeitures to the alleged over 300,000 violations would have resulted in a proposed penalty of close to $9 billion, but the FCC settled on $8.5 million as “sufficient.”

Unjust and Unreasonable Practices. The NAL next alleges several violations of Section 201(b) of the Communications Act, which prohibits unjust and unreasonable practices, but only proposes a penalty for one such violation. The NAL proposes a $1.5 million penalty against the companies for making false representations in their website privacy policies regarding protecting customers’ sensitive personal information. The FCC alleges that the companies’ failure to follow their own privacy policies was an unjust and unreasonable practice. This forfeiture is based on precedent for a $40,000 base forfeiture for Section 201(b) violations related to deceptive marketing to consumers.

Further, the NAL alleges that by failing to employ reasonable data security practices (such as password protection or encryption) and failing to notify all potentially affected customers of the security breach, the companies apparently violated Section 201(b). However, the agency declined to propose a forfeiture for those two alleged violations because this is the first case in which it makes such findings. The NAL states that carriers are now on notice regarding these potential violations.

The Commission’s use of its authority to police “unjust and unreasonable” practices by telecommunications providers appears to represent a significant expansion of the Commission’s enforcement authority over privacy-related matters and appears to mirror the Federal Trade Commission’s privacy and data security actions under a similar statutory provision, Section 5 of the Federal Trade Commission Act, barring unfair and deceptive trade practices. The expansion of authority is the reason that Commissioners Pai (R) and O’Rielly (R) dissented. Both Commissioners contended that the FCC had not given fair notice of what data security practices are required. Commissioner O’Rielly also questioned the majority’s interpretation of the CPNI provisions of Section 222. While the $10 million proposed penalty is the largest privacy action in the Commission’s history and its first foray into data security enforcement, it is not likely to be its last. We expect that the FCC will continue to investigate and take enforcement action against lax data security and other practices that compromise the privacy of consumers’ personal information.

In light of the FCC’s action, all carriers, including especially Lifeline providers, should review their security and privacy practices related to customer eligibility documentation and other personal information, as well as their privacy statements and CPNI policies to ensure that consumer data is adequately safeguarded in a manner that comports not only with the FCC’s CPNI rules but also with federal and state privacy frameworks that will inform the Commission’s determination of what is “unjust and unreasonable” in this area.

Checking the Boxes: FCC Proposes Forfeiture of Half a Million Dollars against International Prepaid Calling Card Provider https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/checking-the-boxes-fcc-proposes-forfeiture-of-half-a-million-dollars-against-international-prepaid-calling-card-provider Thu, 25 Sep 2014 22:36:01 -0400

On September 16, the Federal Communications Commission issued a Notice of Apparent Liability ("NAL") against PTT Phone Cards, Inc., ("PTT") for a litany of alleged violations of rules applicable to international telecommunications carriers in general and one applicable to pre-paid calling card providers in particular. In short, the NAL alleges that, for over three years, PTT violated "virtually all of [the] regulatory obligations" applicable to international carriers and one specifically applicable to pre-paid calling card providers. The proposed forfeiture of $493,327 was arrived at through a straightforward application of the Commission’s base forfeiture amounts or penalties that the agency has recently applied for similar violations. While the Commission normally considers mitigating and aggravating factors to adjust penalties downward or upward, in the NAL it did not expressly do so, despite what it called "PTT’s apparent pattern of noncompliance" and "the seriousness, duration, and scope of PTT’s apparent violations." Instead, it simply proposed standard penalties for each apparent violation, giving a casebook glimpse into what awaits entities that provide international and/or calling card services without first obtaining necessary FCC authority and without making requisite filings with the Commission, contributions into applicable federal funds, and payments of federal regulatory fees.

