Today the Office of the Federal Register published a final rule from the Federal Communications Commission (FCC or Commission) that formally voids the rule changes in the Commission’s 2016 Privacy Order—which Congress invalidated in a 2017 Congressional Review Act (CRA) joint resolution earlier this year—and reinstates the voice-centric customer proprietary network information (CPNI) rules “in
At the Federal Communications Commission’s (“FCC”) Open Meeting on October 27, the Commission voted along party lines (3-2) to impose more stringent rules on broadband Internet service providers (“ISPs”). Chairman Tom Wheeler, along with Commissioners Rosenworcel and Clyburn, voted in favor of the item, while Commissioners Pai and O’Rielly voted against it.
The new rules clarify the privacy requirements applicable to broadband ISPs pursuant to Section 222 of the Communications Act. The new rules also apply to voice services and treat call-detail records as “sensitive” in the context of voice services.
According to an FCC press release issued immediately after the meeting, these rules “establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information.” The Commission further asserts that this approach is consistent with the existing privacy framework of the Federal Trade Commission (“FTC”).
It’s official: next Thursday, March 31, 2016, the FCC will vote on a Notice of Proposed Rulemaking seeking comment on a proposed framework for new privacy and data security rules for broadband Internet access service (BIAS) providers. This proceeding will have important implications for not only the broadband providers subject to the rules, but also for the Internet ecosystem as a whole.
This rulemaking proceeding stems from the 2015 Open Internet Order, which reclassified BIAS as a telecommunications service and applied several of the FCC’s core consumer protection provisions—including Sections 201 and 222 of the Communications Act—to BIAS. Section 201(b) prohibits “unjust or unreasonable” practices, which the FCC has interpreted to require reasonable data security practices. Section 222 (and the Commission’s interpretations of that section) establishes a complex framework for the protection of proprietary information (PI), carrier proprietary information (CPI), and customer proprietary network information (CPNI). CPNI, in short, is the information that a carrier has about its customer solely by virtue of the customer-provider relationship. However, because the CPNI rules promulgated pursuant to Section 222 were designed with traditional telecommunications services in mind, the FCC declined to impose those rules on BIAS, instead opting for a rulemaking proceeding to create new broadband CPNI rules.
On April 8, 2015, the Federal Communications Commission (“FCC” or the “Commission”) Enforcement Bureau (“EB”) reached a $25 million consent decree with AT&T over privacy and data security breaches involving its customers’ proprietary information (“PI”) and customer proprietary network information (“CPNI”) at three of AT&T’s international call centers. Under the terms of the settlement, AT&T must implement a wide-ranging compliance plan, notify affected customers of the breach (and provide free credit monitoring services), and report any noncompliance or future breaches to the Commission.
As explained in more detail below, this settlement represents the latest in a growing trend in aggressive enforcement of the Commission’s privacy and data security rules. As the Commission continues to find new ways to apply its rules against carriers—and begins to implement its 2015 Open Internet Order against broadband Internet access service providers—providers should take steps to bring themselves (and their vendors) into compliance.
Earlier today, the Federal Communications Commission released an enforcement advisory reminding telecommunications carriers and interconnected VoIP providers of the upcoming annual customer proprietary network information (“CPNI”) certification due by March 2, 2015. For Kelley Drye’s own advisory on this CPNI filing requirement, please see the attached alert.
On October 28, 2014, the Federal Communications Commission (“FCC” or the “Commission”) announced that it had joined the Global Privacy Enforcement Network (“GPEN”), a network of privacy enforcement and regulatory bodies from around the world that engages in collaboration and coordination on cross-border privacy enforcement actions.
On October 24, the FCC, over the dissent of its two Republican commissioners, issued a Notice of Apparent Liability (NAL) proposing a fine of $10 million to Lifeline eligible telecommunications carriers (“ETCs”) TerraCom, Inc. and YourTel America, Inc. for violations of laws protecting “phone customers’ personal information.”
This is the agency’s first data security case and the largest privacy action in the Commission’s history. See News Release. Friday’s decision follows through on numerous public statements made by FCC Enforcement Bureau Chief Travis LeBlanc indicating that privacy and security is a high enforcement priority for the Commission and that the agency would begin to use a Communications Act provision barring unjust and unreasonable practices as a privacy and security enforcement tool.
According to the NAL, the Enforcement Bureau investigation found that both TerraCom and YourTel “collected names, addresses, Social Security numbers, driver’s licenses and other proprietary information” gathered through the Lifeline eligibility approval process “and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.” The NAL states that the TerraCom and YourTel violations exposed more than 300,000 customers’ personal information to unauthorized access as well as heightened risk of fraud and identity theft. …
On September 16, the Federal Communications Commission issued a Notice of Apparent Liability (“NAL”) against PTT Phone Cards, Inc. (“PTT”) for a litany of alleged violations of rules applicable to international telecommunications carriers in general and one applicable to pre-paid calling card providers in particular. In short, the NAL alleges that, for over three years, PTT violated “virtually all of [the] regulatory obligations” applicable to international carriers and one specifically applicable to pre-paid calling card providers. The proposed forfeiture of $493,327 was arrived at through a straightforward application of the Commission’s base forfeiture amounts or penalties that the agency has recently applied for similar violations. While the Commission normally considers mitigating and aggravating factors to adjust penalties downward or upward, in the NAL it did not expressly do so, despite what it called “PTT’s apparent pattern of noncompliance” and “the seriousness, duration, and scope of PTT’s apparent violations.” Instead, it simply proposed standard penalties for each apparent violation, giving a casebook glimpse into what awaits entities that provide international and/or calling card services without first obtaining necessary FCC authority and without making requisite filings with the Commission, contributions into applicable federal funds, and payments of federal regulatory fees.…
On September 3, 2014, Verizon agreed to pay $7.4 million to resolve an investigation into possible misuse of customers’ personal information in a number of tailored marketing campaigns. Prompted by a self-disclosure from the company, the FCC investigated Verizon’s use of customers’ subscription and call information to market new services. Such use is restricted by Section 222 of the Communications Act and the Federal Communications Commission’s CPNI rules. Verizon’s consent decree is notable for more than its size. …
It’s time again for carriers to submit the annual Customer Proprietary Network Information (CPNI) certification to the FCC. Telecommunications carriers and interconnected VoIP providers are required to certify annually their compliance with the FCC’s CPNI protection rules. The 2014 report covers calendar year 2013 and will be due by March 3, 2014 (March 1 falls …