DA 12-170
February 16, 2012
Enforcement Advisory No. 2012-01
TELECOMMUNICATIONS CARRIERS AND INTERCONNECTED VOIP PROVIDERS REMINDED OF
REQUIREMENT TO FILE ANNUAL REPORTS CERTIFYING COMPLIANCE WITH COMMISSION
RULES PROTECTING
CUSTOMER PROPRIETARY NETWORK INFORMATION
ANNUAL CPNI CERTIFICATIONS DUE MARCH 1, 2012
Filing of 2011 Annual Customer Proprietary Network Information (CPNI)
Certifications
EB Docket No. 06-36
As it has in the past several years, the FCC's Enforcement Bureau is
issuing an Enforcement Advisory at the beginning of the calendar year to
remind telecommunications carriers and interconnected VoIP providers of
their obligation to file, by March 1, their annual reports certifying
compliance with the Commission's rules protecting Customer Proprietary
Network Information (CPNI). CPNI includes some of the most sensitive
personal information that carriers have about their customers as a result
of their business relationship (e.g., phone numbers called; the frequency,
duration, and timing of such calls; and any services purchased by the
consumer, such as call waiting). In prior years, many companies have
failed to file, or have filed certificates that failed to comply with our
rules in material respects. Failure to file a timely and complete
certification calls into question whether a company has properly complied
with the rules requiring it to protect its customers' sensitive
information. Telecommunications carriers and interconnected VoIP providers
may satisfy their certification filing obligation in several ways, each of
which is described in Attachment 1.
Because the CPNI rules provide important consumer protections, the
Commission has initiated enforcement action against telecommunications
carriers and interconnected VoIP providers that are not in compliance with
the requirements, and we intend to continue to strictly enforce the rules.
Companies are reminded that failure to comply with the CPNI rules,
including the annual certification requirement, may subject them to
enforcement action, including monetary forfeitures of up to $150,000 for
each violation or each day of a continuing violation, up to a maximum of
$1,500,000. False statements or misrepresentations to the Commission may
be punishable by fine or imprisonment under Title 18 of the U.S. Code.
Attachments: (1) Frequently Asked Questions; (2) CPNI Certification
Template; (3) Text of the CPNI rules.
Issued by: Chief, Enforcement Bureau
ATTACHMENT 1
FREQUENTLY ASKED QUESTIONS
The following frequently asked questions are addressed in this Enforcement
Advisory:
* What are the CPNI rules, and where can I find them?
* Who is required to file?
* Is there an exemption for small companies?
* What must be included in the filing?
* When are companies required to file the annual certification?
* Is this the same as my form 499 filing or my USF filing?
* What format should I use for my CPNI certification?
* How do I file the CPNI certification?
* What if I have questions?
What are the CPNI rules, and where can I find them?
Protection of CPNI is a fundamental obligation under section 222 of the
Communications Act of 1934, as amended (Act). Consumers are understandably
concerned about the security of the sensitive, personal data they provide
to their service providers. In recognition of these concerns, the
Commission has issued rules requiring carriers and interconnected VoIP
providers to establish and maintain systems designed to ensure that they
adequately protect their subscribers' CPNI. Those rules also require that
all companies subject to the CPNI rules file an annual certification
documenting their compliance with the rules, and documenting any
complaints or problems. Companies must file these certifications with the
Commission on or before March 1 each year.
The CPNI rules are found at 47 C.F.R. § 64.2001 et seq. A copy of the
current version of the certification portion of the rules is attached to
this Enforcement Advisory. The attached version of the rules is current as
of this date. In the future, to ensure that you are aware of any changes
to the rules, you are advised always to check the current version of the
Code of Federal Regulations, which can be found at the Government Printing
Office website, here: http://www.gpoaccess.gov/CFR/.
Who is required to file?
Telecommunications carriers and interconnected VoIP providers must file a
CPNI certification each year.
* A "telecommunications carrier" is "any provider of telecommunications
services," except an aggregator. 47 U.S.C. § 153(44).
