In the wake of the pretexting scandals of 2006, in early April the FCC issued its long-awaited CPNI Order. The Commission's stated objective in adopting new rules was to increase the security of individually identifiable data regarding customers' use of telecommunications services—which the agency denominates as Customer Proprietary Network Information (CPNI)—and to prevent databroker theft of this sensitive information. However, the new rules may have the unintended consequence of significantly disrupting routine marketing activities. If they become effective, the rules would impose significant new requirements at variance with industry-standard customer authentication and breach notification practices. They should be of interest to all telecommunications carriers.
In 2006, press reports about numerous websites openly offering for sale for a modest fee wireless telephone bills—including "call detail" information such as numbers called and the time, date and duration of calls—gave rise to concern in policy circles about "databrokers" and their "pretexting" activities. Databrokers are the operators of the websites that obtain unauthorized access to and sell CPNI, usually through pretexting—deceiving carrier customer service representatives into releasing CPNI or establishing fraudulent online accounts.
Although the pretexting tactic was new to the FCC, the Commission previously had addressed the protection of CPNI. Section 222 of the Communications Act—adopted as part of the 1996 Telecommunications Act—requires carriers to safeguard CPNI against unauthorized release. The Commission implemented Section 222 by adopting strict "opt-in" rules requiring express prior customer consent for most carrier uses of CPNI, which the 10th Circuit held unconstitutional in the 1999 US West case. On remand, the Commission adopted more lenient "opt-out" rules, which allowed carriers to use CPNI in most instances provided customers received notice in advance and had an opportunity to refuse consent or "opt out."
Following prominent media reports of pretexting and in response to a petition from the Electronic Privacy Information Center (EPIC), the Commission adopted a Notice of Proposed Rulemaking in February 2006 proposing more rigorous rules. Among the proposals was a return to a variation on the "opt-in" regime held unconstitutional in US West.
The FCC's Order
The Commission's April 2 Order adopts a number of proposals that reflect the agency's experience with CPNI protection and enforcement, regularizing reporting requirements and clarifying carrier obligations. For example, the Order requires carriers to file their annual certifications with the Commission on or before March 1, and to include an explanation of any actions taken against databrokers and a summary of consumer complaints. In addition, carriers must notify customers immediately of certain account changes, including whenever a password, a customer response to a carrier-designated back-up means of authentication, an online account, or an address of record is created or changed. Notification may be via carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record. Finally, the new rules do not apply to enterprise accounts if the carrier's contract with a business customer is serviced by a dedicated account representative and specifically addresses the carrier's protection of CPNI. As the record demonstrated, enterprise accounts have not been a target of pretexter activity.
Other requirements in the Order, however, represent a significant break with existing rules. These elements of the Order may well be subject to Petitions for Reconsideration or appellate challenge. Moreover, some of these new requirements, particularly in the area of breach notification and customer authentication, will necessitate significant changes to existing carrier operations with considerable attendant expense. The new obligations of greatest concern are:
Opt-in. The Order requires carriers to obtain opt-in consent prior to disclosing CPNI to independent contractors or joint venture partners for the purpose of marketing communications-related services.
This requirement essentially imposes a ban on sharing CPNI with third-party marketing firms for the purpose of conducting targeted marketing campaigns involving communications services. In light of US West, this requirement may well face constitutional challenge.
Breach Notification. The Order requires law enforcement notification whenever a security breach results in disclosure of CPNI without the customer's authorization. No later than seven business days after a "reasonable determination of a breach," a carrier must send electronic notification to a central reporting facility of the U.S. Secret Service (USSS) and the FBI. Seven business days after notifying the USSS and FBI, a carrier may notify the customer and/or disclose a breach publicly, provided the USSS and the FBI have not requested that the carrier further postpone disclosure. The rule includes an exception allowing immediate disclosure if a carrier believes there is an "extraordinarily urgent need" to notify a customer or class of customers to avoid "immediate and irreparable harm."
The rule provides a tight, seven-business-day timeline for notifying the USSS and FBI of a breach, but is ambiguous about the trigger that starts the clock. The term "reasonable determination of a breach" is not defined. In addition, there is no de minimis exception—carriers are required to report all breaches to the USSS and FBI.
Passwords. In certain scenarios, the Commission requires passwords in order to access CPNI.
Customer-Initiated Telephone Account Access
Carriers are prohibited from providing call detail over the telephone except in three circumstances: (1) the customer provides the carrier with a pre-established password; (2) at the customer's request, the carrier sends call detail records to a customer's address of record; and (3) the carrier calls the telephone number of record to release call detail information.
Online Account Access
The Order requires carriers to password-protect online access to CPNI. Carriers are prohibited from relying on "readily available biographical information" or "account information" to authenticate a customer's identity before a customer accesses CPNI online. The Order indicates that "readily available biographical information" includes such things as the customer's Social Security number, or the last four digits of that number; mother's maiden name; home address; or date of birth, and "account information" includes such things as account number or any component thereof, the telephone number associated with the account, or amount of last bill.
Requiring authentication of existing customers without using "readily available biographical information" or "account information" significantly limits carriers' authentication options. The Commission's proposed means of authentication—calling a customer at the telephone number of record or sending a PIN via voicemail or text message to the telephone number of record—may prove too complicated or time consuming for customers seeking to complete routine transactions.
Enforcement Policy. The Commission indicates that in enforcement proceedings it will infer from evidence of unauthorized disclosures of CPNI that reasonable precautions to safeguard CPNI were not taken.
Treating evidence that pretexting has occurred as, by itself, an indication that the carrier has not taken reasonable precautions to protect CPNI shifts the burden to the carrier: whenever pretexting—third-party theft of carrier-controlled data—is detected, the carrier must prove it should not be subject to sanction. The Commission thus requires carriers to detect and report pretexting, but may also fine them for doing so.
The new rules will take effect six months after Office of Management and Budget approval, which will be announced by Commission public notice. The Order also contains a Further Notice of Proposed Rulemaking seeking comment on additional CPNI safeguards, as well as whether the Commission should adopt rules to ensure that CPNI is removed from discarded or refurbished mobile devices. Comments are due 30 days, and replies 60 days, after Federal Register publication.