The Chairwoman’s proposal is significant because it signals a potentially more active FCC in consumer protection as the Democrats solidify control of the agency following the Presidential transition and Chairwoman Rosenworcel’s elevation from Acting Chair to Chair. The scope of the proposal appears to be fairly narrow (based on the limited information currently available) but represents the second CPNI-related action proposed in the past three months. Once a fifth commissioner is confirmed, Chairwoman Rosenworcel may be able to press a broader consumer protection agenda for the agency.

At this time, little is known of the draft NPRM, because the draft of the proposal has not been released. The press release provides the best indication of what we can expect to see in the proceeding, if and when it is adopted. The FCC’s announcement explains that the proposal will:

• Eliminate the current seven business day mandatory waiting period for notifying customers of a breach;
• Require notification of inadvertent breaches; and
• Require carriers to notify the FCC of all reportable breaches, in addition to the FBI and U.S. Secret Service.

The move to update the CPNI rules may be motivated in part by T-Mobile's August 2021 disclosure that names, Social Security numbers, and other personal information belonging to more than 48 million current, former, and prospective customers had been compromised.

With the Commission still evenly split while awaiting confirmation of a third Democratic commissioner, Chairwoman Rosenworcel will need the support of at least one of the two Republican commissioners to adopt the NPRM. The proposed changes may be innocuous enough to garner such support.

The NPRM comes on the heels of an FCC proposal in October 2021 to update the CPNI rules to address SIM swap and port-out fraud, which did garner support from the Republican commissioners. The FCC also has yet to take final action on the Notices of Apparent Liability it issued to major wireless carriers in March 2020 proposing over $200 million in fines for allegedly selling access to their customers’ location information in violation of the CPNI rules. Together, these three actions signal that the FCC may be renewing its focus on privacy issues in telecommunications. In 2017, Congress used the Congressional Review Act to rescind the Commission’s 2016 broadband privacy rules. That action restricts the FCC’s ability to adopt substantially similar rules if it reclassifies broadband providers back to Title II telecommunications services.

What the FTC will do with the staff report is less clear. The Commission voted unanimously to release the report, which does not make any specific policy recommendations. Members of the Commission, however, drew their own conclusions and articulated starkly different outlooks on the report’s implications. Chair Lina Khan and Commissioner Rebecca Kelly Slaughter declared that the FCC should play a leading role in overseeing ISPs’ data practices, citing the FCC’s industry expertise and legal authority. Commissioner Christine Wilson, however, stated that “oversight of ISPs for privacy and data security issues should remain at the FTC.” ISPs’ data practices – and the broader question of whether the FCC should reclassify broadband service back to a Title II telecommunications service and re-impose strict broadband privacy rules – are likely to be prominent issues as the Biden FCC takes shape in the months ahead.

The FTC Staff Report’s Findings

The staff report is based on information the FTC obtained from the country’s six largest ISPs and three of their adtech companies. The FTC compelled the companies to provide information about their data collection and use practices through orders issued under FTC Act Section 6(b) in March and August of 2019. While this group of ISPs “represents a broad swath of the internet services offered” to U.S. consumers, their practices are not necessarily representative of ISPs in general.

The staff report raises several concerns about ISPs’ practices, beyond generally equating ISPs with large advertising platforms, which include the following examples.

• Scope and Scale of Data Collection. The staff report finds that “many” of the ISPs in the FTC’s study “have access to 100% of consumers’ unencrypted internet traffic,” potentially allowing the ISPs to obtain information about sensitive web browsing behavior. In addition, FTC staff determined that several ISPs in the study collect and use potentially sensitive, real-time location information for advertising. They are also collecting customer information from other products and services they offer—such as voice, content, smart devices, advertising, and analytics—as well as purchasing information about consumers from data brokers. According to the report, several ISPs combine data from across their product lines, though the report did not reach a conclusion about how extensively ISPs combine this data.
• Opacity and Consumer Choices. The staff report concludes that ISPs collect and use personal data more extensively than consumers expect, do not provide clear disclosures about their practices, and generally provide opt-out choices that are difficult to use.
• Potential Consumer Harm. Finally, FTC staff conclude that some of the practices observed among these ISPs could cause harm to consumers. These practices include combining data from distinct services (e.g., video, web browsing, location, and connected devices) in a manner that consumers do not expect, as well as enabling third-party data uses that could harm consumers (e.g., targeting ads in a discriminatory manner, or making location data available to third parties “without reasonable protections”).

The unanimous vote to approve and issue the FTC staff report—an increasingly rare instance of bipartisan agreement on a major issue—does not necessarily signal consensus on further steps the FTC should take on the basis of the report. Chair Khan’s remarks highlight ISPs’ practices as an example of more general problems with the privacy framework the FTC was instrumental in establishing. In her view, the report’s findings “underscore deficiencies of the ‘notice-and-consent’ framework for privacy” and that “[a] new paradigm that moves beyond procedural requirements and instead considers substantive limits increasingly seems worth considering.”

Commissioner Slaughter expressed similar sentiments in her remarks, echoing some of her previous statements calling for “clear rules on data abuses” in general, and FCC-led regulation of ISPs, specifically.

