*Pages 1--6 from Microsoft Word - 56581.doc* Federal Communications Commission DA 06- 916 Before the Federal Communications Commission Washington, D. C. 20554 In the Matter of Cbeyond Communications, LLC Apparent Liability for Forfeiture ) ) ) ) ) ) File No. EB- 06- IH- 0840 NAL/ Acct. No. 200632080153 FRN: 0003- 7596- 02 NOTICE OF APPARENT LIABILITY FOR FORFEITURE Adopted: April 21, 2006 Released: April 21, 2006 By the Chief, Enforcement Bureau: I. INTRODUCTION 1. In this Notice of Apparent Liability for Forfeiture (“ NAL”), we find that Cbeyond Communications, LLC (“ Cbeyond”) apparently violated the Commission’s rules and orders by failing to have a corporate officer with personal knowledge execute an annual certificate stating that the company has established operating procedures adequate to ensure compliance with the Commission’s rules governing protection and use of Customer Proprietary Network Information (“ CPNI”), and by failing to make the compliance certificate publicly available. 1 Protection of CPNI is a fundamental obligation of all telecommunications carriers as provided by section 222 of the Communications Act of 1934, as amended (“ Communications Act” or “Act”). Based upon our review of the facts and circumstances surrounding this apparent violation, and in particular the serious consequences that may flow from inadequate concern for and protection of CPNI, we propose a monetary forfeiture of $100,000 against Cbeyond for its apparent failure to comply with section 64.2009( e) of the Commission’s rules and the CPNI Order. II. BACKGROUND 2. Based on concerns regarding the apparent availability to third parties of sensitive, personal subscriber information the Enforcement Bureau (the “Bureau”) has been investigating the adequacy of procedures implemented by telecommunications carriers to ensure confidentiality of their subscribers’ CPNI. For example, companies known as “data brokers” have advertised the availability of records of wireless subscribers’ incoming and outgoing telephone calls for a fee. 2 Data brokers have also advertised the availability of data regarding certain landline toll calls. 3 As part of the Bureau’s inquiry into CPNI issues, on January 30, 2006, the Bureau released a public notice directing all 1 See 47 C. F. R. § 64. 2009( e); Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information and Implementation of the Non- Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, Order and Further Notice of Proposed Rulemaking, 13 FCC Rcd 8061 (1998) (“ CPNI Order”). 2 See, e. g. http:// www. epic. org/ privacy/ iei/ (last accessed March 22, 2006). 3 See id. 1 Federal Communications Commission DA 06- 916 2 telecommunications carriers to submit their most recent CPNI compliance certifications to the Commission as required by section 64.2009( e) of the Commissions rules. 4 3. During the same timeframe, the Bureau also initiated an investigation of Cbeyond in particular based on allegations received by the Commission concerning Cbeyond’s use of CPNI. On February 1, 2006, the Bureau sent a letter of inquiry (“ LOI”) to Cbeyond to determine whether it has received or obtained proprietary information from another carrier and used that information in violation of section 222( b) of the Communications Act of 1934, as amended (“ the Act”), and section 64.2001 et seq. of the Commission’s rules, which protects the confidentiality of CPNI. 5 The LOI directed Cbeyond, among other things, to “[ p] rovide Cbeyond’s 47 C. F. R. § 64.2009( e) compliance certificate for the previous five years.” 6 4. On February 6, 2006, Cbeyond responded to the Public Notice, 7 and on February 13, 2006, it responded to the LOI. 8 In its response to the Public Notice, Cbeyond stated that the company “is aware of these rules and has established procedures that were designed to ensure full compliance with them.” 9 In addition, the company stated that “Cbeyond has commenced a comprehensive internal review of its operating procedures for CPNI compliance,” and “will report to the Commission the conclusions reached in this inquiry upon the inquiry’s completion, and Cbeyond will make any and all changes needed to ensure its future compliance with Section 222 and the Commission’s regulations.” 