
The new CPNI rules.


Most cooperatives and other rural telephone companies have a superb record and reputation for responsive customer service. In fact, as competition encroaches more and more upon rural areas, excellent customer service is likely to be a major competitive advantage for rural telephone companies. So, how does a rural carrier comply with the new customer proprietary network information (CPNI) rules and standards without impairing its critical relationships with its customers?

The new CPNI rules that took effect December 8, 2007, add safeguards against acquisition and sale of call-detail information by data brokers to the existing restrictions upon use of CPNI for marketing purposes.

Congress included a CPNI provision (Section 222) in the 1996 Telecommunications Act to limit use of local exchange customer data by regional Bell operating companies to market their interLATA toll services. Whereas Section 222 also referenced privacy, it remained secondary to competitive concerns until 2005, when the FCC was faced with complaints that data brokers were obtaining the call records of officials and celebrities from cellular and other carriers, then selling the data on Web sites. The commission selected the privacy language of Section 222 as its weapon for attacking these abuses, and engrafted new "anti-pretexting" rules on top of its existing CPNI marketing restrictions.

The new CPNI rules create a great deal of tension between the goal of resolving ordinary and legitimate customer inquiries and the goal of preventing unauthorized disclosure of CPNI to entities posing as customers. Whereas the new regulations regarding the use of passwords to "authenticate" customers making telephone inquiries have drawn the most criticism and concern, the more dangerous aspect of the new rules is the commission's open-ended requirement that carriers take "every reasonable precaution" to protect the confidentiality of CPNI. The commission has stated that acquisition of CPNI by unauthorized entities will give rise to an inference that the carrier did not sufficiently protect its CPNI. The carrier will then bear the burden of demonstrating that it did in fact employ reasonable safeguards (in light of the sensitivity of the CPNI and the level of security threats). Carriers that run afoul of the "every reasonable precaution" standard, and associated presumption and burden of proof, may be severely penalized. During its 2006-2007 investigation of CPNI compliance, the commission has shown an affinity for $100,000 forfeitures (although some may be reduced on appeal).

What CPNI Is Affected?

First, carriers should understand that not all customer information is CPNI, and that not all CPNI is covered by the new anti-pretexting rules.

Section 222 defines CPNI as: (1) information that relates to the quantity, technical configuration, type, destination and amount of use of a telecommunications service by a subscribing customer that is made available to the carrier solely by virtue of the carrier-customer relationship; and (2) information contained in the bills pertaining to telephone exchange and toll services received by the customer. Although this congressional prose appears pretty broad at first glance, it is expressly limited to telecommunications services. Unless and until the statute is changed, information regarding video and other non-telecommunications services provided to customers is not CPNI. Carriers can respond to customer telephone inquiries regarding their video services without "authenticating" the customers, and can use a customer's video-service data to market services to the customer without worrying about "opt-out" and "opt-in" authorizations. (Note, however, that a carrier may not be able to use a customer's local exchange or toll service data without appropriate authorization to market video services to the customer.)

In its orders implementing Section 222, the commission has consistently and uniformly described CPNI as encompassing: (a) the telephone numbers called by a customer; (b) the telephone numbers from which a customer receives calls; (c) the frequency, duration, timing and location of a customer's phone calls; and (d) the telecommunications and information services purchased by a customer.

The juxtaposition of the statutory definition and commission description raises several interesting and currently unresolved questions, including whether: (1) data regarding a customer's Internet access service is CPNI; and (2) the total dollar amount of a customer's bill is CPNI. At present, Internet access service has not been classified as a telecommunications service, but rather is considered an information service (or an information service with a telecommunications component). Similarly, the dollar amount of a customer's telephone bill is certainly "information contained in the bills pertaining" to telephone services, but is not included within the classes of information listed in the commission description of CPNI. Whereas many people may consider the Web sites they visit or the amounts of their telephone bills to be confidential, the commission would have a difficult task sustaining forfeitures relating to the handling of Internet access data or bill amounts when the CPNI status of such information is not clear.

In any event, the new anti-pretexting rules currently focus solely upon the category of CPNI known as call-detail information or call records. This data pertains to the transmission of specific telephone calls to and from particular customers, and includes: (a) the telephone numbers called (for outbound calls); (b) the telephone numbers from which calls are received (for inbound calls); and (c) the date, time, duration and location of calls (for all calls). The commission has determined that call-detail information is particularly sensitive from a privacy standpoint, and is the type of CPNI most likely to be sought by pretexters, hackers and other unauthorized entities for illegitimate purposes. At the present time, call-detail information is the only type of CPNI that requires password authentication (or the shared secret, mail or call-back alternatives) before it can be furnished over the telephone to calling customers.

