Commission Releases Long-Awaited CPNI Rule Changes
The FCC Mon. released long-awaited rules on how carriers must protect customer proprietary network information (CPNI).
The Commission agreed to a request by the FBI and the Secret Service to bar carriers from notifying customers of breaches for 7 days after federal authorities are told. Comrs. Copps and Adelstein issued partial dissents.
The Commission changed its rules to require carriers to get “opt-in consent” before sharing customer data with joint venture partners or independent contractors for marketing purposes. The FCC also extended CPNI rules to interconnected VoIP service, requiring all covered carriers to file an annual certification with the Commission. Should federal and state CPNI rules conflict, the order said, “the carrier should bring the matter to our attention in an appropriate petition.” The FCC seeks comment on more steps it can take to protect CPNI.
Most rule changes were telegraphed by the FCC before it released the order, which was approved weeks ago (CD March 15 p2).
Copps said that under the rules approved, many customers wouldn’t learn of a breach for up to 2 weeks after it occurs. “Worse, the FBI and the… Secret Service would have the ability to keep victims of these unauthorized disclosures in the dark even longer, perhaps indefinitely,” he said, adding that this is like burglary victims not being told they’ve been robbed.
“There may be circumstances in which a delayed notification regime would be reasonable, for example, when an investigation of a large-scale breach of a database might be compromised because mass notification via the media is required,” Copps said. “The Commission, however, adopts a rule that, in my opinion, is needlessly overbroad.”
Adelstein voiced similar concerns, citing the possibility of “unnecessary and even indefinite delay” of consumer notice without govt. accountability. “The Commission gives the Federal Bureau of Investigation a potentially open-ended ability to delay customer notification of security breaches,” he said: “While I expect that the FBI will work as quickly as possible to identify any investigative issues, I find no statutory basis… for granting the FBI a blank check to delay notice to customers.”
Carriers that don’t obey the rules face penalties, Chmn. Martin said: “Compliance with our consumer protection regulations is not optional for any telephone service provider. We need to take whatever actions are necessary to enforce these requirements to secure the privacy of personal and confidential information of American customers.”