This is to remind our clients that, pursuant to 47 U.S.C. § 222(c), the Federal Communications Commission (FCC) requires every telecommunications and interconnected VoIP service provider (including wireless, cable telephony, and even paging and calling card providers) to execute and file an annual officer certification that it is in compliance with the FCC's Customer Proprietary Network Information (CPNI) regulations. The annual certification for calendar year 2014 must be filed with the FCC by March 1, 2015. The FCC has taken aggressive enforcement actions in this area against thousands of providers for a mere failure to file this annual certification, with penalties of up to $100,000. Moreover, this past September, Verizon agreed to pay $7.4 million to settle an FCC action arising from a failure to send CPNI “opt-out” notices to new customers.
Further, as the FCC considers the reclassification of broadband Internet Access Service to a Title II regulated telecommunications service as part of its “net neutrality” order later this month, service providers should be thinking ahead to the possible CPNI implications and expanded reporting obligations that may result from any reclassification.
2015 CPNI Certification
The FCC issued its annual Enforcement Advisory this week, reminding service providers that their CPNI certifications must be filed by March 1, 2015. This is in addition to other periodic reminders to service providers that failure to comply with the CPNI rules or to file the required annual certification on time could subject violators to penalties in the millions of dollars.
As a refresher, following is a brief overview of key elements of the FCC's CPNI annual certification requirements. Note that all of this information must pertain to the past calendar year (2014):
- An officer of the company must sign the compliance certificate;
- The officer must affirmatively state in the certification that s/he has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the CPNI rules;
- The company must provide a written statement accompanying the certification explaining in detail how its operating procedures ensure that it is in compliance with the CPNI rules;
- The company must include a clear explanation of any actions taken against data brokers;
- The company must include a summary of all consumer complaints received in the prior year concerning unauthorized release of CPNI, or a clear statement that there were no such complaints; and
- The company must report any information in its possession regarding the processes that "pretexters" are using to attempt to gain access to CPNI, and what steps it is taking to safeguard customers' CPNI.
Importantly, in order to truthfully certify to these matters and provide the required information, a service provider must have an effective CPNI compliance program in operation.
We have assisted many clients in the creation and implementation of CPNI compliance programs and employee training materials. We have also successfully defended clients against FCC enforcement actions, in many cases obtaining settlements involving payments at a small fraction of the original FCC proposal, and in others obtaining outright withdrawal of FCC allegations of rule violations. We would be happy to assist you in preparing and filing this annual FCC certification, crafting or revising your CPNI compliance program, reviewing your opt-out procedures, or to answer any questions you may have.
As the Commission finalizes its plan for the reclassification of broadband Internet access service to a Title II telecommunications service, broadband service providers should consider the potential implications of the CPNI rules for their operations and the potential expansion of reporting requirements going forward. While the Commission has indicated that it will forbear from enforcing certain provisions of Title II, Chairman Wheeler’s recent Fact Sheet expressly contemplates the application of CPNI protections to broadband. Although this change would not affect annual reporting until 2016, unless the FCC grants some sort of deferral, some substantive CPNI requirements could become applicable to broadband immediately. The specific plan and its application remain unclear, but we hope the FCC will heed the strong arguments for at least delaying the extension of CPNI rules that were written for voice services until the Commission can determine the proper application to broadband service. In the meantime, some of the considerations for broadband service providers include:
- Marketing: FCC rules impose use limitations on CPNI, permitting carriers to use CPNI for marketing only within the same category of services to which the customer already subscribes, requiring opt-out consent before using it for other types of communications services, and requiring affirmative opt-in consent to use it for broader marketing. Because the families of services have been defined around traditional telephone services, it is unclear how this will be applied to broadband service. Companies may need to re-assess how they use broadband subscriber information to inform their marketing information and programs for other services, including video.
- CPNI Notice: Broadband service providers may have to extend CPNI notification requirements and associated recordkeeping obligations to Internet customers. If companies intend to use information learned from providing broadband services for marketing, they should consider the choices offered to consumers, whether such choices will need to be expanded under the CPNI rules, what notifications and protection measures would be required to offer those choices, and how consumer choices will be honored. Failure to honor consumer opt-out could result in enforcement actions and significant liability under the CPNI rules, as evidenced by the $7.4 million Verizon settlement in 2014.
- Heightened Authentication: The FCC’s rules require that online access to CPNI be protected by passwords established after authenticating the customer’s identity by means not based on any readily available biographical or account information. Some telecommunications and VoIP providers have already implemented this requirement across all services, so application to broadband may not pose significant additional difficulty in those cases. However, for broadband providers newly subject to this rule, and for other providers that previously did not apply it to broadband, this rule is among the most burdensome of the CPNI rules to implement. The CPNI rules also require valid photo identification for in-person access to CPNI. Service providers should carefully study the existing rules to consider how to implement these authentication and password requirements for broadband, which may require changes to their existing procedures.
- Account Change Notices: The CPNI rules require service providers to immediately notify customers when there is a change or establishment of a password on their account, the creation or change to a back-up authentication method, the creation of an online account, or a change to the address of record, including an email address. Companies should consider whether they will need to expand their notification process to include customer-initiated changes in broadband service account information and, if so, the additional operational requirements that would need to be put in place to do so.
- Breach Notifications: The existing CPNI rules require notification to the US Secret Service and FBI “when a person, without authorization or exceeding authorization, has intentionally gained access to, used or disclosed CPNI.” These breach reporting requirements would now be extended to broadband service, which would further complicate existing breach reporting obligations under state law and could result in further consumer confusion, given the disparate definition of a breach under the rules. Companies should consider how they would expand their current CPNI monitoring and tracking to their broadband service.
- Annual Certification: In the annual compliance certification, all of the requirements outlined above in the 2015 reporting obligations would be extended to broadband service. Companies should consider which officer of the company will have the requisite knowledge required to attest to personal knowledge that their procedures are adequate to ensure compliance with the FCC’s rules – whatever they may end up being.
While we wait to see the outcome of the reclassification effort and the details of any Commission order, and the subsequent appeals, companies should not wait to consider the implications of Section 222 on their operations. In going through this exercise, companies can start to lay the foundation now for any potential FCC rulemaking that would extend Section 222 to broadband services, in terms of what would best protect consumer privacy and what would be required in terms of timing and resource allocation.