10 In Cbeyond’s response to the Bureau’s LOI directing Cbeyond to produce its compliance certifications pursuant to section 64.2009( e), the company stated that “Cbeyond does not presently have documents responsive to this request.” 11 This response was accompanied by a declaration under penalty of perjury from Cbeyond’s Vice President for Regulatory and Legislative Affairs. III. DISCUSSION 5. Under section 503( b)( 1) of the Act, any person who is determined by the Commission to have willfully or repeatedly failed to comply with any provision of the Act or any rule, regulation, or order issued by the Commission shall be liable to the United States for a forfeiture penalty. 12 Section 312( f)( 1) of the Act defines “willful” as “the conscious and deliberate commission or omission of [any] act, irrespective of any intent to violate” the law. 13 The legislative history to section 312( f)( 1) of the Act 4 Enforcement Bureau Directs All Telecommunications Carriers to Submit CPNI Compliance Certifications, Public Notice, DA 06- 223 (Enf. Bur. rel. Jan. 30, 2006). 5 Letter from Hillary S. DeNigro, Deputy Chief, Investigations and Hearings Division, Enforcement Bureau, to James Geiger, Chief Executive Officer, and Julia Strow, Vice President, Regulatory and Legislative Affairs, Cbeyond Communications, LLC, dated February 1, 2006 (“ LOI”). 6 Id. 7 See Letter from Julia Strow, Vice President, Regulatory and Legislative Affairs, Cbeyond Communications, LLC to Marlene H. Dortch, Office of the Secretary, FCC, dated February 6, 2006 (“ Public Notice Response”). 8 Letter from Thomas Jones and Theodore Case Whitehouse, Willkie Farr & Gallagher, LLP, Counsel for Cbeyond, to Hillary S. DeNigro, Eric Bash, and Christopher Shields, Investigations and Hearings Division, Enforcement Bureau, dated February 13, 2006 (“ LOI Response”). 9 Public Notice Response at 1. 10 Id. 11 LOI Response at 10. 12 47 U. S. C. § 503( b)( 1)( B); 47 C. F. R. § 1. 80( a)( 1); see also 47 U. S. C. § 503( b)( 1)( D) (forfeitures for violation of 14 U. S. C. § 1464). 13 47 U. S. C. § 312( f)( 1). 2 Federal Communications Commission DA 06- 916 3 clarifies that this definition of willful applies to both sections 312 and 503( b) of the Act, 14 and the Commission has so interpreted the term in the section 503( b) context. 15 The Commission may also assess a forfeiture for violations that are merely repeated, and not willful. 16 “Repeated” means that the act was committed or omitted more than once, or lasts more than one day. 17 To impose such a forfeiture penalty, the Commission must issue a notice of apparent liability, and the person against whom the notice has been issued must have an opportunity to show, in writing, why no such forfeiture penalty should be imposed. 18 The Commission will then issue a forfeiture if it finds by a preponderance of the evidence that the person has violated the Act or a Commission rule. 19 6. The fundamental issues in this case are whether Cbeyond apparently violated the Act and the Commission’s rules and orders by failing to have an officer with personal knowledge annually certify that the company has established procedures that comply with the Commission’s CPNI rules and failing to make its compliance certificate available upon request. Based on a preponderance of the evidence discussed below, we answer these questions affirmatively and conclude that Cbeyond is apparently liable for a forfeiture of $100,000 for apparently willfully or repeatedly violating section 222 of the Act, section 64.2009( e) of the Commission’s rules, and the CPNI Order. 20 7. Section 222 of the Act imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information. 21 The Commission has issued rules implementing section 222 of the Act, requiring carriers to establish and maintain a system designed to ensure that carriers adequately protected their subscribers’ CPNI. 22 Specifically, section 64.2009( e) requires that: 14 H. R. Rep. No. 97- 765, 97 th Cong. 2d Sess. 51 (1982). 