On February 24, 2009, the Federal Communications Commission (FCC) Enforcement Bureau (Bureau) issued proposed monetary forfeitures against more than 600 telecommunications carriers that had "failed to comply with the annual certification filing requirement and did not file compliance certifications on or before March 1, 2008, for the 2007 calendar year." The FCC announced the fines in an "Omnibus Notice of Apparent Liability for Forfeiture" (Omnibus NAL) following an internal review of annual customer proprietary network information (CPNI) certifications that telecommunications carriers must file each year on or before March 1.
The FCC adopted increased privacy compliance safeguards in its EPIC CPNI Order on April 2, 2007, in response to heightened public concern about the unauthorized sale of subscriber call records by data brokers. One of those safeguards requires telecommunications carriers to file an annual CPNI compliance certification signed by an officer of the company. These and other EPIC CPNI Order compliance requirements, which took effect in December 2007, require that CPNI compliance certificates be filed each year on or before March 1 for the prior calendar year. The Bureau sent a Letter of Inquiry (“LOI”) to many if not all of the companies named in the Omnibus NAL in early September 2008, requesting evidence of their annual CPNI certification filings. The Omnibus NAL concluded that "each of the companies failed to submit satisfactory evidence of their timely filing of their annual CPNI certifications."
The Bureau has proposed a forfeiture of $20,000 for each named carrier in the NAL (as compared with proposed forfeitures of $100,000 in 2006 against larger carriers for alleged CPNI rules violations), based on a "revised" forfeiture approach designed to provide a sufficient deterrent, while recognizing that "the vast majority of the companies affected are smaller companies." At the same time, the FCC warns that, should the proposed forfeitures not sufficiently deter future non-compliant conduct, non-compliant companies "will face more severe penalties."
Also on February 24, the Bureau released additional NALs against more than 30 telecommunications carriers that allegedly filed non-compliant annual CPNI certifications by either failing to meet the certification requirements of the FCC's CPNI rules, not providing a statement of the company's procedures to ensure compliance with the FCC's CPNI rules, and/or failing to explain any actions taken against data brokers or to provide a summary of consumer complaints received in the past year pertaining to the unauthorized release of CPNI. Proposed forfeiture amounts for non-compliant CPNI certificates range from $2,000 to $10,000.
Companies subject to a NAL have 30 days from the release date of the NAL (or by March 26, 2009, for NALs released on February 24, 2009) to either pay the full amount of the proposed forfeiture or to file with the FCC a written statement seeking a reduction or cancellation of the proposed forfeiture, based upon such factors as compelling financial circumstances, a history of overall compliance or other possible mitigating circumstances. In addition, the FCC retains discretion to set a forfeiture amount on a "case-by-case basis."