Telecom Tickler 2011 - CPNI Certifications Due By March 1

Posted on January 30, 2011 by Michelle A. McClure

Heads up, all you telecommunications carriers and interconnected VoIP providers! Your annual reports certifying compliance with the Customer Proprietary Network Information (CPNI) rules are due by March 1, 2011. And you don’t have to take our word for that: the Commission has issued a helpful reminder notice to make sure that you’re on top of this chore. The Commission has also helpfully provided a copy of an acceptable template for CPNI certifications, as well as a series of Frequently Asked Questions (FAQ). 

As we have explained before (here and here, for example), the CPNI rules are designed to safeguard customers’ CPNI against unauthorized access and disclosure. Since 2008, the rules have required that telecommunications carriers and interconnected VoIP providers have an officer sign and file with the Commission a compliance certificate, annually, stating that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules. The carrier must also provide: (a) a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules; and (b) an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI.  

The Commission takes this reporting requirement very seriously.

As we have previously reported, in 2009 the FCC issued Notices of Apparent Liability (NAL) to hundreds of carriers who had apparently failed to file their reports. The standard forfeiture per violation – $20,000. The Commission was in a shoot-first-ask-questions-later mode, as a number of the targeted carriers eventually demonstrated that they had, in fact, submitted their reports. But there were still plenty of carriers who ended up paying a fine (whether directly in response to the NAL or after entering a consent decree with the Commission). 

Historically, there appears to have been some confusion as to precisely who must file annual CPNI certifications. In its recently-released FAQ, the Commission offers examples of “telecommunications carriers” subject to the reporting requirement: “local exchange carriers (LECs) (including incumbent LECs, rural LECs and competitive LECs), interexchange carriers, paging providers, commercial mobile radio services providers, resellers, prepaid telecommunications providers, and calling card providers.” But look out: the FCC cautions (in italics, mind you) that “this list is not exhaustive”.

This is not something that can or should be left to guesswork: as in most other areas of the law, ignorance is no excuse. If you are a telecommunications carrier or an interconnected VoIP provider, it would behoove you to tie down, sooner rather than later, whether you are required to file a certification. (Your communications counsel would be a good place to start, if you have any questions.) Remember: If you are in the broad universe of entities required to file the certification but you fail to do so for whatever reason, you’re almost certainly looking at a $20,000 forfeiture (not to mention the aggravation and legal fees normally associated with responding to an NAL).

 
Tags: , , , , , , , ,

Telecom Tickler, 2010 - CPNI Certifications Due By March 1

Posted on January 20, 2010 by Michelle A. McClure

It’s that time of year again – no, not tax time (well, not quite), but rather time to file annual Customer Proprietary Network Information (CPNI) certifications with the Commission. And just to make sure that the deadline is clearly highlighted on everybody’s “to do” list, the FCC has released an “Enforcement Advisory” reminding telecommunications carriers and interconnected VoIP providers that their CPNI certifications are due by March 1, 2010 (although they can be filed any time after January 1, 2010). 

CPNI is information relating to the quantity, type, destination, location, amount of use and configuration of service provided to telecom users. While it’s the kind of data that is collected routinely by carriers in the ordinary course of their business, it is nevertheless very private information – as the FCC has recognized in Subpart U of Part 64 of its rules. That subpart requires carriers and interconnected VoIP providers to establish and maintain systems designed to ensure that subscribers’ CPNI is adequately protected. 

And since the FCC is not in a position to inspect each and every company in order to confirm compliance with the rules, the Commission has dumped that particular monkey onto the backs of the companies themselves.  Each year telecommunications carriers must certify that they have established appropriate procedures and processes to protect CPNI. The certificate must include a description of how the procedures ensure that the responding company is or is not in compliance with the CPNI rules and must include a summary of all consumer complaints about unauthorized release of CPNI. It should also explain any actions taken against data brokers. And a detail which is often overlooked: the certification must be signed by a company officer who must affirmatively state that he/she has personal knowledge that the CPNI safeguards which have been established are adequate to ensure compliance.

Who has to file?

First and foremost, entities “providing telecommunications services”, a universe which includes (but is not limited to), local exchange carriers, interexchange carriers, paging providers, commercial mobile radio services providers, resellers, prepaid telecommunications providers, and calling card providers. (Note that it is not clear whether such retail establishments as 7-Eleven – which have recently been treated as “resellers” by the Enforcement Bureau – are required to file CPNI reports.) One exception: “aggregators” don’t count as telecom providers in this context. An “aggregator”, of course, is “any person that, in the ordinary course of its operations, makes telephones available to the public or transient users of its premises, for interstate telephone calls using a provider of operator services”.