PTT commenced providing prepaid calling services – reselling international telephone service – in January 2010. PTT did not obtain authorization to do so under Section 214 of the Communications Act of 1934, did not register as a provider of telecommunications by filing an FCC Form 499A, and failed, at least for several years, to make other filings required of international telecommunications carriers and prepaid calling card providers. The NAL does not say how the FCC Enforcement Bureau became aware of PTT’s operations in January 2013, but the NAL notes that PTT sold its cards through grocery stores and Internet distributors and resellers, which outlets may have led to the Bureau’s discovery. A Bureau investigation commenced almost immediately, and, in April 2013, the Bureau sent a Letter of Inquiry to PTT. PTT apparently cooperated with the investigation and promptly sought Section 214 authority (although not special temporary authority while its application was pending), which the Commission granted in May 2013. Over time, extending almost to the time of the NAL, PTT sought to rectify its past failures to register and make other compliance filings. Notably, although the Commission faulted PTT in many instances for its apparent slowness in bringing itself into compliance after the Letter of Inquiry was sent, that alleged fact did not result in the aggravation of the proposed forfeitures.

While the Bureau and PTT entered into a tolling agreement – which explains why the NAL was issued more than one year after the investigation began and PTT began to make its belated compliance filings – the Commission’s proposed penalties confirm the FCC’s historic approach of treating carrier reporting and filing failures as continuing violations until they are cured. In addition, the proposed penalties reflect the Commission’s standard penalties for many carrier compliance breakdowns and illustrate how the failure to obtain Section 214 international authority, when required, can lead to a cascade of penalties. In particular, the Commission proposed penalties of:

  • $100,000 for failure to obtain Section 214 authorization prior to providing international telecommunications services, an amount "[c]onsistent with Commission precedent," for which the FCC cited several recent forfeiture orders against prepaid calling companies;
  • $150,000 for failure to file Form 499A (the annual Telecommunications Reporting Worksheet) for 2011, 2012, and 2013 in a timely fashion – $50,000 for each annual filing missed – again citing precedent where carriers had similar lapses;
  • $30,000, or $10,000 per year (the base forfeiture amount), for failure to make timely required contributions to the Telecommunications Relay Service ("TRS") Fund for three consecutive annual contribution periods, beginning with 2011-2012, which contributions are based on the Form 499A reports;
  • a $23,327 upward adjustment of the penalty for failure to make timely contributions into the TRS fund, 50% (the standard adjustment) of the unpaid contribution amount at the time PTT entered into a payment agreement with the Treasury Department;
  • $30,000, or $10,000 per year (the base forfeiture amount), for failure to make timely required contributions to the Local Number Portability ("LNP") cost recovery mechanism for three consecutive annual contribution periods, beginning with 2011-2012, which contributions are based on the Form 499A reports;
  • $20,000, or $10,000 per year (the base forfeiture amount), for late payments of regulatory fees – specifically the Interstate Telecommunications Service Provider ("ITSP") which international carriers must pay based on their international end user revenues as reported on their Form 499A reports -- for fiscal years 2011 and 2012;
  • $48,000, or $3,000 per filing (the base forfeiture amount), for failure to timely file 16 quarterly certifications required of prepaid calling card companies from the first quarter of 2010 through the first quarter of 2014 (with the exception of the third quarter of 2013 which was timely filed);
  • $12,000, or $3,000 per filing (the base forfeiture amount), for failure to timely file its 2011, 2012, 2013, and 2014 annual international telecommunications traffic reports that international common carriers must file; and
  • $80,000, or $20,000 per year (consistent with prior conditions), for failure to timely file its annual 2011, 2012, 2013, and 2014 customer proprietary network information ("CPNI") certifications that telecommunications carriers must make.
Verizon Agrees to Pay $7.4 Million to Resolve CPNI Investigation https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/verizon-must-pay-7-4-million-for-misuse-of-cpni Fri, 05 Sep 2014 09:46:35 -0400

On September 3, 2014, Verizon agreed to pay $7.4 million to resolve an investigation into possible misuse of customers’ personal information in a number of tailored marketing campaigns. Prompted by a self-disclosure from the company, the FCC investigated Verizon's use of customers’ subscription and call information to market new services. Such use is restricted by Section 222 of the Communications Act and the Federal Communications Commission’s CPNI rules. Verizon's consent decree is notable for more than its size.

