Federal Communications Commission
Washington, D.C. 20554
In the Matter of )
AT&T Inc. )
) File No. EB-06-TC-059
Apparent Liability for ) NAL/Acct. No. 200632170003
Forfeiture ) FRN: 0004305124
NOTICE OF APPARENT LIABILITY FOR FORFEITURE
Adopted: January 30, 2006 Released: January 30,
By the Chief, Enforcement Bureau:
1. In this Notice of Apparent Liability for Forfeiture
(``NAL''), we find that AT&T Inc. (``AT&T'') apparently violated
section 64.2009(e) of the Commission's rules1 by failing to have
a corporate officer with personal knowledge execute an annual
certificate stating that the company has established operating
procedures adequate to ensure compliance with the Commission's
rules governing protection and use of Customer Proprietary
Network Information (``CPNI''). Protection of CPNI is a
fundamental obligation of all telecommunications carriers as
provided by section 222 of the Communications Act of 1934, as
amended (``Communications Act'' or ``Act''). Based upon our
review of the facts and circumstances surrounding this apparent
violation, and in particular the serious consequences that may
flow from inadequate concern for and protection of CPNI, we
propose a monetary forfeiture of $100,000 against AT&T for its
apparent failure to comply with section 64.2009(e) of the
2. The Enforcement Bureau (``Bureau'') has been
investigating the adequacy of procedures implemented by
telecommunications carriers to ensure confidentiality of their
subscribers' CPNI, based on concerns regarding the apparent
availability to third parties of sensitive, personal subscriber
information. For example, some companies, known as ``data
brokers,'' have advertised the availability of records of
wireless subscribers' incoming and outgoing telephone calls for a
fee.2 Data brokers have also advertised the availability of
certain landline toll calls.3
3. As part of our inquiry into these issues, the Bureau
directed several carriers, including AT&T, to submit their most
recent certification prepared in compliance with section
64.2009(e) of the Commission's rules. On January 27, 2006, AT&T
submitted documents constituting certifications by the SBC
Communications, Inc. (SBC) companies. AT&T, however, did not
provide any annual certification prepared by the former AT&T
Corp. Accordingly, it appears that AT&T has not prepared and
maintained a certification in compliance with section 64.2009(e)
of the Commission's rules. Therefore, we issue this proposed
4. Section 222 imposes the general duty on all
telecommunications carriers to protect the confidentiality of
their subscribers' proprietary information.4 The Commission has
issued rules implementing section 222 of the Act.5 The
Commission required carriers to establish and maintain a system
designed to ensure that carriers adequately protected their
subscribers' CPNI. Section 64.2009(e) is one such requirement.
Pursuant to section 64.2009(e):
A telecommunications carrier must have an officer,
as an agent of the carrier, sign a compliance
certificate on an annual basis stating that the
officer has personal knowledge that the company
has established operating procedures that are
adequate to ensure compliance with the rules in
this subpart. The carrier must provide a
statement accompanying the certificate explaining
how its operating procedures ensure that it is or
is not in compliance with the rules in this
5. On January 25, 2006, the Bureau directed AT&T, among
other companies, to produce the most recent compliance
certificate that it had prepared in compliance with section
64.2009(e) of the Commission's rules.7 In light of their recent
merger, and to review the compliance by both, the Bureau asked
for the most recent certification prepared for SBC as well as the
most recent certification prepared by AT&T Corp. On January 27,
2006, AT&T provided documents constituting the most recent
certifications prepared for SBC. AT&T, however, did not produce
a certification for AT&T Corp. AT&T could not demonstrate that
it had in its possession a certification that AT&T Corp. had
prepared in compliance with section 64.2009(e) of the
6. We conclude that AT&T has apparently failed to comply
with the requirement that it have an officer certify on an annual
basis that the officer has personal knowledge that AT&T has
established operating procedures adequate to ensure compliance
with the Commission's CPNI rules. For this apparent violation,
we propose a forfeiture.