Telecommunications service is defined in the Communications Act as
"the offering of telecommunications for a fee directly to the public,
or to such classes of users as to be effectively available directly to
the public, regardless of the facilities used." 47 U.S.C. § 153(46).
* Some examples of "telecommunications carriers" that must file an
annual certification are: local exchange carriers (LECs) (including
incumbent LECs, rural LECs and competitive LECs), interexchange
carriers, paging providers, commercial mobile radio services
providers, resellers, prepaid telecommunications providers, and
calling card providers. This list is not exhaustive.
* "Interconnected VoIP providers" are companies that provide a service
that: "(1) enables real-time, two-way voice communications; (2)
requires a broadband connection from the user's location; (3) requires
Internet protocol-compatible customer premises equipment (CPE); and
(4) permits users generally to receive calls that originate on the
public switched telephone network and terminate calls to the public
switched network." 47 C.F.R. § 9.3.
Is there an exemption for small companies?
No, there is no exemption for small companies. Section 64.2009(e) - the
annual certification filing requirement - applies regardless of the size
of the company.
What must be included in the filing?
The certification must include all of the elements listed below:
* an officer of the company must sign the compliance certificate;
* the officer must state in the certification that he or she has
personal knowledge that the company has established operating
procedures that are adequate to ensure compliance with the CPNI rules;
* the company must provide a written statement accompanying the
certification explaining how its operating procedures ensure that it
is or is not in compliance with the CPNI rules;
* the company must include an explanation of any actions taken against
data brokers; and
* the company must include a summary of all consumer complaints received
in the prior year concerning unauthorized release of CPNI.
In reviewing prior years' filings, we have found a number of recurring
deficiencies. In particular, many companies:
(1) fail to have the officer signing the certification affirmatively state
that he or she has personal knowledge that the company has established
operating procedures that are adequate to ensure compliance;
(2) fail to provide a statement accompanying the certification explaining
how their operating procedures ensure that they are or are not in
compliance with the rules. Simply stating that the company has adopted
operating procedures without explaining how compliance is being achieved
does not satisfy this requirement;
(3) fail to state clearly whether any actions were taken against data
brokers in the prior year (if there were no such actions, the company
should include an affirmative statement of that fact, in order to make
clear that it has provided the required information); and
(4) fail to state clearly whether any customer complaints were received in
the prior year concerning the unauthorized release of CPNI (if there were
no such complaints, the company should include an affirmative statement
of that fact, in order to make clear that it has provided the required
information).
In order to help companies ensure that their certifications contain all of
the required information, we are providing a suggested template, attached
to this Enforcement Advisory.
When must my company file the annual certification?
The 2012 annual certification filing (for calendar year 2011) is due no
sooner than January 1, 2012, but no later than March 1, 2012. You may not
file before January 1, 2012, because your certification must contain data
pertaining to the entire previous calendar year. Certifications filed
before January 1, 2012 do not comply with the rules. If you filed too
soon, you must re-file by March 1 with a new certification that covers the
entire calendar year 2011. If you filed after January 1, 2012, we
recommend that you review your certification to ensure that it complies
with all the necessary information (including the required attachments and
explanations) and refile if needed.
Is this the same as my form 499 filing or my USF filing?
No, the annual CPNI certification filing is different from form 499
filings or USF filings.
What format should I use for my CPNI certification?
A suggested template is attached to this Enforcement Advisory. See
Attachment 2. This template was designed to ensure that companies will be
in compliance with the annual certification filing requirement of 47
C.F.R. § 64.2009(e) if they complete it fully and accurately. Use of this
template is not mandatory, and companies may use any format that fulfills
the requirements of the rule. If you elect to use the suggested template,
we encourage you to review the template carefully and to ensure that all
fields are fully completed before submission.
How do I file the CPNI certification?
Certifications may be filed: (1) using the Commission's web-based
application; (2) using the Commission's Electronic Comment Filing System
(ECFS); or (3) by filing paper copies. Paper filings and filings submitted
through ECFS must reference EB Docket No. 06-36 and must be addressed to
the Commission's Secretary, Marlene H. Dortch, Office of the Secretary,
Federal Communications Commission, 445 12th Street, SW, Suite TW-A325,
Washington, DC 20554. Under no circumstances should copies of
certifications be sent to the Enforcement Bureau or to any individuals
within the Enforcement Bureau unless such filing is a requirement of a
consent decree with the Enforcement Bureau.
