 PUBLIC NOTICE
Federal Communications Commission
445 12th St., S.W.
Washington, D.C. 20554
News Media Information 202 / 418-0500
Internet: http://www.fcc.gov
TTY: 1-888-835-5322
DA 16-127
February 5, 2016
Enforcement Advisory No. 2016-01
TELECOMMUNICATIONS CARRIERS AND INTERCONNECTED VOIP PROVIDERS SUBJECT TO THE 
COMMISSION’S CPNI RULES MUST FILE ANNUAL REPORTS CERTIFYING COMPLIANCE WITH 
COMMISSION RULES PROTECTING CUSTOMER PROPRIETARY NETWORK INFORMATION
ANNUAL CPNI CERTIFICATIONS DUE MARCH 1, 2016
Filing of 2015 Annual Customer Proprietary Network Information (CPNI) Certifications
EB Docket No. 06-36
The FCC’s Enforcement Bureau again reminds those telecommunications carriers and interconnected VoIP providers 
currently subject to the FCC’s rules protecting Customer Proprietary Network Information (CPNI) of their obligation to 
file, by March 1, their annual reports certifying compliance with the CPNI rules.[1]  The protection of CPNI is of
paramount importance, as CPNI includes some of the most sensitive personal information that carriers have about 
their customers as a result of their business relationship (e.g., phone numbers of calls made and received; the 
frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting and 
voicemail).  The Commission has issued rules to protect the privacy of CPNI and to ensure that CPNI is adequately 
protected from unauthorized access, use, or disclosure.[2]
In prior years, many companies have either failed to file certifications entirely or filed certifications that violate our rules 
in material respects.  Failure to file a timely and complete certification calls into question whether a company has  
complied with the rules requiring it to protect the privacy and security of its customers’ sensitive information.  
Telecommunications carriers and interconnected VoIP providers may satisfy their certification filing obligation in 
several ways, each of which is described in Attachment 1. 
Because the CPNI rules provide important consumer protections, the Commission has taken enforcement action
against telecommunications carriers and interconnected VoIP providers that were not in compliance with the
requirements,[3] and we intend to continue to strictly enforce the rules.  Companies are reminded that failure to comply
with the CPNI rules, including the annual certification requirement, may subject them to enforcement action, including
monetary forfeitures of up to $160,000 for each violation or each day of a continuing violation, up to a maximum of
$1,575,000.[4]  False statements or misrepresentations to the Commission may be punishable by fine or imprisonment
under Title 18 of the U.S. Code.
Attachments:  (1) Frequently Asked Questions; (2) CPNI Certification Template; (3) Text of the CPNI rules.
Issued by: Chief, Enforcement Bureau

[1] This Enforcement Advisory highlights certain obligations under the CPNI rules.  Failure to receive this notice does not absolve a
provider of the obligation to meet the requirements of the Communications Act of 1934, as amended, or the Commission’s rules and
orders.  Companies should read the full text of the relevant CPNI rules at 47 CFR § 64.2001 et seq.
[2] The Commission’s existing rules implementing Section 222 of the Communications Act of 1934, as amended, including the
certification requirement, do not apply with respect to the provision of broadband Internet access service. See Protecting and
Promoting the Open Internet, Report and Order on Remand, Declaratory Ruling, and Order, 30 FCC Rcd. 5601, 5823-24, at para.
467 (2015).
[3] In April 2015, for example, the Enforcement Bureau and AT&T entered into a Consent Decree for $25 million to resolve the
Bureau’s investigation into unauthorized access to CPNI and other sensitive customer information by AT&T call center employees.
See AT&T Services, Inc., Order & Consent Decree, 30 FCC Rcd. 2808 (Enf. Bur. 2015).  In September 2014, the Enforcement
Bureau and Verizon entered into a Consent Decree for $7.4 million to resolve the Bureau’s investigation into Verizon’s use of CPNI
for marketing purposes without customer approval.  See Verizon; Compliance with the Commission’s Rules and Regulations
Governing Customer Proprietary Network Information, Order & Consent Decree, 29 FCC Rcd 10303 (Enf. Bur. 2014).
[4] 47 U.S.C. § 503(b)(2)(B); see also 47 CFR § 1.80(b)(2); Amendment of Section 1.80(b) of the Commission’s Rules, Adjustment of
Civil Monetary Penalties to Reflect Inflation, Order, 28 FCC Rcd 10785 (Enf. Bur. 2013).

ATTACHMENT 1
FREQUENTLY ASKED QUESTIONS
The following frequently asked questions are addressed in this Enforcement Advisory: 
• What are the CPNI rules, and where can I find them?
• Who is required to file?
