As we have reported in previous advisories in 2007 and 2009, the Federal Communications Commission (FCC) requires every telecommunications and interconnected VoIP service provider (including wireless, cable telephony, and even paging and calling card providers) to execute and file an annual officer certification that it is in compliance with the FCC's Customer Proprietary Network Information (CPNI) regulations.
Last Friday, Jan. 15, 2010, the FCC issued an “Enforcement Advisory” reminding providers that the annual CPNI certification for calendar year 2009 must be filed by March 1, 2010, and admonishing all providers that it will subject non-filers to enforcement actions with penalties of up to $1.5 million. This is no empty threat: over the past 18 months the FCC has initiated proceedings against thousands of providers and has compelled several settlements involving penalties of $100,000 and higher. Last week’s Enforcement Advisory included detailed FAQs on the CPNI rules and provider obligations, as well as a template certification for the upcoming filing.
Following is a brief overview of key elements of the FCC's CPNI certification requirements:
- An officer of the company must sign the compliance certificate;
- The officer must affirmatively state in the certification that she/he has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the CPNI rules;
- The company must provide a written statement accompanying the certification explaining in detail how its operating procedures ensure that it is in compliance with the CPNI rules;
- The company must include a clear explanation of any actions taken against data brokers;
- The company must include a summary of all consumer complaints received in the prior year concerning unauthorized release of CPNI, or a clear statement that there were no such complaints; and
- The company must report any information in the company's possession regarding the processes that "pretexters" are using to attempt to gain access to CPNI, and what steps it is taking to safeguard customers' CPNI.
Note that all of this information must pertain to the past calendar year (2009).