Click here for Adobe Acrobat version
Click here for Microsoft Word version
********************************************************
NOTICE
********************************************************
This document was converted from Microsoft Word.
Content from the original version of the document such as
headers, footers, footnotes, endnotes, graphics, and page numbers
will not show up in this text version.
All text attributes such as bold, italic, underlining, etc. from the
original document will not show up in this text version.
Features of the original document layout such as
columns, tables, line and letter spacing, pagination, and margins
will not be preserved in the text version.
If you need the complete document, download the
Microsoft Word or Adobe Acrobat version.
*****************************************************************
Before the
Federal Communications Commission
Washington, D.C. 20554
)
)
)
In the Matter of File No. EB-09-TC-119
)
Leflore Communications, Inc. NAL/Acct. No. 200932170078
)
Apparent Liability for Forfeiture FRN: 0005413042
)
)
)
NOTICE OF APPARENT LIABILITY FOR FORFEITURE
Adopted: February 24, 2009 Released: February 24, 2009
By the Chief, Enforcement Bureau:
I. INTRODUCTION
1. In this Notice of Apparent Liability for Forfeiture ("NAL"), we find
that Leflore Communications, Inc. ("Leflore" or "Company") apparently
willfully or repeatedly violated section 222 of the Communications Act
of 1934, as amended (the "Act"), section 64.2009(e) of the
Commission's rules and the Commission's EPIC CPNI Order. Protection
of CPNI is a fundamental obligation of all telecommunications carriers
as provided by section 222 of the Act. Based upon our review of the
facts and circumstances surrounding this apparent violation, we find
that Leflore is apparently liable for a monetary forfeiture in the
amount of four thousand dollars ($4,000). Leflore will have the
opportunity to submit further evidence and arguments in response to
this NAL to show that no forfeiture should be imposed or that some
lesser amount should be assessed.
II. BACKGROUND
2. Section 222 imposes the general duty on all telecommunications
carriers to protect the confidentiality of their subscribers'
proprietary information. The Commission has issued rules implementing
section 222 of the Act. The Commission required carriers to establish
and maintain a system designed to ensure that carriers adequately
protected their subscribers' CPNI. Section 64.2009(e) is one such
requirement.
3. In 2006, some companies, known as "data brokers," advertised the
availability of records of wireless subscribers' incoming and outgoing
telephone calls for a fee. Data brokers also advertised the
availability of records of certain landline toll calls. On April 2,
2007, the Commission strengthened its privacy rules with the release
of the EPIC CPNI Order, which adopts additional safeguards to protect
CPNI against unauthorized access and disclosure. The EPIC CPNI Order
was directly responsive to the actions of databrokers, or pretexters,
to obtain unauthorized access to CPNI. The EPIC CPNI Order and
amended rule 47 C.F.R. S: 64.2009(e) require that all companies
subject to the CPNI rules file annually, on or before March 1, a
certification with the Commission that certifies to the company's
compliance with the Commission's CPNI rules and provides an
accompanying statement explaining how the company's procedures ensure
that the company is or is not in compliance with the CPNI rules.
Additionally, companies must now provide "an explanation of any
actions taken against data brokers and a summary of all customer
complaints received in the past year concerning the unauthorized
release of CPNI."
III. DISCUSSION
4. On February 25, 2008, Leflore filed its annual CPNI compliance
certificate with the Commission. The Bureau has determined that the
CPNI compliance certificate filed by Leflore does not meet the
requirements of section 64.2009(e) of the Commission's rules. The
Commission's rules require that telecommunications carriers file their
annual compliance certification with the Bureau on or before March 1.
Thus, on March 1, Leflore had a non-compliant CPNI certification on
file with the Commission. In particular, Leflore has failed to submit
an annual CPNI compliance certificate that provides an accompanying
statement explaining how the company's operating procedures ensure
that it is or is not in compliance with the rules. Accordingly,
Leflore's submission, on its face, does not comply with section
64.2009(e) of the Commission's rules. We conclude that Leflore is in
apparent violation of section 222 of the Act, section 64.2009(e) of
the Commission's rules and the Commission's EPIC CPNI Order. For these
apparent violations, we propose a forfeiture.