The ISP disclosure practices described by the FTC staff report are subject to the FCC’s Transparency Rule. In 2017, although the Trump FCC classified commercial ISP services as subject to FTC jurisdiction, the FCC retained a transparency rule that, among other things, requires disclosure of “accurate information” regarding commercial terms of broadband internet access services. The FCC stated that disclosure of “commercial terms” included disclosure of information collection practices and privacy policies. If ISPs failed to adequately disclose their practices, as alleged in the FTC Report, the FCC retains jurisdiction to enforce that failure to comply with the transparency rule.

Further oversight by the FTC may not be necessary in the long term if oversight of ISP data practices is moved back under the FCC’s jurisdiction, and they once again become subject to Section 222 of the Communications Act. That statute places privacy restrictions on the use of customer proprietary network information ("CPNI") by telecommunications service providers. (The Obama FCC reclassified broadband as a telecommunications service under Title II of the Communications Act and imposed net neutrality regulations as well as broadband privacy rules. The Trump FCC largely reversed the net neutrality rules, and Congress nullified the broadband privacy rules.)

Commissioner Slaughter and Chair Khan may get their wish to have the FCC jump back into the fray. The White House announced on October 26 that President Biden will nominate Jessica Rosenworcel for another term as FCC Commissioner (and named her as the permanent FCC Chair) and Gigi Sohn as the third Democratic commissioner. Both Rosenworcel and current Democratic Commissioner Geoffrey Starks have expressed support for reclassifying broadband back to Title II, and Sohn was instrumental in orchestrating Title II reclassification in 2015 under former FCC Chairman Tom Wheeler. While Title II reclassification would subject ISPs to Section 222 of the Communications Act, the FCC’s authority to create broadband-specific rules remains unclear because Congress’ repeal of the FCC’s 2016 broadband privacy rules under the Congressional Review Act prohibits the agency from adopting substantially similar rules.

In the meantime, ISPs should be prepared to entertain further oversight activity by the FTC or potential FCC examination of the adequacy of ISP disclosures under its transparency rule.

This enforcement action marks a series of firsts. It is the first CPNI enforcement action since the pre-2016 CPNI regulations were reinstated following the repeal of the broadband privacy rules by Congress in 2017. This is also the first large consumer protection enforcement action under Chairman Pai’s leadership—up to now, Chairman Pai has eschewed the principle-based enforcement of his predecessor in favor of more clear-cut rules violations. The action also generated criticism both for being too soft (and too late) and for potentially being beyond the Commission’s jurisdiction.

Section 222 of the Communications Act requires carriers to protect the confidentiality of CPNI, which consists of specific customer data carriers get from consumers simply by providing them telecommunications service—or in statutory terms, “solely by virtue of the carrier-customer relationship.” This includes location information that carriers receive from wireless phones almost constantly so that calls and data can be routed to a customer both when the customer is using the phone and when the phone is in standby mode. Except for certain defined uses, carriers can only use, disclose, or permit access to CPNI with customer approval. But the FCC has also found that approval requirements alone are not enough, so the CPNI rules specify that carriers must employ “reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI,” such as when a person pretends to be a particular customer or authorized person to obtain access to CPNI—a practice known as “pretexting.”

The FCC alleges that each of the four carriers failed to take reasonable measures to prevent unauthorized access to location information by third parties that improperly disclosed that information without customer approval. Specifically, each carrier sold access to location information to “aggregators,” who then resold access to third-party location-based service providers, who in turn allegedly sold or provided access to individualized location information to unauthorized parties. Each carrier relied on contracts that obligated aggregators to require third-party location-based service providers to obtain customer consent before accessing a customer’s location information from the aggregators. However, the carriers did not independently verify that consent was actually being obtained. In the FCC’s view, the contracts did not amount to reasonable measures to protect CPNI and held the carriers responsible for the failure to obtain customer consent on the basis that the third-party service providers were acting on the carriers’ behalf. The FCC was unconvinced by arguments that the information was primarily for non-common carrier data services, instead of telecommunications services, and that the location information obtained when the phone is on standby mode is materially different than information obtained when a customer is on a call.

Based on these apparent violations, the FCC proposed fines of $57 million for AT&T, $48 million for Verizon, $91 million for T-Mobile, and $12 million for Sprint. The FCC calculated these proposed fines based on four factors:

• First, the FCC determined the number of aggregators and third-party service providers that had access the information at any given time by looking at the contracts—the more entities that received the information, the greater the proposed fine.
• Second, the FCC relied on a continuing violation theory, concluding that each day the contracts were in place was an additional violation of the CPNI rules. As a result, the size of the fine increased for each successive day a carrier allegedly continued to allow third-party service providers to access customer location information without reasonable safeguards.
• Third, the FCC calculated the continuing violation from June 9, 2018—or 30 days after publication of a New York Times article that first brought the location sharing to light—on the basis that the article’s publication was the first time the carriers were put on notice about the inadequacy of their practices and because a carrier cannot be “expected to fully investigate and take remedial actions on the same day it learns that its safeguards are inadequate.” This approach also marks a departure from prior enforcement actions, which had not included a “cure” period previously.
• Fourth, the FCC upwardly adjusted the proposed fine by amounts ranging from 25-100 percent to reflect the apparent seriousness of the violations and the remediation efforts undertaken by each carrier.

