First Quarter 2006

Federal Action to Protect Confidential Telephone Record Information

Holland & Knight Newsletter
Peter M. Connolly

Perhaps the hottest telecommunications-related topic now before the FCC and the Congress is Customer Proprietary Network Information (CPNI). CPNI is defined in the Communications Act as “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” Practically speaking, CPNI includes information such as telephone numbers called by a consumer; the frequency, duration and time of such calls; and any services purchased by the consumer, such as call waiting. CPNI therefore includes very sensitive personal information.

Every telephone communications carrier has a general duty to protect the confidentiality of CPNI. However, carriers may use, disclose or permit access to a customer’s CPNI in limited circumstances: (1) as required by law; (2) with the customer’s approval; or (3) in their provision of the telecommunications service from which such information is derived, or services necessary to or used in the provision of such telecommunications service. The Act also guarantees that customers have a right to obtain access to and compel disclosure of their own CPNI. In addition, under the relevant section of the law, every telecommunications carrier must disclose CPNI upon affirmative written consent by the customer “to any person designated by the customer.” However, carriers cannot disclose CPNI to third parties without customer consent.

In addition to the restrictions on the use and disclosure of CPNI, the FCC has also adopted rules designed to ensure that telecommunications carriers establish safeguards to protect against unauthorized use or disclosure of CPNI. In recent months, it has emerged that the CPNI confidentiality procedures of many carriers are insufficient. It is alleged that so-called data brokers are able to obtain telephone call records from carriers by various surreptitious and fraudulent means, such as impersonating a customer, a technique known as “pretexting.” This has caused a major public outcry, resulting in activity at the FCC and in Congress.

FCC Proceeding

The FCC has issued a Notice of Proposed Rulemaking which seeks comment on practices to strengthen carrier CPNI protection requirements. The FCC seeks comment on how CPNI is now being provided to the public contrary to law and concerning whether existing procedures by which customers consent to CPNI disclosure to third parties are sufficient to protect the privacy of CPNI. For example, the FCC is considering requiring the use of customer “passwords” before CPNI is disclosed to anyone, including the customer, and requiring carriers to maintain “audit trails” which would record all instances when a customer’s CPNI was accessed. It has also been proposed that CPNI data stored by a carrier should be “encrypted.” The FCC is considering other approaches as well and may act within this year.

Proposed Legislation

Members of Congress have also introduced various bills dealing with CPNI which are now before the relevant Senate and House committees.

On March 2, 2006, the Senate Judiciary Committee reported a bill to the full Senate which would make the “stealing and selling” of CPNI a federal offense. Under this bill, it would be a crime punishable by up to five years’ imprisonment for anyone to: (1) obtain “confidential records information” from a telecom carrier without authorization; (2) make false statements or representations to a customer of the telecom carrier to obtain such records; (3) provide false documentation to a telecom carrier to obtain such records; or (4) access customer records of a carrier via the Internet. The bill separately prohibits the sale of confidential phone information, imposing increased penalties if violations are part of a “pattern” of illegal activity.

Senator George Allen (R-VA) and several of his colleagues have also introduced more detailed CPNI legislation, which is now being considered by the Senate Commerce Committee. It would also prohibit (1) the acquisition of any person’s CPNI without that person’s affirmative written consent; (2) any misrepresentation that a person had consented to the acquisition and use of his or her CPNI to acquire such information; (3) obtaining unauthorized access to the data processing systems or records of a telecommunications carrier or IP-enabled voice service provider in order to acquire the CPNI of one or more persons; (4) the sale or offer for sale of CPNI; and (5) any request that another person obtain CPNI from a carrier knowing that the person obtaining the information from such carrier would do so in an unlawful manner.

This legislation would also require the FCC to revise or supplement its regulations to the extent the FCC determined that such revisions were necessary to ensure the security and confidentiality of CPNI. The FCC would be authorized to protect CPNI from unauthorized access or use that would result in harm or inconvenience and ensure that any revised or supplemental regulations were similar in scope to the FTC’s regulations. The legislation would increase the penalties for carriers for violation of their CPNI obligations by imposing new criminal and civil forfeitures.

The bill also provides that state attorneys general could bring a civil action on behalf of the residents of their states in a U.S. district court to enforce the legislation. As presently written, the legislation would preempt any state statute, regulation or rule with respect to CPNI. However, it is currently being proposed in committee to delete this provision and allow the states also to regulate CPNI under their own laws.

On April 25, 2006, the House of Representatives passed H.R. 4709, a CPNI bill, by a unanimous voice vote. Under the bill, those fraudulently obtaining or attempting to obtain phone records, or selling or transferring them, would face fines of up to $250,000 (for individuals) or $500,000 (for organizations) and up to 10 years in prison. In aggravated fraud cases, fines would double and the offense would be punishable by an additional five years in prison. This would be applicable to mobile phone, wireline and voice over IP records. Law enforcement requests would be exempt. The House bill focuses on pretexters and those who cooperate with them and not on carriers and their responsibilities to protect CPNI.

Those bills will likely be merged into one bill and passed this year. And whether or not this occurs, the FCC will adopt additional CPNI regulations. Obtaining CPNI from data brokers will probably be made illegal sometime this year, and carrier CPNI protection requirements will be substantially strengthened.