The commission is considering in the pending CPNI rulemaking whether to extend password authentication requirements to all types of CPNI sought by customers and purported customers over the telephone. However, at present, carriers can provide service information, bill amounts and other non-call-detail CPNI over the telephone as long as they establish in an "appropriate manner" that the caller is authorized to receive the CPNI. Because it is not yet clear whether "I knew the customer's voice," caller ID and other potential authentication alternatives for rural carriers will be deemed appropriate, or will otherwise satisfy the "every reasonable precaution" standard for CPNI that is not call-detail information, we have advised clients to play it safe by requiring passwords for the release of all CPNI over the telephone to calling customers.

Requests for Call-Detail Information From 'Customers'

The new anti-pretexting rules prohibit the disclosure of any call-detail information for a residential customer account over the telephone to any caller unless the caller furnishes the password established previously by the actual customer for the subject customer account and telephone number, or unless the caller satisfies the carrier's back-up customer authentication method. The commission has determined that the benefits of minimizing the risk of data broker acquisition of call records outweigh any potential inconvenience or delay in resolving certain legitimate customer inquiries.

Note, however, that these procedures apply expressly only to the call-detail information category of CPNI, and that they can be whittled down. First, the prohibitions address only the call-detail information of residential and single-line business customers. Carriers and their multi-line business customers are free to contract for different CPNI protection and procedures. Second, callers able to provide (without prompting) all of the necessary call detail can have their questions or problems resolved during their call without resorting to passwords or alternatives. For example, if a customer calls to dispute certain toll calls on her bill, has the bill in front of her, and provides the called number, date, duration and charge for each disputed toll call, the carrier's representative can proceed to address or resolve the matters during the customer's call without requiring a password or other method to authenticate the customer.

Residential customers may establish prearranged passwords with their carriers to obtain call-detail information over the telephone, and must do so to access online accounts. Passwords may be established: (a) at the time service is commenced; (b) by going personally to the carrier's office and producing a valid photo ID; (c) by arranging for the carrier to call the customer at the telephone number of record; or (d) by obtaining a randomly generated personal identification number (PIN) by phone, e-mail or mail from the carrier and then providing this PIN to the carrier during a call to establish the password. The commission has stated that carriers may not use readily available biographical information (e.g., Social Security numbers, mothers' maiden names, home addresses and birthdates) or account information (e.g., telephone numbers and recent bill amounts) to authenticate customers for purposes of establishing their passwords. However, the commission does not appear to have any authority over customers to regulate the specific passwords they select. Carriers should inform customers that certain biographical and account information does not make secure passwords, but carriers ought to have a reasonable defense if the customer disregards this advice and chooses a risky password anyway.

For situations where a customer cannot remember his password, the new rules permit and encourage carriers to use a back-up authentication method such as a "shared secret" procedure. A shared secret is one or more prearranged question-answer combinations that are known to the customer and the carrier but are not widely known (e.g., the customer's favorite color, food, movie, team, player, etc.). A customer with Denver Broncos paraphernalia all over his yard and vehicles probably should not use "favorite sports team" as his shared secret. If a caller needing to be furnished call-detail information cannot provide a password but can answer the shared secret question(s) for the subject customer account, the carrier's representative can proceed to furnish the information during the customer's call.

Note that caller ID may not be used to authenticate callers for purposes of providing them with call-detail information.

Where a caller does not have, or cannot remember, either a password or the shared secret answer(s), a carrier can no longer provide call-detail information during the call. Rather, the carrier may instead either: (1) send the requested information to the subject customer's postal or e-mail address of record (which must have been established in the carrier's billing and service records for at least 30 days); or (2) terminate the customer's call, and arrange to call the customer back at the telephone number of record (the telephone number associated with the call-detail information).

Whereas the commission asserts that it does not want its new CPNI rules to hinder routine customer service operations regarding service/billing issues, there will be disruptions and uncertainties that must be resolved in the future. For example, relatives and friends of elderly customers will need to access their call-detail information and other CPNI to resolve billing questions and make service changes. Whereas the new rules protect elderly customers from theft and misuse of their CPNI by unscrupulous persons, the commission did not intend to force adult children to travel hundreds of miles to obtain the call-detail information necessary to assist their parents with bills and service changes. Our law firm has been exploring reasonable alternatives (such as powers of attorney, and three-way calls involving the carrier, elderly customer and adult child to clarify the authority of the adult child and the use of the elderly customer's password) that will adequately safeguard the CPNI of elderly customers while allowing them to be assisted by designated relatives or friends.