• Is there an exemption for small companies?
• What must be included in the filing?
• When are companies required to file the annual certification?
• Is this the same as my Form 499 filing or my USF filing?
• What format should I use for my CPNI certification?
• How do I file the CPNI certification?
• What if I have questions?
What are the CPNI rules, and where can I find them?
Protection of CPNI is a fundamental obligation under Section 222 of the Communications Act of 1934, as amended 
(Act). Consumers are understandably concerned about the privacy and security of the sensitive, personal data they 
provide to their service providers.  In recognition of these concerns, the Commission has issued rules requiring carriers 
and interconnected VoIP providers to establish and maintain systems designed to ensure that they adequately protect 
their subscribers’ CPNI.  Those rules also require carriers and interconnected VoIP providers to, among other things:
(1) obtain customers’ approval to use, disclose, or permit access to their CPNI for marketing purposes;[1] (2) notify
customers of their right to restrict the use of their CPNI;[2] (3) take reasonable measures to protect against attempts to
gain unauthorized access to CPNI;[3] (4) notify law enforcement and affected customers of a breach of CPNI. In
addition, all companies subject to the CPNI rules must file an annual certification documenting their compliance with
the rules, and documenting any complaints or problems.[4]  Companies must file these certifications with the
Commission on or before March 1 each year.
The CPNI rules are found at 47 CFR § 64.2001 et seq.  A copy of the current version of the certification portion of the 
rules is attached to this Enforcement Advisory.  To ensure that you are aware of any changes to the rules, you are 
advised always to check the current version of the Code of Federal Regulations, which can be found at the 
Government Printing Office website, here:  http://www.gpoaccess.gov/CFR/.
Who is required to file?
Telecommunications carriers and interconnected VoIP providers subject to the CPNI rules must file a CPNI
certification each year.[5]
• A “telecommunications carrier” is “any provider of telecommunications services,” except an aggregator.[6]
47 U.S.C. § 153(51).  The Communications Act defines telecommunications service as “the offering of
telecommunications for a fee directly to the public, or to such classes of users as to be effectively available
directly to the public, regardless of the facilities used.”  47 U.S.C. § 153(53).
• Some examples of “telecommunications carriers” that must file an annual certification are: local exchange
carriers (LECs) (including incumbent LECs, rural LECs, and competitive LECs), interexchange carriers,
paging providers, commercial mobile radio services providers, resellers, prepaid telecommunications
providers, and calling card providers.  This list is not exhaustive.
• “Interconnected VoIP providers” are companies that provide a service that: “(1) enables real-time, two-way
voice communications; (2) requires a broadband connection from the user’s location; (3) requires Internet
protocol-compatible customer premises equipment (CPE); and (4) permits users generally to receive calls
that originate on the public switched telephone network and terminate calls to the public switched
network.”  47 CFR § 9.3.

[1] 47 CFR § 64.2007.
[2] 47 CFR § 64.2008.
[3] 47 CFR § 64.2010(a).
[4] 47 CFR § 64.2011.
[5] The Commission’s existing CPNI rules do not apply to the provision of broadband Internet access service. Accordingly, the annual
CPNI certification requirement does not currently apply to “telecommunications carriers” that fall within that definition solely by virtue
of providing broadband Internet access services.  See Protecting and Promoting the Open Internet, 30 FCC Rcd. at 5823-24, para.
467 (forbearing from applying the existing CPNI rules in the context of broadband Internet access services, but clarifying that such
forbearance does not limit the applicability of the rules to services previously found to be within their scope).
[6] Section 226 defines an aggregator as “any person that, in the ordinary course of its operations, makes telephones available to the
public or to transient users of its premises, for interstate telephone calls using a provider of operator services.”  47 U.S.C. §
226(a)(2).

Is there an exemption for small companies?
No, there is no exemption for small companies.  Section 64.2009(e) of the rules – the annual certification filing
requirement – applies regardless of the size of the company.
What must be included in the filing?
The certification must include all of the elements listed below:
• an officer of the company must sign the compliance certificate;
• the officer must state in the certification that he or she has personal knowledge that the company has
established operating procedures that are adequate to ensure compliance with the CPNI rules;
• the company must provide a written statement accompanying the certification explaining how its operating
procedures ensure that it is or is not in compliance with the CPNI rules;
• the company must include an explanation of any actions taken against data brokers; and
• the company must include a summary of all consumer complaints received in the prior year concerning
unauthorized release of CPNI.