* Web-Based Electronic Filers: To file a certification using the
Commission's web-based application specifically designed for this
purpose, visit http://apps.fcc.gov/eb/CPNI. Instructions are provided
at the website.
* ECFS Electronic Filers: To file a certification using ECFS, visit
http://www.fcc.gov/cgb/ecfs/. In completing the transmittal screen,
filers should include their full name, U.S. Postal Service mailing
address, and the applicable docket or rulemaking number. Instructions
are provided at the website.
* Paper Filers: Parties who choose to file by paper must file an
original and four copies of each filing. All filings must reference EB
Docket No. 06-36 and be addressed to Marlene H. Dortch, Secretary,
Federal Communications Commission, 445 12th Street SW, Suite TW-A325,
Washington, DC 20554. Filings may be transmitted by hand or messenger
delivery, by commercial overnight courier, or by first-class or
overnight U.S. Postal Service mail as follows:
* Hand or messenger-delivered paper filings should be directed
to the Commission's headquarters building, at 445 12th Street
SW, Washington, DC 20554. The filing hours at this location
are 8:00 a.m. to 7:00 p.m. All hand deliveries must be held
together with rubber bands or fasteners. Any envelopes must be
disposed of before entering the building.
* Commercial overnight mail (other than U.S. Postal Service
Express Mail and Priority Mail) should be directed to 9300
East Hampton Drive, Capitol Heights, MD 20743.
* U.S. Postal Service first-class, Express, and Priority mail
should be directed to the Commission's Secretary at her
address, provided above.
People with Disabilities: To request materials in accessible formats for
people with disabilities (braille, large print, electronic files, audio
format), send an e-mail to fcc504@fcc.gov or call the Consumer &
Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (tty).
What if I have questions?
For further information regarding the annual certification filing, contact
any of the following individuals in the Telecommunications Consumers
Division, Enforcement Bureau: Edward Hayes (202) 418-7994, Donna Cyrus
(202) 418-7325, Mika Savir (202) 418-0384, or Kimberly Wild (202)
418-1324.
ATTACHMENT 2
Annual 47 C.F.R. § 64.2009(e) CPNI Certification Template
EB Docket 06-36
Annual 64.2009(e) CPNI Certification for [Insert year] covering the prior
calendar year [Insert year]
1. Date filed: [Insert date]
2. Name of company(s) covered by this certification: [Insert company name]
3. Form 499 Filer ID: [Provide relevant ID number(s)]
4. Name of signatory: [Insert name]
5. Title of signatory: [Insert title of corporate officer]
6. Certification:
I, [Insert name of officer signing certification], certify that I am an
officer of the company named above, and acting as an agent of the company,
that I have personal knowledge that the company has established operating
procedures that are adequate to ensure compliance with the Commission's
CPNI rules. See 47 C.F.R. § 64.2001 et seq.
Attached to this certification is an accompanying statement explaining how
the company's procedures ensure that the company is in compliance with the
requirements (including those mandating the adoption of CPNI procedures,
training, recordkeeping, and supervisory review) set forth in section
64.2001 et seq. of the Commission's rules.
The company [has/has not] taken actions (i.e., proceedings instituted or
petitions filed by a company at either state commissions, the court
system, or at the Commission against data brokers) against data brokers in
the past year. [NOTE: If you reply in the affirmative, provide an
explanation of any actions taken against data brokers.]
The company [has/has not] received customer complaints in the past year
concerning the unauthorized release of CPNI [NOTE: If you reply in the
affirmative, provide a summary of such complaints. This summary must
include the number of complaints, broken down by category or complaint,
e.g., instances of improper access by employees, instances of improper
disclosure to individuals not authorized to receive the information, or
instances of improper access to online information by individuals not
authorized to view the information.]
