It’s that time of year again – that is, if you happen to be a telecommunications carrier or interconnected VoIP provider. If you’re one of them, your Customer Proprietary Network Information (CPNI, for short . . . but you already knew that) certifications are due at the Commission by March 1, 2012. The FCC has issued a convenient “Enforcement Advisory” to remind one and all of the deadline. Like similar advisories in past years, this year’s includes a helpful list of FAQs and a suggested template showing what a certificate should look like.
As we have explained before (last year, for example), the CPNI rules are designed to safeguard customers’ CPNI against unauthorized access and disclosure. (If you’re a glutton for punishment and want to read the actual rules, you can find them in Subpart U of Part 64 of the Commission’s rules. Here’s a link that will take you there, but don’t say we didn’t warn you.) Since 2008, the rules have required that telecommunications carriers and interconnected VoIP providers have an officer sign and file with the Commission a compliance certificate, annually, stating that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules. The carrier must also provide: (a) a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules; and (b) an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI.
The Commission takes this reporting requirement very seriously – so seriously, in fact, that it has in many instances initiated forfeiture proceedings against carriers who, as it turned out, had fully complied with the rules.
In light of that experience, it’s a good idea not only to get the report filed on time, but also to be sure to get, and keep, records demonstrating what you filed and when you filed it. That way, if the FCC wrongly accuses you (as it has wrongly accused others in the past), you will ideally be able to avoid a considerable amount of hassle, not to mention liability for any fine.
Who, exactly, needs to file this report? In its recently-released FAQ, the Commission offers examples of “telecommunications carriers” subject to the reporting requirement: “local exchange carriers (LECs) (including incumbent LECs, rural LECs and competitive LECs), interexchange carriers, paging providers, commercial mobile radio services providers, resellers, prepaid telecommunications providers, and calling card providers.” But look out: the FCC cautions (in italics, just like last year) that “this list is not exhaustive”.
(The Commission emphasizes that aggregators are not required to file. An aggregator is “any person that, in the ordinary course of its operations, makes telephones available to the public or transient users of its premises, for interstate telephone calls using a provider of operator services.”)
This is not something that can or should be left to guesswork: as in most other areas of the law, ignorance is no excuse. If you are a telecommunications carrier or an interconnected VoIP provider, it would behoove you to tie down, sooner rather than later, whether you are required to file a certification. (Your communications counsel would be a good place to start, if you have any questions.) Remember: If you are in the broad universe of entities required to file the certification but you fail to do so for whatever reason, you’re almost certainly looking at a $20,000 forfeiture (not to mention the aggravation and legal fees normally associated with responding to an NAL).