FCC Adopts Expansive CPNI Regulations

April 3, 2007

Yesterday, the FCC released a Report and Order and Further Notice of Proposed Rulemaking (Order)
establishing new rules related to the protection of customer proprietary network information (CPNI) under
section 222 of the Communications Act of 1934 (Act). The implications of the Order are far-reaching for
telecommunications carriers and interconnected Voice-over-Internet Protocol (VoIP) providers, as well as for the
third parties that serve such carriers and providers. All entities that have access to CPNI should examine the
new rules carefully to determine the impact on their business and to establish internal protocols to ensure
compliance. Highlights of the new requirements are outlined below. We would be happy to provide further
information and analysis upon request.

The new requirements will take effect six months after publication of the Order in the Federal Register or
Office of Management and Budget (OMB) approval, whichever is later. Small companies that meet the definition
of a "small entity" or a "small business concern" under the Regulatory Flexibility Act or Small Business Act will
have an additional six months to implement the online carrier authentication requirements described below. If
you would like to receive notice of the exact effective date, once established, please contact us.

Similar to E911, Communications for Assistance for Law Enforcement (CALEA) and Universal Service Fund
(USF) regulatory requirements, the FCC relied on its ancillary jurisdiction under Title I to extend the CPNI
carrier requirements to interconnected VoIP providers. Among other things, the FCC concluded that it "was
reasonable for consumers to expect that their telephone calls are private irrespective of whether the call is
made using the services of a wireline carrier, a wireless carrier, or an interconnected VoIP provider."


       Customer-Initiated Telephone Contact

               Call Detail Information: Carriers and interconnected VoIP providers are prohibited from
               releasing call detail information based on customer-initiated telephone contact unless: (1)
               the customer provides a pre-established password; (2) the carrier/provider calls the
               telephone number of record to disclose the call detail information; or (3) the
               carrier/provider sends the call detail information to the customer's address of record. The
               FCC provides specific guidance on the manner in which passwords must be established
               for new and existing customers as well as back-up authentication.

               Non-Call Detail Information: The release of non-call detail information also requires
               authentication, but the method of authentication is left to the discretion of the provider.

       Online Account Access
       Online account access to all CPNI (not just call detail information) must be password protected.

Telecommunications and
Information Security & Internet Enforcement

Sonnenschein Nath & Rosenthal LLP
       Retail Location Account Access
       Customers requesting CPNI at a retail location must produce a valid photo identification
       matching the name on the customer account.

       Business Customer Exemption
       The authentication rules do not cover business customers with contractual arrangements
       addressing the protection of CPNI that are serviced by a designated account representative as
       the primary contact.

Customers must be notified immediately of changes to the customer's account, including whenever a
password, customer response to a carrier-designated back-up means of authentication, online account, or
address of record is created or changed. Notification may be accomplished through voicemail, text message
or mail.

Customers must also be notified of any breach of CPNI, but only after notification to law enforcement.
Carriers and interconnected VoIP providers must provide electronic notification to the United States Secret
Service (USSS) and the Federal Bureau of Investigation (FBI) no later than seven business days after a
"reasonable determination" of a breach. Law enforcement may require an additional thirty days of delayed
customer notification for cause, which may be further extended "as reasonably necessary in the judgment of
the agency." Carriers/providers must maintain a record of any discovered breaches, notifications to the
USSS and the FBI, and the response to such notifications, for a period of at least two years. The record must
include the date that the carrier/provider discovered the breach, the date that the carrier/provider notified the
USSS and the FBI, a detailed description of the CPNI that was breached, and the circumstances of the
breach. The FCC declined to specify the content of the notice to customers. The FCC further specified that
none of these new notification requirements are intended to alter or supersede any existing breach
notification laws, except to the extent that such laws are "inconsistent" with the new requirements.

Carriers and interconnected VoIP providers must obtain opt-in consent from a customer before disclosing
CPNI to joint venture partners or independent contractors for the purpose of marketing communications-
related services to that customer. The FCC noted that this opt-in regime does not in any way affect a
carrier/provider's permitted use of CPNI enumerated in section 222(d) of the Act (e.g., billing).

Although the FCC rejected a proposal to specifically require encryption of customer account databases, the
FCC indicated that it interpreted the Act to require carriers and interconnected VoIP providers to "take
reasonable steps" to protect CPNI when it is stored in their customer databases, which may include

Carriers and interconnected VoIP providers must file annual CPNI compliance certifications on or before
March 1st of each year. In addition to the existing requirements, the certification must also include: (1) an
explanation of any actions taken against data brokers; and (2) a summary of all customer complaints received
in the past year concerning the unauthorized release of CPNI. Given the sensitivity of information related to
specific security procedures and customer complaints, the FCC indicated that carriers/providers may submit
that information confidentially.

As part of the Order, the FCC puts carriers and interconnected VoIP providers "on notice" that the FCC will
infer from evidence that a pretexter has obtained unauthorized access to a customer's CPNI that the carrier
did not sufficiently protect that customer's CPNI. A carrier/provider must demonstrate that the steps the
carrier/provider took to protect CPNI are "reasonable." If the FCC finds the carrier/provider did not take
"reasonable" steps in light of the threat, the FCC may sanction the carrier/provider. The FCC declined to
"immunize" carriers/providers with any "safe harbor" procedures.

Comments due 30 days after publication in the Federal Register; and Reply Comments due 60 days after
publication in the Federal Register.

The FCC seeks comment on expanding the CPNI rules to protect additional customer information. The FCC
is considering password protection for non-call detail, as well as physical safeguards for the transport of
CPNI between carriers. The FCC also seeks additional information on audit trails and data retention. Finally,
the FCC seeks comment on implementing requirements that carriers/providers remove customer information
from mobile communications devices prior to refurbishing the equipment.


If you would like additional information regarding this e-Alert please contact your regular Sonnenschein
attorney at 888.858.6429 or any of the following attorneys:

    Kathleen Greenan Ramsey          202.408.6345

    Wendy Creeden                    202.408.6479

    Marc Zwillinger                  202.408.9171


These materials should not be considered as, or as a substitute for, legal advice and they are not
intended to nor do they create an attorney-client relationship. Because the materials included here
are general, they may not apply to your individual legal or factual circumstances. You should not
take (or refrain from taking) any action based on the information you obtain from this document
without first obtaining professional counsel and you should not send us confidential information
without first speaking to one of our attorneys and receiving explicit authorization to do so.

This e-mail was sent by Sonnenschein Nath & Rosenthal LLP, located at 1301 K Street, N.W., Suite
600, East Tower, Washington, D.C. 20005-3364 in the USA.