The company represents and warrants that the above certification is
consistent with 47 C.F.R. § 1.17, which requires truthful and accurate
statements to the Commission. The company also acknowledges that false
statements and misrepresentations to the Commission are punishable under
Title 18 of the U.S. Code and may subject it to enforcement action.
Signed _____________________________ [Signature of an officer, as agent of
the carrier]
Attachments: Accompanying Statement explaining CPNI procedures
Explanation of actions taken against data brokers (if applicable)
Summary of customer complaints (if applicable)
ATTACHMENT 3
47 C.F.R. § 64.2009 Safeguards required for use of customer proprietary
network information.
(a) Telecommunications carriers must implement a system by which the
status of a customer's CPNI approval can be clearly established prior to
the use of CPNI.
(b) Telecommunications carriers must train their personnel as to when they
are and are not authorized to use CPNI, and carriers must have an express
disciplinary process in place.
(c) All carriers shall maintain a record, electronically or in some other
manner, of their own and their affiliates' sales and marketing campaigns
that use their customers' CPNI. All carriers shall maintain a record of
all instances where CPNI was disclosed or provided to third parties, or
where third parties were allowed access to CPNI. The record must include a
description of each campaign, the specific CPNI that was used in the
campaign, and what products and services were offered as a part of the
campaign. Carriers shall retain the record for a minimum of one year.
(d) Telecommunications carriers must establish a supervisory review
process regarding carrier compliance with the rules in this subpart for
outbound marketing situations and maintain records of carrier compliance
for a minimum period of one year. Specifically, sales personnel must
obtain supervisory approval of any proposed outbound marketing request for
customer approval.
(e) A telecommunications carrier must have an officer, as an agent of the
carrier, sign and file with the Commission a compliance certificate on an
annual basis. The officer must state in the certification that he or she
has personal knowledge that the company has established operating
procedures that are adequate to ensure compliance with the rules in this
subpart. The carrier must provide a statement accompanying the certificate
explaining how its operating procedures ensure that it is or is not in
compliance with the rules in this subpart. In addition, the carrier must
include an explanation of any actions taken against data brokers and a
summary of all customer complaints received in the past year concerning
the unauthorized release of CPNI. This filing must be made annually with
the Enforcement Bureau on or before March 1 in EB Docket No. 06-36, for
data pertaining to the previous calendar year.
(f) Carriers must provide written notice within five business days to the
Commission of any instance where the opt-out mechanisms do not work
properly, to such a degree that consumers' inability to opt-out is more
than an anomaly.
(1) The notice shall be in the form of a letter, and shall include the
carrier's name, a description of the opt-out mechanism(s) used, the
problem(s) experienced, the remedy proposed and when it will be/was
implemented, whether the relevant state commission(s) has been notified
and whether it has taken any action, a copy of the notice provided to
customers, and contact information.
(2) Such notice must be submitted even if the carrier offers other methods
by which consumers may opt-out.
By this Enforcement Advisory, the FCC's Enforcement Bureau highlights
certain obligations under the CPNI rules. Failure to receive this notice
does not absolve a provider of the obligation to meet the requirements of
the Communications Act of 1934, as amended, or the Commission's rules and
orders. Companies should read the full text of the relevant CPNI rules at
47 C.F.R. § 64.2001 et seq.
47 U.S.C. § 503(b)(2)(B); see also 47 C.F.R. § 1.80(b)(2); Amendment of
Section 1.80(b) of the Commission's Rules, Adjustment of Forfeiture Maxima
to Reflect Inflation, Order, 15 FCC Rcd 18221 (2000).
Section 226 defines an aggregator as "any person that, in the ordinary
course of its operations, makes telephones available to the public or
transient users of its premises, for interstate telephone calls using a
provider of operator services." 47 U.S.C. § 226(a)(2).
PUBLIC NOTICE
FCC ENFORCEMENT ADVISORY
Federal Communications Commission
445 12th St., S.W.
Washington, D.C. 20554
News Media Information 202 / 418-0500
Internet: http://www.fcc.gov
TTY: 1-888-835-5322