Concerns over identity theft and invasion of privacy took another turn recently with the adoption of rules designed to sharply limit the opportunities for pretexting. The new rules should be of interest to individuals, businesses and telephone companies.
"Pretexting" refers to the unauthorized release of call detail or other private information by a communications carrier to one pretending to be the customer of record. Call detail information includes numbers called, the date and time of the call, and its duration. Data like this are classified as a form of "customer proprietary network information" (or "CPNI" in FCC parlance).
Congress acted last year to criminalize pretexting. In recent days, the Federal Communications Commission adopted an additional series of rules applicable to the carriers under its jurisdiction, as well as to voice-over-Internet providers ("VoIP").
The FCC's rules, which generally become effective in six months, prohibit carriers from making unauthorized disclosures of call detail information absent the customer's provision of a password. Without the password, carriers may only release phone call data 1) by sending them to the address of record; 2) by the carrier calling the customer at the telephone number of record; or 3) at a carrier retail location upon presentation of a valid photo ID.
Online account access must also be password-protected. Here, however, the new rules go beyond password protection for call detail records to include any and all customer information, such as home address.
The new rules also require carriers to notify customers immediately whenever the address of record, the password, a backup mechanism for forgotten passwords, or an online account is created or changed.
Carriers must notify law enforcement authorities and customers whenever a security breach has occurred (a provision that does not apply in the case of disclosures to law enforcement authorities, or in the case of investigations of fraudulent service, for example).
Carriers must secure affirmative consent ("opt-in") before sharing CPNI with joint venture partners or independent contractors for the purpose of marketing communications-related services. This aspect of the rules also applies to all customer-specific information, not just call detail records.
Carriers must file annually with the FCC a certified report detailing actions taken against data brokers and any consumer complaints regarding unauthorized disclosure of CPNI.
The new rules are applicable not just to telecommunications carriers, but also to VoIP companies that offer the capability for interconnected service with the public switched telephone network.
Significantly, the new rules do not necessarily apply in the case of business customers. For business customers with a dedicated account representative (i.e., those which need not access the telephone company via a call center) and a contract with the carrier spelling out CPNI protections, the carrier may rely upon the alternative arrangement specified in the contract as long as it complies with general FCC requirements for the protection of CPNI.
The FCC has not been insensitive to concerns that customers may find frustrating the use of a password in order to access their own information (many of us being prone to creating and promptly forgetting passwords). In such situations, carriers may devise a backup authentication procedure, as long as it is not dependent on readily available biographical or account information. In other words, it should be something other than a Social Security number or mother's maiden name, for example. The FCC expects that the backup might include a question shared only with the carrier. Similarly, the new rules are not intended to prevent routine communications regarding service/billing questions or disputes. According to the FCC, if a customer, having initiated a call to a carrier, is able to provide the data pertinent to a specific issue or complaint (e.g., number called, date/time and amount charged for the call), then the carrier may proceed with its routine customer inquiry procedures with any disclosures limited to the specific call detail information provided by the customer (without prompting).
Finally, the Commission has also invited comments as to 1) whether it should also require carriers to adopt password protection for all CPNI, not just call detail records; 2) whether carriers should maintain logs of all customer contacts (i.e., an audit trail); 3) whether carriers should be required to adopt physical safeguards for CPNI; 4) whether the Commission should limit periods of data retention by carriers; and 5) whether the Commission should adopt rules protecting the privacy of customer information stored in mobile communication devices. This last requirement may include rules applicable to carriers and/or manufacturers so as to provide a means for erasing customer information (e.g, before an old cell phone is discarded).