Posted by Charlene Brownlee
A password is now required if you want to get your account information from your telecommunications carrier over the phone under new privacy rules approved Monday by the Federal Communications Commission (FCC). If a customer does not provide a password, carriers have two options: (i) mail the information to the customer at its address of record; or (ii) call the customer at the telephone number on record.
The new safeguards also require customers to be notified immediately when there are changes made to their passwords, addresses or online accounts.
The FCC also adopted a Further Notice of Proposed Rulemaking seeking comment on what steps the Commission should take, if any, to secure further the privacy of customer information.
Why the New Rules?
Telephone companies collect information such as the numbers you call and when you call them (called Customer Proprietary Network Information (CPNI)). Both Congress and the FCC impose requirements on telephone companies about how they can use CPNI and what they must do to protect it from disclosure. Specifically, the Telecommunications Act forbids telecom companies from using or disclosing CPNI without customer approval, unless required by law or permitted by certain exceptions.
Despite these rules, using a practice known as “pretexting,” records have been obtained, and, in some cases, offered for sale on the Internet. The Electronic Privacy Information Center (EPIC) pointed out in its petition to the FCC that led to this Order, that numerous websites advertise the sale of personal telephone records. Pretexting became a household term following the high-profile case in which Hewlett-Packard Co. admitted last year that investigators it hired used false identities to obtain telephone records of directors, employees and journalists.
To curb pretexting, Congress recently passed a law making it a crime punishable by fine or imprisonment of up to 10 years to obtain CPNI from a telephone company, including Voice over Internet Protocol (VoIP) service providers, by: making false or fraudulent statements, providing fraudulent documents, or accessing customer records without prior authorization through the Internet or fraudulent computer-related activities. The law also prohibits the unauthorized sale or transfer of CPNI or the purchase or receipt of such information with knowledge that it was obtained fraudulently or without authorization.
The Federal Trade Commission (FTC) has also filed suits against several pretexters under laws barring unfair and deceptive practices. Additionally, numerous states, including California, Florida, Illinois, Missouri, and Texas have all sued data brokers for pretexting phone records.
The Order explicitly notes that it “is directly responsive to the actions of data brokers, or pretexters, to obtain unauthorized access to CPNI.” It is the hope of the FCC that the additional privacy safeguards created by the Order will sharply limit pretexters’ ability to obtain unauthorized access to CPNI.
Key Provisions of the New Rules
- Carrier Authentication Requirements. Carriers can only release call detail information to customers over the phone if the customer provides a password. If a customer does not provide a password, the carrier is limited to sending the CPNI to an address of record or by the carrier calling the customer at the telephone of record.
- Notice to Customer of Account Changes. Carriers must notify the customer immediately when a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed.
- CPNI Regulations Applicable to Providers of Interconnected VoIP Service. The CPNI rules apply to providers of interconnected VoIP service. (See Section IV.F). Note that the FCC does not decide in this Order whether interconnected VoIP services are telecommunications services or information services – it analyzes the issues under its Title I ancillary jurisdiction to encompass both types of service. If the FCC later classifies interconnected VoIP service as a telecommunications service, the providers of interconnected VoIP services would be subject to the requirements of section 222 and the Commission’s CPNI rules as telecommunications carriers under Title II.
- Business Customer Exemption. If the carrier’s contract with a business customer is serviced by a dedicated account representative as the primary contact, and specifically addresses the carrier’s protection of CPNI, the Carrier Authentication Rules do not apply. The FCC notes in the Order that businesses are typically able to negotiate the appropriate protection of CPNI in their service agreements.
- Notice of Unauthorized Disclosure of CPNI. The Order establishes a notification process for both law enforcement and customers in the event of a CPNI breach:
a) A carrier must first notify law enforcement (the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI)) of a breach of its customers’ CPNI no later than seven business days after a reasonable determination of the breach.
b) A carrier may notify the customer and/or disclose the breach publicly after seven business days following notification to the USSS and the FBI, unless the USSS and the FBI have requested that the carrier continue to postpone disclosure.
c) A carrier may immediately notify a customer or disclose the breach publicly after consultation with the relevant investigative agency, if the carrier believes that there is an extraordinarily urgent need to notify a customer or class of customers in order to avoid immediate and irreparable harm.
d) Carriers must maintain a record of any discovered breaches, notifications to the USSS and the FBI regarding those breaches, as well as the USSS and the FBI response to the notifications for a period of at least two years. This record must include, if available, the date that the carrier discovered the breach, the date that the carrier notified the USSS and the FBI, a detailed description of the CPNI that was breached, and the circumstances of the breach.