The CPNI certification requirement also applies to VoIP providers – that is, companies providing services that: (a) enable real-time, two-way voice communications; (b) require a broadband connection from the user’s location; (c) require Internet protocol-compatible customer premises equipment; and (d) permits users generally to receive calls that originated on, and terminate calls to, the public switched telephone network.

Last year the Enforcement Bureau launched a major offensive against companies which failed to file their CPNI certifications. The Bureau issued an “omnibus” notice of apparent liability socking a long list of carriers $20,000 each for failure to submit certifications (although it ultimately turned out that a number of the targets were wrongly accused by the FCC). The “Enforcement Advisory” (linked above) issued this year by the Bureau appears to be both a helpful guide to assist compliance and a way for the FCC to make sure that nobody can plead ignorance as an excuse for not complying this time around. In any event, last year’s fines and this year’s Advisory make abundantly clear that full compliance with the CPNI certification requirement is a high priority for the Enforcement Bureau. All companies subject to that requirement should take note,
Tags: , , , , , , ,

CPNI Certificate No-Shows Spanked For $20K Each

Posted on February 25, 2009 by Michelle A. McClure

More fines on the way as FCC ramps up CPNI enforcement

Look out below! The Commission has lowered the boom on telecommunications carriers who apparently didn’t file their Customer Proprietary Network Information (CPNI) certifications when they were supposed to last March. An “Omnibus Notice of Apparent Liability” (ONAL) was issued late on February 24 directed against some 600 carriers.   At $20,000 per violation, the FCC’s take could run upwards of $12,000,000.

As we reminded one and all a couple of weeks ago, in 2007 the Commission began requiring each carrier to submit (by March 1 of each year, starting in 2008) to the Commission a compliance certificate, signed by a company official, stating that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the CPNI rules. The seriousness of this requirement apparently didn’t sink in fully with a large number of carriers, all of whom seem simply to have ignored it. That’ll be $20,000, please – payable to Uncle Sam. (Of course, each carrier identified in the ONAL will have the opportunity to explain why it should not be liable for a forfeiture – but since they have all already had an opportunity to demonstrate that they did in fact comply with the certification rule, and since they all apparently came up short in that department, it’s difficult to be optimistic about their chances at avoiding a fine at this stage.)

Coincident with the ONAL, Acting Chairman Copps issued a statement emphasizing “the importance of protecting the sensitive information that telecommunications carriers collect about their customers.” According to Copps, “The broad nature of th[e ONAL] hopefully will ensure substantial compliance with our CPNI rules going forward as the Commission continues to make consumer privacy protection a top priority.” This is in keeping with other recent statements by the Acting Chairman in which he has characterized the FCC as a “consumer protection agency”.

In addition to the 600 or so forfeitures assessed in the ONAL, there appear to be more in the pipeline: the FCC has indicated that another batch of CPNI-related forfeitures is in the works. From the information released thus far, this second batch involves carriers which filed “non-compliant” certifications. In other words, they at least tried to jump through the certification hoop (unlike the 600 tagged with $20K fines in the ONAL), but for some reason(s) they didn’t do it the right way. They will likely be hit with $10,000 fines.

This flurry of activity underscores the importance of filing the required CPNI certification by March 1, as we have previously reminded all carriers.
Tags: , , , ,

Court Tosses Challenge to "Opt-in" Requirement for CPNI Disclosure

Posted on February 16, 2009 by Michelle A. McClure

Commission compels carriers to conclusively tie down customer’s consent

The U.S. Court of Appeals for the D.C. Circuit has issued a decision upholding the Commission’s 2007 Order relating to the necessary mechanism for obtaining customer approval for release of customer proprietary network information (“CPNI”). That mechanism imposes greater burdens on carriers than had been the case prior to 2007.

Under the Communications Act, certain customer information – including the customer’s specific calling plans, special features, pricing and terms, and details about whom they call and when – is deemed “proprietary” and is supposed to be kept confidential.  Still, that information is useful for carriers’ marketing purposes: some carriers directly market new or different services to their customers based on CPNI, while others contract with joint venturers or outside third parties to use this information to market for them. 

Before using CPNI for marketing, carriers must have the customer’s approval. The big question in this case is how that approval is supposed to be obtained.

