FCC Takes Action Against “Pretexting”
The Federal Communications Commission (FCC) has adopted new rules regarding the protection of customer proprietary network information (CPNI), which will become effective sometime in the fourth quarter of 2007. This action is part of an overall government crackdown on “pretexting,” the term for the unauthorized obtaining of telecommunications customer information from carriers through misrepresentation of a caller’s identity. Pretexting became an important issue in 2006, after the disclosure of its widespread use by private investigators and senior management of Hewlett-Packard, which had sought to investigate leaks of information to journalists by some of its directors. In December of 2006, Congress enacted legislation providing for terms of imprisonment of up to 10 years for pretexting.
Highlights of the FCC’s order include the following:
1. Carrier Authentication Requirements
After the effective date of the new rules, a telecommunications carrier that receives a telephone call from someone identifying himself or herself as a customer may disclose that customer’s call detail information (i.e., information about specific calls made or received by that customer, a subset of CPNI) only if the customer first provides the carrier with the correct password previously supplied by the customer. Carriers may create a back-up customer authentication method in the event of a lost or forgotten password, involving “shared secrets,” that is, a question/answer combination known to the customer and carrier but “not widely known.” Customers cannot use as a back-up method “easily obtainable biographical information,” such as their mother’s maiden name.
2. Notice of Unauthorized Disclosure of CPNI
No later than 7 business days after the “reasonable determination” of a CPNI breach, carriers will be required to notify the U.S. Secret Service and the FBI. Except under extraordinary circumstances, carriers will not be able to notify customers or disclose the breach to the public until 7 business days have passed after notification to law enforcement, and law enforcement can extend that period. Carriers will have to maintain records of such breaches and notifications for 2 years.
3. Joint Venture and Independent Contractor Use of CPNI
The FCC has modified its existing rules to clarify that carriers must obtain “opt-in” consent from each customer before disclosing that customer’s CPNI to a carrier’s joint venture partner or an independent contractor for the purpose of marketing communications-related services to that customer. This marks a change in FCC policy from requiring only “opt-out” disclosure notification to such customers, and may essentially preclude the use of independent contractors to assist in carrier marketing, as opt-in consent is very hard to obtain. This particular modification may become the subject of court challenges on First Amendment grounds.
4. Annual CPNI Certification
Each year a telecommunications carrier must have an officer, as agent of the carrier, sign a compliance certificate. The officer must state in the certificate that he or she has personal knowledge that the company has established operating procedures which ensure that it is in compliance with the FCC’s CPNI rules. The FCC has now modified this rule to require that the certificate be filed each year by March 1 with the FCC Enforcement Bureau. It must also describe any actions taken against pretexters in the past year.
According to the FCC’s new rules, the FCC will take “strong enforcement measures” to enforce its new CPNI requirements even though it does not prescribe any particular method by which carriers must protect CPNI. The FCC takes a “flexible” approach, but places carriers “on notice” that, where evidence shows that a pretexter has obtained unauthorized access to a customer’s CPNI, the FCC will infer that the carrier did not sufficiently protect the customer’s CPNI or CPNI generally, rendering the carrier liable to enforcement action, including forfeitures.
The new rules obviously represent the FCC’s reaction to the recent pretexting abuses and its efforts to protect consumer privacy. But if upheld by the courts, the new rules also will substantially increase telecom carrier costs and potential liabilities.