In reviewing prior years’ filings, we have found a number of recurring deficiencies.  In particular, many companies:
(1) fail to have the officer signing the certification affirmatively state that he or she has personal knowledge that the
company has established operating procedures that are adequate to ensure compliance;
(2) fail to provide a statement accompanying the certification explaining how their operating procedures ensure
that they are or are not in compliance with the rules.  Simply stating that the company has adopted operating
procedures without explaining how compliance is being achieved does not satisfy this requirement;
(3) fail to state clearly whether any actions were taken against data brokers in the prior year (if there were no such
actions, the company should include an affirmative statement of that fact to make clear that it has provided the
required information); and
(4) fail to state clearly whether any customer complaints were received in the prior year concerning the
unauthorized release of CPNI (if there were no such complaints, the company should include an affirmative
statement of that fact to make clear that it has provided the required information).
To help companies ensure that their certifications contain all of the required information, we are providing a suggested 
template, attached to this Enforcement Advisory.  
When are companies required to file the annual certification?  
The 2016 annual certification filing (for calendar year 2015) is due no sooner than January 1, 2016, but no later
than March 1, 2016.  You may not file before January 1, 2016, because your certification must contain data pertaining
to the entire previous calendar year.  Certifications filed before January 1, 2016 do not comply with the rules.  If you 
filed too soon, you must re-file by March 1 with a new certification that covers the entire calendar year 2015.  If you 
filed after January 1, 2016, we recommend that you review your certification to ensure that it includes all the necessary 
information (including the required attachments and explanations) and refile if needed.
Is this the same as my Form 499 filing or my USF filing?
No, the annual CPNI certification filing is different from Form 499 filings and USF filings.
What format should I use for my CPNI certification?
A suggested template is attached to this Enforcement Advisory.  See Attachment 2.  This template was designed to 
ensure that companies will comply with the annual certification filing requirement of 47 CFR § 64.2009(e) if they 
complete it fully and accurately.  Use of this template is not mandatory, and companies may use any format that fulfills 
the requirements of the rule.  If you elect to use the suggested template, we encourage you to review the template 
carefully and to ensure that all fields are fully completed before submission.  
How do I file the CPNI certification?
Certifications may be filed:  (1) using the Commission’s web-based application; (2) using the Commission’s Electronic 
Comment Filing System (ECFS); or (3) by filing paper copies.  Paper filings and filings submitted through ECFS must 
reference EB Docket No. 06-36 and must be addressed to the Commission’s Secretary, Marlene H. Dortch, Office of 
the Secretary, Federal Communications Commission, 445 12th Street, SW, Suite TW-A325, Washington, DC 20554. 
Companies must file a separate certification for each affiliate with a unique 499 filer ID number.  Under no 
circumstances should copies of certifications be sent to the Enforcement Bureau or to any individuals within 
the Enforcement Bureau unless such filing is a requirement of a consent decree with the Enforcement 
Bureau.[7]
• Web-Based Electronic Filers:  To file a certification using the Commission’s web-based application
specifically designed for this purpose, visit http://apps.fcc.gov/eb/CPNI.  Instructions are provided at the
website.
• ECFS Electronic Filers:  To file a certification using ECFS, visit http://www.fcc.gov/cgb/ecfs/.  In completing
the transmittal screen, filers should include the full name of the company, U.S. Postal Service mailing address,
and the applicable docket or rulemaking number.  The website provides instructions.
• Paper Filers:  Parties who choose to file by paper must file an original and four copies of each filing.  All filings
must reference EB Docket No. 06-36 and be addressed to Marlene H. Dortch, Secretary, Federal
Communications Commission, 445 12th Street SW, Suite TW-A325, Washington, DC  20554.  Filings may be
transmitted by hand or messenger delivery, by commercial overnight courier, or by first-class or overnight U.S.
Postal Service mail as follows:
    • Hand or messenger-delivered paper filings should be directed to the Commission’s headquarters building,
    at 445 12th Street SW, Washington, DC  20554.  The filing hours at this location are 8:00 a.m. to 7:00 p.m.
    All hand deliveries must be held together with rubber bands or fasteners.  Any envelopes must be
    disposed of before entering the building.
    • Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) should be
    directed to 9300 East Hampton Drive, Capitol Heights, MD  20743.
    • U.S. Postal Service first-class, Express, and Priority mail should be directed to the Commission’s
    Secretary at her address, provided above.
People with Disabilities:  To request materials in accessible formats for people with disabilities (braille, large print,
electronic files, audio format), send an e-mail to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau
at 202-418-0530 (voice), 202-418-0432 (tty).

[7] Include the relevant case number on the certification if filing pursuant to a consent decree.

What if I have questions?
For further information regarding the annual certification filing, contact any of the following individuals in the 
Telecommunications Consumers Division, Enforcement Bureau: Edward Hayes (202) 418-7994, Donna Cyrus (202) 
418-7325, Mika Savir (202) 418-0384, or Michael Epshteyn (202) 418-1139.  
