Federal Communications Commission DA 07-1412

Before the
Federal Communications Commission
Washington, D.C. 20554

In the Matter of
CTC Communications Corporation
Apparent Liability for Forfeiture

File No. EB-06-TC-4483
NAL/Acct. No. 20073217 0037
FRN: 0005013669

NOTICE OF APPARENT LIABILITY FOR FORFEITURE

Adopted: March 26, 2007
Released: March 26, 2007

By the Chief, Enforcement Bureau:

I. INTRODUCTION

1. In this Notice of Apparent Liability for Forfeiture (“NAL”), we find that CTC Communications Corporation (“CTC”) apparently violated section 64.2009(e) of the Commission’s rules[1] by failing to have a corporate officer execute an annual certificate stating that he has personal knowledge that the company has established operating procedures adequate to ensure compliance with the Commission’s rules governing protection and use of customer proprietary network information (“CPNI”).[2] Protection of CPNI is a fundamental obligation of all telecommunications carriers as provided by section 222 of the Communications Act of 1934, as amended (“Communications Act” or “Act”). Based upon our review of the facts and circumstances surrounding this apparent violation, and in particular, the serious consequences that may flow from inadequate concern for and protection of CPNI, we propose a monetary forfeiture of $100,000 against CTC for its apparent failure to comply with section 64.2009(e) of the Commission’s rules.

II. BACKGROUND

2. The Enforcement Bureau (“Bureau”) has been investigating the adequacy of procedures implemented by telecommunications carriers to ensure confidentiality of their subscribers’ CPNI, based on concerns regarding the apparent availability to third parties of sensitive, personal subscriber information. For example, some companies, known as “data brokers,” have advertised the availability of records of wireless subscribers’ incoming and outgoing telephone calls for a fee.[3] Data brokers have also advertised the availability of call information that relates to certain landline toll calls.[4]

3. As part of our inquiry into these issues, the Bureau sent a Letter of Inquiry (“LOI”) to CTC on January 5, 2007, directing it to produce the compliance certificates for the previous five (5) years that it had prepared pursuant to section 64.2009(e) of the Commission’s rules.[5] On January 12, 2007, CTC submitted a document in response to the Bureau’s LOI.[6] The document submitted by CTC does not satisfy the requirements set forth in the rule. Accordingly, we issue this proposed forfeiture.

III. DISCUSSION

4. Section 222 imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information.[7] The Commission has issued rules implementing section 222 of the Act.[8] The Commission required carriers to establish and maintain a system designed to ensure that carriers adequately protected their subscribers’ CPNI. Section 64.2009(e) is one such requirement. Pursuant to section 64.2009(e):

    A telecommunications carrier must have an officer, as an agent of the carrier, sign a compliance certificate on an annual basis stating that the officer has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart.[9]

5. CTC’s January 12 response to the Bureau’s January 5 LOI consists of a three page document signed by CTC’s Executive Vice President. Attached to the document are a copy of a February 6, 2006, CTC filing with the Commission, and declarations dated January 12, 2006, from CTC’s Vice-President of Regulatory Compliance and Executive Vice President. The three page document describes generally how CTC uses CPNI. Additionally, the three page document notes its acquisition of Lightship Telecom, LLC, Connecticut Telephone and Communications Systems, Inc., and Connecticut Broadband, LLC, (collectively, the “Affiliates”) in 2005. Neither the three page document, nor the attachment to it, however, contains a statement by an officer “that the officer has personal knowledge that [CTC, including the Affiliates] has established operating procedures that are adequate to ensure compliance with the [CPNI] rules. . . .” On the contrary, CTC specifically admits that it has not made such a statement with respect to the Affiliates.[10] Accordingly, CTC’s submission, on its face, does not comply with section 64.2009(e) of the Commission’s rules.

6. We conclude that CTC has apparently failed to comply with the requirement that it have an officer certify on an annual basis that the officer has personal knowledge that CTC has established operating procedures adequate to ensure compliance with the Commission’s CPNI rules. For this apparent violation, we propose a forfeiture.