Section 222 requires telecommunications providers to protect “customer proprietary network information” (commonly referred to as “CPNI”), which includes call information (such as the location and timing of calls), the types of services a customer subscribes to, and other information contained on a customer’s bill. Under the Commission’s rules, a telecommunications provider must obtain a customer’s approval to use CPNI in marketing activities, which it can obtain either through affirmative "opt-in" approvals or (in certain instances) through a written notice about how the company intends to use a customer’s CPNI and an opportunity for the customer to “opt-out” of such use.

Like many carriers, Verizon chose to use the opt-out method for obtaining approval. However, between 2006 and 2013, Verizon failed to provide the opt-out notice to nearly two million residential, small business, and medium business customers. Verizon's procedure was to provide the required CPNI notification language on a customer’s first bill, but in 2012, Verizon personnel discovered that this notice had not been provided in certain customer bills. After investigation, Verizon determined that the triggering criteria that generated the opt-out notices had not been updated, causing certain bills not to be flagged for the notices. The notification error affected the billing systems used by the incumbent local exchange carriers and the interexchange carriers Verizon Long Distance, Verizon Enterprise Solutions LLC, Verizon Select Services Inc., and Verizon Select Services of Virginia Inc. After learning of these CPNI violations, Verizon self-reported the violation, as is required by Section 64.2009(f).

Under its Consent Decree with the FCC, Verizon agreed to pay $7.4 million to the U.S. Treasury, and agreed to comply with a number of remedial requirements. As is typical with current FCC settlements, Verizon agreed to implement a Compliance Plan, appoint a Compliance Officer, create a Compliance Manual, implement a Compliance Training Program, and file Compliance Reports with the Commission for the next three years. Three other aspects of the Consent Decree are particularly noteworthy.

First, the Consent Decree contains specific commitments to remedy the CPNI violations that prompted the disclosure. Verizon agreed to automate its “opt-out” process for CPNI consent, and to monitor and test the consent mechanism each month. The company will also notify customers of their right to “opt-out” of any CPNI-related marketing campaigns on every customer bill, for the next three years. Finally, Verizon will implement a CPNI opt-out process review, and identify employees who will be responsible for each step of the process. These provisions go well beyond the FCC's current rule requirements. It is the first time we've seen such detailed remedial measures in a CPNI consent decree.

Second, the Consent Decree contains an assertion that Verizon failed to timely notify the Commission of the CPNI failure. Section 64.2009(f) requires disclosure to the Commission within five business days of discovery of the failure. Verizon provided a notice on January 18, 2013, asserting that "during the week of January 14 ..." Verizon discovered the problem. The Consent Decree states, however, that "certain Verizon personnel discovered a potential opt-out problem in late 2012," several months before Verizon made the disclosure to the Commission. It is not clear whether this factor influenced the amount of the voluntary payment, but we suspect that it had an impact. The fact that the Commission went out of its way to include this statement in the Consent Decree should caution carriers to ensure that they are prompt in their disclosures in the future. It also emphasizes the importance of ensuring that CPNI failures are reported to the legal or regulatory department promptly, so that any potential reporting obligations can be met.

Finally, despite a potential trend we discuss in another recent blog post, Verizon does not admit any violations, and the settlement payment is described in traditional terms as a "voluntary payment." We will continue watching future consent decrees for more insight into the Commission's approach to settlements of enforcement investigations.

Annual CPNI Certifications Due March 3, 2014 https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/annual-cpni-certifications-due-march-3-2014 Tue, 04 Feb 2014 15:37:46 -0500

It’s time again for carriers to submit the annual Customer Proprietary Network Information (CPNI) certification to the FCC. Telecommunications carriers and interconnected VoIP providers are required to certify annually their compliance with the FCC’s CPNI protection rules. The 2014 report covers calendar year 2013 and will be due by March 3, 2014 (March 1 falls on a weekend this year). The certification requires a “brief statement” describing how the filer’s policies ensure compliance with the CPNI rules and requires certain information regarding complaints received within the prior year. Certifications must be signed by an officer with personal knowledge of the company’s CPNI compliance. Providers may file CPNI certifications via an FCC web application or via ECFS, mail or hand delivery.