IV. FORFEITURE AMOUNT
5. Section 503(b) of the Communications Act authorizes the Commission to
assess a forfeiture of up to $130,000 for each violation of the Act or
of any rule, regulation, or order issued by the Commission under the
Act. The Commission may assess this penalty if it determines that the
carrier's noncompliance is "willful or repeated." For a violation to
be willful, it need not be intentional. In exercising our forfeiture
authority, we are required to take into account "the nature,
circumstances, extent, and gravity of the violation and, with respect
to the violator, the degree of culpability, any history of prior
offenses, ability to pay, and such other matters as justice may
require." In addition, the Commission has established guidelines for
forfeiture amounts and, where there is no specific base amount for a
violation, retained discretion to set an amount on a case-by-case
basis.
6. The Commission's forfeiture guidelines do not address the specific
violation at issue in this proceeding. In determining the proper
forfeiture amount in this case; however, we are guided by the
principle that protection of subscribers' proprietary information is
an important carrier obligation. Consumers are understandably
concerned about the security of their sensitive, personal data that
they must entrust to their various service providers, whether they are
financial institutions or telephone companies. Given consumers'
continued concern about the security of this data, and evidence that
the data appears to be available to third parties, we must take
serious steps to ensure that carriers implement necessary and adequate
measures to protect their subscribers' CPNI, as required by the
Commission's existing CPNI rules.
7. In prior actions in 2006, the Commission issued Notices of Apparent
Liability for Forfeiture proposing forfeitures in the amount of
$100,000 against carriers for violations of the Commission's CPNI
rules. Under the rules operative at that time, carriers were not
required to file the annual certification with the Commission but
instead were required to make the certificate available to the
Commission upon request. The Commission's investigations demonstrated
that some companies appeared to pay little heed to rules which placed
a duty upon them to maintain certifications and make the
representations therein that processes were in place to protect CPNI
without the further scrutiny of the Commission. Accordingly, a
substantial forfeiture was proposed.
8. As explained above, the Commission strengthened the CPNI rules in
2007, in part, as a response to earlier investigations, and imposed,
among other things, the requirement that carriers submit the annual
certifications to the Commission rather than rely solely on non-filed
carrier certifications and representations of compliance with the
rules, without further scrutiny. We have conducted an extensive review
of the certifications filed with the Commission to satisfy the March
1, 2008, filing deadline, as well as examined failures to satisfy the
filing requirement all together. Informed by this analysis and our
earlier investigations, we revise our forfeiture approach and adopt a
maximum proposed forfeiture of $10,000 for the submission of an annual
CPNI certification that fails to meet the requirements of section
64.2009(e). This revised proposed forfeiture is based on a number of
factors. Specifically, we have considered compliance overall based on
our review of the annual submissions; the expanded scope of the new
rule to require additional types of information to be produced; and,
the amount of forfeiture necessary to have the intended deterrent
effect. With respect to this latter factor, we note that the vast
majority of the companies affected are smaller companies. Given this
fact, and that this is the first year of the filing requirement, we
believe that the goal of deterring future non-compliance with respect
to the required elements of section 64.2009(e) will be met by issuing
proposed forfeitures consistent with the maximum amount proposed
herein. We take noncompliance with our CPNI rules very seriously. To
the extent that we determine that the forfeiture approach adopted
herein does not have the intended deterrent effect, future
noncompliance will face more severe penalties.
9. In determining the appropriate proposed forfeiture, we are cognizant
that certain violations are more technical in nature and do not
greatly inhibit the Commission's ability to judge the effectiveness of
a company's CPNI policies while others are more substantive in nature
and limit the usefulness of the certification in determining overall
compliance with the rules. In this case, Leflore apparently failed to
submit an annual CPNI compliance certificate that provides an
accompanying statement explaining how the company's operating
procedures ensure that it is or is not in compliance with the rules.
Based on the nature of this noncompliance and all the facts and
circumstances present in this case, we believe the proposed forfeiture
of four thousand dollars ($4,000) is warranted.
