FCC Takes Action Against “Pretexting”

» Articles » Legal Articles » Article

June 06, 2007

The Federal Communications Commission (FCC) has adopted new rules regarding the protection of customer proprietary network information (CPNI), which will become effective sometime in the fourth quarter of 2007. This action is part of an overall government crackdown on “pretexting,” the term for the unauthorized obtaining of telecommunications customer information from carriers through misrepresentation of a caller’s identity. Pretexting became an important issue in 2006, after the disclosure of its widespread use by private investigators and senior management of Hewlett-Packard, which had sought to investigate leaks of information to journalists by some of its directors. In December of 2006, Congress enacted legislation providing for terms of imprisonment of up to 10 years for pretexting.

Highlights of the FCC’s order include the following:

1. Carrier Authentication Requirements
After the effective date of the new rules, telecommunications carriers may, if they receive a telephone call from someone identifying him or herself as a customer, only disclose that customer’s call detail information (i.e., information about specific calls made or received by that customer, a subset of CPNI), if the customer first provides the carrier with the correct password previously supplied by the customer. Carriers may create a back-up customer authentication method in the event of a lost or forgotten password, involving “shared secrets,” that is, a question/answer combination known to the customer and carrier but “not widely known.” Customers cannot use as a back-up method “easily obtainable biographical information,” such as their mother’s maiden name.

2. Notice of Unauthorized Disclosure of CPNI
No later than within 7 business days after the “reasonable determination” of a CPNI breach, carriers will be required to notify the U.S. Secret Service and the FBI. Carriers, except under extraordinary circumstances, will not be able to notify customers or disclose the breach to the public until 7 business days have passed after notification to law enforcement, and that period can be extended by law enforcement. Carriers will have to maintain records of such breaches and notifications for 2 years.

Continue reading below

FREE Legal Training from Lorman

Lorman has over 37 years of professional training experience.
Join us for a special white paper and level up your Legal knowledge!

Litigation or Legal Holds for Reasonably Anticipated or Actual Litigation
Presented by John E. Delaney

Learn More

3. Joint Venture and Independent Contractor Use of CPNI
The FCC has modified its existing rules to clarify that carriers must obtain “opt-in” consent from each customer before disclosing that customer’s CPNI to a carrier’s joint venture partner or an independent contractor for the purpose of marketing communications-related services to that customer. This marks a change in FCC policy from requiring only “opt-out” disclosure notification to such customers, and may essentially preclude the use of independent contractors to assist in carrier marketing, as opt-in consent is very hard to obtain. This particular modification may become the subject of court challenges on First Amendment grounds.

4. Annual CPNI Certification
Each year a telecommunications carrier must have an officer, as agent of the carrier, sign a compliance certificate. The officer must state in the certificate that he or she has personal knowledge that the company has established operating procedures which ensure that it is in compliance with the FCC’s CPNI rules. The FCC has now modified this rule to require that the certificate be filed each year by March 1 with the FCC Enforcement Bureau. It must also describe any actions taken against pretexters in the past year.

According to the FCC’s new rules, the FCC will take “strong enforcement measures” to enforce its new CPNI requirements even though it does not prescribe any particular method by which carriers must protect CPNI. The FCC takes a “flexible” approach, but places carriers “on notice” that the FCC will infer from evidence that a pretexter has obtained unauthorized access to a customer’s CPNI that the carrier did not sufficiently protect the customer’s CPNI or CPNI generally, rendering the carrier liable to enforcement action, including forfeitures.

The new rules obviously represent the FCC’s reaction to the recent pretexting abuses and their efforts to protect consumer privacy. But if upheld by the courts, the new rules also will substantially increase telecom carrier costs and potential liabilities.

For more information, e-mail Peter M. Connolly at [email protected] or call toll free, 1-888-688-8500.

More Legal Articles

The material appearing in this web site is for informational purposes only and is not legal advice. Transmission of this information is not intended to create, and receipt does not constitute, an attorney-client relationship. The information provided herein is intended only as general information which may or may not reflect the most current developments. Although these materials may be prepared by professionals, they should not be used as a substitute for professional services. If legal or other professional advice is required, the services of a professional should be sought.

The opinions or viewpoints expressed herein do not necessarily reflect those of Lorman Education Services. All materials and content were prepared by persons and/or entities other than Lorman Education Services, and said other persons and/or entities are solely responsible for their content.

Any links to other web sites are not intended to be referrals or endorsements of these sites. The links provided are maintained by the respective organizations, and they are solely responsible for the content of their own sites.