CPNI

By Hannah Lepow

Yesterday the FCC announced that it has entered into a $595,000 settlement agreement with Cox Communications to resolve an investigation into whether the company failed to protect its customers’ personal information when it suffered a data breach in 2014.  This is the first privacy  and data security enforcement action the FCC Enforcement

In a consent decree adopted yesterday by the Federal Communications Commission, two telecommunications carriers — TerraCom, Inc., and YourTel America, Inc. — agreed to pay a $3.5 million civil penalty and adhere to a three-year compliance program to settle allegations that the carriers violated the federal Communications Act by failing to adequately protect “proprietary information” the carriers collected from consumers applying for federally subsidized phone service under the Lifeline program.  The consent decree reiterates the FCC’s interpretation of Sections 201 and 222 of the federal Communications Act — first articulated in a October 2014 decision proposing to fine TerraCom and YourTel $10 million — broadening telecommunications carriers’ privacy and data security obligations.  The consent decree also settles allegations that YourTel failed to de-enroll certain subscribers after being instructed to do so by the Universal Service Administrative Company, which administers Lifeline.
Continue Reading Carriers Agree to $3.5 Million FCC Fine For Alleged Privacy Violations

Earlier this week, the FTC notified Verizon by letter that it has closed its investigation into whether Verizon violated Section 5 of the FTC Act by failing to secure certain routers supplied to the company’s broadband subscribers.  The FTC’s investigation centered on Verizon’s practice of supplying routers that incorporated an outdated default security setting, an encryption standard known as Wired Equivalent Privacy (“WEP”).  According to the FTC, flaws in WEP were identified by researchers in 2004, but Verizon continued until recently to ship some WEP router models.  According to the FTC, this left some Verizon subscribers vulnerable to hackers.

In its letter, the FTC explained that the following factors led it to close its investigation:

  • Verizon’s overall data-security practices related to its routers.
  • Verizon’s efforts to mitigate the risk that subscribers using WEP-model routers would be vulnerable to hackers, including:
  1. by removing the WEP model routers from distribution centers and setting them to Wi-Fi Protected Access 2 (“WPA2”), ensuring that future distributed routers would be set by default to WPA2;
  2. by implementing an outreach campaign to subscribers currently using WEP or no encryption, and requesting that those subscribers change their security settings to WPA2; and
  3. offering upgrades to WPA2-compatible units for subscribers in possession of older, incompatible routers.
    Continue Reading FTC Closes Investigation After Verizon Fixes Encryption Problems With FiOS and DSL Routers

By Caleb Skeath

Last Friday, the FCC announced that it intends to fine two telecommunications carriers — TerraCom, Inc., and YourTel America, Inc. — a total of $10 million for failing to protect certain customer data.  According to the FCC, the two carriers, which provide discount phone services to low-income individuals, posted customer “proprietary information” on unprotected Internet servers that were accessible by the public.  The fine, approved by a 3-2 vote, represents the largest privacy action in FCC history, eclipsing a $7.4 million fine handed down to Verizon in early September for failing to provide customers with required notices about Verizon’s use of Customer Proprietary Network Information (“CPNI”).Continue Reading FCC Expands Application of Customer Privacy Provisions with $10 Million Fine Against Carriers

A Consent Decree adopted by the FCC’s Enforcement Bureau on September 2 settles the FCC’s inquiry into allegations that Verizon failed to provide some customers with required notices about Verizon’s use of Customer Proprietary Network Information (CPNI) and took too long to notify the FCC after discovering the error. Under the Consent Decree, Verizon will

Yesterday, the Federal Communications Commission’s (FCC’s) Enforcement Bureau issued a reminder that annual CPNI certifications for calendar year 2013 must be filed with the FCC by March 1, 2014.

The FCC requires telecommunications service providers (including paging providers, commercial mobile radio services providers, and calling card providers) and interconnected VoIP service providers to file an

Telecommunications carriers and providers of interconnected VoIP service with access to certain kinds of customer information collected through mobile devices are subject to existing privacy rules governing their use and disclosure of that information, the Federal Communications Commission announced in a declaratory ruling adopted at its June 27 meeting.  Significantly, the decision makes clear that third-party applications, device manufacturers and operating system developers are not covered. 

The ruling addresses the scope of the FCC’s rules governing Customer Proprietary Network Information (CPNI). A federal statute — Section 222 of the Communications Act — requires carriers “to protect the confidentiality of proprietary information” relating to customers, which is defined as information in customers’ bills and other information “that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.” This includes information about numbers dialed and received, the length and frequency of calls, and the locations where calls are made.Continue Reading FCC: Customer Data Carriers Obtain Through Mobile Devices Subject to Existing Privacy Rules

The Federal Communications Commission is scheduled to vote this month on a declaratory ruling stating that existing rules governing telephone carriers’ use of subscribers’ personal information also apply to data collected on mobile devices.

Existing regulations restrict telecommunications carriers’ ability to use or disclose Customer Proprietary Network Information (CPNI) that a carrier obtains in the course of providing service to the customer. CPNI includes information such as the locations where calls are made, the numbers called, the length of calls, and other information contained in a customer’s bill.Continue Reading FCC to Consider Ruling on Carriers’ Use of Data Collected on Mobile Devices

As a reminder, telecommunications carriers must submit their annual certifications regarding customer proprietary network information (CPNI) by March 1.  CPNI is private customer information concerning telecommunications. Telecommunications carriers and providers of interconnected Voice over Internet Protocol (VoIP) must certify annually to the FCC that they comply with their obligations to protect and limit disclosure of CPNI.Continue Reading CPNI Certifications Due on March 1

As we reported, the Federal Communications Commission (“FCC”) recently announced that it is seeking comments on the protection of data stored on mobile devices by wireless phone carriers. The FCC has noted that the comments it previously received on the issue five years ago are already “badly out of date.”  The Federal Register published