Dear Clients and Friends,
As a reminder, telecommunications carriers and interconnected Voice over Internet Protocol (VoIP) providers are obligated to file their annual certification documenting compliance with the Customer Proprietary Network Information (CPNI) rules by March 1.
While on the topic of CPNI and privacy, we wanted to highlight several FCC actions taken during the last year that lead us to recommend that all of our communications clients take a fresh look at their existing policies, practices, and training covering CPNI and privacy. If your company needs to refresh, replace, or create policies, we would be happy to help.
1. Enforcement of Existing CPNI Authentication Requirements:
Last summer, the FCC issued a $20M Notice of Apparent Liability for Forfeiture against two mobile service providers for allegedly violating the FCC’s CPNI rules. While this action is equivalent to a complaint and the recipients are able to defend against it, the action should nevertheless cause regulated entities to take stock and evaluate whether existing practices are compliant. Specifically, the FCC alleged that the two service providers used biographical information and account information as the default username and password for online customer accounts, and consequently made CPNI accessible to anyone who knew or could obtain those types of information. While using readily identifiable biographical information or account information for authentication may be convenient and common, those practices are prohibited by the FCC’s CPNI rules. As a result, alternative means of authentication must be used by entities subject to the FCC’s CPNI rules.
2. Pending Changes to the CPNI Rules to Address Port-Out and SIM Change Fraud Schemes:
On Dec. 8, 2023, the FCC issued a Report and Order that will require wireless providers to refine their customer authentication procedures, customer notification policies, and record retention practices to protect customers from fraud schemes. Some of these revised rules will go into effect on July 8, while others will become effective after review by the Office of Management and Budget (OMB). Implementing these rule changes could require changes to terms, policies, and procedures. A petition seeking additional time to implement the rule changes remains pending.
3. Pending Changes to the CPNI Breach Rules:
In December of 2023, the FCC significantly revised its existing security breach rules for the first time in 16 years. Service providers should be aware of these changes, such as the expanded definition of “covered data” to include Personally Identifiable Information (PII) in addition to data meeting the definition of CPNI. These rules will become effective after review by the OMB. Implementing these rule changes will require changes to internal policies and procedures.
The privacy and security of consumer data is likely to remain a focus of the FCC this year, especially as the agency considers reclassifying broadband internet access as a common carrier service.