15 See, e. g., Application for Review of Southern California Broadcasting Co., Memorandum Opinion and Order, 6 FCC Rcd 4387, 4388, ¶ 5 (1991) (“ Southern California Broadcasting Co.”). 16 See, e. g., Callais Cablevision, Inc., Grand Isle, Louisiana, Notice of Apparent Liability for Monetary Forfeiture, 16 FCC Rcd 1359, 1362, ¶ 10 (2001) (“ Callais Cablevision”) (issuing a Notice of Apparent Liability for, inter alia, a cable television operator’s repeated signal leakage). 17 Southern California Broadcasting Co., 6 FCC Rcd at 4388, ¶ 5; Callais Cablevision, Inc., 16 FCC Rcd at 1362, ¶ 9. 18 47 U. S. C. § 503( b); 47 C. F. R. § 1.80( f). 19 See, e. g., SBC Communications, Inc., Apparent Liability for Forfeiture, Forfeiture Order, 17 FCC Rcd 7589, 7591, ¶ 4 (2002) (forfeiture paid). 20 Id.; see also Implementation of The Telecommunications Act of 1996, Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, and Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, Order on Reconsideration and Petitions for Forbearance, 14 FCC Rcd 14409, 14468, n. 331 (1999) (“ CPNI Reconsideration and Forbearance Order”). 21 Section 222 of the Communications Act provides that: “Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier.” 47 U. S. C § 222. 22 See generally, CPNI Order; CPNI Reconsideration and Forbearance Order; Implementation of the Telecommunications Act of 1996, Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Implementation of the Non- Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, and 2000 Biennial Regulatory Review -- Review of Policies and Rules Concerning Unauthorized Changes of Consumers’ Long Distance Carriers, Third Report and Order and Third Further Notice of Proposed Rulemaking, 17 FCC Rcd 14860 (2002). 3 Federal Communications Commission DA 06- 916 4 A telecommunications carrier must have an officer, as an agent of the carrier, sign a compliance certificate on an annual basis stating that the officer has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart. 23 In the CPNI Order, the Commission also explicitly required that the “[ section 64.2009( e)] certification must be publicly available, and be accompanied by a statement explaining how the carrier is implementing our CPNI rules and safeguards.” 24 8. The January 30, 2006 Public Notice requested all telecommunications carriers to produce their most recent compliance certificates prepared in compliance with section 64.2009( e) of the Commission’s rules. 25 The Bureau’s LOI directed Cbeyond to submit such compliance certificates for the previous five years. 26 Notwithstanding this directive, Cbeyond has failed to produce any certification. Instead, Cbeyond filed only a letter in response to the Public Notice, in which it acknowledged its awareness of the Commission’s rules, and indicated its intent to conduct a review of its operating procedures and to submit a future report. 27 This letter is insufficient to demonstrate compliance with section 64.2009( e). In fact, Cbeyond has conceded the inadequacy of its Public Notice Response, as it stated in its subsequent response to the Bureau’s LOI that it did not have any of the section 64. 2009( e) certifications for the past five years. 28 9. Based on the facts above, we conclude that Cbeyond has apparently willfully or repeatedly failed to comply with our CPNI requirement that an officer annually execute a compliance certificate as set forth in section 64.2009( e), and that such certificate be made publicly available. For this apparent violation, we propose a forfeiture. IV. FORFEITURE AMOUNT 10. Section 503( b) of the Act authorizes the Commission to assess a forfeiture of up to $130,000 for each violation of the Act or of any rule, regulation, or order issued by the Commission under the Act. 29 The Commission may assess this penalty if it determines that the carrier’s noncompliance is “willful or repeated.” 30 For a violation to be willful, it need not be intentional. 31 To assess a forfeiture, 23 47 C. F. R.§ 64. 2009( e). 