CPNI Enforcement Actions   On March 26, 2007, the FCC’s Enforcement Bureau (“Bureau”) released Notices of Apparent Liability and Forfeiture (“NALs”) against Amp’d Mobile (“Amp’d”), CTC Communications Corporation (“CTC”) and Easterbrooke Cellular Corporation (“Easterbrooke”) for apparent violations of the FCC’s customer proprietary network information (“CPNI”) rules.  Although the specific deficiencies varied, in each case the Bureau proposed to assess a forfeiture of $100,000, based in particular on “the serious consequences that may flow from inadequate concern for and protection of CPNI.”  The scope of the investigations that led to these penalties suggests that the Bureau is taking a far more aggressive approach to policing the CPNI rules.  All carriers, including long distance resellers, wireless providers, MVNOs and prepaid calling card providers, should review and assess their potential CPNI liability.   Background   CPNI is the personally identifiable information that is created by a customer’s relationship with a communications provider.  It includes the information on a customer’s bill and call-identifying information.  Section 64.2009(e) of the FCC’s rules requires all telecommunications carriers to have an officer sign a compliance certificate each year affirming the officer’s personal knowledge that the company maintains operating procedures that ensure compliance with the CPNI rules.  There must also be an accompanying statement that describes how the operating procedures ensure compliance.  Carriers must keep CPNI certifications on file and available to the public during regular business hours.  Although the CPNI rules do not require annual filing at the FCC, last February the Bureau (as part of an enforcement investigation) required carriers to submit the certifications on only one week’s notice.  (See our Legal Alert dated January 31, 2006.)   In the March 26 NALs, the Bureau underscored the seriousness with which it takes the protection of CPNI from such threats as “data brokers,” which offer to obtain telecommunications customer information for a fee.  This followed NALs issued by the FCC’s Enforcement Bureau in January 2006 which proposed to assess $100,000 penalties against AT&T, Inc. and Alltel Corporation for apparent violations of Section 64.2009(e).  (AT&T and Alltel subsequently settled these proceedings by entering into consent decrees with the FCC that included voluntary contributions to the U.S. Treasury.)  In setting the proposed forfeiture amounts in the three current cases, the Bureau stated that it is “guided by the principle that there may be no more important obligation on a carrier’s part than protection of its subscribers’ proprietary information.”   Violations   In each case, the Bureau sent a Letter of Inquiry (“LOI”) to the company requesting the compliance certificates for each of the last five years that the company was required to retain under Section 64.2009(e).  According to one NAL, Amp’d failed to provide the required statement accompanying the certificate explaining how its operating procedures ensure that it is in compliance with the CPNI rules.  The company’s response stated that its operating procedures ensure that Amp’d is in compliance with the rules, but it did not state how those procedures ensure compliance.  CTC’s apparent violation involved not only CTC itself but three affiliates that it acquired in 2005.  None of the documents that CTC submitted in response to the LOI contained a statement that a company officer had personal knowledge that CTC and the affiliates maintained operating procedures sufficient to ensure compliance with the CPNI rules, as required by Section 64.2009(e).  Finally, Easterbrooke was found to have violated the CPNI rules when it responded to the NAL by noting that it had no written compliance certificates for the previous five years, but that it did have policies and procedures during that time for CPNI compliance.  The Bureau found this to be a violation on its face of Section 64.2009(e), which requires actual certificates.  All three companies will have opportunities to present evidence and arguments that the proposed forfeitures should be reduced or not imposed at all.   Compliance   These three NALs indicate that the Bureau is taking a harder line against CPNI violations.  The Bureau has sent LOIs to several carriers, potentially at random.  Therefore, carriers which have not done so should review their CPNI compliance status, especially with respect to the certification requirements in Section 64.2009(e).  If an LOI is received, contact communications counsel immediately.    In addition, unlike the investigations of AT&T and Alltel in January 2006, the Amp’d, CTC and Easterbrooke LOIs requested each carrier’s compliance certificates and supporting statements for the previous five years.  Although carriers should be aware of past compliance over at least the past five years because the Bureau can use evidence of past noncompliance to increase the forfeiture amount, the FCC is only permitted to impose forfeitures for violations occurring within the past year.  Therefore, carriers should be primarily concerned with current compliance and compliance over the past year.   Please feel free to contact us if you have any questions or we can be of any assistance to you.   March 2007   Back