• FCC Notice Seeks Comment in Rulemaking to Expand CPNI Rules
  • February 22, 2006 | Author: Ross A. Buntrock
  • Law Firm: Womble Carlyle Sandridge & Rice - Washington Office
  • On the heels of its January 30 order requiring all wireline and wireless carriers to file with the Federal Communications Commission ("FCC" or "Commission") a certificate verifying that they are in full compliance with the Commission's customer proprietary network information ("CPNI") rules, yesterday the Commission released the text of the Notice of Proposed Rulemaking ("NPRM") which it adopted at its February 10, 2006 meeting.

    The NPRM responds to an August 30, 2005 petition by the Electronic Privacy Information Center ("EPIC"), which raised concerns about whether carriers' current security practices are sufficient to protect from the disclosure of CPNI. Chairman Kevin Martin was specifically asked by lawmakers to explain steps the FCC is taking to address issue of data brokers obtaining CPNI when he appeared before the House Committee on Energy and Commerce committee on February 1, 2006. In addition, members of the House Committee on Energy and Commerce sent a letter to Martin on January 23 asking about the status of EPIC's petition, including when the Commission would complete its review of the record and determine what action should be taken in response to the EPIC petition. The issue of CPNI security has gained increasing attention following news reports in recent months that Internet data brokers are selling the information and the FCC has proposed fines against AT&Tand Alltel for apparent violations of the CPNI rules.

    In his statement accompanying the NPRM Chairman Martin stated that "I support this notice because I am deeply concerned about reports of companies trafficking in personal telephone records, and I want to thank my fellow Commissioners for considering this notice expeditiously." Clearly, then, CPNI compliance is high on the FCC's enforcement radar and carriers should be mindful of that going forward.

    The Following Is A List of the Major Areas of Inquiry Set Forth in the NPRM

    The FCC asks commenters to address how they currently maintain CPNI today and how data brokers are able to obtain CPNI from carriers under existing CPNI safeguards.

    The Commission seeks comment on whether the FCC's existing CPNI rules and carriers' current practices are adequate to ensure that CPNI is protected.

    In direct response to the EPIC petition, the Commission asks whether the following measures proposed by EPIC are feasible and/or advisable:

    • Requiring carriers to adopt a consumer-set password system;
    • Requiring carriers to record audit trails which would show all instances when a customer's CPNI records were accessed, what information was disclosed and to whom;
    • Requiring data stored by carriers to be encrypted;
    • Requiring carriers to remove identifying information from customer records they maintain.
    • Requiring carriers to notify customers when the security of CPNI may have been breached.

    The FCC also seeks comment on other measures, including whether a working group should be instituted to come up with innovative ways to address CPNI issues.

    In addition, the Commission wants feedback on other ways to protect customer privacy, including whether carriers should be required to take the additional step of calling a subscriber's registered telephone number before releasing CPNI in order to verify that the caller requesting the information is actually the subscriber.

    Next Steps

    Comments will be due 30 days after the NPRM is published in the Federal Register; that publication will likely take place in the next 2 to 3 weeks, likely making comments due in mid to late April.