Ensuring Compliance With FCC Privacy Rules
Thomas K. Crowe, Esq.
12/02/2008

In September 2008, the Enforcement Bureau of the FCC sent letters of inquiry to thousands of communications providers for suspected violations of the agency’s privacy or “customer proprietary network information” (CPNI) rules. The FCC’s actions indicate a heightening of enforcement activity in this area and the need for prompt and careful compliance. Consequently, it is essential that all covered communications providers — including wireless service providers, prepaid long-distance providers, postpaid long-distance providers and VoIP providers, among others — have policies and procedures in place to ensure compliance with FCC CPNI regulatory obligations.

It is not enough for a provider to simply create policies and procedures without thoroughly implementing them. Providers operating in today’s regulatory environment must implement systems that will achieve full CPNI compliance lest they face serious enforcement liability and consequences. In the past, the bureau typically has assessed proposed fines of $100,000 for failure to comply with CPNI regulations. In 2007 alone, proposed forfeitures in this amount were assessed against 13 different companies. Thus, it is essential for a provider to implement an overall compliance plan that permeates the entire organization from upper-level management to independent contractors.

Here are a few recommended business practices intended to maximize CPNI compliance and reduce the risk of an FCC enforcement action.

Create Written Privacy Policy. One of the most important requirements of the FCC’s new rules is that providers now must file annually a written privacy policy with the FCC by March 1 of every year. This written privacy policy must describe the procedures and procedure changes implemented by the provider to prevent the unauthorized disclosure of CPNI during the past calendar year.

To fulfill this requirement, a provider should design and implement procedures that comply with the FCC’s CPNI rules, and that also are tailored to match its business practices. However, for a provider to avoid potential liability, it should design and implement procedures that also include any additional precautions the provider deems necessary to prevent the unauthorized disclosure of CPNI. The FCC views the explicit requirements set forth by its rules as only the minimum threshold for compliance and has stated that it expects providers to take any additional steps to protect the privacy of CPNI that are feasible for the provider.

Ensure Annual FCC Certification Filing. Along with the filing of its annual written CPNI privacy policy, providers also must file a CPNI certificate with the FCC by March 1 of every year. This certificate must be signed by an officer of the provider and must state that this officer has personal knowledge that the company has established policies that ensure compliance with the FCC’s CPNI regulations. The certification also must contain details of any customer complaints during the past year related to the unauthorized release of CPNI and details of any actions taken by the company during the past year against information brokers.

Assess Authentication Procedures. A provider must authenticate (or verify) a customer prior to disclosing any CPNI to that customer during a customer-initiated telephone contact, online account access or an in-store visit. This authentication must establish clearly the customer’s identity, and can be performed through the use of a password, an e-mail sent to the customer’s e-mail account of record, or a phone call to the customer’s phone number of record, among other methods. However, any method used by a provider must not rely on a customer’s readily available biographical information or account information.