The FCC’s actions are proposed fines. As the Commission customarily notes, neither the allegations nor the proposed sanctions in the Notices of Apparent Liability are final Commission actions. The parties will be given an opportunity to respond and the Commission will consider the carriers’ responses before taking any final action to resolve the matters.

Despite moving forward on the proposed fines, the FCC Commissioners appear split on the specifics of the enforcement approach. Commissioner O’Rielly expressed serious reservations even as he voted in support of the action, citing a concern that the FCC does not have all the relevant facts and expressing interest in the carriers’ argument that their practices are outside FCC jurisdiction. Conversely, Commissioner Rosenworcel dissented, not because she sides with the carriers, but because she believes the proposed fines should be higher. She particularly expressed disdain for the 30-day curing period and the reduction in the fine proposed for each successive day of continuing violation. Commissioner Starks supported the action overall, but dissented entirely on the forfeiture calculation approach, arguing the FCC should have based the fine on the number of consumers actually harmed and not on the number of contracts the carriers entered into.

Each carrier will have the opportunity to respond to the proposed fines in approximately 30 days. The responses typically are not made public but we will continue to monitor the proceedings for developments and will provide updates as they occur.

As the Commission notes in the summary of today’s action, “because the CRA does not include direction regarding the removal . . . of the voided language from the Code of Federal Regulations, the FCC must publish this document to effect the removal of the voided” rule’s text. The Commission further explains that the publication of the previous rules is not an exercise of rulemaking authority, but rather simply effectuates what Congress had already done, and therefore today's action is neither subject to public comment nor to judicial review. The FCC's action is effective today and does not substantively modify the CPNI rules in effect immediately prior to the issuance of the 2016 Privacy Order.

In June, the FCC issued an Order that formally recognized the CRA's disapproval of the 2016 Privacy Order and dismissed eleven petitions for reconsideration of the new privacy rules. The June Order noted that the reinstated rules would not apply to broadband service, which would be subject only to the text of Section 222 of the Communications Act, as amended. The June Order was met with a strong partial dissent from Commissioner Clyburn, who challenged the Commission's decision not to place the item on public comment or to provide consumers with privacy rules beyond the "bare text of section 222" and "decade-old rules for legacy voice."

For providers, today's action formalizes what we've known for some time: the old CPNI rules are back in effect for non-broadband telecommunications carriers and providers of interconnected VoIP, and the statutory text of Section 222 continues to apply to broadband providers until further action.

At the Federal Communications Commission’s (“FCC”) Open Meeting on October 27, the Commission voted along party lines (3-2) to impose more stringent rules on broadband Internet service providers (“ISPs”). Chairman Tom Wheeler, along with Commissioners Rosenworcel and Clyburn voted in favor of the item, while Commissioners Pai and O’Rielly voted against it.

The new rules clarify the privacy requirements applicable to broadband ISPs pursuant to Section 222 of the Communications Act. The new rules also apply to voice services and treat call-detail records as “sensitive” in the context of voice services.

According to an FCC press release issued immediately after the meeting, these rules “establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information.” The Commission further asserts that this approach is consistent with the existing privacy framework of the Federal Trade Commission (“FTC”).

The actual text of the order is not yet available, but a fact sheet and press release outline the core components of the order. Under the order, mobile and fixed broadband ISPs will apparently be subject to the following requirements:

• Opt-in: ISPs must obtain affirmative consent from consumers to use and share “sensitive” information. Under the new rules, the following categories of information are included as sensitive: precise geo-location information, financial information, health information, children’s information, Social Security numbers, web browsing history, app usage history, and the contents of communications.
• Opt-out: ISPs can use and share “non-sensitive” information unless a customer “opts out.” All other individually identifiable customer information is considered “non-sensitive,” and may be used by ISPs consistent with consumer expectations.
• Exceptions to Consent: Customer consent can be inferred for certain purposes specified in the statute, such as provision of broadband service, billing and collection, and marketing of services and equipment that are ancillary to broadband service. In such cases, no further consent is required beyond creation of the customer-ISP relationship.
• Notice & Transparency: ISPs must notify customers about the types of information collected, the uses that could be made of such information, and with whom such information may be shared. Although ISPs must provide such information to customers from the outset, it is a continuing obligation – ISPs must update their customers of material changes to their privacy policies and make such information persistently available on their website or mobile app. Moreover, in response to contemporary “pay for privacy” controversies, the Commission will impose heightened disclosure requirements where ISPs offer discounts in exchange for greater rights to use customer information. Finally, the Commission has directed its Consumer Advisory Committee to develop a privacy notification standard that will afford a safe harbor to adopting providers.

• Data Protection: The new rules impose requirement that ISPs utilize reasonable data security measures. To fulfill said requirement, ISPs may: a) adopt current industry best practices; b) provide accountability and oversight for security practices; c) use robust customer authentication tools; and d) conduct data disposal consistent with FTC best practices and the Consumer Privacy Bill of Rights.
• Breach Response: ISPs must notify affected customers of breaches within 30 days of the determination of a breach. They must notify the Commission, FBI, and Secret Service within 7 business days if a breach affects 5,000 or more customers. If a breach affects fewer than 5,000 customers, the ISPs must contemporaneously notify the Commission and affected customers (within 30 days).