24 CPNI Order, 13 FCC Rcd at 8199, 8216, ¶¶ 201, 243. 25 47 C. F. R. § 64.2009. 26 LOI at 6, ¶ 11. 27 Public Notice Response at 1. 28 See LOI Response at 10. The LOI imposes a continuing obligation on Cbeyond “to produce in the future any and all documents and information that are responsive to the inquiries made herein but not initially produced at the time, date and place specified” in the LOI. To date, Cbeyond still has not filed any certificate pursuant to section 64. 2009( e), and thus still has not fulfilled its responsibility under that section. See LOI at 2. 29 Section 503( b)( 2)( B) provides for forfeitures against common carriers of up to $130,000 for each violation or each day of a continuing violation up to a maximum of $1,325,000 for each continuing violation. 47 U. S. C. § 503( b)( 2)( B). See Amendment of Section 1.80 of the Commission’s Rules and Adjustment of Forfeiture Maxima to Reflect Inflation, Order, 15 FCC Rcd 18221 (2000); Amendment of Section 1. 80 of the Commission’s Rules and Adjustment of Forfeiture Maxima to Reflect Inflation, Order, 19 FCC Rcd 10945 (2004) (increasing maximum forfeiture amounts to account for inflation). 30 47 U. S. C. § 503( b)( 1)( B). The Commission has authority under this section of the Act to assess a forfeiture penalty against a common carrier if the Commission determines that the carrier has “willfully or repeatedly” failed (continued....) 4 Federal Communications Commission DA 06- 916 5 the violation may also be merely repeated, and not willful. 32 “Repeated” means that the act was committed or omitted more than once, or lasts more than one day. 33 In exercising our forfeiture authority, we are required to take into account “the nature, circumstances, extent, and gravity of the violation and, with respect to the violator, the degree of culpability, any history of prior offenses, ability to pay, and such other matters as justice may require.” 34 In addition, the Commission has established guidelines for forfeiture amounts and, where there is no specific base amount for a violation, retained discretion to set an amount on a case- by- case basis. 35 11. The Commission’s forfeiture guidelines do not address the specific violation at issue in this proceeding. In determining the proper forfeiture amount in this case, however, we are guided by the principle that there may be no more important obligation on a carrier’s part than protection of its subscribers’ proprietary information. Consumers are increasingly concerned about the security of their sensitive, personal data that they must entrust to their various service providers, whether they are financial institutions or telephone companies. Given the increasing concern about the security of this data, and evidence that the data appears to be widely available to third parties, we must take aggressive, substantial steps to ensure that carriers implement necessary and adequate measures to protect their subscribers’ CPNI as required by the Commission’s existing CPNI rules. For these reasons, we recently held that a substantial forfeiture of $100,000 is warranted for a carrier’s apparent failure to comply with section 64.2009( e) of the Commission’s rules. 36 In this case, Cbeyond has not produced any current certificate that satisfies the requirements of section 64.2009( e), and stated that it does not have any such certificates for the past five years. Therefore, we find that Cbeyond has apparently willfully and repeatedly violated section 64.2009( e) and the CPNI Order by failing to have an officer with personal knowledge annually certify that the company has established procedures that comply with the Commission’s CPNI rules and by failing to make the compliance certificate publicly available. Based on all the facts and circumstances present in this case, we believe a proposed forfeiture of $100,000 is warranted. 