Breaking News

FCC Seeks Comment on Increased Regulation of Telecommunications Customer Information Privacy

February 17, 2006

On February 10, 2006 the Federal Communications Commission ("FCC") issued a Public Notice announcing that it has adopted a notice of proposed rulemaking ("NPRM") proceeding to examine whether changes in the federal rules regarding customer proprietary network information ("CPNI") is necessary to prevent the unauthorized disclosure of certain customer information held by telecommunications carriers. In the NPRM, the FCC seeks comment on a variety of issues related to customer privacy, including what security procedures carriers currently have in place, what inadequacies exist in those procedures, and what changes in the federal rules are warranted to better protect customer privacy.

The NPRM is in response to a petition filed by the Electronic Privacy Information Center ("EPIC") requesting that the FCC investigate whether the current rules are adequate to protect telecommunications customer's call records and other CPNI. This request is in conjunction with a series of recent incidents involving "pretexting," a practice in which an Internet data broker takes advantage of inadequate security procedures to gain access to CPNI under false pretenses, such as by posing as a customer, and then offering the records for sale on the Internet. Congress has held hearings on pretexting and bills designed to curb the practice have been introduced. Congress has also directed the FCC to do more to protect customer privacy.

The NPRM seeks comment on five specific security measures that EPIC suggested will more adequately protect CPNI. These are:

• Require carriers to allow access to CPNI through the use of passwords set by consumers.

• Require carriers to keep audit trails that record all instances when a customer's records have been accessed, whether information was disclosed, and to whom.

• Require carriers to encrypt stored CPNI data.

• Place limits on carrier data retention and require deletion of call records when they are no longer needed.

• Require carriers to notify customers when the security of their CPNI may have been breached.

The Commission also seeks comment on other ways to protect customer privacy, including whether carriers should be required to take the additional step of calling a subscriber's registered telephone number before releasing CPNI in order to verify that the caller requesting the information is actually the subscriber. The FCC is also considering amending its current rules to require carriers to file annual compliance certificates with the FCC, along with a summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI and a summary of any actions taken against data brokers during the preceding year.

As noted above, the FCC's CPNI rules only apply to certain customer information held by telecommunications carriers. However, there are other, more stringent, customer privacy requirements under Section 631 of the Federal Cable Act, codified at 47 U.S.C. § 551 that may apply to all services provided over cable TV systems, including non-video services. Given the high level of political interest and activity at all levels of government stemming from the recent reports involving pretexting, all carriers and cable companies should make sure that they are in compliance, or come into compliance, with both the CPNI and Section 631 requirements, as applicable, in a timely manner.

We would be happy answer any questions that you may have concerning this matter.

Other News