On February 5, 2016, the Federal Communications Commission’s (“FCC,” or the “Commission”) Enforcement Bureau released an Enforcement Advisory reminding telecommunications carriers and Interconnected Voice over the Internet Protocol (“I-VoIP”) providers of the upcoming March 1st filing deadline for the annual Customer Proprietary Network Information (“CPNI”) Certification, and the consequences of non-compliance with the Commission’s CPNI regulations.
The FCC Enforcement Bureau cautioned providers that failure to file “timely and complete” CPNI Certifications with the Commission would “call into question” whether the company has complied with Section 222 of the Communications Act of 1934, as amended, and the Commission’s implementing rules and regulations. Additionally, the Bureau indicated that failing to timely and accurate CPNI Certifications could potentially trigger an FCC Enforcement Bureau investigation, which in the past has led to a $25 million settlement against AT&T Services Inc. in April 2015, and a $7.4 million fine against Verizon Communications Inc. in September 2014.
Section 222 of the Act obligates both telecommunications carriers and I-VoIP providers to establish and maintain procedures designed to ensure the protection of their customers’ CPNI, which is defined as certain customer information obtained by a telecommunications provider during the course of providing telecommunications services to a customer. This includes information relating to the quantity, technical configuration, type, destination, location, and amount of use of a communications service subscribed to by any customer of a telecommunications carrier or I-VoIP provider. Examples of CPNI include information typically available from call detail records (“CDRs”), such as the types of services purchased by a customer, numbers called, duration of calls, directory assistance charges, and calling patterns. CPNI does not include names, addresses, and telephone numbers, because that information is considered subscriber list information under applicable law. (See 47 C.F.R. §§ 64.1200-2011).
Furthermore, Section 64.2009(e) of the Commission’s rules requires all service providers subject to Section 222’s requirements to file a CPNI Officer Certification annually with the FCC by March 1st. The CPNI Officer Certification must contain a statement of compliance which: (1) describes, in detail, the policies and procedures a service provider has instituted to safeguard CPNI; and (2) reports any instances of CPNI-related breaches during the past year. The CPNI Certification must outline all the steps a service provider took during the previous year to prevent unauthorized access to CPNI. Companies are required to file separate CPNI Certifications for each of its affiliates.
The recent Enforcement Advisory issued affirms that the language of a carrier’s CPNI Certification must strictly comply with the Commission’s rules and guidelines governing such filings – lest carriers risk costly investigation and enforcement actions taken against them by the FCC’s Enforcement Bureau. Accordingly, all telecommunications carriers and I-VoIP providers should review their company’s policies and procedures for compliance with Section 222 of the Act, and the Commission’s rules governing CPNI compliance.
Should you have any questions regarding your company’s CPNI compliance, please do not hesitate to contact Linda McReynolds, Certified Information Privacy Professional/U.S. (CIPP/US), at (703) 714-1318, or firstname.lastname@example.org. You may also contact Joanna Wallace at (703) 714-1317, or email@example.com.
Additionally, we note that our affiliated consulting firm, The Commpliance Group, can assist your company with its CPNI reporting obligations and all other routine FCC filings, reporting requirements, and certifications for monthly subscription rates as low as $250. Contact Chris Canter at (703) 714-1308 or firstname.lastname@example.org, or the attorney assigned to your account for more information and a customized service and fee quotation, if you are interested in outsourcing your compliance needs.