In the fact sheet, the Commission states that ISPs serve as “a consumer’s ‘on-ramp’ to the Internet,” observing that “[p]roviders have the ability to see a tremendous amount of their customers’ personal information that passes over that Internet connection” and asserting that consumers should have the right to decide how such information is used and shared.

The Commission intends for the rules “to evolve with changing technologies and encourage innovation.”

De-identified Information:

ISPs may utilize de-identified information without consumer consent. De-identified information consists of data sets that have been modified so that they can no longer be traced to individual users or devices. However, in recognition of the fact that ISPs might otherwise have the ability and incentive to re-identify customer information, the order adopts a three-part test which the FTC created in 2012 to determine whether de-identified information may be shared without consumer consent.

Pursuant to this framework, in order for an ISP to rely on de-identification without notice and consent, it must:

1. Alter customer information so that it cannot reasonably be linked to a specific individual or device.
2. Publicly commit to (a) maintain and use the data in an unidentifiable format and (b) make no efforts to re-identify the information.
3. Contractually prohibit re-identification of shared information.

The Commission appears to be concerned with the bargaining power differential between customers and providers. In an effort to give consumers greater leverage, the order bans ISPs from “take-it-or-leave-it” offers and forces them to serve customers who do not consent to the commercial use or dissemination of their information.

The order also purportedly addresses a recent controversy over mandatory arbitration clauses in ISP-consumer contracts by reiterating the right of consumers to utilize the Commission’s informal dispute resolution process, and signals the Commission’s intent to more directly address the matter in a rulemaking in February 2017.

* * *

Commissioners Pai and O’Rielly both voiced strong dissents. Commissioner Pai emphasized that these rules were out of sync with FTC standards, warned that “[n]othing in these rules will stop edge providers from harvesting and monetizing your data,” and expressed concern that the order sets forth “one-sided rules that will cement edge providers’ dominance in the online advertising market.”

Commissioner O’Rielly expressed frustration with the order’s new opt-in requirements, stating that the use of an “opt-in consent mechanism results in far fewer individuals conveying their consent than is the case under an opt-out consent mechanism even when substantial benefits are at stake.”

FTC Chairwoman Edith Ramirez released a statement praising the order:

“I am pleased that the Federal Communications Commission has adopted rules that will protect the privacy of millions of broadband users. The rules will provide robust privacy protections, including protecting sensitive information such as consumers’ social security numbers, precise geolocation data, and content of communications, and requiring reasonable data security practices. We look forward to continuing to work with the FCC to protect the privacy of American consumers.”

Although the full order has yet to be released, at a press conference following the meeting, Chairman Wheeler indicated there was a relatively strong chance it will be released at some point in the next 24 to 48 hours.

Details aside, it is clear that today’s decision (if upheld) will change the communications and privacy landscape. We will post updates here as we learn more about the new Broadband Privacy rules.

Finally, Kelley Drye will soon offer a free webinar that will unpack the new order. Once the full order becomes available, we will announce the date and time of the webinar.

This rulemaking proceeding stems from the 2015 Open Internet Order, which reclassified BIAS as a telecommunications service and applied several of the FCC’s core consumer protection provisions—including Section 201 and 222 of the Communications Act—to BIAS. Section 201(b) prohibits “unjust or unreasonable” practices, which the FCC has interpreted to require reasonable data security practices. Section 222 (and the Commission’s interpretations of that section) establishes a complex framework for the protection of proprietary information (PI), carrier proprietary information (CPI), and customer proprietary network information (CPNI). CPNI, in short, is the information that a carrier has about its customer solely by virtue of the customer-provider relationship. However, because the CPNI rules promulgated pursuant to Section 222 were designed with traditional telecommunications services in mind, the FCC declined to impose those rules on BIAS, instead opting for a rulemaking proceeding to create new broadband CPNI rules.

While the Commission will not release the text of the NPRM until after the March 31st Open Meeting, Chairman Wheeler’s Fact Sheet sheds some light on the likely direction of the item. Specifically, the proposal will rely on three “core principles”: choice, transparency, and security. With respect to choice, the proposal establishes a consent framework similar to the existing framework, which permits certain uses of customer data without the need for additional consent (e.g., billing and managing the network), but requires opt-out or opt-in consent from the customer before using or sharing customer data in other circumstances (e.g., marketing communications related-services to which the customer does not subscribe or marketing non-communications-related services). As for transparency, the proposal would require BIAS providers to offer clear, conspicuous, and understandable information about the provider’s privacy practices. With respect to security, the item proposes to require BIAS providers to “take reasonable steps to safeguard” customer data, including specific minimum standards for data security. The proposal also would impose data breach notification requirements that would require BIAS providers to notify affected customers within 10 days of discovery, to notify the Commission no later than 10 days after discovery, and to notify law enforcement (i.e., FBI and Secret Service) about larger breaches within 7 days of discovery. The Commission will also seek comment on other approaches for implementing privacy rules.

