If you’re a telecommunications carrier or interconnected VoIP provider, now’s the time to get out your calendar, turn it to early February or so, and mark in big red letters: “CPNI CERTIFICATIONS DUE MARCH 1, 2013”. And don’t forget to follow up by that important deadline.
CPNI here refers, of course, to Customer Proprietary Network Information (but you probably already knew that), and the certifications that are due at the Commission by March 1, 2013 are required by the FCC’s rules (as you hopefully already knew as well.) The FCC has issued a convenient “Enforcement Advisory” to remind one and all of the deadline. Like similar advisories in past years, this year’s includes a helpful list of FAQs and a suggested template showing what a certificate should look like. Heads up, though – this year’s advisory specifies that CPNI includes the numbers of calls made and received; advisories in past years referred only to “phone numbers called”. Additionally, in this year’s advisory voicemail is specifically included among the services covered by CPNI.
As we have explained annually for the past several years, the CPNI rules are designed to safeguard customers’ CPNI against unauthorized access and disclosure. The rules themselves are set out in Subpart U of Part 64 of the Commission’s rules, if you want to check them out yourself. Here’s a link that will take you there, but you might want to stock up on No-Doz® before heading there.
Since 2008, the rules have required that telecommunications carriers and interconnected VoIP providers have an officer sign and file with the Commission a compliance certificate, annually, stating that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules. The carrier must also provide: (a) a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules; and (b) an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI.
The Commission takes this reporting requirement very seriously – historically the FCC has doled out five-digit fines to non-compliant carriers. (In fact, the FCC’s zeal is such that, in many instances, it has initiated forfeiture proceedings even against carriers who, as it turned out, had fully complied with the rules.)
In light of this, it’s a good idea not only to get the report filed on time, but also to be sure to get, and keep, records demonstrating what you filed and when you filed it. That way, if the FCC wrongly accuses you (as it has wrongly accused others in the past), you will ideally be able to avoid a considerable amount of hassle, not to mention liability for any fine.
Who, exactly, needs to file this report? In its recently-released FAQ, the Commission offers examples of “telecommunications carriers” subject to the reporting requirement: “local exchange carriers (LECs) (including incumbent LECs, rural LECs and competitive LECs), interexchange carriers, paging providers, commercial mobile radio services providers, resellers, prepaid telecommunications providers, and calling card providers.” But the FCC cautions (in italics, as it has in past years) that “this list is not exhaustive”.
(The Commission emphasizes that aggregators are not required to file. An aggregator is “any person that, in the ordinary course of its operations, makes telephones available to the public or transient users of its premises, for interstate telephone calls using a provider of operator services.”)
This is not something that can or should be left to guesswork: as in most other areas of the law, ignorance is no excuse. If you are a telecommunications carrier or an interconnected VoIP provider, it would behoove you to tie down, sooner rather than later, whether you are required to file a certification. (Your communications counsel would be a good place to start, if you have any questions.)
Remember: If you are in the broad universe of entities required to file the certification but you fail to do so for whatever reason, you’re almost certainly looking at a $20,000 forfeiture (not to mention the aggravation and legal fees normally associated with responding to an NAL).