This is to remind our clients that the Federal Communications Commission’s (FCC) rules require every telecommunications and interconnected VoIP service provider (including wireless, cable telephony, and even paging and calling card providers) to execute and file an annual officer certification that it is in compliance with the FCC's Customer Proprietary Network Information (CPNI) regulations. The annual certification for calendar year 2015 must be filed with the FCC by March 1, 2016. The FCC just issued its annual CPNI “Enforcement Advisory,” admonishing service providers that it has taken aggressive enforcement actions in this area against thousands of providers for a mere failure to file this annual certification, and has imposed penalties of up to $25 million for failures to comply with the CPNI rules.
Though broadband Internet access service has now been reclassified as a telecommunications service under the FCC’s 2015 Open Internet Order, and is therefore subject to the statutory obligations contained in Section 222 of the Communications Act, the FCC’s new advisory expressly confirms that the Commission’s CPNI rules, including the annual certification requirement, do not apply to broadband services. However, the FCC has warned providers to take steps to protect the privacy of the information they obtain from broadband customers, and it is expected to propose CPNI-like rules for broadband services this spring. Service providers should carefully review their CPNI procedures and other privacy policies to ensure that these documents accurately reflect these changes in the law.
2016 CPNI Certification
The FCC has periodically reminded service providers that failure to comply with the CPNI rules or timely file the required annual certification could subject violators to penalties in the millions of dollars.
As a refresher, the following is a brief overview of key elements of the FCC's CPNI annual certification requirements. Note that all of this information must pertain to the past calendar year (2015):
- An officer of the company must sign the compliance certificate;
- The officer must affirmatively state in the certification that s/he has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the CPNI rules;
- The company must provide a written statement accompanying the certification explaining in detail how its operating procedures ensure that it is in compliance with the CPNI rules;
- The company must include a clear explanation of any actions taken against data brokers;
- The company must include a summary of all consumer complaints received in the prior year concerning unauthorized release of CPNI, or a clear statement that there were no such complaints; and
- The company must report any information in its possession regarding the processes that "pretexters" are using to attempt to gain access to CPNI, and what steps it is taking to safeguard customers' CPNI.
Importantly, in order to truthfully certify to these matters and provide the required information, a service provider must have an effective CPNI compliance program in operation.
We have assisted many clients in the creation and implementation of CPNI compliance programs and employee training materials. We have also successfully defended clients against FCC enforcement actions, in many cases obtaining outright cancellation of proposed penalties or settlements involving payments of a small fraction of the amount proposed by the FCC. We would be happy to assist you in preparing and filing this annual FCC certification, crafting or revising your CPNI compliance program, reviewing your opt-out procedures, or answering any questions you may have.
As the Commission prepares to launch its rulemaking to impose specific new customer privacy rules and sanctions on broadband service providers, companies should consider how they may be affected if the existing rules are extended to broadband service. For example:
- Marketing: FCC rules impose use limitations on CPNI, permitting telecom providers to use CPNI for marketing only within the same category of services to which the customer already subscribes, requiring opt-out consent before using it for other types of communications services, and requiring affirmative opt-in consent to use it for broader marketing purposes. Additionally, the FCC confirmed last year that it was reviewing whether Verizon's use of a tracking "supercookie" violated its consumer privacy and data security rules. Companies should understand how they use broadband subscriber information to inform their marketing programs for other services, including video, so that they can effectively evaluate how the Commission’s current enforcement activities and any proposed rules may affect their practices.
- CPNI Notice: Broadband service providers may have to extend CPNI-type notification requirements and associated recordkeeping obligations to Internet customers in the future. If companies intend to use information learned from providing broadband services for marketing, they may need to consider the choices offered to consumers for such use, whether such choices will need to be expanded to fit new rules (when proposed and finalized), what notifications and protection measures would be required to offer those choices, and how consumer choices will be honored. Failure to honor consumer opt-out could result in enforcement actions and significant liability, as evidenced by a $7.4 million Verizon settlement in 2014.
- Heightened Authentication: The FCC’s current rules for voice service require that online access to CPNI must be protected by passwords established after authenticating the customer’s identity not based on any readily available biographical or account information. Some telecommunications and VoIP providers have already implemented this requirement across all services, so application to broadband may not pose significant additional difficulty in those cases. However, for broadband providers newly subject to FCC privacy requirements, and for other providers that previously did not apply the rules to broadband, this would be among the most burdensome of the FCC rules to implement. Companies should assess how they would apply heightened authentication and password requirements to broadband, if they do not already exist. And as discussed below, even in the absence of new rules, the FCC currently expects all providers of phone and/or broadband services to use reasonable security measures to protect customer information.
- Account Change Notices: The CPNI rules require service providers to immediately notify customers when there is a change or establishment of a password on their account, the creation or change to a back-up authentication method, the creation of an online account, or a change to the address of record, including an email address. Even in the absence of new rules, the FCC may consider sending such notifications a “reasonable” security practice and therefore already required. Companies should assess whether their current processes should include notices for customer-initiated changes in broadband service account information.
What to do now
Whatever rules are ultimately adopted, it is important for companies to recognize that the general duty to protect broadband customer privacy under Section 222 already is in force and that broadband service providers are subject to expanded requirements to protect consumer privacy and new limitations on the use of customer data under the FCC’s recent Open Internet Order. Through recent enforcement actions that have included monetary fines for the failure to protect customer information, the FCC has created a roadmap of sorts for what companies should be doing now. This includes:
- Designating a “Privacy Officer” – in recent enforcement orders, the FCC has required companies to designate a senior corporate manager who is a certified privacy professional to act in this role.
- Conducting risk assessments, in accordance with NIST standards and with reference to the NIST Cybersecurity Framework.
- Maintaining an information security program that includes:
  - reasonable administrative, technical, and physical safeguards;
  - reasonable measures to protect customer “proprietary information” (“PI”) and CPNI that is collected or maintained by service providers;
  - policies and procedures to identify the extent of PI/CPNI collected or maintained, minimize collection, and restrict access to PI/CPNI;
  - reviews to evaluate the effectiveness of the program and update it as necessary;
  - audits and testing of select processes and systems that contain or process PI/CPNI;
  - a threat monitoring program.
- Maintaining oversight of third-party service providers.
- Creating an incident response plan and routinely testing its effectiveness through exercises.
- Conducting employee training and ensuring that your own service vendors receive security awareness training.
- Monitoring your program to ensure effectiveness.
If you have not already done so, you should adopt measures now to safeguard broadband customers’ private information, without waiting for the results of the FCC’s rulemaking.