FCC Considers Toughening Customer Privacy Rules
Washington, D.C., March 1, 2006 - In the wake of growing concerns among customers about the safety of their private information - termed CPNI ("customer proprietary network information") - kept or accessible by telecommunications carriers, the FCC is revisiting with renewed vigor the need for tougher privacy rules governing the handling of CPNI by carriers.
As an initial measure, on January 30, 2006, the FCC directed all carriers to file - in a new docket created expressly for the occasion - their CPNI compliance certificates for the most recent period along with an accompanying "statement explaining how their respective operating procedures ensure compliance" with the Commission's current CPNI rules by February 6, 2006 . See 47 C.F.R. § 64.2009(e); 47 U.S.C § 222. The Commission explained that it had established a new docket to enable more ready public access to carrier certificates.
On the heels of this measure, the Commission has also now issued a Notice of Proposed Rulemaking ("NPRM") to examine the need for and feasibility of tougher privacy rules relating to the handling of CPNI through the establishment of enhanced security and authentication standards for access to customer telephone records. The NPRM, released on February 14, 2006, arises from a petition filed by the Electronic Privacy Information Center ("EPIC").
In its petition, EPIC raised significant concerns regarding the adequacy of carrier practices and current rules relating to CPNI, and highlighted several disturbing trends involving the sale by data brokers of both landline and wireless telephone records, as well as records for non-published phone numbers and VOIP communications. The records being sold apparently include the 'call to' and 'call from' number, call duration, and (in the case of cellular communications) even the location of the cell phone. The FCC expressed concern that data brokers are employing a practice known as "prextexting" - i.e., obtaining the information under false pretenses, including posing as the customer - to gain access to such sensitive data. The FCC has become aware that the availability of such information is causing growing concern among customers.
Accordingly, in its NPRM, the FCC seeks comment on five types of security measures proposed in the EPIC petition. Such additional measures, as explained by EPIC, would more effectively protect CPNI than the current safeguards. Specifically, the five areas in which the FCC proposes to explore for the purpose of implementing enhanced security measures include:
Identity authentication and passwords set by customers.
Audit trails that record all instances when a customer's records have been accessed, whether information was disclosed, and to whom.
Encryption by carriers of stored CPNI data.
Limits on data retention that require deletion of call records when they are no longer needed.
Notice provided by companies to customers when the security of their CPNI may have been breached.
In addition to enhancements in these areas, the FCC also proposes to insure uniformity of carrier compliance certification filings by requiring carriers to file annual filing certificates accompanied with a " summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI and a summary of any actions taken against data brokers during the preceding year."
The FCC also seeks comments on any other means that could be implemented to enhance customer privacy, including possibly requiring carriers to confirm a requesting subscriber's identity "calling a subscriber's registered telephone number before releasing CPNI."
Comments on these proposed rules are to be filed 30 days after the publication of the NPRM in the Federal register. Reply comments will be due 60 days of such publication.
If you would like additional information on these issues and what they mean for your particular situation or business, or wish to discuss potential participation in the FCC's rulemaking proceeding, please feel free to contact us.