Law Offices of THOMAS K. CROWE, P.C.

Ensuring Compliance With FCC Privacy Rules

Thomas K. Crowe, Esq.

In September 2008, the Enforcement Bureau of the FCC sent letters of inquiry to thousands of communications providers for suspected violations of the agency's privacy or "customer proprietary network information" (CPNI) rules. The FCC's actions indicate a heightening of enforcement activity in this area and the need for prompt and careful compliance.

Consequently, it is essential that all covered communications providers - including wireless service providers, prepaid long-distance providers, postpaid long-distance providers and VoIP providers, among others - have policies and procedures in place to ensure compliance with FCC CPNI regulatory obligations.

It is not enough for a provider to simply create policies and procedures without thoroughly implementing them. Providers operating in today's regulatory environment must implement systems that will achieve full CPNI compliance lest they face serious enforcement liability and consequences. In the past, the bureau typically has assessed proposed fines of $100,000 for failure to comply with CPNI regulations. In 2007 alone, proposed forfeitures in this amount were assessed against 13 different companies. Thus, it is essential for a provider to implement an overall compliance plan that permeates the entire organization from upper-level management to independent contractors.

Here are a few recommended business practices intended to maximize CPNI compliance and reduce the risk of an FCC enforcement action.

Create Written Privacy Policy. One of the most important requirements of the FCC's new rules is that providers now must file annually a written privacy policy with the FCC by March 1 of every year. This written privacy policy must describe the procedures and procedure changes implemented by the provider to prevent the unauthorized disclosure of CPNI during the past calendar year.

To fulfill this requirement, a provider should design and implement procedures that comply with the FCC's CPNI rules, and that also are tailored to match its business practices. However, for a provider to avoid potential liability, it should design and implement procedures that also include any additional precautions the provider deems necessary to prevent the unauthorized disclosure of CPNI. The FCC views the explicit requirements set forth by its rules as only the minimum threshold for compliance and has stated that it expects providers to take any additional steps to protect the privacy of CPNI that are feasible for the provider.

Ensure Annual FCC Certification Filing. Along with the filing of its annual written CPNI privacy policy, providers also must file a CPNI certificate with the FCC by March 1 of every year. This certificate must be signed by an officer of the provider and must state that this officer has personal knowledge that the company has established policies that ensure compliance with the FCC's CPNI regulations. The certification also must contain details of any customer complaints during the past year related to the unauthorized release of CPNI and details of any actions taken by the company during the past year against information brokers.

Assess Authentication Procedures. A provider must authenticate (or verify) a customer prior to disclosing any CPNI to that customer during a customer-initiated telephone contact, online account access or an in-store visit. This authentication must establish clearly the customer's identity, and can be performed through the use of a password, an e-mail sent to the customer's e-mail account of record, or a phone call to the customer's phone number of record, among other methods. However, any method used by a provider must not rely on a customer's readily available biographical information or account information.

In addition to authenticating a customer prior to disclosing CPNI, the FCC requires providers to notify customers immediately of certain account changes related to authentication, including whenever any of the following are created or changed: a password, a customer response to a provider-designed backup means of authentication, an online account, or an address of record.

Customers have a legal right to access their CPNI, and providers must have systems in place to allow customers access to their CPNI, to properly authenticate the identity of customers requesting access to CPNI, and to notify customers of account changes related to authentication. Developing these systems will entail training customer service representatives, creating a computer system to allow online access to CPNI, and implementing other procedures needed to develop compliant authentication procedures.

Review Training Methods; Train Employees. The FCC's CPNI rules specifically require providers to train their personnel as to the circumstances under which CPNI may, and may not, be used or disclosed. Providers also must establish an express disciplinary process for instances where corporate personnel do not comply with established policies. A substantial training program and an explicit disciplinary process are critical for a provider to create a culture of compliance. As explained above, it is essential for a company to not merely pay lip service to the FCC's CPNI rules but rather instill in each of its employees (and independent contractors) an awareness and understanding of the company's CPNI compliance obligations. Providers should use both written materials and live training sessions to ensure this. Additionally, compliance training should be tailored to the responsibilities of the employees and contractors at each organizational level, from corporate executives to customer service representatives.

Customer and Law Enforcement Notification. Providers must have systems in place to officially notify law enforcement in the event of a breach or unauthorized access to CPNI. According to the FCC's CPNI rules, a provider must notify the U.S. Secret Service and FBI (via a link on the FCC's Web site) of a breach of or unauthorized access to its customers' CPNI no later than seven business days after it discovers the breach or unauthorized access. Additionally, for seven business days after notifying law enforcement, the provider may not notify its customers or publicly disclose the breach or unauthorized access. However, if the provider believes there is an extraordinarily urgent need to notify its customers in order to avoid an irreparable harm, it may immediately notify the affected customers after first consulting with the relevant law enforcement agency. Conversely, if either the U.S. Secret Service or the FBI determines that disclosure would impede its investigation, the law enforcement agency can compel a provider to delay disclosure of a breach or unauthorized access to its customers and the public for a more extensive period.

Systems will need to be developed that ensure notice to law enforcement agencies and customers within the mandated time parameters. Providers also should review each CPNI breach incident to determine how the breach or unauthorized access occurred, and to determine what policy changes must be implemented to prevent similar incidents in the future.
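The two deadlines described above (law enforcement notice within seven business days of discovery, then a seven-business-day hold before customers may be told, subject to the urgent-need exception and to any longer hold directed by law enforcement) are the kind of thing an incident-handling system should compute rather than leave to memory. The following is an added illustration, not code from the article or from the firm; it assumes business days are Monday to Friday with no holiday calendar, treats the day after the seventh business day as the first day customer notice is permitted, and uses a constructed breach record rather than any real incident.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Time limits as stated in the article's summary of the FCC CPNI rules.
LE_NOTICE_BUSINESS_DAYS = 7        # law enforcement notice after discovery
CUSTOMER_HOLD_BUSINESS_DAYS = 7    # hold on customer/public notice after LE notice


def add_business_days(start: date, n: int) -> date:
    """Date that is n business days after start.

    Assumption: business days are Monday-Friday; federal holidays are not
    modelled, so a production system would plug in a holiday calendar here.
    """
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 = Mon..Fri
            remaining -= 1
    return current


@dataclass
class CpniBreach:
    """Constructed incident record tracking the CPNI notification clocks."""
    discovered_on: date
    law_enforcement_notified_on: Optional[date] = None
    # Later date set only if the Secret Service or FBI directs a longer delay.
    law_enforcement_hold_until: Optional[date] = None
    # Filled in only when the provider invokes the urgent-need exception and has
    # consulted the relevant agency first; records who was consulted.
    urgent_consultation_with: Optional[str] = None

    def law_enforcement_deadline(self) -> date:
        """Last day on which the Secret Service/FBI notice is timely."""
        return add_business_days(self.discovered_on, LE_NOTICE_BUSINESS_DAYS)

    def law_enforcement_notice_overdue(self, today: date) -> bool:
        """True if the LE notice has not been sent and the deadline has passed."""
        return (self.law_enforcement_notified_on is None
                and today > self.law_enforcement_deadline())

    def hold_ends_on(self) -> Optional[date]:
        """Last day of the post-notice hold (None until LE has been notified)."""
        if self.law_enforcement_notified_on is None:
            return None
        hold_end = add_business_days(self.law_enforcement_notified_on,
                                     CUSTOMER_HOLD_BUSINESS_DAYS)
        if self.law_enforcement_hold_until and self.law_enforcement_hold_until > hold_end:
            hold_end = self.law_enforcement_hold_until
        return hold_end

    def may_notify_customers(self, today: date) -> bool:
        """Whether customer/public notice is permitted on the given day."""
        # Urgent-need exception: immediate notice after consulting the agency.
        if self.urgent_consultation_with:
            return True
        hold_end = self.hold_ends_on()
        if hold_end is None:
            return False  # no LE notice yet, so the customer clock never started
        return today > hold_end


if __name__ == "__main__":
    # Constructed example: breach discovered Monday 1 December 2008.
    incident = CpniBreach(discovered_on=date(2008, 12, 1))
    print("LE notice due by:", incident.law_enforcement_deadline())
    incident.law_enforcement_notified_on = date(2008, 12, 10)
    print("Customer hold ends:", incident.hold_ends_on())
    print("May notify on 19 Dec:", incident.may_notify_customers(date(2008, 12, 19)))
    print("May notify on 22 Dec:", incident.may_notify_customers(date(2008, 12, 22)))
```

Two points of design: the record never lets the customer clock start until the law enforcement notice date is actually filled in, so a missing notice cannot silently become a permitted disclosure; and the urgent-need path requires a recorded consultation, which is the evidence the provider will need in the annual certification.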

Assess Marketing Practices. Some of the most significant recent changes to the FCC's CPNI regulations involve the approval required from a customer before that customer's CPNI can be used for marketing purposes. With either opt-out or opt-in approval from a customer, a provider (and its agents and affiliates that provide communications-related services) may use CPNI for the purpose of marketing communications-related services to that customer. However, opt-in approval from a customer is required before disclosing CPNI to independent contractors or joint venture partners for marketing purposes.

The FCC's CPNI rules regarding opt-in approval are complex. For example, the FCC has requirements regarding the timing of opt-in approval, recordkeeping of past opt-in approvals, and the language that the opt-in approval must use. A provider may obtain opt-in approval through written, oral or electronic methods, and the FCC has regulatory requirements specific to each method.

Before using CPNI in any marketing campaign, a provider should develop systems which will ensure it obtains the proper approval from its customers and that it complies with the FCC's specific rules governing the use of CPNI for marketing purposes. To ensure compliance with the FCC CPNI rules, a provider should review all of its third-party arrangements to determine whether it is providing CPNI to outside parties or allowing outside parties to have access to its CPNI. If a provider is sharing CPNI with outside parties, the provider should:

a) confirm the third party with whom it has shared CPNI complies with all applicable laws and regulations regarding CPNI;

b) ensure adequate contractual protections exist for CPNI; and

c) determine whether there is a need for opt-in customer consent.

To avoid potentially complex compliance issues, providers may wish to consider adopting a policy of not disclosing CPNI to independent contractors or joint venture partners for the purpose of marketing communications-related services.

Appoint a CPNI Compliance Coordinator. Although not required by the FCC's CPNI rules, a provider should assign the responsibility of managing its CPNI compliance obligations to one individual. In a large organization, this responsibility could be delegated to several employees, but the ultimate responsibility should remain with one overall CPNI compliance coordinator. Among other tasks, this coordinator should ensure that the company's CPNI policies and procedures are properly implemented, that the company's employees receive CPNI training, and that the company's annual CPNI certification and privacy policy are timely filed with the FCC. This coordinator also should periodically consult with counsel to ensure the company's CPNI procedures are legally current.

Ensuring compliance with the FCC's CPNI regulatory requirements is no easy task. Achieving it will require a comprehensive approach that, among other things, spans establishing a personnel training and disciplinary process; developing a system for notifying law enforcement in the event of a breach or unauthorized access; assessing marketing practices and third-party agreements to ensure CPNI access is appropriately restricted; establishing written privacy policies and ensuring a summary of such policies is filed annually with the FCC along with the requisite FCC certificate; and assigning an overall CPNI Compliance Coordinator. Covered communications providers that have not already devised CPNI policies and procedures to conform to the new FCC regulations and implemented those policies throughout all levels of the organization should do so without delay.

This article was originally published in Xchange Magazine, December 2008, http://www.xchangemag.com/articles/ensuring-compliance-with-fcc-privacy-rules.html.