- Affirmative Consent from Customer Required for Joint Venture and Independent Contractor Use of CPNI. Carriers must ask for customers’ permission (opt-in) when sharing private account information with business partners and independent contractors for the purposes of marketing communications-related services to that customer. Prior rules required the customer to opt-out of such use of its CPNI.
- Annual CPNI Certification. A carrier’s annual certification must include an explanation of any actions taken against data brokers and a summary of all consumer complaints received in the previous year regarding the unauthorized release of CPNI.
- Enforcement Proceedings. Carriers must take reasonable measures to discover and protect against pretexting. In enforcement proceedings, the FCC will infer from evidence of unauthorized disclosures of CPNI that reasonable precautions were not taken.
Effective Date of New Rules
The rules adopted in this Order are subject to approval by the Office of Management and Budget (OMB). The rules will become effective six months after the Order’s effective date or on receipt of OMB approval, whichever is later. The FCC will issue a Public Notice when OMB approval is received.
Carriers satisfying the definition of a “small entity” or a “small business concern” under the Regulatory Flexibility Act or Small Business Act, will be granted an additional six months to implement the rules pertaining to the online carrier authentication requirements.
 For purposes of the Order, the terms “communications carriers” and “carriers” refer to telecommunications carriers and providers of interconnected VoIP service.
 Order available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.doc.
 CPNI is defined as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.” Practically speaking, CPNI includes information such as the phone numbers called by a consumer; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting. Id at page 5.
 “Protecting the Privacy of Your Telephone Records” FCC publication January 18, 2007 available at http://www.fcc.gov/cgb/consumerfacts/phoneaboutyou.html.
 Defined in the Order as “the practice of pretending to be a particular customer or other authorized person in order to obtain access to that customer’s call detail or other private communications records.” FCC Order April 2, 2007. Available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.doc.
 Petition of the Electronic Privacy Information Center for Rulemaking to Enhance Security and Authentication Standards for Access to Customer Proprietary Network Information, CC Docket No. 96-115 (filed Aug. 30, 2005) (EPIC Petition).
 See Internet Data Brokers and Pretexting: Who Has Access to Your Private Records?: Hearings Before the Subcommittee on Oversight and Investigations of the H. Comm. on Energy and Commerce, 109th Cong. (Sept. 29, 2006) (testimony of Christopher Byron).
 Telephone Records and Privacy Protection Act of 2006, Pub. L. No. 109-476, 120 Stat. 3568 (2007) (codified at 18 U.S.C. § 1039).
 See Internet Data Brokers and Pretexting: Who Has Access to Your Private Records?: Hearings Before the Subcommittee on Oversight and Investigations of the H. Comm. on Energy and Commerce, 109th Cong. 1 (Sept. 29, 2006) (testimony of the Joel Winston, Federal Trade Commission) (citing FTC v. Info Search, Inc., No. 1:06-CV-01099-AMD (D. Md. filed May 1, 2006); FTC v. Accusearch, Inc. d/b/a Abika.com, No. 06-CV-0105 (D. Wyo. filed May 1, 2006); FTC v. CEO Group, Inc. d/b/a Check Em Out, No. 06-60602 (S.D. Fla. filed May 1, 2006); FTC v. 77 Investigations, Inc., No. EDCV06-0439 VAP (C.D. Cal. filed May 1, 2006); FTC v. Integrity Sec. & Investigation Servs., Inc., No. 2:06-CV-241-RGD-JEB (E.D. Va. filed May 1, 2006)).
 See, e.g., California v. Data Trace USA Inc., No. GIC862672 (Cal. Super. Ct. filed Mar. 14, 2006).