Customer Proprietary Network Information (CPNI) NCTIA Training Session May 23, 2007
Agenda
- Definitions
- Current CPNI Rules
- Overview of Compliance Manual
- Overview of Compliance Certification
- New CPNI Rules
- Q & A
Customer Proprietary Network Information (CPNI) CPNI is defined in Section 222(f) of the Communications Act as (A) information that relates to the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by any customer of a wireline or wireless telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier (except that CPNI does not include subscriber list information)
What does that mean? Generally, CPNI includes personal information regarding a consumer's use of his or her wireline and/or wireless telecommunications services. CPNI encompasses information such as: (a) the telephone numbers called by a customer; (b) the frequency, duration and timing of a customer's phone calls; and (c) the telecommunications and information services purchased by a customer (including, but not limited to, local exchange, toll, cellular, paging, data transmission, call waiting, call forwarding, call blocking, PIC freeze, three-way calling, conference calling, voice mail, Internet access, call back, caller identification, call trace and toll denial services). While not absolutely clear, it appears that CPNI may also include the telephone numbers from which a customer receives calls. Unless and until the FCC or the courts declare otherwise, companies should treat such incoming call information as CPNI.
Subscriber List Information Subscriber list information (that is, subscriber names, addresses, phone numbers and/or advertising classifications that a carrier or its affiliate has published, or provided for publication, in a telephone directory) is deemed to be more like aggregate customer information than personal, individually identifiable customer information. It may be used by a carrier (or disclosed to its agents, independent contractors, affiliates and/or third parties) to publish telephone directories without the approval of the listed subscribers. Subscriber list information must be provided by carriers to third parties for the purpose of publishing directories. NOTE: Unlisted phone numbers are not included in subscriber list information, and may not be used by a carrier, or disclosed to its affiliates or third parties, for the purpose of publishing telephone directories.
Current CPNI Rules
- Designate a CPNI Compliance Officer
- Establish a CPNI training procedure
- Establish a CPNI Policy Manual
- Provide annual customer notification
- Be able to clearly establish a customer's CPNI approval prior to the use of CPNI
- Establish disciplinary rules and procedures for violation of established CPNI policies
CPNI Compliance Officer The CPNI Compliance Officer is responsible for: (1) communicating with the Company's attorneys and/or consultants regarding CPNI responsibilities, requirements and restrictions; (2) supervising the training of Company employees and agents who use or have access to CPNI; (3) receiving, reviewing and resolving questions or issues arising within the Company regarding use, disclosure, or provision of access to CPNI; and (4) reviewing and approving all outbound marketing activities and campaigns for compliance with CPNI restrictions.
Training Requirements Before accessing, using, disclosing or distributing any customer's CPNI, a Company employee or agent must complete the Company's CPNI Training Program.
Who must be trained? Various Company employees, agents and independent contractors may access, use, disclose or distribute customer records containing CPNI. These employees and agents may include: (a) officers and managers; (b) customer service representatives; (c) dispute resolution personnel; (d) accountants and bookkeepers; (e) billing and collection personnel; (f) sales and marketing representatives; (g) account representatives; (h) technicians and installers; and (i) others. Recommendation – TRAIN EVERYONE!
Permissible Uses of Proprietary Information Obtained from Other Carriers Companies may receive or obtain proprietary information (including CPNI) from other carriers for the purpose of: (a) executing changes of customer services and accounts to the other carrier; and (b) providing telecommunications services for or in conjunction with the other carrier (including services provided via interconnection, traffic exchange, reciprocal compensation, access, and bill and keep arrangements).
Permissible Uses of Proprietary Information Obtained from Other Carriers Company employees and agents may use proprietary information received or obtained from other carriers only for the purpose for which it is provided by the other carriers. If there is any uncertainty regarding the purpose intended by the other carrier, Company employees and agents are required to consult with the CPNI Compliance Officer. Company employees and agents are expressly prohibited from using proprietary information received or obtained from other carriers for purposes not intended by such carriers (particularly for uses related to the Company's marketing of its own services, including customer retention and customer win-back efforts).
Permissible Uses of CPNI Obtained from Customers Upon receiving an appropriate request from a customer, companies will disclose or distribute specified portions of the customer's CPNI: (a) to a law enforcement agency; or (b) to the customer. Any and all such customer requests: (1) must be made in writing; (2) must include the customer's correct billing name, address and telephone number; (3) must specify exactly what type or types of CPNI must be disclosed or provided; (4) must specify the time period for which the CPNI must be disclosed or provided; and (5) must be signed by the customer.
Permissible Uses of CPNI Obtained from Customers Because of the danger of unauthorized access to CPNI, companies should not distribute a customer's CPNI directly to a third party named in the customer's request, other than a recognized law enforcement agency. In the absence of an appropriate written request from the customer, a company will provide the customer's phone records or other CPNI to a law enforcement agency only in response to a warrant or subpoena that specifies the particular CPNI to be furnished.
Special Rules If a company provides local exchange or interexchange services, its employees and agents may use, disclose, or permit access to CPNI derived from its provision of local exchange service or interexchange service, without customer approval, to provide customer premises equipment (CPE), call answering, voice mail or messaging, voice storage and retrieval services, fax store and forward, and protocol conversion.
Special Rules (Contd) If a company provides wireless service, its employees and agents may use, disclose, or permit access to CPNI derived from its provision of Commercial Mobile Radio Services, without customer approval, to provide customer premises equipment (CPE) and information services.
Marketing Activities Marketing activities that do not use CPNI are not restricted in any manner by the federal CPNI requirements. Companies may send direct mail advertisements to households and businesses in various geographic areas (including communities, neighborhoods and zip codes) as long as they do not use CPNI to design the direct mail campaign or to target particular recipients. Such direct mail advertisements may be included as inserts in the monthly bills sent to the Company's customers, as long as CPNI is not used to target particular customers or to provide particular bill inserts to particular customers. In other words, companies cannot use CPNI to identify the customers of one service in order to target-market another service to them.
Annual Certification Sec. 64.2009 (e) A telecommunications carrier must have an officer, as an agent of the carrier, sign a compliance certificate on an annual basis stating that the officer has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart.
Compliance Manual All carriers should have a written compliance manual to train their personnel as to when they are and are not authorized to use CPNI, and carriers must have an express disciplinary process in place.
CPNI – Q & A (Contd) What are some permissible uses of CPNI obtained from customers? The Company's employees may access and use CPNI, without customer approval, to provide or market to the customer the same category or package of services to which the customer currently subscribes. It can also be used to provide or market adjunct-to-basic services (for example, customer calling features, inside wire maintenance, etc.). What does that mean? It means that if a customer subscribes to local telephone service, CPNI derived from local telephone service may be used to market new, additional or modified local exchange services to the customer. However, that same CPNI from the provision of local telephone service may NOT be used to provide or market cable television service to the customer.
CPNI – Q & A (Contd) What is a spouse (or other person) allowed to do on an account? If an account holder has given permission to allow the spouse to make changes or inquiries on the account, then we will honor that request. For new requests to allow someone other than the account holder access to account information, companies should require the customer to complete an authorization form PRIOR to allowing other persons to inquire into or make changes to an account. What information can we release to IXCs when they call into the office to verify PICs? An IXC should call in, provide the customer's name and telephone number, and ask to verify whether the customer is PIC'd to their carrier. They are entitled to know whether or not the customer is PIC'd to them and whether or not the customer has a PIC Freeze. They can also verify the date the customer was PIC'd to their service.
CPNI – Q & A (Contd) REMEMBER: If you are offering a promotion indiscriminately to all customers, CPNI does not apply. It applies only when you use customer-specific CPNI to market services. If a customer has not opted out, it is permissible to use CPNI to market other telecommunications services to that customer.
New CPNI Rules – FCC 07-22
- Carrier Authentication Requirements
- Notice to Customer of Account Changes
- Notice of Unauthorized Disclosure of CPNI
- Joint Venture and Independent Contractor Use of CPNI
- Annual CPNI Certification
- CPNI Regulations Applicable to Interconnected VOIP Service
- Enforcement Proceedings
- Business Customers
Carrier Authentication Requirements Carriers are prohibited from releasing call detail information during customer-initiated telephone contact except when the customer provides a password. If the customer does not provide a password, the carrier may release the call detail information by sending it to an address of record or by the carrier calling the customer at the telephone number of record.
Carrier Authentication Requirements Carriers are also required to provide mandatory password protection for online account access. Carriers are permitted to provide CPNI to customers based on in-store contact with a valid photo ID.
Carrier Authentication Requirements Address of record means, whether postal or electronic, the address that the carrier has associated with the customer's account for at least 30 days. Carriers can call the customer at the number of record but cannot rely on Caller ID as an authentication method, because pretexters can easily spoof the Caller ID number presented to the carrier.
Carrier Authentication Requirements If a customer is able to provide to the carrier, during a customer-initiated telephone call, all of the call detail information necessary to address a customer service issue (i.e., the telephone number called, when it was called, and, if applicable, the amount charged for the call), then the carrier is permitted to proceed with its routine customer care procedures. Under this circumstance, a carrier may not disclose any call detail information about the account other than the call detail information that the customer provides unless the customer first provides a password.
Establishment of Password Protection New Customers – carriers may request that the customer establish a password at the time of service initiation. The carrier must still authenticate the customer at that time. Existing Customers – carriers must first authenticate the customer by calling the customer at the telephone number of record, or a carrier could use a Personal Identification Number (PIN) method of authentication.
Establishment of Password Protection Establishment of PIN – a PIN can be used to authenticate the customer. The PIN can be sent to the customer's address of record, that is, an address the carrier has had on file for at least 30 days. The customer can use the PIN to authenticate himself if he cannot remember his password.
Establishment of Password Protection For accounts that are password protected, a carrier cannot prompt the customer for his password by asking for readily available biographical information or account information; such information cannot substitute for the password.
Establishment of Password Protection Readily available biographical information includes such things as the customer's social security number, or the last 4 digits of the social security number; mother's maiden name; a home address; or date of birth.
Customer Notification of Account Changes Carriers are required to notify customers immediately when a password, a customer-response back-up means of authentication for lost or forgotten passwords, an online account, or an address of record is created or changed. This may be through carrier-originated voicemail or text message to the telephone number of record, or sent to the address of record. Such notification must not reveal the changed account information, and it may not be sent to the new account information (for example, to a newly entered address of record).
Online Account Access Carriers are required to password protect online access to CPNI. Carriers are prohibited from relying on readily available biographical information or account information to authenticate a customer's identity before the customer accesses CPNI online. A carrier must appropriately authenticate both new and existing customers seeking access to CPNI online.
Business Customer Exemption If a carrier's contract with a business customer is serviced by a dedicated account representative as the primary contact, and the contract specifically addresses the carrier's protection of CPNI, then the authentication rules do not apply to that business customer.
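As an added illustration (not part of the NCTIA slides or any FCC material), the following Python module encodes the authentication and account-change-notification rules from the preceding slides as decision functions that a customer-care or online-account application could call before releasing call detail. The names (Account, Request, Channel, Decision, authorize_call_detail_release, account_change_notices) and the sample account data are the example's own assumptions, not FCC or carrier terminology. The point it makes in code is that Caller ID and readily available biographical information never raise the authentication level, that the 30-day rule decides whether the address of record may be used out of band, and that change notices are routed only to pre-change contact data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum, auto
from typing import FrozenSet, List, Optional, Tuple

# Example module (not from the slides): encodes the FCC 07-22 authentication
# rules summarized above. All names here are the example's own.

ADDRESS_OF_RECORD_MIN_AGE = timedelta(days=30)

# "Readily available biographical information" per the slides. It is never an
# authenticator and must not be used to prompt a customer for a password.
READILY_AVAILABLE_BIOGRAPHICAL = frozenset(
    {"ssn", "ssn_last4", "mothers_maiden_name", "home_address", "date_of_birth"}
)

# Changes that trigger an immediate customer notification.
NOTIFIABLE_CHANGES = frozenset(
    {"password", "backup_authentication", "online_account", "address_of_record"}
)


class Channel(Enum):
    PHONE_CUSTOMER_INITIATED = auto()
    ONLINE = auto()
    IN_STORE = auto()


class Decision(Enum):
    RELEASE = auto()                         # disclose the requested call detail now
    DISCUSS_ONLY_CUSTOMER_SUPPLIED = auto()  # routine care limited to calls the customer described
    SEND_TO_ADDRESS_OF_RECORD = auto()       # out of band: mail or e-mail the address of record
    CALLBACK_NUMBER_OF_RECORD = auto()       # out of band: carrier calls the number of record
    CONTRACT_GOVERNS = auto()                # business-customer exemption applies
    DENY = auto()


@dataclass(frozen=True)
class Account:
    number_of_record: str
    address_of_record: str
    address_of_record_since: date
    business_exempt: bool = False  # dedicated account rep and contract addressing CPNI


@dataclass(frozen=True)
class Request:
    channel: Channel
    password_ok: bool = False                 # stored verifier matched the supplied password
    photo_id_ok: bool = False                 # valid photo ID checked in store
    caller_id: Optional[str] = None           # logged only; spoofable, never an authenticator
    supplied_call_details: Tuple[Tuple[str, str, str], ...] = ()  # (number, when, amount) read out by caller
    offered_factors: FrozenSet[str] = frozenset()  # e.g. {"ssn_last4"}; deliberately ignored


def authorize_call_detail_release(acct: Account, req: Request, today: date) -> Decision:
    """Decide how, if at all, call detail may be disclosed for this contact.

    Caller ID and anything in READILY_AVAILABLE_BIOGRAPHICAL never raise the
    authentication level, so req.caller_id and req.offered_factors are not consulted.
    """
    if acct.business_exempt:
        return Decision.CONTRACT_GOVERNS
    if req.channel is Channel.ONLINE:
        return Decision.RELEASE if req.password_ok else Decision.DENY
    if req.channel is Channel.IN_STORE:
        return Decision.RELEASE if req.photo_id_ok else Decision.DENY

    # Customer-initiated telephone contact.
    if req.password_ok:
        return Decision.RELEASE
    if req.supplied_call_details:
        return Decision.DISCUSS_ONLY_CUSTOMER_SUPPLIED
    if today - acct.address_of_record_since >= ADDRESS_OF_RECORD_MIN_AGE:
        return Decision.SEND_TO_ADDRESS_OF_RECORD
    # Address has not been on file for 30 days, so it is not yet an "address of record".
    return Decision.CALLBACK_NUMBER_OF_RECORD


def account_change_notices(before: Account, changed: FrozenSet[str]) -> List[Tuple[str, str, str]]:
    """Notices owed immediately after a password/backup-auth/online-account/address change.

    Routed to the PRE-change number and address of record only (never to newly
    entered contact data) and naming what changed without revealing the new value.
    """
    hits = changed & NOTIFIABLE_CHANGES
    if not hits:
        return []
    what = ", ".join(sorted(hits)).replace("_", " ")
    msg = (f"Your {what} was changed. If you did not request this, "
           "contact us using the number printed on your bill.")
    return [
        ("text_or_voicemail", before.number_of_record, msg),
        ("mail_or_email", before.address_of_record, msg),
    ]


if __name__ == "__main__":
    # Constructed sample data.
    acct = Account("555-0100", "1 Main St, Anytown", date(2007, 1, 15))
    today = date(2007, 5, 23)
    print(authorize_call_detail_release(acct, Request(Channel.PHONE_CUSTOMER_INITIATED), today))
    for notice in account_change_notices(acct, frozenset({"address_of_record"})):
        print(notice)
```

A real deployment would back `password_ok` with a proper password verifier and log `caller_id` and `offered_factors` for fraud analytics, but the decision path must stay exactly this narrow: the only inputs that ever unlock call detail are the password, an in-store photo ID, or the customer's own description of the calls in question.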
Notice of Unauthorized Disclosure of CPNI A telecommunications carrier shall notify law enforcement of a breach of its customers' CPNI no later than seven business days after a reasonable determination of a breach. The report will be sent via electronic notification through a central reporting facility to the United States Secret Service and the Federal Bureau of Investigation. The FCC will maintain a link to the reporting facility at www.fcc.gov/eb/cpni.
Notice of Unauthorized Disclosure of CPNI A carrier may notify the customer and/or disclose the breach publicly after seven business days following notification to the USSS and the FBI, if the USSS and FBI have not requested that the carrier continue to postpone disclosure. Carriers must maintain a record of any discovered breaches, as well as the USSS and FBI responses to the notifications, for a period of two years. The record must include the date the carrier discovered the breach, the date the carrier notified law enforcement, a detailed description of the CPNI that was breached, and the circumstances of the breach.
Additional Protection Measures Adoption of the rules in the Order does not relieve carriers of their fundamental duty to remain vigilant in their protection of CPNI, nor does it insulate them from enforcement action for unauthorized disclosure of CPNI. Carriers are free to take additional protective steps such as encryption to protect CPNI databases from hackers and other unauthorized attempts from third parties to access CPNI.
Joint Venture and Independent Contractor Use of CPNI Carriers are required to obtain opt-in consent from a customer before disclosing that customer's CPNI to the carrier's joint venture partner or independent contractor for the purpose of marketing communications-related services to that customer.
Annual Certification Filing Carriers are required to file their annual CPNI certification with the FCC, including an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. The annual certification must be made publicly available.
Annual Certification Filing The certification must be signed by an officer of the company with personal knowledge that the carrier is in compliance with the FCC's CPNI rules. It must include an accompanying statement explaining how the carrier's procedures ensure it is in compliance with the CPNI rules (e.g., the carrier may explain its training program, the disciplinary process applicable to improper disclosure of CPNI, and the process used to ensure opt-out elections are recorded and followed).
Annual Certification Filing Carriers may file certifications confidentially with the FCC. If requesting confidential treatment, the carrier must file redacted and non-redacted versions. Carriers are reminded that certification is required even if the carrier does not use CPNI for marketing purposes, as the obligation to protect CPNI from improper disclosure exists regardless of whether the carrier uses it for marketing purposes.
Interconnected VOIP Service The FCC's CPNI rules will apply to all providers of interconnected VOIP service. A service offering is interconnected VOIP if it offers the capability for users to receive calls from or terminate calls to the PSTN, regardless of whether access to the PSTN is directly through the interconnected VOIP provider or through arrangements with a third party.
Implementation The rules become effective six months after the Order's effective date or on receipt of OMB approval, whichever is later. The FCC will issue a Public Notice when OMB approval is received. Small entities will have an additional six months to implement the rules pertaining to the online carrier authentication requirements.
Enforcement The FCC declined to create a carrier safe harbor to immunize carriers from possible sanction for disclosing CPNI without appropriate authorization. When investigating compliance with the CPNI rules, the FCC will consider whether the carrier has taken reasonable precautions to prevent the unauthorized disclosure of a customer's CPNI. Where a pretexter has obtained unauthorized access to CPNI, the FCC will infer from that fact that the carrier did not sufficiently protect the CPNI; the carrier must then demonstrate that the steps it took to protect CPNI were reasonable in light of the pretexting threat and the sensitivity of the information. The FCC may impose sanctions, including forfeiture.
FNPRM
- Should password protection apply to all CPNI, not just call detail?
- Should the FCC adopt rules pertinent to audit trails?
- Should the FCC adopt rules concerning the physical transfer of CPNI among companies?
- Should the FCC limit data retention?
- Should the FCC adopt rules pertaining to the protection of information stored in mobile communications devices?