Importantly, while some had hoped that the FCC would harmonize its privacy and data security rules with the ex post enforcement approach of the Federal Trade Commission (FTC), the FCC here appears to double-down on its existing ex ante approach to privacy and data security regulation. As a result, the rulemaking has the potential to further expose tensions between the FCC and FTC with respect to privacy and data security policy. This remains a critical issue for businesses to monitor as this item moves forward.

Like most FCC items, the devil is in the details, and unfortunately we will not know those details until the Commission releases the text of the NPRM. That said, here are a few of the unanswered questions that we will be tracking:

• How will the proposed rules define broadband CPNI?
• Will there be different proposed rules for mobile and fixed BIAS?
• How will the proposed rules apply to non-BIAS data services (such as connected home products) that a broadband provider offers to its customers?
• Will the FCC propose specific rules for “proprietary information” under Section 222(a)?
• Will the FCC revise its “basket of services” approach to traditional services?
• How will the FCC’s rules affect third-party apps that rely on data from carriers to provide their services?
• Will these rules include an annual certification requirement, as the existing rules do?
• How will this rulemaking proceeding affect the existing CPNI rules for traditional telecommunications services?

As explained in more detail below, this settlement represents the latest in a growing trend in aggressive enforcement of the Commission’s privacy and data security rules. As the Commission continues to find new ways to apply its rules against carriers—and begins to implement its 2015 Open Internet Order against broadband Internet access service providers—providers should take steps to bring themselves (and their vendors) into compliance.

Background

The consent decree stems from data breaches that occurred at AT&T customer call centers in Mexico, Colombia, and the Philippines between 2013 and 2014. Through its investigation, the FCC determined that call center employees had gained unauthorized access to CPNI and other personal information in a scheme to supply third parties with unlock codes for AT&T mobile phones. The Mexico breach affected 68,701 customer accounts, while the Colombia and Philippines breaches affected at least another 211,000 customer accounts.

In the consent decree, the Commission argues that AT&T’s conduct violated two provisions of the Communications Act of 1934—Section 201(b) and Section 222(c)—along with the Commission’s CPNI safeguards and breach reporting rules. As we explained in an earlier blog post, the Commission relied on Section 201(b) in its Notice of Apparent Liability against YourTel and TerraCom, which it issued late last year based on similar data breaches involving vendor security practices. The AT&T action is indicative of the Commission’s intent to continue using Section 201(b) to protect consumers’ personal information and require more stringent data security practices among communications companies.

Terms of the Consent Decree

Under the terms of the consent decree, AT&T agrees to pay a $25 million civil penalty, and to implement a wide-ranging compliance plan, which includes the following key elements:

• Risk Assessment. AT&T must perform a risk assessment to identify internal risks of PI or CPNI breaches by employees and vendors, and to evaluate the sufficiency of existing policies, procedures, and practices designed to protect against a data breach.
• Information Security Program. AT&T must establish a written information security program to protect against CPNI and PI breaches by employees and vendors. AT&T must keep this information security program up-to-date and address deficiencies and gaps as they appear. These provisions of the consent decree will remain in effect for seven years.
• Compliance Manual and Training. AT&T must develop and distribute a compliance manual to relevant employees and vendors (and the vendors’ employees) explaining Section 222, the FCC’s CPNI rules, the terms of the consent decree, and all operating procedures that employees and vendors’ employees must follow. As with the information security program, AT&T must periodically review and revise the compliance manual to ensure it is current and accurate. Further, AT&T must establish and implement a compliance training program to ensure compliance with Section 222, the CPNI rules, and the operating procedures.

In a separate blog post on the Commission's website, Kris Monteith, Acting Chief of the Consumer and Governmental Affairs Bureau, provided consumers with action items to protect them from theft of smart devices and personal information. Among other things, Monteith recommended that consumers set strong passwords or PINs, or to take advantage of biometric and fingerprint authentication technologies. Providers should consider communicating similar advice to their subscribers.

What’s Next?

We don’t expect the Commission’s privacy and data security enforcement push to end any time in the near future. Quite the opposite. As the Commission notes in its press release announcing the consent decree, this action is its fifth major enforcement action—totaling over $50 million in penalties—in the last year related to consumer privacy and data security.

Further, as the Commission begins to implement its 2015 Open Internet Order, we expect the EB to seek out new and creative ways to stretch its privacy and data security authority against providers, both for the providers’ own actions, as well as those of their vendors (both here and abroad). Moreover, as the Commission embarks on its effort to draft privacy and data security rules for BIAS, we expect vigorous debate about how best to protect consumers without imposing undue or unwarranted burdens on providers.

As a result, providers interested in getting involved in these debates should continue to monitor developments and contact counsel for assistance. Additionally, all telecommunications and broadband providers alike should take affirmative steps to inventory their own data security policies, procedures, and practices, as well as those of their vendors, to ensure compliance with FCC rules and guidance.