ATTACHMENT 2
Annual 47 C.F.R. § 64.2009(e) CPNI Certification Template
EB Docket 06-36
Annual 64.2009(e) CPNI Certification for [Insert year] covering the prior calendar year [Insert year]
1. Date filed: [Insert date]
2. Name of company(s) covered by this certification: [Insert company name]
3. Form 499 Filer ID:  [Provide relevant ID number(s)]
4. Name of signatory: [Insert name]
5. Title of signatory: [Insert title of corporate officer]
6. Certification:
I, [Insert name of officer signing certification], certify that I am an officer of the company named 
above, and acting as an agent of the company, that I have personal knowledge that the company has 
established operating procedures that are adequate to ensure compliance with the Commission’s CPNI rules.  
See 47 C.F.R. § 64.2001 et seq.
Attached to this certification is an accompanying statement explaining how the company’s procedures 
ensure that the company is in compliance with the requirements (including those mandating the adoption of 
CPNI procedures, training, safeguards, recordkeeping, and supervisory review) set forth in section 64.2001 et 
seq. of the Commission’s rules. 
The company [has/has not] taken actions (i.e., proceedings instituted or petitions filed by a company 
at either state commissions, the court system, or at the Commission against data brokers) against data 
brokers in the past year.  [NOTE:  If you reply in the affirmative, provide an explanation of any actions taken 
against data brokers.]
The company [has/has not] received customer complaints in the past year concerning the 
unauthorized release of CPNI  [NOTE: If you reply in the affirmative, provide a summary of such complaints.   
This summary must include the number of complaints, broken down by category or complaint, e.g., instances 
of improper access by employees, instances of improper disclosure to individuals not authorized to receive 
the information, or instances of improper access to online information by individuals not authorized to view the 
information.]
The company represents and warrants that the above certification is consistent with 47 C.F.R. § 1.17,
which requires truthful and accurate statements to the Commission.  The company also acknowledges that 
false statements and misrepresentations to the Commission are punishable under Title 18 of the U.S. Code 
and may subject it to enforcement action.
Signed _____________________________ [Signature of an officer, as agent of the carrier]
Attachments: Accompanying Statement explaining CPNI procedures
Explanation of actions taken against data brokers (if applicable)
Summary of customer complaints (if applicable)
ATTACHMENT 3
47 C.F.R. § 64.2009   Safeguards required for use of customer proprietary network information.
(a) Telecommunications carriers must implement a system by which the status of a customer's CPNI 
approval can be clearly established prior to the use of CPNI.
(b) Telecommunications carriers must train their personnel as to when they are and are not authorized to 
use CPNI, and carriers must have an express disciplinary process in place.
(c) All carriers shall maintain a record, electronically or in some other manner, of their own and their 
affiliates' sales and marketing campaigns that use their customers' CPNI. All carriers shall maintain a 
record of all instances where CPNI was disclosed or provided to third parties, or where third parties were 
allowed access to CPNI. The record must include a description of each campaign, the specific CPNI that 
was used in the campaign, and what products and services were offered as a part of the campaign. 
Carriers shall retain the record for a minimum of one year.
(d) Telecommunications carriers must establish a supervisory review process regarding carrier 
compliance with the rules in this subpart for outbound marketing situations and maintain records of carrier 
compliance for a minimum period of one year. Specifically, sales personnel must obtain supervisory 
approval of any proposed outbound marketing request for customer approval.
(e) A telecommunications carrier must have an officer, as an agent of the carrier, sign and file with the 
Commission a compliance certificate on an annual basis. The officer must state in the certification that he 
or she has personal knowledge that the company has established operating procedures that are 
adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement 
accompanying the certificate explaining how its operating procedures ensure that it is or is not in 
compliance with the rules in this subpart. In addition, the carrier must include an explanation of any 
actions taken against data brokers and a summary of all customer complaints received in the past year 
concerning the unauthorized release of CPNI. This filing must be made annually with the Enforcement 
Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining to the previous calendar year.
(f) Carriers must provide written notice within five business days to the Commission of any instance 
where the opt-out mechanisms do not work properly, to such a degree that consumers' inability to opt-out 
is more than an anomaly.
(1) The notice shall be in the form of a letter, and shall include the carrier's name, a description of 
the opt-out mechanism(s) used, the problem(s) experienced, the remedy proposed and when it will 
be/was implemented, whether the relevant state commission(s) has been notified and whether it has 
taken any action, a copy of the notice provided to customers, and contact information.    
(2) Such notice must be submitted even if the carrier offers other methods by which consumers 
may opt-out.