IV. FORFEITURE AMOUNT

7. Section 503(b) of the Communications Act authorizes the Commission to assess a forfeiture of up to $130,000 for each violation of the Act or of any rule, regulation, or order issued by the Commission under the Act.[11] The Commission may assess this penalty if it determines that the carrier’s noncompliance is “willful or repeated.”[12] For a violation to be willful, it need not be intentional.[13] In exercising our forfeiture authority, we are required to take into account “the nature, circumstances, extent, and gravity of the violation and, with respect to the violator, the degree of culpability, any history of prior offenses, ability to pay, and such other matters as justice may require.”[14] In addition, the Commission has established guidelines for forfeiture amounts and, where there is no specific base amount for a violation, retained discretion to set an amount on a case-by-case basis.[15]

8. The Commission’s forfeiture guidelines do not address the specific violation at issue in this proceeding. In determining the proper forfeiture amount in this case, however, we are guided by the principle that there may be no more important obligation on a carrier’s part than protection of its subscribers’ proprietary information. Consumers are increasingly concerned about the security of their sensitive, personal data that they must entrust to their various service providers, whether they are financial institutions or telephone companies. Given the increasing concern about the security of this data, and evidence that the data appears to be widely available to third parties, we must take aggressive, substantial steps to ensure that carriers implement necessary and adequate measures to protect their subscribers’ CPNI, as required by the Commission’s existing CPNI rules. Additionally, in three recent actions, the Commission has issued Notices of Apparent Liability for Forfeiture in the amount of $100,000 against carriers for failure to maintain certifications in compliance with section 64.2009(e) of the Commission’s rules.[16] In this case, CTC has apparently failed to implement necessary and adequate measures, as required, to protect the subscribers’ CPNI data entrusted to it, as evidenced by the apparent insufficiency of the required compliance certification. Based on all the facts and circumstances present in this case, we believe the proposed forfeiture of $100,000 is warranted.[17]

9. CTC will have the opportunity to submit further evidence and arguments in response to this NAL to show that no forfeiture should be imposed or that some lesser amount should be assessed.[18] For example, CTC may present evidence that it has compelling financial arguments to reduce the proposed forfeiture or that it has maintained a history of overall compliance.[19] To support a claim of inability to pay, the petitioner must submit: (1) federal tax returns for the most recent three-year period; (2) financial statements prepared according to generally accepted accounting practices (GAAP); or (3) some other reliable and objective documentation that accurately reflects the petitioner’s current financial status. Any claim of inability to pay must specifically identify the basis for the claim by reference to the financial documentation submitted. The Commission will fully consider any such arguments made by CTC in its response to this NAL.

V. CONCLUSION AND ORDERING CLAUSES

10. We have determined that CTC has apparently violated Section 64.2009(e) of the Commission’s rules by failing to prepare and maintain a certification in compliance with the rule. We find CTC apparently liable for $100,000.

11. ACCORDINGLY, IT IS ORDERED THAT, pursuant to Section 503(b) of the Communications Act of 1934, as amended,[20] Section 1.80(f)(4) of the Commission’s rules,[21] and authority delegated by Sections 0.111 and 0.311 of the Commission’s rules,[22] CTC Communications Corporation IS LIABLE FOR A MONETARY FORFEITURE in the amount of one hundred thousand dollars ($100,000) for willfully or repeatedly violating Section 64.2009 of the Commission’s rules, by failing to prepare and maintain a certificate that complies with 64.2009(e).

12. IT IS FURTHER ORDERED THAT, pursuant to section 1.80 of the Commission’s rules, within thirty days of the release date of this NOTICE OF APPARENT LIABILITY CTC Communications Corporation SHALL PAY the full amount of the proposed forfeiture or SHALL FILE a written statement seeking reduction or cancellation of the proposed forfeiture.

13. Payment of the forfeiture must be made by check or similar instrument, payable to the order of the Federal Communications Commission. The payment must include the NAL/Acct. No. and FRN No. referenced above. Payment by check or money order may be mailed to Forfeiture Collection Section, Finance Branch, Federal Communications Commission, P.O. Box 358340, Pittsburgh, PA 15251. Payment by overnight mail may be sent to Mellon Client Service Center, 500 Ross Street, Room 670, Pittsburgh, PA 15262-0001. Attn: FCC Module Supervisor. Payment by wire transfer may be made to ABA Number 043000261, receiving bank Mellon Bank, and account number 911-6229. Please include your NAL/Acct. No. with your wire transfer remittance. Requests for payment of the full amount of this NAL under an installment plan should be sent to Chief, Credit and Management Center, 445 12th Street, S.W., Washington, D.C. 20554.

14. IT IS FURTHER ORDERED that a copy of this Order shall be sent by Certified Mail, Return Receipt Requested to CTC Communications Corporation, 220 Bear Hill Road, Waltham, Massachusetts 02451.

FEDERAL COMMUNICATIONS COMMISSION

Kris A. Monteith
Chief, Enforcement Bureau

[1] See 47 C.F.R. §64.2009(e).