The FCC has consistently enforced compliance with the CPNI certification reporting requirement. As we’ve noted in prior posts, penalties for failing to file the CPNI certification have varied widely over time, but seem to have settled at $25,000 per failure to file. To avoid such exposure, filers should be sure to file the certification by the March 3 deadline. In addition, this filing provides an opportunity for filers to take time to review their CPNI policies and actual business practices to ensure they still meet the FCC’s CPNI protection requirements.

CPNI Season Kicks Off With FCC Enforcement Advisory https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/cpni-season-kicks-off-with-fcc-enforcement-advisory Thu, 17 Jan 2013 17:56:50 -0500

Compliance with a carrier's CPNI certification obligations has provided steady fodder for this blog, with the annual Omnibus CPNI fines, unusual settlements and consistent enforcement focus from the FCC's Enforcement Bureau. With the start of a new year, the CPNI season begins anew. Yesterday, the FCC unofficially kicked off the 2012 CPNI certification season with an Enforcement Advisory stressing the requirements of the FCC's CPNI rules.

The Enforcement Advisory (which is itself almost becoming an annual ritual with the FCC) reminds carriers of the annual March 1 CPNI certification filing deadline, identifies common certification errors and highlights the monetary penalties associated with certification errors and failures to file. The Commission’s issuance of this CPNI Advisory is an indication that the FCC considers the submission of the CPNI certifications to be a high priority, and that its past history of enforcement will not change in the near term. Telecommunications carriers and interconnected VoIP providers should review the advisory carefully to ensure that they are in compliance with the certification obligations of the rules.

FCC Eases CPNI Compliance for Prepaid Calling Card Providers https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-eases-cpni-compliance-for-prepaid-calling-card-providers https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-eases-cpni-compliance-for-prepaid-calling-card-providers Mon, 14 Jan 2013 15:16:24 -0500

Back in 2007, in response to the pretexting controversy, the FCC strengthened its CPNI rules to require telecommunications carriers to authenticate a subscriber’s identity before providing call detail information. The FCC rules required carriers to authenticate customers with a password or some other information that does not rely upon "readily available biographical information" before providing telephonic, online or in-store access to CPNI, including call detail information.

These rules presented a particular difficulty for prepaid calling card providers, who typically do not have the same type of information available to them about the identity of their customers. In response to a prepaid card provider's petition seeking relief from the authentication rules, the FCC's Wireline Competition Bureau has issued a waiver to all prepaid calling card providers to allow them to authenticate users solely by virtue of the PIN assigned to the card if the prepaid card provider does not have other identifying information on the end user. Under the waiver, the prepaid card provider may provide call detail information to a caller if the caller provides the PIN as authentication.

However, it is important to note that this waiver does not apply if the prepaid card provider has telephone numbers or addresses of record for the customer. Moreover, the FCC ruling concludes, for the first time, that an email address constitutes an address of record for this purpose (see fn. 8). Thus, for “no PIN” customers, the prepaid card provider should authenticate the customer via the telephone number(s) registered with the account. For cards purchased online, which are then delivered to an email address, the prepaid card provider should authenticate the customer using the email address provided. It is only for prepaid cards sold through traditional retail store distribution channels that a provider will lack any identifying information other than a PIN.

Reminder: Annual CPNI Certification Due March 1 https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/reminder-annual-cpni-certification-due-march-1 https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/reminder-annual-cpni-certification-due-march-1 Sun, 26 Feb 2012 14:16:40 -0500 All telecommunications carriers and interconnected VoIP providers must file an annual report certifying their compliance with the Federal Communications Commission’s (FCC) rules regarding Customer Proprietary Network Information (CPNI). The report covers calendar year 2011 and must be filed with the FCC by March 1, 2012. Providers may file CPNI certifications via an FCC web application or via ECFS, mail or hand delivery.

The FCC’s Enforcement Bureau actively enforces the filing requirement, and proposes fines for failure to file the certification at approximately this time every year. Any company that submits USF revenue reports should ensure that it is in compliance with the CPNI certification requirement.