10. Leflore will have the opportunity to submit further evidence and
arguments in response to this NAL to show that no forfeiture should be
imposed or that some lesser amount should be assessed. For example,
Leflore may present evidence that it has compelling, financial
arguments to reduce the proposed forfeiture or that it has maintained
a history of overall compliance. The Commission will fully consider
any such arguments made by Leflore in its response to this NAL.
V. ordering clauses
11. We have determined that Leflore Communications, Inc., by failing to
has failed to submit an annual CPNI compliance certificate that
provides an accompanying statement explaining how the company's
operating procedures ensure that it is or is not in compliance with
the rules, has apparently willfully or repeatedly violated section 222
of the Act, section 64.2009(e) of the Commission's rules and the
Commission's EPIC CPNI Order. We find Leflore apparently liable for a
forfeiture of four thousand dollars ($4,000).
12. ACCORDINGLY, IT IS ORDERED THAT, pursuant to Section 503(b) of the
Communications Act of 1934, as amended, Section 1.80(f)(4) of the
Commission's rules, and authority delegated by Sections 0.111 and
0.311 of the Commission's rules, Leflore Communications, Inc. IS
LIABLE FOR A MONETARY FORFEITURE in the amount of four thousand
dollars ($4,000) for willfully or repeatedly violating Section 222 of
the Act, section 64.2009(e) of the Commission's rules, and the
Commission's EPIC CPNI Order by failing to submit a compliant annual
CPNI certificate.
13. IT IS FURTHER ORDERED THAT, pursuant to section 1.80 of the
Commission's rules, within thirty (30) days of the release date of
this Notice of Apparent Liability for Forfeiture, Leflore
Communications, Inc. SHALL PAY the full amount of the proposed
forfeiture or SHALL FILE a written statement seeking reduction or
cancellation of the proposed forfeiture.
14. Payment of the forfeiture must be made by check or similar instrument,
payable to the order of the Federal Communications Commission. The
payment must include the NAL/Account Number and FRN Number referenced
above. Payment by check or money order may be mailed to Federal
Communications Commission, P.O. Box 979088, St. Louis, MO 63197-9000.
Payment by overnight mail may be sent to U.S. Bank - Government
Lockbox #979088, SL-MO-C2-GL, 1005 Convention Plaza, St. Louis, MO
63101. Payment by wire transfer may be made to ABA Number 021030004,
receiving bank TREAS/NYC, and account number 27000001. For payment by
credit card, an FCC Form 159 (Remittance Advice) must be submitted.
When completing the FCC Form 159, enter the NAL/Account number in
block number 23A (call sign/other ID), and enter the letters "FORF" in
block number 24A (payment type code). Leflore will also send
electronic notification on the date said payment is made to
Johnny.drake@fcc.gov. Requests for full payment under an installment
plan should be sent to: Chief Financial Officer -- Financial
Operations, 445 12th Street, S.W., Room 1-A625, Washington, D.C.
20554. Please contact the Financial Operations Group Help Desk at
1-877-480-3201 or Email: ARINQUIRIES@fcc.gov with any questions
regarding payment procedures.
15. The response, if any, must be mailed both to the Office of the
Secretary, Federal Communications Commission, 445 12th Street, SW,
Washington, DC 20554, ATTN: Enforcement Bureau - Telecommunications
Consumers Division, and to Marcy Greene, Deputy Chief,
Telecommunications Consumers Division, Enforcement Bureau, Federal
Communications Commission, 445 12th Street, SW, Washington, DC 20554,
and must include the NAL/Acct. No. referenced in the caption.
16. The Commission will not consider reducing or canceling a forfeiture in
response to a claim of inability to pay unless the petitioner submits:
(1) federal tax returns for the most recent three-year period; (2)
financial statements prepared according to generally accepted
accounting practices; or (3) some other reliable and objective
documentation that accurately reflects the petitioner's current
financial status. Any claim of inability to pay must specifically
identify the basis for the claim by reference to the financial
documentation submitted.