The Commission has zigzagged back and forth on this issue over the years. In the late 1990s it imposed an “opt-in” requirement under which the carrier had to obtain an express OK from the customer before the customer’s CPNI could be used. This was obviously a pain for the carrier. More to the carrier’s liking was the “opt-out” approach, which provided that the carrier could use CPNI for marketing unless the customer affirmatively told it not to. 

In its 2007 Order the FCC required carriers to obtain “opt-in consent” from a customer before disclosing the CPNI to a carrier's joint venture partner or independent contractor. The Commission adopted these more strict requirements in the context of the pretexting problems which came to national attention several years ago. 

National Cable &Telecommunications Association and intervenors, Qwest Communications International Inc. and Verizon, challenged this “opt-in” requirement . Their challenge was based on a claim that the 2007 Order either violated the First Amendment, or was arbitrary in violation of the Administrative Procedure Act, or both – the D.C. Circuit found that the NCTA didn’t make itself particularly clear on that point. But it didn’t really matter, since the court swatted away the challenge quite easily on all counts.

After a review of the constitutionality of the 2007 Order and its “opt-in” requirements, the court determined that CPNI is commercial speech (a category of speech that is subject to less rigorous constitutional protection) and that the Commission's requirements were adequately supported by the evidence in the record. In so doing, the court found that protection of a customer's interest in the privacy of his own communications data is a substantial governmental interest – one which justifies the relatively minimal burden of an “opt-in” requirement. The Court’s ruling means that carriers must continue to obtain “opt-in” consent from a customer before disclosing that customer’s CPNI to a joint venture partner or independent contractor for the purpose of marketing communications-related services to that customer.
Tags: , , , ,

Telecom Tickler: CPNI Certifications Due By March 1

Posted on January 22, 2009 by Michelle A. McClure

If you’re a telecommunications carrier (and FYI – we’re not just talking about POTS and cellular here – think VoIP operators, satellite operators, international resellers and others as well), the FCC wants to be sure that you don’t forget that your annual CPNI certifications are due between January 1 and March 1.  The Commission has issued a public notice reminding everyone about those certifications, and also helpfully providing a suggested template to be used. CPNI – which stands for Customer Proprietary Network Information – is information relating to the quantity, type, destination, location, amount of use and configuration of service.

CPNI is inherently private information, and the FCC’s CPNI rules are designed to protect customers’ CPNI against unauthorized access and disclosure. (While the CPNI rules have been on the books since the late 1990s, the FCC’s interest in enforcing them increased dramatically in 2007 after media disclosures of “pretexting” practices used to obtain CPNI surreptitiously. For further background on CPNI, see the May and September, 2007 issues of FHH Telecom Law.)

One measure adopted by the Commission in 2007 is the annual certification requirement. Each year, telecommunications carriers must have an officer sign and file with the Commission a compliance certificate stating that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules. The carrier must provide a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules. Additionally, the carrier must include an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI.

Awareness of this obligation – or at least compliance with it – appears to have been a bit sketchy in 2008 (the first year in which certification was required), as evidenced by a rash of inquiry letters sent out by the Enforcement Bureau last Fall. The inquiries sought information and documents from the addressees as to why they hadn’t gotten around to filing their certifications yet. It appears that there may have been some initial confusion as to what kinds of companies are subject to the certification requirement. While one might have thought that the rules apply only to conventional phone companies (providers of POTS and the like), the Commission appears to be taking the position that any entity which files annual Form 499s with NECA (and which, therefore, have Form 499 Filed ID Numbers) are on the hook for the certifications. That would sweep within the reach of the rules a broad universe of companies (e.g., satellite licensees, international resellers) who might not ordinarily have viewed themselves as subject to CPNI limitations.

While the other shoe has not yet dropped following the issuance of the inquiries, we anticipate that some hapless carriers will be receiving hefty Notices of Apparent Liability in their Easter baskets.

It is, of course, possible that the FCC may accept the excuse that failure to file was due to reasonable uncertainty about the working definition of “telecommunications carrier”. But it’s also possible that the Commission will not accept that excuse. In view of the Commission’s actions thus far, though, any entity that either (a) files Form 499 or (b) has a Form 499 Filer ID number or (c) might otherwise meet the definition of telecommunications carrier, should probably consult with communications counsel and, at a minimum, develop and implement a compliant CPNI program and file the requisite CPNI certification by the March 1, 2009, deadline.
Tags: , , , , ,