Final reminder, Customer Proprietary Network Information (“CPNI”) Certifications must be filed with the FCC by March 1st.
Under the FCC‘s rules, all providers of telecommunications and interconnected VoIP services must file a CPNI Certification with the FCC. The Certification must contain a statement of compliance which: (a) describes, in detail, the policies and procedures a service provider has instituted to safeguard CPNI and (b) reports any instances of CPNI-related breaches during the past year.
Before filing the CPNI Certification, all affected service providers must ensure that they are in full compliance with the FCC‘s CPNI rules. This includes adopting stringent internal procedures safeguarding the use of and access to CPNI, among other things.
To avoid a wasteful and disruptive FCC investigation or enforcement action, all affected service providers are advised to file a CPNI Certification with the FCC, even those providers who lacked access to and/or did not use CPNI during the past year. If a service provider is registered with the FCC, i.e., possesses either an FCC Filer ID or FCC Registration Number, remittance of a compliant CPNI Certification is highly recommended. Last year, the FCC‘s Enforcement Bureau released an Omnibus CPNI Notice of Apparent Liability finding over 660 service providers apparently liable for fines of up to $20,000; the majority of these investigations remain open.
CLIENT ACTION ITEMS:
In anticipation of the March 1st deadline, our firm advises all clients providing telecommunications and interconnected VoIP services to review internal policies regarding the protection of CPNI. Since CPNI Certifications must be signed by an officer of the company, under penalty of perjury, all clients are advised to conduct an internal review to validate compliance with the FCC‘s CPNI rules before we execute and file a CPNI Certification with the FCC.
Clients who have not authored a CPNI Certification this past year should contact our firm as soon as possible so we can conduct an audit, prepare, and file a comprehensive, fully-compliant CPNI Certification (See CPNI Audits below).
C&R Services Subscribers: Clients currently subscribed to the firm‘s Compliance & Reporting Service (“C&R Service”) will be contacted shortly to prepare a CPNI Certification. C&R Service clients who have questions about CPNI compliance, or would like to schedule an audit, should contact Chris Canter directly at cac@commlawgroup.com or by telephone: 703-714-1308.
Non-Subscribers: Clients not currently subscribed to C&R Services, but who require assistance with the preparation and filing of the CPNI Certification, may contact either Jonathan Marashlian at jsm@commlawgroup.com or Chris Canter at cac@commlawgroup.com to schedule an audit and make appropriate arrangements to ensure timely filing.
CPNI AUDITS
If you are uncertain about the FCC‘s CPNI Rules or the specific steps your company must take to ensure compliance, our firm is available to assist. The CommLaw Group routinely conducts audits of our clients‘ CPNI protection and use procedures. Our standard legal fee schedule for performing a CPNI Compliance Audit is set forth below:
| CPNI Compliance Audit Legal Fee Schedule
First-Time CPNI Compliance Audit: $500 – $1,500[1] Refresher CPNI Compliance Audit: $250 – $500 |
A CPNI Compliance Audit will not only confirm your company‘s compliance during the prior calendar year or identify areas that require further attention prior to the filing of a CPNI Certification, an Audit will also ensure full compliance with the FCC‘s CPNI rules in future years, thereby making future annual reviews easier, faster, and less costly.
ENFORCEMENT PENALTIES
The FCC‘s CPNI regulations must be taken seriously. Over the past several years, the FCC issued several forfeitures in excess of $100,000 against carriers for allegedly failing to comply with existing CPNI requirements. Last year, over 660 service providers were fined $20,000 each, and several dozen more were fined between $2,000 and $6,000 for a variety of minor deficiencies.
Our firm expects that the FCC will continue to monitor CPNI compliance just as stringently in the upcoming year. For this reason, all companies providing telecommunications and interconnected VoIP services should file a fully-compliant CPNI Certification in a timely manner.
ADDITIONAL BACKGROUND INFORMATION:
Definition of CPNI
Under federal law, CPNI is certain customer information obtained by a telecommunications provider during the course of providing telecommunications services (including interconnected VoIP) to a customer. This includes information relating to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier.
Examples of CPNI include information typically available from call detail records (“CDRs”), such as the types of services purchased by a customer, numbers called, duration of calls, directory assistance charges, and calling patterns. CPNI does not include names, addresses, and telephone numbers, because that information is considered subscriber list information under applicable law.
CPNI Protection Procedures
Under the FCC‘s rules governing CPNI, all providers of telecommunications services and interconnected VoIP service providers are required to file a CPNI Certification with the FCC annually. The CPNI Certification must outline all the steps a service provider took during the previous year to prevent unauthorized access to CPNI. Specific CPNI protection procedures include, but are not limited to:
- Enacting strict controls regulating the use of and access to CPNI
- Notifying customers about access to CPNI
- Training employees about safeguarding CPNI
- Protecting CPNI used in sales and marketing campaigns
- Notifying the FCC and law enforcement agencies of unauthorized CPNI access
- Establishing “opt-in/ opt-out” procedures for the use of CPNI by third parties
Affected service providers must also inform the FCC about any instance of unauthorized access to CPNI and formal procedures taken to prosecute “pretexters,” or third parties who attempt to illegally gain access to customer information.
The CPNI Certification must be signed by a corporate officer, attesting that the officer has personal knowledge that the company has established adequate operating procedures to ensure CPNI compliance.
[1] Fees based on good faith estimates; actual cost may vary slightly depending on the size and scope of each particular client‘s organization and circumstances revealed during the audit process.
