CORRECTION: A previous version of this Advisory contained an incorrect filing deadline. The correct deadline for the 2014 calendar year CPNI Certification is March 1, 2015. Our firm is providing clients with ample advance notice to ensure that compliance obligations that must be fulfilled can be identified and implemented BEFORE the end of the calendar year. Waiting until 2015 to address 2014 CPNI compliance duties is not an option.
Under the FCC’s rules, all providers of telecommunications and interconnected VoIP services must file a CPNI Certification with the FCC which describes, in detail, the policies and procedures a service provider has instituted to safeguard CPNI and any instance of a CPNI-related breach that occurred over the past year. Compliance with the FCC’s CPNI regulations (and other customer privacy and data protection matters) must no longer be after-thoughts for companies operating in and around the telecommunications industry. The global trend is towards increased customer privacy protection, which starts with active enforcement of the rules & regulations on the books.
The FCC’s CPNI regulations must be taken seriously. The FCC’s Enforcement Bureau has reminded companies that failure to file the CPNI certification could result in fines up to $160,000 per day up to a maximum of $1,575,000. Recently Verizon agreed to pay $7.4 million to resolve a CPNI investigation regarding the company’s use of customer information to market new services.
|On February 5, 2014, the FCC issued the following Enforcement Alert regarding CPNI compliance:
This notification indicates that, consistent with past years, the FCC intends to aggressively police CPNI compliance. It is likely that the FCC’s Enforcement Bureau will issue significant fines for both non-filing of CPNI Certifications and non-compliance with the FCC’s rules. Therefore we urge all clients to ensure full compliance with CPNI regulations and file a Certification in a timely manner.
Before filing the CPNI Certification, all affected service providers must ensure that they are in full compliance with the FCC’s CPNI rules. This includes adopting stringent internal procedures safeguarding the use of and access to CPNI, among other things. A solid starting point for any company seeking to understand and comply with their obligations is to download our CPNI Compliance Manual. From there, you may require a Compliance Audit to verify compliance (additional details regarding The CommLaw Group’s CPNI Compliance Audits are provided below).
In anticipation of the March 1st deadline, our firm advises all clients providing telecommunications and interconnected VoIP services to review internal policies regarding the protection of CPNI. Since CPNI Certifications must be signed by an officer of the company, under penalty of perjury, all clients are advised to conduct an internal review to validate compliance with the FCC’s CPNI rules before executing and filing a CPNI Certification with the FCC.
To avoid the hassle of an investigation or enforcement action, even those telecommunications service providers who lacked access to and/or did not use CPNI during the past year are advised to file a CPNI Certification with the FCC. If a service provider is registered with the FCC, i.e., possesses either an FCC Filer ID or FCC Registration Number, remittance of a compliant CPNI Certification is highly recommended.
CLIENT ACTION ITEMS:
C&R Services Subscribers: Clients currently subscribed to Compliance & Reporting Service (“C&R Service”) will be contacted shortly to prepare for the upcoming CPNI Certification deadline. C&R Service clients who have questions about CPNI compliance, or would like to schedule an audit, should contact Chris Canter directly at firstname.lastname@example.org or by telephone: 703-714-1308.
Non-Subscribers: Clients not currently subscribed to C&R Services, but who require assistance with the preparation and filing of the CPNI Certification, may contact either Jonathan Marashlian at email@example.com or Linda McReynolds at firstname.lastname@example.org to schedule an audit and make appropriate arrangements to ensure timely filing.
ADDITIONAL BACKGROUND INFORMATION:
Definition of CPNI
Under federal law, CPNI is certain customer information obtained by a telecommunications provider during the course of providing telecommunications services (including interconnected VoIP) to a customer. This includes information relating to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier.
Examples of CPNI include information typically available from call detail records (“CDRs”), such as the types of services purchased by a customer, numbers called, duration of calls, directory assistance charges, and calling patterns. CPNI does not include names, addresses, and telephone numbers, because that information is considered subscriber list information under applicable law.
CPNI Protection Procedures
Under the FCC’s rules governing CPNI, all providers of telecommunications services and interconnected VoIP service providers are required to file a CPNI Certification with the FCC annually. The CPNI Certification must outline all the steps a service provider took during the previous year to prevent unauthorized access to CPNI. Specific CPNI protection procedures include, but are not limited to:
- Enacting strict controls regulating the use of and access to CPNI
- Notifying customers about access to CPNI
- Training employees about safeguarding CPNI
- Protecting CPNI used in sales and marketing campaigns
- Notifying the FCC and law enforcement agencies of unauthorized CPNI access
- Establishing “opt-in/ opt-out” procedures for the use of CPNI by third parties
Affected service providers must also inform the FCC about any instance of unauthorized access to CPNI and formal procedures taken to prosecute “pretexters,” or third parties who attempt to illegally gain access to customer information.
The CPNI Certification must be signed by a corporate officer, attesting that the officer has personal knowledge that the company has established adequate operating procedures to ensure CPNI compliance.
If you are uncertain about the FCC’s CPNI Rules or the specific steps your company must take to ensure compliance, our firm is available to assist. The CommLaw Group routinely conducts audits of our clients’ CPNI protection and use procedures.
A CPNI Compliance Audit will not only confirm your company’s compliance during the prior calendar year or identify areas that require further attention prior to the filing of a CPNI Certification, an Audit will also ensure full compliance with the FCC’s CPNI rules in future years, thereby making future annual reviews easier, faster, and less costly.
Clients who have not authored a CPNI Certification in past years should contact our firm as soon as possible so we can conduct an audit, prepare and file a comprehensive, fully-compliant CPNI Certification. Clients who submitted a CPNI Certification last year should still conduct an internal review to ensure continued compliance with CPNI rules before authorizing the filing of a CPNI Certification, which must be filed under oath and penalty of perjury.
Custom-tailored CPNI Documents Available to Clients
In addition to CPNI compliance audits, our firm can provide custom-tailored compliance documents necessary to manage internal CPNI compliance and to support CPNI certification before the FCC. These documents include a custom-tailored Policies & Procedures Manual which outlines the steps your company has adopted to ensure full compliance with CPNI regulations. Clients can also purchase customizable CPNI compliance document templates for a reduced price.