A second area of concern comprises inbound calls from customers to inquire about or order new, additional or modified services. Under the existing CPNI marketing rules, the carrier's representative may read the calling customer a brief notice and obtain the customer's consent to use CPNI during the call to help the customer with her selection. In addition, if the carrier's representative must disclose call-detail information during the call, the caller must provide her password or answer the shared secret question(s).

Other Matters

The new CPNI rules also address requests for CPNI made in person at the carrier's office or store. Such information may be provided if the person furnishes a valid picture ID with a name and address that match the subject customer's name and address of record. We realize that it will be embarrassing in rural communities to request a picture ID from a friend with whom the carrier's representative has spoken daily or weekly for the past 20 years. Our advice is to do it anyway to avoid problems with less recognizable individuals that may also be at the location, and to blame the ID requirement on the commission or the carrier's attorney.

In rural service areas that do not contain prominent politicians or celebrities, the predominant security threat regarding call-detail information is likely to come from individuals who want to learn who is calling or being called by their spouses, ex-spouses, boyfriends or girlfriends. Often, such individuals will try to get a friend employed by a carrier to obtain the data as a favor. Carriers need to warn their employees of the dangers inherent in such behavior, both to the carrier and to the employee's future job security.

Gerard J. Duffy is a partner with Blooston, Mordkofsky, Dickens, Duffy & Prendergast. He can be reached at gjd@bloostonlaw.com.

RELATED ARTICLE: Existing CPNI Marketing Rules

The CPNI marketing restrictions require appropriate customer authorizations (via opt-out or opt-in procedures) before carriers, affiliates and independent contractors can use CPNI to target customers for particular marketing pitches. These restrictions generally do not apply when the same marketing message is sent to all of a carrier's customers (or all customers within a particular area), or when the marketed service is within the same category or package of services currently purchased by the customer. Where customer authorization is required, the less stringent opt-out procedure (customer deemed to approve unless the customer responds negatively) applies to marketing by carriers and by their affiliates selling communications-related services, while the more stringent opt-in procedure (customer must affirmatively approve) applies to marketing by independent contractors and by affiliates selling non-communications-related services.

RELATED ARTICLE: New And Modified CPNI Reporting Requirements

1. Annual Certification of CPNI Compliance (due at commission by March 1). This is an expanded version of the annual certification formerly required to be placed in a carrier's files. It must be signed by an officer of the carrier, and must include the magic words that he or she "has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the commission's CPNI Rules (47 C.F.R. §§ 64.2001 through 64.2011)." It must include the following three attachments: (1) a statement explaining how the carrier's operating procedures ensure that it is in compliance with the CPNI rules; (2) a statement describing and explaining the actions (if any) taken by the carrier against data brokers during the previous calendar year; and (3) a summary of all customer complaints (if any) received by the carrier during the previous calendar year concerning the unauthorized release of CPNI.

2. Notice to Customers of Account Changes (to customer whenever applicable). A carrier must notify customers immediately of certain changes in their accounts that may affect privacy or security matters. The triggering events include changes or requests for changes in passwords, shared secret questions and answers, and addresses of record, as well as any significant element of the customer's online account. The notice may be provided via a telephone call, voice mail or text message to the customer's telephone number of record; or a written notice mailed to the customer's address of record (the prior address of record if the change includes a change in the customer's address of record). The notice must identify only the general type of change and must not reveal the changed information.

3. Notice of CPNI Security Breach (to USSS and FBI, when applicable). A carrier must notify the U.S. Secret Service and the Federal Bureau of Investigation no later than 7 days after a security breach results in the disclosure of the customer's CPNI to a third party without the customer's authorization. The carrier may not notify its customers, the news media or the public of the breach for at least seven full business days thereafter, and may be required by law enforcement to extend this "blackout" period. Whereas a small percentage of CPNI security breaches may have national security implications, this requirement appears somewhat over the top. During a period when substantial terrorist threats exist, it does not appear particularly effective to have the Secret Service and FBI investigating hundreds or thousands of CPNI security breaches involving jealous spouses or lovers.
COPYRIGHT 2008 National Telephone Cooperative Association
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2008 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:customer proprietary network information
Author:Duffy, Gerard J.
Publication:Rural Telecommunications
Date:Mar 1, 2008
Words:2762