Compliance Reminder: Annual CPNI Certifications https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/compliance-reminder-annual-cpni-certifications https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/compliance-reminder-annual-cpni-certifications Tue, 15 Nov 2011 10:15:38 -0500 Yesterday, the FCC released an order cancelling more CPNI fines proposed in its Omnibus CPNI Forfeiture Order. Because proposed fines for failing to file the CPNI certification have become an annual event, this is a good time to remind telecommunications carriers of their obligation to file the CPNI certification that is due annually on March 1.

If your company is a telecommunications carrier or interconnected VoIP provider and, for any reason, has not filed the certification for calendar year 2010, you should do so as soon as possible. And, since this usually is the time during which the Enforcement Bureau sends out its CPNI Letters of Investigation, if you've received a letter, do not delay in responding. Your window to present evidence and negotiate a settlement will close near the end of February.

FCC Releases Five More CPNI Forfeiture Orders https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-releases-five-more-cpni-forfeiture-orders https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-releases-five-more-cpni-forfeiture-orders Fri, 10 Jun 2011 12:41:15 -0400 The Commission continues to clear the decks from its 2009 Omnibus CPNI NAL. Apparently having exhausted all of the cases warranting revocation of the NAL and meriting a consent decree, the Enforcement Bureau released five forfeiture orders for failure to file the 2007 Annual CPNI Certification. These orders each involve a prepaid card provider and are virtually identical to the 88 Telecom Forfeiture released earlier this week. All conclude that the $20,000 forfeiture proposed should be imposed. None of the providers were represented by FCC counsel, which may have cost them the opportunity to settle for a few hundred to a few thousand dollars instead of $20,000.

The carriers involved are: VoIP Alliance, Touch-Tel USA, Phone Club Corp., DigitGlobal Communications, and StraightTel Corp.

FCC Imposes $20,000 Fine for Failure to File CPNI Certification https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-imposes-20000-fine-for-failure-to-file-cpni-certification https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-imposes-20000-fine-for-failure-to-file-cpni-certification Wed, 08 Jun 2011 07:59:54 -0400 Still working its way through the 2009 Omnibus CPNI NAL, the FCC released a forfeiture order against prepaid card provider 88 Telecom. The Commission imposed the full $20,000 penalty proposed in the NAL, rejecting 88 Telecom's arguments that its violation was not willful and that it could not pay the forfeiture. What is most significant about the order, however, is that the provider did not settle the allegation via a consent decree. Most of those who did were able to settle for a few hundred to a few thousand dollars.

Interconnected VoIP Providers Get One Free Bite -- Take Two https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/interconnected-voip-providers-get-one-free-bite-take-two https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/interconnected-voip-providers-get-one-free-bite-take-two Fri, 29 Apr 2011 10:15:39 -0400 The Commission's efforts to resolve the 2009 Omnibus CPNI NAL continue to provide insights into the enforcement process generally. In the past, we've commented on surprisingly small settlements and odd provisions, but two orders earlier this week are especially cryptic.

In both orders, the Chief of the Telecommunications Consumers Division of the FCC Enforcement Bureau concluded that "no forfeiture should be imposed" with respect to the carriers identified. I would like to provide you with a definitive reason for the cancellation, but the orders literally provide no explanation of the basis for that conclusion.

In one case, I believe the rationale is that the entities are interconnected VoIP providers. As we've explained previously, because of the Commission's refusal to determine if interconnected VoIP providers are telecommunications carriers, they get one free bite at FCC violations. Each of the three carriers listed in this cancellation order reports itself as an interconnected VoIP provider on its USF forms. Because of that, the FCC could not impose a fine for failing to file the CPNI certification unless the FCC had issued a Citation first.

The other case is truly mystifying. The two carriers listed in this cancellation order are listed as a "CAP/LEC" and an "IXC", respectively, in the USF filer database. Although one appears to have ceased doing business in 2007, the other provider filed a Form 499-A in April 2011. We are left to guess what circumstances justified the decision not to impose a forfeiture.