In addition to identifying the relevant CPNI rules and certification format, the FCC’s advisory highlighted common certification errors such as failing to explain how the filer’s operating procedures ensure compliance with the CPNI rules or failing to have an officer certify the filing based on “personal knowledge.” The FCC’s advisory also emphasized the potential for monetary penalties for noncompliance with the CPNI protection and certification filing rules. As noted in the advisory, enforcement penalties for noncompliance can include monetary forfeitures of up to $160,000 for each violation or each day of a continuing violation (up to a maximum of $1,575,000). The FCC actively enforces the CPNI rules and, as addressed in Kelley Drye’s September 5, 2014 blog post, the FCC recently entered into a $7.4 million consent decree with Verizon to resolve a CPNI investigation. Accordingly, carriers and VoIP providers should timely file the annual CPNI certification and review their practices to ensure compliance with the CPNI rules.

The FCC’s announcement represents the latest step in its headlong march into privacy and data security matters. This past June, the FCC launched a brand new cybersecurity initiative, “The New Paradigm,” which will include a private-sector-driven effort to improve cyber-readiness in the communications industry. In September, the FCC reached a $7.4 million settlement with Verizon over alleged violations of the Customer Proprietary Network Information (“CPNI”) rules. And just two weeks ago, the FCC released a Notice of Apparent Liability (“NAL”) proposing multi-million dollar fines against two wireless providers, YourTel and TerraCom, based on a novel and expansive reading of Sections 222(a) and 201(b) of the Communications Act of 1934, as amended.

These recent actions demonstrate that Chairman Tom Wheeler and Enforcement Bureau Chief Travis LeBlanc are serious about expanding the FCC’s role as a privacy and security cop. As a result, communications companies – particularly those that fall within the Federal Trade Commission’s “common carrier exemption” – should take this opportunity to review all of their privacy and data security practices to ensure compliance with an evolving set of FCC privacy and security requirements.

This is the agency’s first data security case and the largest privacy action in the Commission’s history. See News Release. Friday’s decision follows through on numerous public statements made by FCC Enforcement Bureau Chief Travis LeBlanc indicating that privacy and security is a high enforcement priority for the Commission and that the agency would begin to use a Communications Act provision barring unjust and unreasonable practices as a privacy and security enforcement tool.

According to the NAL, the Enforcement Bureau investigation found that both TerraCom and YourTel “collected names, addresses, Social Security numbers, driver’s licenses and other proprietary information” gathered through the Lifeline eligibility approval process “and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.” The NAL states that the TerraCom and YourTel violations exposed more than 300,000 customers’ personal information to unauthorized access as well as heightened risk of fraud and identity theft. CPNI Violation. The NAL first alleges that the companies failed to properly protect the confidentiality of consumers’ proprietary information collected from applicants for wireless and wired Lifeline services in violation of Section 222(a) of the Communications Act, which requires that carriers protect the confidentiality of the “proprietary information” of their customers. The FCC proposes a forfeiture of $8.5 million for this violation based on precedent for base forfeitures of $29,000 for previous CPNI violations. Applying the base forfeitures to the alleged over 300,000 violations would have resulted in a proposed penalty of close to $9 billion, but the FCC settled on $8.5 million as “sufficient.”

Unjust and Unreasonable Practices. The NAL next alleges several violations of Section 201(b) of the Communications Act, which prohibits unjust and unreasonable practices, but only proposes a penalty for one such violation. The NAL proposes a $1.5 million penalty against the companies for making false representations in their website privacy policies regarding protecting customers’ sensitive personal information. The FCC alleges that the companies’ failure to follow their own privacy policies was an unjust and unreasonable practice. This forfeiture is based on precedent for a $40,000 base forfeiture for Section 201(b) violations related to deceptive marketing to consumers.

Further, the NAL alleges that by failing to employ reasonable data security practices (such as password protection or encryption) and failing to notify all potentially affected customers of the security breach, the companies apparently violated Section 201(b). However, the agency declined to propose a forfeiture for those two alleged violations because this is the first case in which it makes such findings. The NAL states that carriers are now on notice regarding these potential violations.

The Commission’s use of its authority to police “unjust and unreasonable” practices by telecommunications providers appears to represent a significant expansion of the Commission’s enforcement authority over privacy-related matters and appears to mirror the Federal Trade Commission’s privacy and data security actions under a similar statutory provision in the Federal Trade Commission Act Section 5 barring unfair and deceptive trade practices. The expansion of authority is the reason that Commissioners Pai (R) and O’Reilly (R) dissented. Both Commissioners contended that the FCC had not given fair notice of what data security practices are required. Commissioner O’Reilly also questioned the majority’s interpretation of the CPNI provisions of Section 222. While the $10 million proposed penalty is the largest privacy action in the Commission’s history and its first foray into data security enforcement, it is not likely to be its last. We expect that the FCC will continue to investigate and take enforcement action against lax data security and other practices that compromise the privacy of consumers’ personal information.

In light of the FCC’s action, all carriers, including especially Lifeline providers, should review their security and privacy practices related to customer eligibility documentation and other personal information, as well as their privacy statements and CPNI policies to ensure that consumer data is adequately safeguarded in a manner that comports not only with the FCC’s CPNI rules but also with federal and state privacy frameworks that will inform the Commission’s determination of what is “unjust and unreasonable” in this area.