IV. FORFEITURE AMOUNT
7. Section 503(b) of the Communications Act authorizes the
Commission to assess a forfeiture of up to $130,000 for each
violation of the Act or of any rule, regulation, or order issued
by the Commission under the Act.8 The Commission may assess this
penalty if it determines that the carrier's noncompliance is
``willful or repeated.''9 For a violation to be willful, it need
not be intentional.10 In exercising our forfeiture authority, we
are required to take into account ``the nature, circumstances,
extent, and gravity of the violation and, with respect to the
violator, the degree of culpability, any history of prior
offenses, ability to pay, and such other matters as justice may
require.''11 In addition, the Commission has established
guidelines for forfeiture amounts and, where there is no specific
base amount for a violation, retained discretion to set an amount
on a case-by-case basis.12
8. The Commission's forfeiture guidelines do not address
the specific violation at issue in this proceeding. In
determining the proper forfeiture amount in this case, however,
we are guided by the principle that there may be no more
important obligation on a carrier's part than protection of its
subscribers' proprietary information. Consumers are increasingly
concerned about the security of their sensitive, personal data
that they must entrust to their various service providers,
whether they are financial institutions or telephone companies.
Given the increasing concern about the security of this data, and
evidence that the data appears to be widely available to third
parties, we must take aggressive, substantial steps to ensure
that carriers implement necessary and adequate measures to
protect their subscribers' CPNI as required by the Commission's
existing CPNI rules. In this case, AT&T has apparently not
complied with the Commission's rules, as evidenced by the
apparent absence of the required compliance certification. Based
on all the facts and circumstances present in this case, we
believe a proposed forfeiture of $100,000 is warranted.13
9. AT&T will have the opportunity to submit further
evidence and arguments in response to this NAL to show that no
forfeiture should be imposed or that some lesser amount should be
V. CONCLUSION AND ORDERING CLAUSES
10. We have determined that AT&T has apparently violated
Section 64.2009(e) of the Commission's rules by failing to
prepare and maintain a certification in compliance with the rule.
We find AT&T apparently liable for $100,000.
11. ACCORDINGLY, IT IS ORDERED THAT, pursuant to Section
503(b) of the Communications Act of 1934, as amended,15 Section
1.80(f)(4) of the Commission's rules,16 and authority delegated
by Sections 0.111 and 0.311 of the Commission's rules,17 AT&T IS
LIABLE FOR A MONETARY FORFEITURE in the amount of one hundred
thousand dollars ($100,000) for willfully or repeatedly violating
Section 64.2009 of the Commission's rules, by failing to prepare
and maintain a certificate that complies with 64.2009(e).
12. IT IS FURTHER ORDERED THAT, pursuant to section 1.80 of
the Commission's Rules, within thirty days of the release date of
this NOTICE OF APPARENT LIABILITY, AT&T SHALL PAY the full amount
of the proposed forfeiture or SHALL FILE a written statement
seeking reduction or cancellation of the proposed forfeiture.
