As we previously advised, the Federal Communications Commission (FCC) reinstated its customer proprietary network information (“CPNI”) rules governing the privacy obligations of telecommunications and VoIP service providers under Section 222. As a result, the annual certification for calendar year 2017 must be filed with the FCC by March 1, 2018. The FCC recently issued a Public Notice reminding service providers of this obligation and admonishing them that it has taken aggressive enforcement actions in this area against many service providers for failure to comply with the CPNI rules. The Notice makes clear that the Commission has authority to impose penalties of just under $200,000 for each day of a violation, up to a maximum of nearly $2 million, for failure to comply with the CPNI rules. Accordingly, every telecommunications and interconnected VoIP service provider (including wireless, cable telephony, and even paging and calling card providers) must once again execute and file an annual certification of its compliance with the FCC’s CPNI rules.
Clients that have filed annual CPNI certifications in the past may recall that no certification was required in 2017 because the FCC had eliminated the annual certification requirement when it adopted new CPNI rules as part of its 2016 broadband privacy rulemaking. However, following the 2016 presidential and congressional elections, in 2017 Congress repealed the new FCC privacy framework in its entirety, invoking its authority under the Congressional Review Act. See our July 5, 2017 advisory. This legislative action had the practical impact of reinstating the prior CPNI rules, including the annual officer certification requirement. The FCC followed suit by formally reinstating these rules in September 2017. As a result, all of the “old” CPNI rules, including the annual certification filing requirement, are back in effect.
2018 CPNI Certification
The following is a brief overview of key elements of the reinstated FCC CPNI annual certification requirements. Note that all of this information must pertain to the past calendar year (2017):
- An officer of the company must sign the compliance certificate;
- The officer must affirmatively state in the certification that s/he has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the CPNI rules;
- The company must provide a written statement accompanying the certification explaining in detail how its operating procedures ensure that it is in compliance with the CPNI rules;
- The company must give a clear explanation of whether any actions were taken against data brokers in the preceding year, and include a description of any such actions;
- The company must clearly state whether or not any customer complaints were received in the preceding year concerning unauthorized release of CPNI, and include a summary of any such complaints; and
- The company must report any information in its possession regarding the processes that “pretexters” are using to attempt to gain unauthorized access to CPNI, and what steps the company is taking to safeguard customers’ CPNI.