Heads up, all you telecommunications carriers and interconnected VoIP providers! Your annual reports certifying compliance with the Customer Proprietary Network Information (CPNI) rules are due by March 1, 2011. And you don’t have to take our word for that: the Commission has issued a helpful reminder notice to make sure that you’re on top of this chore. The Commission has also helpfully provided a copy of an acceptable template for CPNI certifications, as well as a series of Frequently Asked Questions (FAQ).
As we have explained before (here and here, for example), the CPNI rules are designed to safeguard customers’ CPNI against unauthorized access and disclosure. Since 2008, the rules have required that telecommunications carriers and interconnected VoIP providers have an officer sign and file with the Commission a compliance certificate, annually, stating that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules. The carrier must also provide: (a) a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules; and (b) an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI.
The Commission takes this reporting requirement very seriously.
As we have previously reported, in 2009 the FCC issued Notices of Apparent Liability (NAL) to hundreds of carriers who had apparently failed to file their reports. The standard forfeiture per violation – $20,000. The Commission was in a shoot-first-ask-questions-later mode, as a number of the targeted carriers eventually demonstrated that they had, in fact, submitted their reports. But there were still plenty of carriers who ended up paying a fine (whether directly in response to the NAL or after entering a consent decree with the Commission).
Historically, there appears to have been some confusion as to precisely who must file annual CPNI certifications. In its recently-released FAQ, the Commission offers examples of “telecommunications carriers” subject to the reporting requirement: “local exchange carriers (LECs) (including incumbent LECs, rural LECs and competitive LECs), interexchange carriers, paging providers, commercial mobile radio services providers, resellers, prepaid telecommunications providers, and calling card providers.” But look out: the FCC cautions (in italics, mind you) that “this list is not exhaustive”.
This is not something that can or should be left to guesswork: as in most other areas of the law, ignorance is no excuse. If you are a telecommunications carrier or an interconnected VoIP provider, it would behoove you to tie down, sooner rather than later, whether you are required to file a certification. (Your communications counsel would be a good place to start, if you have any questions.) Remember: If you are in the broad universe of entities required to file the certification but you fail to do so for whatever reason, you’re almost certainly looking at a $20,000 forfeiture (not to mention the aggravation and legal fees normally associated with responding to an NAL).