13. Payment of the forfeiture must be made by check or
similar instrument, payable to the order of the Federal
Communications Commission. The payment must include the
NAL/Acct. No. and FRN No. referenced above. Payment by check or
money order may be mailed to Federal Communications Commission,
P.O. Box 358340, Pittsburgh, PA 15251-8340. Payment by overnight
mail may be sent to Mellon Bank/LB 358340, 500 Ross Street, Room
1540670, Pittsburgh, PA 15251. Payment by wire transfer may be
made to ABA Number 043000261, receiving bank Mellon Bank, and
account number 911-6106. Requests for payment of the full amount
of this NAL under an installment plan should be sent to Chief,
Credit and Management Center, 445 12th Street, S.W., Washington,
14. IT IS FURTHER ORDERED that a copy of this Order shall
be sent by Certified Mail, Return Receipt Requested to AT&T
FEDERAL COMMUNICATIONS COMMISSION
Kris A. Monteith
Chief, Enforcement Bureau
1 See 47 C.F.R. § 64.2009(e).
2 See, e.g., http://www.epic.org/privacy/iei/.
3 See id.
4 Section 222 of the Communications Act, 47 U.S.C. § 222, provides
that: ``Every telecommunications carrier has a duty to protect
the confidentiality of proprietary information of, and relating
to, other telecommunications carriers, equipment manufacturers,
and customers, including telecommunication carriers reselling
telecommunications services provided by a telecommunications
5 In the Matter of Implementation of the Telecommunications Act
of 1996: Telecommunications Carriers' Use of Customer Proprietary
Network Information and Other Customer Information and
Implementation of the Non-Accounting Safeguards of Sections 271
and 272 of the Communications Act of 1934, as amended, CC Docket
Nos. 96-115 and 96-149, FCC 98-27, Order and Further Notice of
Proposed Rulemaking, 13 FCC Rcd 8061 (1998) (``CPNI Order'').
See also, In the Matter of Implementation of The
Telecommunications Act Of 1996 Telecommunications Carriers' Use
Of Customer Proprietary Network Information And Other Customer
Information; CC Docket No. 96-115, Implementation Of The Non-
Accounting Safeguards Of Sections 271 And 272 Of The
Communications Act Of 1934, As Amended CC Docket No. 96-149, FCC
99-223, Order on Reconsideration and Petitions for Forbearance 14
FCC Rcd 14409 (1999), Released September 3, 1999; see also In
The Matter Of Implementation Of The Telecommunications Act Of
1996: Telecommunications Carriers' Use Of Customer Proprietary
Network Information And Other Customer Information; CC Docket No.
96-115 Implementation Of The Non-Accounting Safeguards Of
Sections 271 And 272 Of The Communications Act Of 1934, As
Amended CC Docket No. 96-149, 2000 Biennial Regulatory Review --
Review Of Policies And Rules Concerning Unauthorized Changes Of
Consumers' Long Distance Carriers CC Docket No. 00-257 FCC 02-214
Third Report and Order and Third Further Notice of Proposed
Rulemaking, 17 FCC Rcd 14860 (2002).
6 47 C.F.R. § 64.2009(e).
7 47 C.F.R. § 64.2009.
8 Section 503(b)(2)(B) provides for forfeitures against common
carriers of up to $130,000 for each violation or each day of a
continuing violation up to a maximum of $1,325,000 for each
continuing violation. 47 U.S.C. § 503(b)(2)(B). See Amendment
of Section 1.80 of the Commission's Rules and Adjustment of
Forfeiture Maxima to Reflect Inflation, 15 FCC Rcd 18221 (2000);
Amendment of Section 1.80 of the Commission's Rules and
Adjustment of Forfeiture Maxima to Reflect Inflation, 19 FCC Rcd
10945 (2004) (increasing maximum forfeiture amounts to account
9 47 U.S.C. § 503(b)(1)(B). The Commission has authority under
this section of the Act to assess a forfeiture penalty against a
common carrier if the Commission determines that the carrier has
``willfully or repeatedly'' failed to comply with the provisions
of the Act or with any rule, regulation, or order issued by the
Commission under the Act. The section provides that the
Commission must assess such penalties through the use of a
written notice of apparent liability or notice of opportunity for
hearing. See 47 U.S.C. § 503(b)(4)(A). Here, as described
above, AT&T's actions were willful as it apparently failed to
prepare the required compliance certification.
10 Southern California Broadcasting Co., 6 FCC Rcd 4387 (1991).
11 See 47 U.S.C. § 503(b)(2)(D); see also The Commission's
Forfeiture Policy Statement and Amendment of Section 1.80 of the
Commission's Rules, 12 FCC Rcd 17087 (1997) (``Forfeiture Policy
Statement''); recon. denied, 15 FCC Rcd 303 (1999).
12 Forfeiture Policy Statement, 12 FCC Rcd 17098-99, ¶ 22.
13 47 U.S.C. § 503(b)(4)(A).
14 47 U.S.C. § 503(b)(4)(C); 47 C.F.R. § 1.80(f)(3).
15 47 U.S.C. § 503(b).
16 47 U.S.C. § 1.80(f)(4).
17 47 C.F.R. §§ 0.111, 0.311.