17. IT IS FURTHER ORDERED that a copy of this Notice of Apparent Liability
for Forfeiture shall be sent by Certified Mail Return Receipt
Requested and First Class Mail to the company at 1604 Chickasaw St.,
Greenwood, MS 38930 and to Allan Tilles, Esq., 11921 Rockville Pike,
3rd Floor, Rockville, MD 20852-2743.
FEDERAL COMMUNICATIONS COMMISSION
Kris Anne Monteith
Chief, Enforcement Bureau
47 U.S.C. S: 222.
47 C.F.R. S: 64.2009(e).
Implementation of the Telecommunications Act of 1996: Telecommunications
Carriers' Use of Customer Proprietary Network Information and Other
Customer Information; IP-Enabled Services, CC Docket No. 96-115; WC Docket
No. 04-36, Report and Order and Further Notice of Proposed Rulemaking, 22
FCC Rcd 6927, 6953 (2007) ("EPIC CPNI Order"); aff'd sub nom. Nat'l Cable
& Telecom. Assoc. v. FCC, No. 07-132, (D.C. Cir. Decided Feb. 13, 2009).
CPNI is defined as information that relates to the quantity, technical
configuration, type, destination, location, and amount of use of a
telecommunications service subscribed to by any customer of a
telecommunications carrier, and that is made available to the carrier by
the customer solely by virtue of the customer-carrier relationship. See 47
U.S.C. S: 222(h)(1)(A); 47 C.F.R. S: 64.2003(d)
See 47 U.S.C. S: 503(b)(4)(A). The Commission has authority under this
section of the Act to assess a forfeiture penalty against a common carrier
if the Commission determines that the carrier has "willfully or
repeatedly" failed to comply with the provisions of the Act or with any
rule, regulation, or order issued by the Commission under the Act. The
section provides that the Commission must assess such penalties through
the use of a written notice of apparent liability or notice of opportunity
for hearing.
47 U.S.C. S: 503(b)(4)(C); 47 C.F.R. S: 1.80(f)(3).
Section 222 of the Communications Act, 47 U.S.C S: 222, provides that:
"Every telecommunications carrier has a duty to protect the
confidentiality of proprietary information of, and relating to, other
telecommunications carriers, equipment manufacturers, and customers,
including telecommunication carriers reselling telecommunications services
provided by a telecommunications carrier." Prior to the 1996 Act, the
Commission had established CPNI requirements applicable to the enhanced
services operations of AT&T, the Bell Operating Companies ("BOCs"), and
GTE, and the customer premises equipment ("CPE") operations of AT&T and
the BOCs, in the Computer II, Computer III, GTE Open Network Architecture
("ONA"), and BOC CPE Relief proceedings. See Implementation of the
Telecommunications Act of 1996: Telecommunications Carriers' Use of
Customer Proprietary Network Information and Other Customer Information
and Implementation of Non-Accounting Safeguards of Sections 271 and 272 of
the Communications Act of 1934, as amended, CC Docket Nos. 96-115 and
96-149, Second Report and Order and Further Notice of Proposed Rulemaking,
13 FCC Rcd 8061, 8068-70, para. 7 (1998) ("CPNI Order") (describing the
Commission's privacy protections for confidential customer information in
place prior to the 1996 Act).
See CPNI Order. See also Implementation of the Telecommunications Act of
1996: Telecommunications Carriers' Use of Customer Proprietary Network
Information and Other Customer Information and Implementation of the
Non-Accounting Safeguards of Sections 271 and 272 of the Communications
Act of 1934, as amended, CC Docket Nos. 96-115 and 96-149, Order on
Reconsideration and Petitions for Forbearance, 14 FCC Rcd 14409 (1999);
2000 Biennial Regulatory Review -- Review of Policies and Rules Concerning
Unauthorized Changes of Consumers' Long Distance Carriers, CC Docket No.
00-257, Third Report and Order and Third Further Notice of Proposed
Rulemaking, 17 FCC Rcd 14860 (2002); EPIC CPNI Order, supra. n.3.
See, e.g., http://www.epic.org/privacy/iei/.
See id.
EPIC CPNI Order, 22 FCC Rcd 6927.
Id. at 6928.