37 (... continued from previous page) to comply with the provisions of the Act or with any rule, regulation, or order issued by the Commission under the Act. The section provides that the Commission must assess such penalties through the use of a written notice of apparent liability or notice of opportunity for hearing. See 47 U. S. C. § 503( b)( 4)( A). Here, as described above, Cbeyond’s actions were willful as it failed to submit any required compliance certification in response to the Bureau’s LOI. 31 Southern California Broadcasting Co., Memorandum Opinion and Order, 6 FCC Rcd 4387 (1991). 32 See, e. g., Callais Cablevision, Inc., Grand Isle, Louisiana, Notice of Apparent Liability for Monetary Forfeiture, 16 FCC Rcd 1359 (2001) (issuing a Notice of Apparent Liability for, inter alia, a cable television operator’s repeated signal leakage). 33 Callais Cablevision, Inc., 16 FCC Rcd at 1362, ¶ 9; Southern California Broadcasting Co., 6 FCC Rcd at 4388, ¶ 5. 34 See 47 U. S. C. § 503( b)( 2)( D); see also The Commission’s Forfeiture Policy Statement and Amendment of Section 1.80 of the Commission’s Rules to Incorporate the Forfeiture Guidelines, Report and Order, 12 FCC Rcd 17087 (1997) (“ Forfeiture Policy Statement”), recon. denied, 15 FCC Rcd 303 (1999). 35 Forfeiture Policy Statement, 12 FCC Rcd at 17098- 99, ¶ 22. 36 Alltel Corporation, Apparent Liability for Forfeiture, DA 06- 220 (Enf. Bur., rel. Jan. 30, 2006); AT& T, Inc., Notice of Apparent Liability for Forfeiture, DA 06- 221 (Enf. Bur., rel. Jan. 30, 2006). 37 47 U. S. C. § 503( b)( 4)( A). 5 Federal Communications Commission DA 06- 916 6 V. CONCLUSION AND ORDERING CLAUSES 12. We have determined that Cbeyond has apparently violated Section 64.2009( e) of the Commission’s rules by failing to prepare and maintain a certification in compliance with the rule. We find Cbeyond apparently liable for $100,000. 13. ACCORDINGLY, IT IS ORDERED THAT, pursuant to Section 503( b) of the Communications Act of 1934, as amended, 38 Section 1.80( f)( 4) of the Commission’s rules, 39 and authority delegated by Sections 0.111 and 0.311 of the Commission’s rules, 40 Cbeyond IS LIABLE FOR A MONETARY FORFEITURE in the amount of one hundred thousand dollars ($ 100,000) for willfully or repeatedly violating section 64. 2009 of the Commission’s rules and the CPNI Order, by failing to prepare and make available upon request a certificate that complies with 64.2009( e). 14. IT IS FURTHER ORDERED THAT, pursuant to section 1.80 of the Commission’s Rules, within thirty days of the release date of this NOTICE OF APPARENT LIABILITY, Cbeyond SHALL PAY the full amount of the proposed forfeiture or SHALL FILE a written statement seeking reduction or cancellation of the proposed forfeiture. 15. Payment of the forfeiture must be made by check or similar instrument, payable to the order of the Federal Communications Commission. The payment must include the NAL/ Acct. No. and FRN No. referenced above. Payment by check or money order may be mailed to Federal Communications Commission, P. O. Box 358340, Pittsburgh, PA 15251- 8340. Payment by overnight mail may be sent to Mellon Bank/ LB 358340, 500 Ross Street, Room 1540670, Pittsburgh, PA 15251. Payment by wire transfer may be made to ABA Number 043000261, receiving bank Mellon Bank, and account number 911- 6106. Requests for payment of the full amount of this NAL under an installment plan should be sent to: Associate Managing Director -- Financial Operations, 445 12th Street, S. W., Room 1- A625, Washington, D. C. 20554. 41 16. The response, if any, to this NOTICE OF APPARENT LIABILITY must be mailed to William H. Davenport, Chief, Investigations and Hearings Division, Enforcement Bureau, Federal Communications Commission, Room 4- A237, 445 12 th Street, S. W., Washington, D. C. 20554 and must include the NAL/ Acct. No. referenced above. 17. IT IS FURTHER ORDERED that a copy of this Order shall be sent by Certified Mail, Return Receipt Requested to Thomas Jones and Theodore Case Whitehouse, Counsel for Cbeyond Communications, LLC, 1875 K Street, NW, Washington, DC 20006. FEDERAL COMMUNICATIONS COMMISSION Kris A. Monteith Chief, Enforcement Bureau 38 47 U. S. C. § 503( b). 39 47 U. S. C. § 1.80( f)( 4). 40 47 C. F. R. §§ 0.111, 0. 311. 41 See 47 C. F. R. § 1.1914. 6