PTT commenced providing prepaid calling services – reselling international telephone service – in January 2010. PTT did not obtain authorization to do so under Section 214 of the Communications Act of 1934, did not register as a provider of telecommunications by filing a FCC Form 499A, and failed, at least for several years to make other filings required by international telecommunications carriers and prepaid calling card providers. The NAL does not say how the FCC Enforcement Bureau became aware of PTT’s operations in January 2013, but the NAL notes that PTT sold its cards through grocery stores and Internet distributors and resellers, which outlets may have led to the Bureau’s discovery. A Bureau investigation commenced almost immediately, and, in April 2013, the Bureau sent a Letter of Inquiry to PTT. PTT apparently cooperated with the investigation, promptly sought Section 214 authority (although not special temporary authority while its application was pending), which the Commission granted in May 2013. Over time, extending almost to the time of the NAL, PTT sought to rectify its past failures to register and make other compliance filings. Notably, although the Commission faulted PTT in many instances for its apparent slowness in bringing itself into compliance after the Letter of Inquiry was sent, that alleged fact did not result in the aggravation of the proposed forfeitures.

While the Bureau and PTT entered into a tolling agreement – which explains why the NAL was issued more than one year after the investigation began and PTT began to make its belated compliance filings – the Commission’s proposed penalties confirms the FCC’s historic approach to treating carrier reporting and filing failures as continuing violations until they are cured. In addition, the proposed penalties reflect the Commission standard penalties for many carrier compliance breakdowns and illustrate how the failure to obtain Section 214 international authority, when required, can lead to a cascade of penalties. In particular, the Commission proposed penalties of:

• $100,000 for failure to obtain Section 214 authorization prior to providing international telecommunications services, an amount "[c]onsistent with Commission precedent," for which the FCC cited several recent forfeiture orders against prepaid calling companies;
• $150,000 for failure to file Form 499A (the annual Telecommunications Reporting Worksheet) for 2011, 2012, and 2013 in a timely fashion – $50,000 for each annual filing missed – again citing precedent where carriers had similar lapses;
• $30,000, or $10,000 per year (the base forfeiture amount), for failure to make timely required contributions to the Telecommunications Relay Service ("TRS") Fund for three consecutive annual contribution periods, beginning with 2011-2012, which contributions are based on the Form 499A reports;
• a $23,327 upward adjustment of the penalty for failure to make timely contributions into the TRS fund, 50% (the standard adjustment) of the unpaid contribution amount at the time PTT entered into a payment agreement with the Treasury Department;
• $30,000, or $10,000 per year (the base forfeiture amount), for failure to make timely required contributions to the Local Number Portability ("LNP") cost recovery mechanism for three consecutive annual contribution periods, beginning with 2011-2012, which contributions are based on the Form 499A reports;
• $20,000, or $10,000 per year (the base forfeiture amount), for late payments of regulatory fees – specifically the Interstate Telecommunications Service Provider ("ITSP") which international carriers must pay based on their international end user revenues as reported on their Form 499A reports -- for fiscal years 2011 and 2012;
• $48,000, or $3,000 per filing (the base forfeiture amount), for failure to timely file 16 quarterly certifications required of prepaid calling card companies from the first quarter of 2010 through the first quarter of 2014 (with the exception of the third quarter of 2013 which was timely filed);
• $12,000, or $3,00 per filing (the base forfeiture amount), for failure to timely file its 2011, 2012, 2013, and 2014 annual international telecommunications traffic reports international common carriers must file; and
• $80,000, or $20,000 per year (consistent with prior conditions), for failure to timely file its annual 2011, 2012, 2013, and 2014 customer proprietary network information ("CPNI") certifications that telecommunications carriers must make.

Like many carriers, Verizon chose to use the opt-out method for obtaining approval. However, between 2006 and 2013, Verizon failed to provide the opt-out notice to nearly two million residential, small business, and medium business customers. Verizon's procedure was to provide the required CPNI notification language on a customer’s first bill, but in 2012, Verizon personnel discovered that this notice had not been provided in certain customer bills. After investigation, Verizon determined that triggering criteria that generated the opt-out notices were not updated, causing certain bills not to be flagged for the notices. The notification error affected the billing systems used by the incumbent local exchange carriers and interexchange carriers Verizon Long Distance, Verizon Enterprise Solutions LLC, Verizon Select Services Inc., and Verizon Select Services of Virginia Inc. After learning of these CPNI violations, Verizon self-reported the violation, as is required by section 64.2009(f).

Under its Consent Decree with the FCC, Verizon agreed to pay $7.4 million to the U.S. Treasury, and agreed to comply with a number of remedial requirements. As is typical with current FCC settlements, Verizon agreed to implement a Compliance Plan, appoint a Compliance Officer, create a Compliance Manual, implement a Compliance Training Program, and file Compliance Reports with the Commission for the next three years. Three other aspects of the Consent Decree are particularly noteworthy.

First, the Consent Decree contains specific commitments to remedy the CPNI violations that prompted the disclosure. Verizon agreed to automate its “opt-out” process for CPNI consent, and to monitor and test the consent mechanism each month. The company will also notify customers of their right to “opt-out” of any CPNI-related marketing campaigns on every customer bill, for the next three years. Finally, Verizon will implement a CPNI opt-out process review, and identify employees who will be responsible for each step of the process. These provisions go well beyond the FCC's current rule requirements. It is the first time we've seen such detailed remedial measures in a CPNI consent decree.

