It’s that time of year again – no, not tax time (well, not quite), but rather time to file annual Customer Proprietary Network Information (CPNI) certifications with the Commission. And just to make sure that the deadline is clearly highlighted on everybody’s “to do” list, the FCC has released an “Enforcement Advisory” reminding telecommunications carriers and interconnected VoIP providers that their CPNI certifications are due by March 1, 2010 (although they can be filed any time after January 1, 2010).
CPNI is information relating to the quantity, type, destination, location, amount of use and configuration of service provided to telecom users. While it’s the kind of data that is collected routinely by carriers in the ordinary course of their business, it is nevertheless very private information – as the FCC has recognized in Subpart U of Part 64 of its rules. That subpart requires carriers and interconnected VoIP providers to establish and maintain systems designed to ensure that subscribers’ CPNI is adequately protected.
And since the FCC is not in a position to inspect each and every company in order to confirm compliance with the rules, the Commission has dumped that particular monkey onto the backs of the companies themselves. Each year telecommunications carriers must certify that they have established appropriate procedures and processes to protect CPNI. The certificate must include a description of how the procedures ensure that the responding company is or is not in compliance with the CPNI rules and must include a summary of all consumer complaints about unauthorized release of CPNI. It should also explain any actions taken against data brokers. And a detail which is often overlooked: the certification must be signed by a company officer who must affirmatively state that he/she has personal knowledge that the CPNI safeguards which have been established are adequate to ensure compliance.
Who has to file?
First and foremost, entities “providing telecommunications services”, a universe which includes (but is not limited to), local exchange carriers, interexchange carriers, paging providers, commercial mobile radio services providers, resellers, prepaid telecommunications providers, and calling card providers. (Note that it is not clear whether such retail establishments as 7-Eleven – which have recently been treated as “resellers” by the Enforcement Bureau – are required to file CPNI reports.) One exception: “aggregators” don’t count as telecom providers in this context. An “aggregator”, of course, is “any person that, in the ordinary course of its operations, makes telephones available to the public or transient users of its premises, for interstate telephone calls using a provider of operator services”.
The CPNI certification requirement also applies to VoIP providers – that is, companies providing services that: (a) enable real-time, two-way voice communications; (b) require a broadband connection from the user’s location; (c) require Internet protocol-compatible customer premises equipment; and (d) permits users generally to receive calls that originated on, and terminate calls to, the public switched telephone network.
Last year the Enforcement Bureau launched a major offensive against companies which failed to file their CPNI certifications. The Bureau issued an “omnibus” notice of apparent liability socking a long list of carriers $20,000 each for failure to submit certifications (although it ultimately turned out that a number of the targets were wrongly accused by the FCC). The “Enforcement Advisory” (linked above) issued this year by the Bureau appears to be both a helpful guide to assist compliance and a way for the FCC to make sure that nobody can plead ignorance as an excuse for not complying this time around. In any event, last year’s fines and this year’s Advisory make abundantly clear that full compliance with the CPNI certification requirement is a high priority for the Enforcement Bureau. All companies subject to that requirement should take note,