If you’re a telecommunications carrier (and FYI – we’re not just talking about POTS and cellular here – think VoIP operators, satellite operators, international resellers and others as well), the FCC wants to be sure that you don’t forget that your annual CPNI certifications are due between January 1 and March 1. The Commission has issued a public notice reminding everyone about those certifications, and also helpfully providing a suggested template to be used. CPNI – which stands for Customer Proprietary Network Information – is information relating to the quantity, type, destination, location, amount of use and configuration of service.
CPNI is inherently private information, and the FCC’s CPNI rules are designed to protect customers’ CPNI against unauthorized access and disclosure. (While the CPNI rules have been on the books since the late 1990s, the FCC’s interest in enforcing them increased dramatically in 2007 after media disclosures of “pretexting” practices used to obtain CPNI surreptitiously. For further background on CPNI, see the May and September, 2007 issues of FHH Telecom Law.)
One measure adopted by the Commission in 2007 is the annual certification requirement. Each year, telecommunications carriers must have an officer sign and file with the Commission a compliance certificate stating that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules. The carrier must provide a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules. Additionally, the carrier must include an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI.
Awareness of this obligation – or at least compliance with it – appears to have been a bit sketchy in 2008 (the first year in which certification was required), as evidenced by a rash of inquiry letters sent out by the Enforcement Bureau last Fall. The inquiries sought information and documents from the addressees as to why they hadn’t gotten around to filing their certifications yet. It appears that there may have been some initial confusion as to what kinds of companies are subject to the certification requirement. While one might have thought that the rules apply only to conventional phone companies (providers of POTS and the like), the Commission appears to be taking the position that any entity which files annual Form 499s with NECA (and which, therefore, have Form 499 Filed ID Numbers) are on the hook for the certifications. That would sweep within the reach of the rules a broad universe of companies (e.g., satellite licensees, international resellers) who might not ordinarily have viewed themselves as subject to CPNI limitations.
While the other shoe has not yet dropped following the issuance of the inquiries, we anticipate that some hapless carriers will be receiving hefty Notices of Apparent Liability in their Easter baskets.
It is, of course, possible that the FCC may accept the excuse that failure to file was due to reasonable uncertainty about the working definition of “telecommunications carrier”. But it’s also possible that the Commission will not accept that excuse. In view of the Commission’s actions thus far, though, any entity that either (a) files Form 499 or (b) has a Form 499 Filer ID number or (c) might otherwise meet the definition of telecommunications carrier, should probably consult with communications counsel and, at a minimum, develop and implement a compliant CPNI program and file the requisite CPNI certification by the March 1, 2009, deadline.