Second, the Consent Decree contains an assertion that Verizon failed to timely notify the Commission of the CPNI failure. Section 64.2009(f) requires disclosure to the Commission within five business days of discovery of the failure. Verizon provided a notice on January 18, 2013, asserting that "during the week of January 14 ..." Verizon discovered the problem. The Consent Decree states, however, that "certain Verizon personnel discovered a potential opt-out problem in late 2012," several months before Verizon made the disclosure to the Commission. It is not clear whether this factor influenced the amount of the voluntary payment, but we suspect that it had an impact. The fact that the Commission went out of its way to include this statement in the Consent Decree should caution carriers to ensure that they are prompt in their disclosures in the future. It also emphasizes the importance of ensuring that CPNI failures are reported to the legal or regulatory department promptly, so that any potential reporting obligations can be met.

Finally, despite a potential trend we discuss in another recent blog post, Verizon does not admit any violations, and the settlement payment is described in traditional terms as a "voluntary payment." We will continue watching future consent decrees for more insight into the Commission's approach to settlements of enforcement investigations.

The FCC has consistently enforced compliance with the CPNI certification reporting requirement. As we’ve noted in prior posts, penalties for failing to file the CPNI certification have varied widely over time, but seem to have settled at $25,000 per failure to file. To avoid such exposure, filers should be sure to file the certification by the March 3 deadline. In addition, this filing provides an opportunity for filers to take time to review their CPNI policies and actual business practices to ensure they still meet the FCC’s CPNI protection requirements.

The Enforcement Advisory (which is itself almost becoming an annual ritual with the FCC) reminds carriers of the annual March 1 CPNI certification filing deadline, identifies common certification errors and highlights the monetary penalties associated with certification errors and failures to file. The Commission’s issuance of this CPNI Advisory is an indication that the FCC considers the submission of the CPNI certifications to be a high priority., and that its past history of enforcement will not change in the near term Telecommunications carriers and interconnected VoIP providers should review the advisory carefully to ensure that they are in compliance with the certification obligations of the rules.

Back in 2007, in response to the pretexting controversy, the FCC strengthened its CPNI rules to require telecommunications carriers to authenticate a subscriber’s identity before providing call detail information. The FCC rules required carriers to authenticate customers with a password or some other information that does not rely upon "readily available biographical information" before providing telephonic, online or in-store access to CPNI, including call detail information.

These rules presented a particular difficulty for prepaid calling card providers, who typically do not have the same type of information available to them about the identity of their customers. In response to a prepaid card provider's petition seeking relief from the authentication rules, the FCC's Wireline Competition Bureau has issued a waiver to all prepaid calling card providers to allow them to authenticate users solely by virtue of the PIN assigned to the card if the prepaid card provider does not have other identifying information on the end user. Under the waiver, the prepaid card provider may provide call detail information to a caller if the caller provides the PIN as authentication.

However, it is important to note that this waiver does not apply if the prepaid card provider has telephone numbers or addresses of record for the customer. Moreover, the FCC ruling concludes, for the first time, that an email constitutes an address of record for this purpose (see fn. 8). Thus, for “no pin” customers, the prepaid card provider should authenticate the customer via the telephone number(s) registered with the account. For cards purchased online, which are then delivered to an email address, the prepaid card provider should authenticate the customer using the email address provided. It is only for prepaid cards sold through traditional retail store distribution channels that a provider will lack any identifying information other than a PIN.

The FCC’s Enforcement Bureau actively enforces the filing requirement, and proposes fines for failure to file the certification at approximately this time every year. Any company that submits USF revenue reports should ensure that it is in compliance with the CPNI certification requirement.

If for any reason, your company is a telecommunications carrier or interconnected VoIP provider and you have not filed the certification for calendar year 2010, you should do so as soon as possible. And, since this usually is the time during which the Enforcement Bureau sends out its CPNI Letters of Investigation, if you've received a letter, do not delay in responding. Your window to present evidence and negotiate a settlement will close near the end of February.

The carriers involved are: VoIP Alliance, Touch-Tel USA, Phone Club Corp., DigitGlobal Communications, and StraightTel Corp.

In both orders, the Chief of the Telecommunications Consumers Division of the FCC Enforcement Bureau concluded that "no forfeiture should be imposed" with respect to the carriers identified. I would like to provide you a definitive reason for the cancellation, but the orders literally provide no explanation of the basis for that conclusion.

In one case, I believe the rationale is that the entities are interconnected VoIP providers. As we've explained previously, because of the Commission's refusal to determine if interconnected VoIP providers are telecommunications carriers, they get one free bite at FCC violations. Each of the three carriers listed in this cancellation order reports itself as an interconnected VoIP provider on its USF forms. Because of that, the FCC could not impose a fine for failing to file the CPNI certification unless the FCC had issued a Citation first.

The other case is truly mystifying. The two carriers listed in this cancellation order are listed as a "CAP/LEC" and an "IXC", respectively, in the USF filer database. Although one appears to have ceased providing business in 2007, the other provider filed a Form 499-A in April 2011. We are left to guess what circumstances justified the decision not to impose a forfeiture.