Printer Friendly

The fight to protect CPNI.

Everything comes with a cost. It's just a fact of life. When the rumblings for enhancing the security of customer proprietary network information (CPNI) began in 2005, it was just a matter of time before the costs to carriers and consumers would follow. With telcos across the nation gearing up to file their CPNI compliance certificates to the FCC for the second year, it seems fitting to take a look at the costs that have been incurred by carriers and consumers in the fight to secure privacy.

Pub Up Your Dukes

In 2006, the FCC's investigations into CPNI offenses revealed that dozens of Internet data brokers were selling lists of phone numbers--for as little as $89--called by users of cell phones, landlines, unlisted lines and VoIP. The illegally obtained information included the call origin, termination, duration, and date and time the call was made. Given the sanctity of privacy to Americans, it didn't take long before lawmakers essentially ruled that telecommunications carriers would be guilty until proven innocent if there was a CPNI breach that could be traced to telco databases.

The seriousness with which the FCC would be enforcing CPNI compliance was foretold by the actions taken during its investigation. In January 2006, the commission requested that the five largest wireline and wireless carriers submit their CPNI compliance certificates. The inquiry led to the issuance of notices of apparent liability (NALs) to AT&T and Alltel for failing "to have a corporate officer with personal knowledge execute an annual certificate stating that the company has established operating procedures adequate to ensure compliance with the commission's rules governing protection and use of CPNI."

The FCC proposed a monetary forfeiture of $100,000 to both organizations. In July 2006, AT&T reached a consent decree and agreed to contribute $550,000 to the commission to resolve both its $100,000 NAL and its self-reported failure of opt-out mechanisms for use of its customers' CPNI. A month later, Alltel closed the book on its NAL by paying the full $100,000. The CPNI response from large carriers led the commission to issue a letter of inquiry (LOI) requiring that all telecommunications carriers submit their most recent certification. Responses to that call for CPNI certificates resulted in 10 companies receiving NALs, citing that each company "apparently failed to comply with the requirement that it maintain a CPNI compliance certificate and/or the requirement that it provide a statement accompanying its compliance certificate explaining how its operating procedures ensure that it is or is not in compliance with the FCC's CPNI rules."

The proposed forfeiture for each telco was $100,000 regardless of the size of the carrier. Shoreham Telephone Co. in Vermont, with just 3,500 access lines, was one of the small companies to receive an NAL. According to Shoreham President Don Arnold, the NAL was resolved with a "highly reduced" forfeiture.

Asked if other companies had been able to reduce the proposed $100,000 forfeiture, Janice Wise, director of media relations for the FCC Enforcement Bureau, stated, "Since they are pending matters before the commission, I am unable to discuss specifics."

Round One

Shortly after the deadline for filing the 2007-2008 CPNI compliance certificates, the commission threw its first enforcement punch based on the more stringent legislation. In the omnibus order issued on February 24, 2009, the FCC proposed fining 548 companies S20,000 each for not filing the annual compliance report. VoIP providers, wireless providers, paging services, long-distance service providers and the like seemed to far outnumber the rural carriers included in the order.

In a press statement, Michael Copps, the FCC's interim chairman at the time, said, "I have long stressed the importance of protecting the sensitive information that telecommunications carriers collect about their customers. The broad nature of this enforcement action hopefully will ensure substantial compliance with our [privacy] rules going forward as the commission continues to make consumer privacy protection a top priority."

When the omnibus order grabbed headlines, some spectators might have concluded that round one was over, yet other spectators wanted to know more. How many of the order's blows had landed? Wise said, "Responses from the companies in the omnibus order are in various stages of review. I can confirm, however, that some have paid the proposed forfeiture without response to the NAL."

However, in a review of FCC orders and notices, at least five of the rural companies listed in the omnibus order received consent decrees canceling their NALs, though each of the carriers did have to make a "voluntary contribution" of $1,000. The order against at least one other rural carrier was proven to have been made in error by the FCC, and it was subsequently dropped. In just these instances, the government received a total of $5,000 in contributions versus the omnibus order's potential forfeitures totaling $120,000.

Round Two

With the omnibus order having hit those companies that failed to submit the CPNI certificate, the commission then focused on the content of the filings submitted. A review of commission orders identified just five rural providers that were issued NALs due to noncompliant certificates. Suggested forfeitures were $1,000 or $2,000 depending on the compliance error.

The two most common compliance issues that hooked these carriers were: 1) failing to submit an annual CPNI compliance certificate that provides an explanation of any actions taken against data brokers; and 2) failing to submit an annual CPNI compliance certificate that provides a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI.

One carrier in the heartland wishing to remain unnamed shared that it had filled out the CPNI certificate the same way it had when it responded to the FCC's 2006 LOI. In the 2006 filing, the carrier did not have any CPNI-related customer complaints, and so that item was left blank. The thought was that a blank meant there was nothing to report. In the 2006-2007 filing, the FCC didn't share that view and issued the NAL. The lesson learned: Each and every field must have a written comment, even if that comment is "None."

McClure Telephone Co. (McClure, Ohio) was issued an NAL with a suggested forfeiture of $1,000 for allegedly submitting a certificate that wasn't signed by a company officer. General Manager Duane Schroeder explained that the company's filing had been correctly signed, so it challenged the NAL and won. However, it was an empty victory because attorney fees came to around $500. Adding research and staff time, Schroeder estimates McClure ended up dishing out the same amount of money as the fine.

