It’s that time of year again – time for our annual reminder to most (but not necessarily all) telecommunications carriers and interconnected VoIP providers that your CPNI certifications are due by March 1, 2016.
As described by the Enforcement Bureau, CPNI – Customer Proprietary Network Information to the uninitiated – includes “some of the most sensitive personal information that carriers have about their customers as a result of their business relationship”. Think phone numbers of calls made or received, or the frequency or duration of calls, etc. … basically the same stuff the NSA has apparently been collecting for years. While the NSA is not required to file CPNI certifications with the FCC, most telecom carriers aren’t so lucky.
The Bureau has issued its annual “Enforcement Advisory” as a convenient reminder to one and all of the fast-approaching deadline. Like similar advisories in past years, this year’s includes a helpful list of FAQs and a suggested template showing what a certificate should look like.
The potential fines for CPNI violations run to $160,000 a pop (up to a max of $1,575,000) – no small potatoes. And let’s not forget that CPNI violations have a way of adding up fast. For example, the Advisory reminds us that just last April AT&T agreed to pay $25 million to wrap up an investigation into unauthorized access to CPNI and other sensitive customer information by AT&T call center employees. And in 2014, Verizon entered into a Consent Decree arising from a CPNI-related investigation; as a result, Verizon ended up forking over $7.4 million to the Commission.
As those dollar figures indicate, the Commission takes CPNI compliance (including the annual reporting requirement) very seriously. Historically it has doled out five-digit fines to non-compliant carriers. In fact, the FCC’s zeal is such that, in many instances, it has initiated forfeiture proceedings even against carriers who, as it turned out, had fully complied with the rules.
In light of this, it’s a good idea not only to get the report filed on time, but also to be sure to get, and keep, records demonstrating what you filed and when you filed it. That way, if the FCC wrongly accuses you (as it has wrongly accused others in the past), you will ideally be able to avoid a considerable amount of hassle, not to mention liability for any fine.
As we have explained annually for the past several years, the CPNI rules are designed to safeguard customers’ CPNI against unauthorized access and disclosure. The rules themselves are set out in Subpart U of Part 64 of the Commission’s rules. If you’re a true glutton for punishment (or if you’re concerned that you may have OD’d on NoDoz), you can check them out here.
So what, exactly, needs to be filed? Since 2008, the rules have required that telecommunications carriers and interconnected VoIP providers have an officer sign and file with the Commission a compliance certificate, annually, stating that she or he has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules. The carrier must also provide: (a) a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules; and (b) an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI.
Who, exactly, needs to file this report? In its FAQs, the Commission offers examples of “telecommunications carriers” subject to the reporting requirement: “local exchange carriers (LECs) (including incumbent LECs, rural LECs and competitive LECs), interexchange carriers, paging providers, commercial mobile radio services providers, resellers, prepaid telecommunications providers, and calling card providers.”
The FCC cautions (in italics, as it has in past years) that “this list is not exhaustive”, but this year it also emphasizes that some “telecommunications carriers” are not subject to these requirements. Those who enjoy an exemption: entities deemed to be “telecommunications carriers” only because they provide broadband Internet access services. (Readers may recall that, when the Commission adopted its “Open Internet” (a/k/a Net Neutrality rules) last year, it announced that it would forbear from applying existing CPNI rules in the context of broadband Internet access services.) The exemption does not apply to any services previously found to be subject to the CPNI rules.
The Bureau’s Advisory again emphasizes that aggregators are not required to file. An aggregator is “any person that, in the ordinary course of its operations, makes telephones available to the public or transient users of its premises, for interstate telephone calls using a provider of operator services.”
This is not something that can or should be left to guesswork: as in most other areas of the law, ignorance is no excuse. If you are a telecommunications carrier or an interconnected VoIP provider, it would behoove you to tie down, sooner rather than later, whether you are required to file a certification. (Your communications counsel would be a good place to start, if you have any questions.)
Remember: If you are in the broad universe of entities required to file the certification but you fail to do so for whatever reason, you’re almost certainly looking at a $20,000 forfeiture (not to mention the aggravation and legal fees normally associated with responding to an NAL).