PROTECTING CUSTOMER INFO FROM CYBERATTACKS
Iowa Communications Alliance Impact Conference, November 9, 2016
CPNI: Wendy Harper, Senior Telecommunications Analyst
Cyber Security: Jon Brown, Senior Technology Leader, Data Networks
Federal Communications Commission (FCC): Customer Proprietary Network Information (CPNI)
CPNI Background: Section 222 of the Telecom Act of 1996
- Created a framework to govern telecommunications carriers’ protection and use of information obtained by providing the telecommunications service
- Congress sought to balance readily providing a customer with access to his/her own CPNI against protecting customers from unauthorized use or disclosure of CPNI
- A carrier has a general duty to protect the confidentiality of CPNI
- A carrier may only use, disclose, or permit access to a customer’s CPNI in limited circumstances:
  - as required by law;[1]
  - with the customer’s approval; or
  - in its provision of the telecommunications service from which such information is derived, or services necessary to, or used in the provision of, such telecommunications service
- Guarantees that customers have a right to obtain access to, and compel disclosure of, their own CPNI

[1] See, e.g., Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. , Declaratory Ruling, 21 FCC Rcd 9990 (2006) (clarifying that Section 222 does not prevent a telecommunications carrier from complying with the obligation in 42 U.S.C. § to report violations of specific federal statutes relating to child pornography). See also Declaratory Ruling, DA No. , which clarifies that this applies only to the extent CPNI is “required” and does not cover voluntary disclosure when filing with the NCMEC CyberTipline.
CPNI Background (Continued)
CPNI Order of 1998
- The FCC released the CPNI Order, in which it adopted a set of rules implementing Section 222
- Outlined the extent to which Section 222 permits carriers to use CPNI to render the telecommunications service from which the CPNI was derived
- Beyond such use, the Commission’s rules require carriers to obtain a customer’s knowing consent before using or disclosing CPNI
Order Requirements
- Require carriers to design their customer service records in such a way that the status of a customer’s CPNI approval can be clearly established
- Require telecommunications carriers to train their personnel as to when they are and are not authorized to use CPNI
- Require carriers to have an express disciplinary process in place
- Require carriers to maintain records that track access to customer CPNI records and to maintain such records for a period of at least one year
- Require the establishment of a supervisory review process for outbound marketing campaigns
- Require each carrier to certify annually regarding its compliance with the CPNI requirements and to make this certification publicly available
CPNI Background (Continued)
Temporary Opt-Out Clarification
- The FCC permitted carriers to rely on opt-out measures for customer approval of using their CPNI for marketing
Opt-In Requirement
- The FCC issued rules requiring opt-in measures for customer approval of carriers’ release of CPNI to third parties; however, opt-out provisions were allowed for the release of CPNI to affiliated parties
EPIC Petition
- The Electronic Privacy Information Center (EPIC) filed a petition with the Commission asking it to investigate telecommunications carriers’ current security practices and to initiate a rulemaking proceeding to consider establishing more stringent security standards for telecommunications carriers to govern the disclosure of CPNI
- In particular, EPIC proposed that the Commission consider requiring the use of consumer-set passwords, creating audit trails, employing encryption, limiting data retention, and improving notice procedures
CPNI Background (Continued)
CPNI Report and Order of 2007
- Since the CPNI Order of 1998, telecommunications carriers have sued many people whom they accuse of fraudulently obtaining phone records
Pretexting
- The practice whereby an individual impersonates another person and employs false pretenses, or otherwise uses trickery, to obtain records
Case filed by Cingular
- Cingular stated that the defendant pretexter posed as an employee of Cingular and as a customer of Cingular to induce Cingular’s CSR to provide them with the call records of a targeted customer
CPNI Background: CPNI Report and Order of 2007 (Continued)
Data brokers
- Businesses that operate (often via a website) by offering phone records as well as other personal information for a fee
- Data brokers retrieve the personal information through pretexting
- Numerous complaints have been filed with the FTC against data brokers
- Several states have sued data brokers for pretexting phone records
- Data brokers have generally responded that there is no law prohibiting them from selling phone records
FCC rules adopted on March 13, 2007, and the associated Order released on April 2, 2007
- Rules became effective on December 8, 2007
CPNI Background (Continued)
Declaratory Ruling – 2013
- June 27, 2013 (FCC 13-89): “when a telecommunications carrier collects CPNI using its control of its customers’ mobile devices, and the carrier or its designee has access to or control over the information, the carrier is responsible for safeguarding that information”
- Can include:
  - Customer’s use of the network, including preinstalled apps
  - Phone numbers called and received
  - Duration of calls
  - Phone’s location at the beginning and end of each call
- Carriers are allowed to collect this information to improve networks and customer support, but must protect it
- The FCC can take enforcement actions if a failure to take reasonable precautions causes compromise of CPNI on a device
- The rules do not impose any requirements on non-carrier, third-party developers of applications that consumers may install on their own
CPNI Background (Continued)
FCC Broadband Privacy Enforcement Advisory
- Issued May 20th, 2015 (DA )
- Broadband providers should take reasonable, good-faith steps to protect consumer privacy during the interim period after the statutory provisions of Section 222 of the Communications Act become applicable to broadband providers
- The interim period started after the Open Internet Order became effective on June 12th, 2015 and concludes with the effective date of any subsequent Commission action that provides further guidance and/or adopts regulations applying Section 222 more specifically to broadband Internet access service
CPNI Background (Continued)
FCC Broadband Privacy Enforcement Advisory (Continued)
- The FCC’s Open Internet Order applies the consumer privacy protections of Section 222 to providers of broadband Internet access service
- It does not apply the existing telephone-centric CPNI rules
- The FCC indicated that in the future it may adopt rules relating specifically to broadband service, but the statutory provisions of Section 222 still apply
- The Enforcement Bureau will not focus on specific technical details and rules during the interim period, but plans to focus on whether broadband providers are taking reasonable, good-faith steps to comply with Section 222
CPNI Background (Continued)
FCC Adopts NPRM Proposing Broadband Privacy Rules
- Released: April 1, 2016
- Comments were due: May 27, 2016
- Reply comments were due: June 27, 2016
- Order adopted: October 27, 2016
- Order released (FCC ): November 2, 2016
- New privacy rules for broadband Internet service providers (ISPs)
- Defines the information protected under Section 222, “customer proprietary information”: Customer Proprietary Network Information (CPNI) and personally identifiable information (PII)
- PII is a broader category collected by ISPs through provisioning broadband Internet access service
CPNI Background (Continued)
CPNI in the Broadband Context:
- Service plan information
- IP and MAC addresses and domain names (other device identifiers)
- Geo-location
- Traffic statistics
PII
- Broad definition: “any information that [is] linked or linkable to an individual”
- Examples of customer information: Addresses, Names, Birth Dates, Social Security Numbers; Addresses and Phone Numbers; Financial and Employment Information; IP and MAC Addresses
CPNI Background (Continued)
- Over the years, several telecommunications carriers have been fined for failing to safeguard customer information and to comply with FCC CPNI regulations
- Even small carriers have been given hefty fines in the range of $100,000
Protecting Privacy of Consumer Broadband and Other Telco Services
FCC New Order (16-106)
- Gives consumers tools to choose how their ISPs use and share their personal data
- ISPs are the “on-ramp” to the Internet and see a tremendous amount of PII
- Consumers deserve the right to decide how that information is used and shared, and to protect their privacy
Protecting Privacy of Consumer Broadband and Other Telco Services (Continued)
- An ISP (mobile or fixed) must tell customers about the collection, use, and sharing of their information:
  - Notify customers about what types of information are collected about them
  - Specify how and for what purposes the information is used and shared
  - Identify the types of entities with which the ISP shares this information
- Immediate and persistent notification:
  - When signing up for service
  - Updated when ISP privacy policies change in significant ways
  - Information available on the ISP website or mobile app
- Directed the Consumer Advisory Committee (CAC) to develop a standard privacy notice format for voluntary use as a “safe harbor” if the ISP chooses to adopt it
Protecting Privacy of Consumer Broadband and Other Telco Services (Continued)
Increased consumer choice based on the sensitivity of PII
- Opt-In: the ISP is required to obtain consent to use and share sensitive information: precise geo-location, children’s information, health information, financial information, Social Security numbers, web browsing history, app usage history, content of communications
- Opt-Out: use and sharing of non-sensitive information, i.e., all other individually identifiable customer information, such as service tier information
Protecting Privacy of Consumer Broadband and Other Telco Services (Continued)
Exceptions to Consent:
- Use and sharing of non-sensitive information to provide and market services and equipment typically marketed with the broadband service subscribed to by the customer
- To provide the broadband service, and to bill and collect
- To protect the ISP and its consumers from fraudulent use of the network
Protecting Privacy of Consumer Broadband and Other Telco Services (Continued)
De-identified Information
- Data that has been altered so that it is no longer associated with an individual consumer or device
- An ISP can use and share properly de-identified information outside the consent regime
- Three-part test articulated by the FTC in 2012 to ensure data is not re-identified:
  - Alter customer information so it can’t be reasonably linked to a specific individual or device
  - Publicly commit to maintain and use the information in an unidentifiable format and to not attempt to re-identify the data
  - Contractually prohibit the re-identification of shared information
Protecting Privacy of Consumer Broadband and Other Telco Services (Continued)
- An ISP can’t refuse to serve customers who don’t consent to the use and sharing of their information
- The FCC will determine on an individual case basis (ICB) the legitimacy of programs that relate service price to privacy protection
- Consumers should not be forced to choose between paying inflated prices and maintaining privacy
Protecting Privacy of Consumer Broadband and Other Telco Services (Continued)
Strengthen Protection of Consumer Information
- ISPs must take reasonable measures to protect consumer data
- Guidelines:
  - Implement up-to-date and relevant industry best practices, including available guidance on how to manage security risks responsibly
  - Provide appropriate accountability and oversight of security practices
  - Implement robust consumer authentication tools
  - Properly dispose of data consistent with FTC best practices and the Consumer Privacy Bill of Rights
Protecting Privacy of Consumer Broadband and Other Telco Services (Continued)
Data Breach
- Consumers have the right to know when their data has been compromised
- A reportable breach occurs when the ISP determines that an unauthorized disclosure of PII has occurred, unless it determines that no harm is reasonably likely to occur
- In the event of a reportable breach, the ISP is required to notify:
  - Affected customers of breaches of their data as soon as possible, but no later than 30 days after the breach is determined
  - The FCC, FBI, and US Secret Service, when the breach affects 5,000 or more customers, no later than 7 days after the breach is determined
  - The FCC at the same time as customers are first notified, for breaches affecting fewer than 5,000 customers
Protecting Privacy of Consumer Broadband and Other Telco Services (Continued)
Harmonizes Broadband and Voice Rules
- The new rules also apply to voice services and treat call-detail records as sensitive information
- The FCC is providing clear and consistent privacy and data security protections for customers of all telecommunications services
- The FCC intends to proceed with a rulemaking in February 2017 to address mandatory arbitration requirements in contracts for communication services
Protecting Privacy of Consumer Broadband and Other Telco Services (Continued)
Implementation Timeline (after publication of the summary of the Order in the Federal Register)
- Data security requirements: 90 days after publication
- Data breach notification requirements: approximately 6 months after publication
- Notice and choice requirements: approximately 12 months after publication
- Small providers will have an additional 12 months for compliance
Protecting Privacy of Consumer Broadband and Other Telco Services (Continued)
New Rules Do Not:
- Regulate the privacy practices of websites or apps (FTC authority), e.g., Twitter or Facebook
- Regulate other services of broadband providers, e.g., operation of social media websites
- Address issues such as governmental surveillance, encryption, or law enforcement
CPNI Overview: CPNI Definition
Customer Proprietary Network Information (CPNI) is defined by the FCC as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.”[1]

[1] 47 U.S.C. § 222(h)(1)
Key Definitions
Readily Available Biographical Information
- “information drawn from the customer’s life history and includes such things as the customer’s social security number, or the last four digits of that number; mother’s maiden name; home address; or date of birth”
Account Information
- “information that is specifically connected to the customer’s service relationship with the carrier, including such things as an account number or any component thereof, the telephone number associated with the account, or the bill’s amount”
Key Definitions (Continued)
Address of Record
- “whether postal or electronic, is an address that the carrier has associated with the customer’s account for at least 30 days”
Telephone Number of Record
- “Telephone number associated with the underlying service, not the telephone number supplied as a customer’s contact information”
Key Definitions (Continued)
Valid Photo ID
- “a government-issued means of personal identification with a photograph such as a driver’s license, passport, or comparable ID that is not expired”
- Note: a valid photo ID should be utilized for in-store access to CPNI
Call Detail Information
- “information that pertains to the transmission of specific telephone calls, including, for outbound calls, the number called, and the time, location, or duration of any call and, for inbound calls, the number from which the call was placed, and the time, location, or duration of any call”
Key Definitions (Continued)
Communication-related services
- “means telecommunications services, information services typically provided by telecommunications carriers, and services related to the provision or maintenance of customer premises equipment”
CPNI Examples
Call Detail
- Called and calling numbers
- Duration, time, and frequency of the calls
- Anything in the call detail that is due to the company/customer relationship
Non-call Detail
- Calling features purchased (call waiting, caller ID, etc.)
- Specific dollar amounts billed
- Anything that is due to the company/customer relationship
Non-CPNI Examples
- Customer name
- Customer address
- Telephone number
- Any other public information (such as can be found in a phone book, directory, etc.)
- If customer information is unpublished or not publicly known, then it is CPNI
Authorized Release of CPNI
CPNI Disclosure: Customer-Initiated Telephone Call
Non-Call Detail CPNI
- Must authenticate customers before discussing non-call detail CPNI with a customer
Call Detail CPNI
- Must require that the associated account password (one that is not prompted by readily available account information or biographical information) be supplied by the authorized account customer before providing call detail to the customer
- If the password is not supplied, then the other three means of call detail release approved by the FCC may be utilized:
  1. Call the customer back at the telephone number of record
  2. Mail to the address of record
  3. Customer comes in with a valid government-issued photo ID
- Without the password, an employee may discuss call detail information provided by the customer that is not prompted by the employee; other call detail not provided by the customer CANNOT be discussed without the password or one of the three approved methods
Authorized Release of CPNI (Continued)
CPNI Disclosure (Continued)
Online Access
- Must authenticate the customer prior to allowing access to the CPNI related to a telecommunications service account
- After authentication, the customer can only gain access to CPNI related to a telecommunications service account through a password
- Authentication and the password CANNOT be prompted by readily available biographical or account information
In-store Access
- Must present a valid photo ID that matches the account information
Authorized Account Contacts
- Employees may only discuss and/or provide CPNI to an Authorized Account Contact (AAC) for the particular account being discussed
Note Regarding Non-AACs:
- Payments may be received from non-AACs, as long as the employee does not provide CPNI to them
- If the customer can provide details of a call, those provided details can be discussed, but additional information cannot be provided
Authorized Account Contacts (Continued)
Important Note:
- If a customer requests access to information contained in call detail records (such as the called number, length of call, etc.), a password is required
- If no password is supplied, then use the other three methods approved by the FCC:
  - Calling back the number of record
  - Mailing to the address of record
  - Customer providing a valid government-issued photo ID
- Employees are forbidden from supplying call detail record information to anyone without the account password (or the other three methods), even if Caller ID indicates that the customer is calling from the telephone number of record
- Other non-call detail information, such as calling features purchased, etc., may be disclosed without a password, but only after the customer has been authenticated
Password Protection
Establishing a Password
New Customers
- Require new customers to establish a password at the time of service initiation; they are easily authenticated at that time by showing a government-issued photo ID
- If a customer does not set up a password, but later decides to establish one by either calling the Company or stopping into the Company office, employees must first authenticate the customer without the use of readily available biographical information or account information
Security Questions
- A couple of security questions should also be answered by the customer in case the password is forgotten
Password Protection (Continued)
Use of Password
Call detail request
- Politely explain to the customer that the FCC requires the customer to provide the account password before this information may be disclosed
- If the customer is unable to provide the password, the employee should ask the customer the account security questions and, if they are answered correctly, may then provide the requested call detail record information and establish a new password (a notification should be sent for this)
- If the customer is unable to provide the password and does not answer the two selected security questions correctly, or if the customer refuses to set up a password, the employee should explain the following options and may share the call detail records only by the three following methods:
  - Calling the customer back at the telephone number of record
  - Mailing or emailing the information to the address of record (the address must be on company file for at least 30 days)
  - Authenticating the customer’s identity in person with a valid government-issued photo identification
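The customer-initiated telephone disclosure rules described on the preceding slides (authenticated AAC for non-call detail; password, back-up questions, or one of the three approved methods for call detail; Caller ID never sufficient; back-up questions must not draw on biographical or account information) can be encoded as one decision function so a CSR tool applies them consistently. This is an added illustration, not code from the presenters or any carrier; the Request/Decision structures, the topic names in FORBIDDEN_PROMPTS and the method preference order are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Evidence(Enum):
    """How the caller's identity was (or will be) established."""
    PASSWORD = "account password supplied"
    SECURITY_QUESTIONS = "back-up security questions answered correctly"
    CALLBACK_NUMBER_OF_RECORD = "call back at telephone number of record"
    MAIL_ADDRESS_OF_RECORD = "mail to address of record"
    IN_PERSON_PHOTO_ID = "valid government-issued photo ID presented in person"
    CALLER_ID_MATCH = "Caller ID shows telephone number of record"


# Readily available biographical or account information (assumed topic names):
# a back-up question prompted by any of these does not count as authentication.
FORBIDDEN_PROMPTS = frozenset({
    "ssn", "ssn_last4", "mothers_maiden_name", "home_address", "date_of_birth",
    "account_number", "telephone_number", "bill_amount",
})

# Preference order when more than one acceptable method is available.
CALL_DETAIL_METHODS = (
    Evidence.PASSWORD,
    Evidence.SECURITY_QUESTIONS,
    Evidence.CALLBACK_NUMBER_OF_RECORD,
    Evidence.MAIL_ADDRESS_OF_RECORD,
    Evidence.IN_PERSON_PHOTO_ID,
)

# The three options the CSR explains when no password is available.
FALLBACK_OPTIONS = (
    "offer a call back at the telephone number of record",
    "offer to mail the records to the address of record",
    "offer in-person release against a valid government-issued photo ID",
)


@dataclass
class Request:
    is_authorized_contact: bool            # caller is an AAC for this account
    authenticated: bool                    # authenticated without forbidden prompts
    wants_call_detail: bool
    evidence: set = field(default_factory=set)
    security_question_topics: tuple = ()   # what the back-up questions asked about
    address_of_record_age_days: int = 0
    only_customer_supplied_details: bool = False  # caller volunteers the call details


@dataclass
class Decision:
    allowed: bool
    reason: str
    follow_up: tuple = ()                  # actions the CSR must take next


def decide(req: Request) -> Decision:
    """Apply the customer-initiated telephone disclosure rules to one request."""
    if not req.is_authorized_contact:
        return Decision(False, "CPNI may only be discussed with an Authorized Account Contact")
    if not req.authenticated:
        return Decision(False, "authenticate the customer before discussing any CPNI")
    if not req.wants_call_detail:
        return Decision(True, "non-call detail CPNI: authentication is sufficient")
    if req.only_customer_supplied_details:
        return Decision(True, "details volunteered by the customer may be discussed; "
                              "do not add call detail the customer did not supply")

    usable = set(req.evidence)
    # Back-up questions drawn from biographical or account information are void.
    if set(req.security_question_topics) & FORBIDDEN_PROMPTS:
        usable.discard(Evidence.SECURITY_QUESTIONS)
    # The address of record must have been on file for at least 30 days.
    if req.address_of_record_age_days < 30:
        usable.discard(Evidence.MAIL_ADDRESS_OF_RECORD)
    # Caller ID matching the number of record is never sufficient on its own.
    usable.discard(Evidence.CALLER_ID_MATCH)

    for method in CALL_DETAIL_METHODS:
        if method in usable:
            follow_up = ()
            if method is Evidence.SECURITY_QUESTIONS:
                follow_up = ("establish a new password",
                             "send an account-change notification")
            return Decision(True, f"call detail may be released: {method.value}", follow_up)

    return Decision(False, "call detail requires the account password or one of "
                           "the three FCC-approved alternatives", FALLBACK_OPTIONS)
```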
Password Protection (Continued)
On-line Account Access
- The Company must appropriately authenticate both new and existing customers seeking access to account information online
- The carrier must not authenticate the customer based on readily available biographical information or account information
- The FCC requires the use of passwords for on-line account review and billing access
- The FCC does not require carriers to reinitialize existing passwords for online customer accounts, but a carrier cannot base online access solely on readily available biographical information or account information, or on prompts for such information
- The FCC allows carriers to create back-up customer authentication methods for lost or forgotten passwords, in line with the back-up authentication framework established for password protection of customer-initiated telephone contact
Password Protection (Continued)
On-line Account Access (Continued)
- If a customer cannot provide a password or the proper response for the back-up authentication method to access an online account, the carrier must re-authenticate the customer based on the authentication methods adopted in the Order before the customer gains online access to CPNI
- The FCC expects carriers to block access to the customer’s account if repeated unsuccessful attempts are made to log in
- Note: the FCC allowed a 6-month extension for small entities to become compliant with this portion of the new rules regarding on-line access; therefore this became effective June 8, 2008
Account Change/Activity Notification
- The FCC requires the Company to notify customers immediately of certain account changes, including:
  - Password created or changed
  - Customer responses to security questions created or changed
  - Online account created or changed
  - Address of record (physical or electronic) created or changed
  - Authorized customer added to the account (suggested)
- Notification can be sent via voicemail or text message to the telephone number of record, or by mail to the address of record
- Notification must be generic in nature, listing what changed but not what it was changed to
  - Example: state that the address changed, but don’t state the new address
Business Customer Exemption
- Some business customer accounts contain privately negotiated CPNI safeguards, as established in an account contract
- The exemption applies if the contract with the business customer is serviced by a dedicated account representative as the primary contact and the contract specifically addresses protection of the business customer’s CPNI
- The exemption does not apply if the business customer has to go through a call center to reach a CSR
- The authentication rules do not have to be followed for that particular business customer; however, the remainder of the CPNI rules still need to be followed
Reporting Procedures
Law Enforcement Notification
- Must notify law enforcement of a breach of its customers’ CPNI no later than seven business days after a reasonable determination of a breach
- Notification is sent electronically through a central reporting facility to the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI)
- The FCC Enforcement Bureau will maintain a link to the reporting facility at
Customer Notification
- The Company must then notify the customer and/or disclose the breach publicly after seven business days following notification to the USSS and the FBI, if the USSS and the FBI have not requested that disclosure continue to be postponed
- The Company may notify the customer immediately, or publicly disclose the breach immediately, after consultation with the relevant investigative agency, if it believes that there is an extraordinarily urgent need to notify a customer or class of customers in order to avoid immediate and irreparable harm
Reporting Procedures (Continued)
Maintenance of Records
- The Company must maintain a record of any discovered breaches, notifications to the USSS and the FBI regarding those breaches, and the USSS and FBI responses to the notifications for a period of at least two years
- Records must include, if available:
  - Date the breach was discovered
  - Date the Company notified the USSS and the FBI
  - Date the Company notified the customer
  - Detailed description of the CPNI that was breached
  - Circumstances of the breach (including steps taken to prevent the breach, how the breach occurred, and the impact of the breach)
Cooperation with Law Enforcement
- Fully cooperate in any law enforcement investigation of such unauthorized release of CPNI or attempted unauthorized access to an account, consistent with statutory and FCC requirements
- Note: for carriers with breaches, the FCC can still issue forfeitures against them even if all the CPNI rules are proven to have been met. It is important for your company to go above and beyond all FCC CPNI protection rules, displaying your commitment to protecting your customers’ CPNI
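The reporting timeline on these two slides (seven business days to the USSS/FBI, customer notice seven business days after that unless postponed or urgent, two-year record retention, the required record fields) and the separate 2016 broadband-order deadlines from the Data Breach slide earlier in the deck are easy to miscount under pressure; the following breach-log helper computes them. This is an added example, not the presenters' or any carrier's tooling; it assumes business days mean Monday to Friday and does not model public holidays.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` business days (Monday-Friday).
    Public holidays are not modelled; that is a simplifying assumption."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


@dataclass
class BreachRecord:
    """One entry in the carrier's breach log (fields from the slide above)."""
    discovered: date
    determined: date                      # reasonable determination of a breach
    cpni_description: str = ""
    circumstances: str = ""               # how it occurred, impact, prevention steps
    notified_le: Optional[date] = None    # USSS/FBI via the central reporting facility
    notified_customer: Optional[date] = None
    le_requested_postponement: bool = False

    def law_enforcement_deadline(self) -> date:
        """USSS and FBI must be notified within seven business days of determination."""
        return add_business_days(self.determined, 7)

    def earliest_customer_notice(self, urgent_after_consultation: bool = False) -> Optional[date]:
        """Customer/public notice waits seven business days after the USSS/FBI
        notification, unless law enforcement asked for continued postponement, or
        there is an extraordinarily urgent need agreed with the investigating agency."""
        if self.notified_le is None:
            return None                   # nothing to the customer before USSS/FBI
        if urgent_after_consultation:
            return self.notified_le
        if self.le_requested_postponement:
            return None                   # wait until the agency lifts the request
        return add_business_days(self.notified_le, 7)

    def retain_until(self) -> date:
        """Breach records, notifications and agency responses are kept at least two years."""
        try:
            return self.discovered.replace(year=self.discovered.year + 2)
        except ValueError:                # discovered on 29 February
            return self.discovered.replace(year=self.discovered.year + 2, day=28)

    def missing_fields(self) -> list:
        """Record fields the slide requires 'if available' that are still empty."""
        checks = {
            "date notified USSS/FBI": self.notified_le,
            "date notified customer": self.notified_customer,
            "description of CPNI breached": self.cpni_description,
            "circumstances of the breach": self.circumstances,
        }
        return [name for name, value in checks.items() if not value]


def broadband_order_deadlines(determined: date, affected_customers: int) -> dict:
    """Deadlines under the 2016 broadband privacy order as summarised earlier in
    the deck: customers within 30 days; FCC, FBI and USSS within 7 days when
    5,000 or more customers are affected, otherwise the FCC when customers are."""
    customers = determined + timedelta(days=30)
    if affected_customers >= 5000:
        return {"customers": customers, "fcc_fbi_usss": determined + timedelta(days=7)}
    return {"customers": customers, "fcc": customers}
```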
Opt-In and Opt-Out Procedures
Opting Methods
- There are two methods of opting approval:
  - Opt-Out: a notice stating that the carrier considers the customer to have given approval of CPNI use for marketing unless the customer informs the company otherwise
  - Opt-In: a notice requesting that the customer give permission to the company to use CPNI for third-party or independently contracted marketing
- These approval methods must be utilized and followed before CPNI is shared either internally or externally for marketing purposes
- The Company must track the opting notices, keep the signed notices on file, and notate the status in the company billing records
- The company should not send excessive notices to its customers in any fashion that could be considered badgering or harassment
- Reminder: public information such as names, addresses, and phone numbers is not considered CPNI. Companies may market to all customers based on non-CPNI. Be sure the non-CPNI marketing campaign is approved by the CPNI Compliance Officer in a supervisory review process, as all marketing should be, and goes to each customer selected by the chosen criteria
- Note: the Company should give at least 30 days’ notice of the opt-out opportunity to the customer before utilizing the CPNI for marketing in-house. The specific affiliates with which your company is sharing CPNI should be disclosed on the notice. Carriers using the opt-out mechanism must provide notices to their customers every two years. See § for details
Opt-In and Opt-Out Procedures (Continued)
- The customer must specifically “opt in” or consent to sharing their CPNI with a joint venture or third party for marketing communication-related services
- Carriers may market enhancements to services the customer already has based on CPNI without customer consent
  - If a customer subscribes to local service, the carrier does not need customer approval to use the CPNI to sell calling features for that local service, such as call waiting
- For services outside the existing scope of business, the carrier must have customer permission to market the additional services and products based upon CPNI, whether internal (Opt-Out) or third party (Opt-In)
- The customer may choose to sign an “opt-out” form, which will remove them from hearing about the services the carrier is marketing internally based upon CPNI for services offered outside the existing scope of service, unless the customer initiates a request to discuss a particular service
- Customers must be notified of their right to “opt out” of marketing endeavors for services and products outside the existing relationship
Marketing Opportunities
- Marketing without prior customer approval (Opt-Out or Opt-In) may only be done when there is an existing customer relationship
- An existing customer relationship means that the customer has already ordered a particular service or has initiated contact with the company to discuss a particular service
- Note: all employees, especially Customer Service Representatives, installation and repair technicians, receptionists, and any other front desk and phone employees, need to be aware of the rules regarding what they may discuss with a customer in order to market more services
Marketing Opportunities (Continued)
An existing customer relationship may include the following categories of service:
- Local voice and all related services
  - Customer Premises Equipment, such as telephones, fax machines, headphones, etc.
  - Second phone line
  - Calling features, such as Caller ID and Voicemail, etc.
  - Key systems
- Long distance and all related services
  - Alternative long distance plans
  - Bundles of long distance minutes, including increased-minutes plans or unlimited plans
Marketing Opportunities (Continued)
- Internet and all related services
  - Customer Premises Equipment, such as modems and routers
  - Mailboxes
  - Virus protection
  - Static IP addresses
  - Spam filtering
  - Web storage
  - Upgrade from dial-up Internet to high-speed DSL
  - Upgrade from lower-bandwidth DSL to higher-bandwidth DSL
  - Wireless broadband
Marketing Opportunities (Continued)
- Wireless phone and all related services
  - Wireless handsets and accessories
  - Upgrade service plan for more minutes
  - Upgrade service plan for additional users
  - Text messaging
  - Wireless broadband
Marketing Opportunities (Continued)
- Bundles and all related services
  - Only the services that are included in the customer’s particular bundle (along with all related services, such as upgrades within each bundle) may be discussed without requesting the customer’s approval to discuss other services
CPNI Disciplinary Procedures
CPNI Violations (Examples)
- Discussing products or services outside the existing service relationship without the customer’s permission (if Opt-Out)
- Marketing efforts without observing the opt-out and opt-in approval requirements
CPNI Breaches
- An employee acts without customer authority to intentionally use, share, or disclose CPNI
- Examples include distributing or selling CPNI to third parties, or any action that harms the customer or the Company through the release of CPNI
CPNI Responsibilities
Company Responsibilities
- Create and adopt a CPNI Manual
- Employee acknowledgement and disciplinary actions
- Designate a CPNI Compliance Officer (CPNI CO)
  - Oversees all company compliance with the FCC CPNI rules
  - CPNI CO duties are detailed later in the presentation
- Network Security
  - Responsible for the safeguarding of CPNI when it is stored in a database
  - Encryption is not required by the FCC; however, safeguard measures must be taken to protect the stored CPNI information
- Note: the FCC stressed its expectation that carriers will take affirmative measures to discover and protect against activity that is indicative of pretexting beyond what is required by the FCC’s current rules, and reminded carriers that the Telecom Act imposes on them the duty of instituting effective measures to protect the privacy of CPNI.[1]

[1] Federal Communications Commission, First Report and Order Regarding Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. and WC Docket No. , released April 2, (page 21, ¶35)
53
CPNI Responsibilities (Continued)
Compliance Officer Responsibilities (Add CO responsibilities to the designated employee’s job responsibilities and duties)
Ensure Annual Compliance Certification is Filed (Signed by Officer of Company with Personal Knowledge)
Company’s Main CPNI Point of Contact
Maintenance and Security of CPNI
Track CPNI Complaints
Include a summary of all complaints that were received during the past year in the annual certification filing
Track Actions Taken Against Data Brokers
Include a summary of such actions in the annual certification filing
Track CPNI Breaches. Maintain the records for a minimum period of 2 years.
Notification of Unauthorized Disclosure of CPNI
Review Company Marketing Procedures
Ensuring the appropriate Opt-Out and Opt-In approval requirements are met
Keep details of all marketing campaigns utilizing CPNI
Review and Document Company CPNI Use
Train Employees on CPNI Requirements and Procedures
CPNI CO will be responsible for training all company employees on CPNI requirements mandated by the FCC and the company procedures. Documentation should be kept in the CPNI file.
Ensure Employees are CPNI Trained
Ensure Customer Notification of Account Changes/Activity
Ensure Company Measures of CPNI Protection
Designate Assistant CPNI CO
54
CPNI Responsibilities (Continued)
Employee Responsibilities
Assist CPNI Compliance Officer (CPNI CO) in ensuring maintenance and security of the Company’s CPNI files
Notify CPNI CO of any CPNI-related complaints from customers
Notify CPNI CO of any breaches of CPNI rules
Review and follow CPNI requirements and procedures – attend training, have your training documented in the Company CPNI file
Assist in ensuring that customers are notified immediately of any account changes or activity
Notify CPNI CO of any CPNI violations
Assist in ensuring that sufficient measures are used to discover and protect against pretexting and unauthorized disclosures of CPNI
CPNI Disclosure
Customer Initiated Telephone Call
Non-Call Detail CPNI
Must authenticate customers before discussing non-call detail CPNI with a customer
55
CPNI Responsibilities (Continued)
Employee Responsibilities (Continued)
CPNI Disclosure (Continued)
Customer Initiated Telephone Call (Continued)
Call Detail CPNI
Must require the associated account password (one that is not prompted by readily available account information or biographical information) be supplied by the authorized account customer before providing call detail to the customer.
If the password is not supplied, then one of the other three means of call detail release approved by the FCC may be utilized:
1. Call back the customer at the telephone number of record
2. Mail to the address of record
3. Customer comes in with valid government-issued photo ID
Without the password, the employee may discuss call detail information provided by the customer that is not prompted by the employee; other call detail not provided by the customer CANNOT be discussed without the password or one of the other three approved methods.
56
CPNI Responsibilities (Continued)
Employee Responsibilities (Continued)
CPNI Disclosure (Continued)
Online Access
Must authenticate the customer prior to allowing access to the CPNI-related telecommunications service account
After authentication, the customer can only gain access to CPNI related to a telecommunications service account through a password
Authentication and password CANNOT be prompted by readily available biographical or account information
In-store Access
Must present valid photo ID that matches the account information
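The disclosure rules on the three preceding slides (authenticate before non-call detail; password or one of the three FCC-approved alternatives for call detail; a password must not be prompted by readily available account or biographical information; customer-volunteered call detail may be discussed), encoded as a decision helper a customer-service system could call before a record is shown. This is an added illustration, not the Company's or the FCC's code; the account fields, method names and the substring heuristic for "readily available" information are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Kind(Enum):
    NON_CALL_DETAIL = "non_call_detail"
    CALL_DETAIL = "call_detail"

class Method(Enum):
    NONE = "none"                            # caller offered no authenticator
    PASSWORD = "password"                    # account password (must not be bio-derived)
    CALLBACK_NUMBER_OF_RECORD = "callback"   # FCC alternative 1
    MAIL_TO_ADDRESS_OF_RECORD = "mail"       # FCC alternative 2
    IN_STORE_PHOTO_ID = "photo_id"           # FCC alternative 3 / in-store access

# The three means the FCC permits for call detail when no password is supplied.
CALL_DETAIL_ALTERNATIVES = {Method.CALLBACK_NUMBER_OF_RECORD,
                            Method.MAIL_TO_ADDRESS_OF_RECORD, Method.IN_STORE_PHOTO_ID}

@dataclass(frozen=True)
class Account:          # assumed fields; any values used are constructed
    phone: str
    ssn_last4: str
    birth_year: str

def prompted_by_readily_available_info(password: str, acct: Account) -> bool:
    """True if the password is built from account/biographical data (assumed
    heuristic: substring match on the last four phone digits, the SSN
    fragment and the birth year); such a password does not authenticate."""
    p = password.lower()
    return any(f and f.lower() in p for f in (acct.phone[-4:], acct.ssn_last4, acct.birth_year))

def may_disclose(kind: Kind, method: Method, acct: Account, password: str = "",
                 customer_volunteered: bool = False) -> tuple[bool, str]:
    """Return (allowed, reason) for a customer-initiated CPNI request."""
    if method == Method.PASSWORD and prompted_by_readily_available_info(password, acct):
        method = Method.NONE                 # a guessable password counts as no password
    authenticated = method == Method.PASSWORD or method in CALL_DETAIL_ALTERNATIVES
    if kind == Kind.NON_CALL_DETAIL:        # any approved authentication suffices
        return (True, "authenticated") if authenticated else (False, "not authenticated")
    if method == Method.PASSWORD:
        return True, "call detail released on account password"
    if method in CALL_DETAIL_ALTERNATIVES:
        return True, f"call detail released via {method.value}"
    if customer_volunteered:                 # only detail the customer supplied, unprompted
        return True, "discussing only call detail the customer supplied"
    return False, "call detail requires the password or an FCC-approved alternative"
```

Every refusal reason is a candidate audit-log entry for the CPNI CO, since repeated refusals on one account are the kind of pretexting indicator the FCC expects carriers to watch for.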
57
FCC References Section 222 of the 1996 Telecom Act
FCC Title 47 CPNI Rules:
§ (Definitions)
§ (Use of CPNI Without Customer Approval)
§ (Approval Required for Use of CPNI)
§ (Notice Required for Use of CPNI)
§ (Safeguards Required for Use of CPNI)
§ (Safeguards on the Disclosure of CPNI)
§ (Notification of CPNI Security Breaches)
FCC 1st Report & Order
58
Questions
Wendy Harper
wendy.harper@vantagepnt.com
605-995-1756
Jon Brown