Update on FCC Oversight of Data Brokers, Pretexters, Etc.
Posted by Ronald London
This week’s output at the Federal Communications Commission included several outgrowths of concerns that started to evolve last year (as reported on DWT's Privacy & Security Law Blog) regarding the apparent availability to third parties of sensitive phone records and other related data online and elsewhere. The records at issue often involve “customer proprietary information” (or “CPNI”) such as data relating to the quantity, type, destination, location and/or amount of use of telecommunications services by subscribers, which becomes available to the subscriber’s carrier solely by virtue of their status as customer. The data also can include potentially identifying information such as phone numbers, addresses, and other data. The Commission began looking into the matter late last year. In early 2006 it issued subpoenas to a number of online data brokers, and it investigated and/or issued notices of apparent liability (“NALs”) proposing fines against several telecommunications providers with respect to their submission to the FCC – or lack thereof – of certifications of compliance with federal CPNI rules and statutes.
One item of note this week resolved an NAL issued to AT&T, as well as the company’s self-reported failures opt-out mechanisms for use of its customers’ CPNI, that latter of which may have resulted in the unauthorized use of CPNI in violation of the Communications Act and FCC rules. The Commission announced that it had entered a $550,000 consent decree with AT&T to remedy the possible mishandling of the opt-out process by which subscribers inform their telecom providers that they do not wish to have their data shared with the provider’s affiliates or other entities. Under the consent decree, the company, which since the investigation commenced merged with SBC Communications, will dedicate company personnel to overseeing the opt-out process, as well as programs for training employees and monitoring customer complaints involving the CPNI opt-out rules. In announcing the settlement, Commissioner Jonathan Adelstein urged his counterparts to advance a pending FCC rulemaking on its consumer privacy rules for telephone companies, which Commission Adelstein characterized as affording the agency “an important opportunity to find ways to tighten our rules and provide greater security for sensitive consumer records.”
Separately, the FCC made a show of issuing an NAL – by proposing the maximum forfeiture permitted by law and by taking the atypical step of announcing issuance of the NAL at the agency’s monthly open meeting – to data broker 1st Source Information Specialist, Inc., d/b/a LocateCell.com, for allegedly failing repeatedly to respond to subpoenas seeking information in connection with the CPNI investigation. The NAL, proposing a $97,500 fine, cites the company for allegedly flouting the FCC’s power to subpoena the attendance and testimony of witnesses and the production of materials relating to any matter under investigation, in this case the apparent offering and sale of CPNI by data brokers. The subpoena LocateCell is alleged to have ignored sought to determine how it was able to acquire information that carriers are obligated to protect under the Act and FCC rules. In commenting on the NAL, FCC Chairman Kevin Martin claimed that “examining how data brokers are able to access consumer call records from these carriers is an integral part” of the investigation.
Also this week, the Commission issued citations (which it must as precursors for entities that violate the Act or FCC rules but do not hold FCC licenses or other authorizations) to several additional data brokers for failure to respond to subpoenas involving information relating to “pretexting,” i.e., the practice of obtaining personal information under false pretenses, which usually is associated with identity theft and/or making the information commercially available to third parties. Each of Matecheckpi.com, aaronspi.com, Usaskiptrace.com and Onlinepi.com had allegedly failed to respond to FCC requests for information, and accordingly received citations. The citations recited that, after receipt thereof, if the companies continue to refuse to comply with the FCC orders in any manner described therein, the Commission may impose monetary forfeitures. Resistance also could lead referral of the companies to federal court for contempt sanctions.