Id. at 6953; 47 C.F.R. S: 64.2009(e). Prior to the issuance of the EPIC
CPNI Order, carriers were required to maintain in their files an annual
CPNI Certification that certified to the company's compliance with the
Commission's CPNI rules and provided an accompanying statement explaining
how the company's procedures ensure that the company is or is not in
compliance with the CPNI rules. The rule also required carriers to make
the certification available upon request.
EPIC CPNI Order, 22 FCC Rcd at 6953. Specifically, pursuant to section
64.2009(e): A telecommunications carrier must have an officer, as an agent
of the carrier, sign and file with the Commission a compliance certificate
on an annual basis. The officer must state in the certification that he or
she has personal knowledge that the company has established operating
procedures that are adequate to ensure compliance with the rules in this
subpart. The carrier must provide a statement accompanying the
certification explaining how its operating procedures ensure that it is or
is not in compliance with the rules in this subpart. In addition, the
carrier must include an explanation of any actions taken against data
brokers and a summary of all customer complaints received in the past year
concerning the unauthorized release of CPNI. This filing must be made
annually with the Enforcement Bureau on or before March 1 in EB Docket No.
06-36, for data pertaining to the previous calendar year. 47 C.F.R. S:
64.2009(e).
Section 503(b)(2)(B) provides for forfeitures against common carriers of
up to $130,000 for each violation or each day of a continuing violation up
to a maximum of $1,325,000 for each continuing violation. 47 U.S.C. S:
503(b)(2)(B). See Amendment of Section 1.80 of the Commission's Rules and
Adjustment of Forfeiture Maxima to Reflect Inflation, 15 FCC Rcd 18221
(2000); Amendment of Section 1.80 of the Commission's Rules and Adjustment
of Forfeiture Maxima to Reflect Inflation, 19 FCC Rcd 10945 (2004)
(increasing maximum forfeiture amounts to account for inflation).
47 U.S.C. S: 503(b)(1)(B) (the Commission has authority under this section
of the Act to assess a forfeiture penalty against a common carrier if the
Commission determines that the carrier has "willfully or repeatedly"
failed to comply with the provisions of the Act or with any rule,
regulation, or order issued by the Commission under the Act); see also 47
U.S.C. S: 503(b)(4)(A) (providing that the Commission must assess such
penalties through the use of a written notice of apparent liability or
notice of opportunity for hearing).
Southern California Broadcasting Co., 6 FCC Rcd 4387 (1991).
See 47 U.S.C. S: 503(b)(2)(D); see also The Commission's Forfeiture Policy
Statement and Amendment of Section 1.80 of the Commission's Rules, 12 FCC
Rcd 17087 (1997) ("Forfeiture Policy Statement"); recon. denied, 15 FCC
Rcd 303 (1999).
Forfeiture Policy Statement, 12 FCC Rcd 17098-99, P: 22.
See, e.g., AT&T, Inc., Notice of Apparent Liability for Forfeiture, 21 FCC
Rcd 751 (Enf. Bur. 2006); Alltel Corp., Notice of Apparent Liability for
Forfeiture, 21 FCC Rcd 746 (Enf. Bur. 2006); Cbeyond Communications LLC,
Notice of Apparent Liability for Forfeiture, 21 FCC Rcd 4316 (Enf. Bur.
2006).
See n.14.
Because the EPIC CPNI Order took effect on December 8, 2007, the new
reporting requirements were only in effect from that date until the end of
the calendar year.
The Commission retains the discretion to impose a higher forfeiture in
cases of future noncompliance.
47 U.S.C. S: 503(b)(4)(A).
47 U.S.C. S: 503(b)(4)(C); 47 C.F.R. S: 1.80(f)(3).
47 C.F.R. S: 1.80(b)(4) (discussing factors the Commission or its designee
will consider in deciding appropriate forfeiture amount).
47 U.S.C. S: 503(b).
47 U.S.C. S: 1.80(f)(4).
47 C.F.R. S:S: 0.111, 0.311.
47 C.F.R. S: 1.80.
(Continued from previous page)
(continued....)
Federal Communications Commission DA 09-299
2
2
Federal Communications Commission DA 09-299