Help in your Corner

There's another cost consideration for rural carriers: the consequences of legal actions that could be taken in the event of a data breach. According to Peter Elliott, president and CEO of Telcom Insurance Group, "From a telecom provider stance, there are two aspects to CPNI to be concerned about: 1) There's a breach of data related to the carrier's own customer; and 2) there's a data breach that happens when a carrier is acting as a billing agent for another company. [If that were to happen] you could have liability to a customer or a class action suit if information such as Social Security numbers, bank accounts or credit-card information used for automatic billing is obtained."

Elliott explained that the Federal Trade Commission (FTC) is looking at CPNI-type requirements aimed at finance groups extending credit. However, as the act evolves, it potentially could have implications for creditors and could open up a whole other set of legal issues in the event of a data breach.

"Virtually every single state has data regulation rules that allow the attorney general to set in motion and take action, so it's conceivable that you could have three different parties take action with you," he said.

While breaches may not be an issue for most rural telcos, the potential consequences of a breach may make purchasing insurance worth considering.

"There's been a spike in liability-related type claims that we never would have seen in prior years. They seem to be driven by economic/financial hardships of the time," Elliott said. It should be noted that this type of insurance does not cover "a cost of doing business" such as failing to file paperwork on time.

Up Against the Ropes

Insurance or no, the reality is that carriers have no choice when it comes to conforming to the Electronic Privacy Information Center (EPIC) CPNI order and amended rule 47 C.F. R. Section 64.2009(e). While the outlay by rural carriers to implement the order has not been quantified, it has cost money. For most carriers, operational adjustments avoided adding new employees, but expenditures have been made for such things as training, seminars, staff education, customer communications to set up security, consultant fees to set up CPNI policies and, in some cases, additional charges for customizing billing software.

And what have taxpayers shelled out for the scrutiny of CPNI compliance certificate filings by the FCC? Wise responded, "Staff resources were allocated to meet the demand of the project."

Given the nebulous expense incurred because of the order, has the legislation helped reduce customer information breaches to data brokers? Wise said, "The enhancement of the commission's CPNI rules in the EPIC order brought greater carrier recognition of the issue."

The Identity Theft Resource Center (ITRC) keeps track of each breach that is verified by media sources or government notification lists. The organization compiles an annual statistics report, which includes information such as the name of the affected company, its breach category and the number of exposed records. The percentage of the total reported annual breaches for each category from 2005 to 2008 is shown in Table 1.
Table 1: Percent of Data Breaches by Category

 '05 '06 '07 '08

Banking/Credit/Financial 12.7 9.7 7.0 11.9

Business 15.9 20.9 28.9 36.6

Educational 47.8 24.9 24.9 20.0

Government/Military 13.4 30.5 24.7 16.8

Medical/Health Care 10.2 14.0 14.6 14.8

Source: Identity Theft Resource Center

Based on a review of all of the individual breaches in the "Business" category over the years, none appear to involve rural telco providers. However, the ITRC reports do provide some useful information for carriers. The reports are compiled from individual reports, and those often contain the method by which the CPNI was breached. That information can help identify issues that need to be addressed in creating a stronger CPNI policy.

Based on a review of the individual breach reports, the leading reasons for breaches include: theft of a computer and/or electronic storage device due to a break-in, or from the home or car of an employee; employee theft of files; throwing sensitive documents in a dumpster or recycle bins; sending a computer out for repair; inadvertently mailing sensitive information to incorrect addresses; and attaching documents to e-mail.

Computer hacking also is common. Some of the intrusion methods include: tapping into a T-l line; stealing an employee's username and password; compromises through a third-party vendor's Web-based system; and leveraging weaknesses after software upgrades.

Consumer Victory?

While the carriers and taxpayers have taken the cost hit, how have the new legislative measures that were intended to protect CPNI been received? In rural areas where the phone companies have known their customers for years and have forged a reputation for providing outstanding customer service, carriers seem united in the feedback they've endured. Some customers think having to provide a security password or show ID to obtain information about their bill is silly. Having to set up authorization for another family member to question or resolve billing issues also is a hassle. Ultimately, customers realize that the carriers have no choice, but CPNI compliance is far from being considered a knockout victory for privacy.

The Decision

A representative of one Kansas carrier expressed her opinion about asking for security information: "To me it's not very good customer service, but what can we do?" Unfortunately, the answer seems to be nothing.

"CPNI has been one of the most heavily enforced areas of regulations," staled Jonathan Marashlian, partner of the CommLaw Group, which offers telcos assistance with CPNI issues. Whether that trend continues will be known only after the 2008-2009 CPNI filings are submitted.

Anna Henry is a freelance writer and sole proprietor of Headline Ink, a marketing communications and technical writing firm. She can be reached at
COPYRIGHT 2009 National Telephone Cooperative Association
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2009 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:customer proprietary network information regulations
Author:Henry, Anna
Publication:Rural Telecommunications
Geographic Code:1USA
Date:Nov 1, 2009
Previous Article:Small but strong: strategies for business success in rural America.
Next Article:Snow in June? Viewers and Telcos adjust to DTV.

Terms of use | Privacy policy | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters