FCC Approves Tough New CPNI Rules for Carriers

The FCC approved on circulation a long-awaited order revising rules on how wireless and wireline carriers have to guard customer proprietary network information (CPNI), sources confirmed Wed. The order began circulating on the 8th floor in late Dec. Sources expect the order to be released as early as today (Thurs.).

The FCC stuck with a strict ban on carriers sharing CPNI with vendors doing billing and marketing, unless a subscriber “opts in,” sources said. Carriers have said the record in the proceeding is “devoid of evidence” that an opt-in requirement will foil pretexting, but apparently weren’t able to persuade the Commission to embrace that rationale.

In a key late development, DoJ modified demands that a carrier notify the FBI and Secret Service whenever a pretexter violates CPNI rules, without having to provide immediate notice to subscribers. The Commission accepted the revised DoJ position.

Rebuffing carriers, DoJ fused to limit the law enforcement notification requirement to significant breaches. But the department did move to mollify carriers on one point.

In its revised filing, submitted this week, DoJ clarified that carriers won’t be asked to violate state law requiring notice to customers of CPNI violations. Under the revised FCC rule, carriers still can’t notify customers for 7 business days, “notwithstanding any state law to the contrary.” The revised language makes clear: “This section does not supersede any statute, regulation, order, or interpretation in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this section, and then only to the extent of the inconsistency.”

DoJ also clarified that a carrier must maintain a record of breaches discovered, but only insofar as that information is available. Carriers still must maintain records of breaches for 2 years.