[2] CPNI is defined as information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the customer-carrier relationship. See 47 U.S.C. § 222(h)(1)(A); 47 C.F.R. § 64.2003(d).

[3] See, e.g. http://www.epic.org/privacy/iei/.

[4] See id.

[5] Letter from Marcy Greene, Deputy Division Chief, Telecommunications Consumers Division, Enforcement Bureau, Federal Communications Commission, to Mr. Ray Allieri, CEO, CTC Communications Corp., (January 5, 2007) (“January 5 LOI”).

[6] Letter from James P. Prenetta, Jr., Executive Vice President and General Counsel, CTC Communications Corp., to Marcy Greene, Deputy Division Chief, Telecommunications Consumers Division, Enforcement Bureau, Federal Communications Commission (January 12, 2007) (“January 12 response”).

[7] Section 222 of the Communications Act provides that: “Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier.” 47 U.S.C. § 222.

[8] In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information and Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, Order and Further Notice of Proposed Rulemaking, 13 FCC Rcd 8061 (1998) (“CPNI Order”); see also In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information and Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, Order on Reconsideration and Petitions for Forbearance, 14 FCC Rcd 14409 (1999); In the Matter of Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information and Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended; 2000 Biennial Regulatory Review -- Review of Policies and Rules Concerning Unauthorized Changes of Consumers’ Long Distance Carriers, Third Report and Order and Third Further Notice of Proposed Rulemaking, 17 FCC Rcd 14860 (2002).

[9] 47 C.F.R. § 64.2009(e).

[10] See January 12 Response, p. 1: “[CTC] has not located any 47 C.F.R. § 64.2009(e) internal compliance certificates for [the Affiliates] for the period of time prior to [CTC]’s acquisition of those companies. In connection with [CTC]’s annual CPNI review process, a CPNI compliance certificate will be prepared and maintained …” (emphasis added).

[11] Section 503(b)(2)(B) provides for forfeitures against common carriers of up to $130,000 for each violation or each day of a continuing violation up to a maximum of $1,325,000 for each continuing violation. 47 U.S.C. § 503(b)(2)(B). See Amendment of Section 1.80 of the Commission’s Rules and Adjustment of Forfeiture Maxima to Reflect Inflation, 15 FCC Rcd 18221 (2000); Amendment of Section 1.80 of the Commission’s Rules and Adjustment of Forfeiture Maxima to Reflect Inflation, 19 FCC Rcd 10945 (2004) (increasing maximum forfeiture amounts to account for inflation).

[12] 47 U.S.C. § 503(b)(1)(B) (the Commission has authority under this section of the Act to assess a forfeiture penalty against a common carrier if the Commission determines that the carrier has “willfully or repeatedly” failed to comply with the provisions of the Act or with any rule, regulation, or order issued by the Commission under the Act); see also 47 U.S.C. § 503(b)(4)(A) (providing that the Commission must assess such penalties through the use of a written notice of apparent liability or notice of opportunity for hearing). Here, as described above, CTC’s actions were willful as it apparently failed to prepare the required compliance certification.

[13] Southern California Broadcasting Co., 6 FCC Rcd 4387 (1991).

[14] See 47 U.S.C. § 503(b)(2)(D); see also The Commission’s Forfeiture Policy Statement and Amendment of Section 1.80 of the Commission’s Rules, 12 FCC Rcd 17087 (1997) (“Forfeiture Policy Statement”); recon. denied, 15 FCC Rcd 303 (1999).

[15] Forfeiture Policy Statement, 12 FCC Rcd 17098-99, ¶ 22.

[16] AT&T, Inc., Notice of Apparent Liability for Forfeiture, 21 FCC Rcd 751 (Enf. Bur. rel. Jan. 30, 2006); Alltel Corp., Notice of Apparent Liability for Forfeiture, 21 FCC Rcd 746 (Enf. Bur. rel. Jan 30, 2006); Cbeyond Communications LLC, Notice of Apparent Liability for Forfeiture, 21 FCC Rcd 4316 (Enf. Bur. rel. April 21, 2006).

[17] 47 U.S.C. § 503(b)(4)(A).

[18] 47 U.S.C. § 503(b)(4)(C); 47 C.F.R. § 1.80(f)(3).

[19] 47 C.F.R. § 1.80(b)(4) (discussing factors the Commission or its designee will consider in deciding appropriate forfeiture amount).

[20] 47 U.S.C. § 503(b).

[21] 47 C.F.R. § 1.80(f)(4).

[22] 47 C.F.R. §§ 0.111, 0.311.