Federal Communications Commission DA 09-338 Before the Federal Communications Commission Washington, D.C. 20554 In the Matter of Network Innovations, Inc. Apparent Liability for Forfeiture ) ) ) ) ) ) ) ) ) File No. EB-09-TC-133 NAL/Acct. No. 200932170092 FRN: 0010737641 NOTICE OF APPARENT LIABILITY FOR FORFEITURE Adopted: February 25, 2009 Released: February 25, 2009 By the Chief, Enforcement Bureau: I. INTRODUCTION 1. In this Notice of Apparent Liability for Forfeiture (“NAL”), we find that Network Innovations, Inc. (“Network Innovations” or “Company”) apparently willfully or repeatedly violated section 222 of the Communications Act of 1934, as amended (the “Act”),1 section 64.2009(e) of the Commission’s rules2 and the Commission’s EPIC CPNI Order.3 Protection of CPNI is a fundamental obligation of all telecommunications carriers as provided by section 222 of the Act.4 Based upon our review of the facts and circumstances surrounding this apparent violation, we find that Network Innovations is apparently liable for a monetary forfeiture in the amount of two thousand dollars ($2,000).5 Network Innovations will have the opportunity to submit further evidence and arguments in response to 1 47 U.S.C. § 222. 2 47 C.F.R. § 64.2009(e). 3 Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services, CC Docket No. 96-115; WC Docket No. 04-36, Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 6927, 6953 (2007) (“EPIC CPNI Order”); aff’d sub nom. Nat’l Cable & Telecom. Assoc. v. FCC, No. 07-132, (D.C. Cir. Decided Feb. 13, 2009). 4 CPNI is defined as information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the customer-carrier relationship. See 47 U.S.C. § 222(h)(1)(A); 47 C.F.R. § 64.2003(d) 5 See 47 U.S.C. § 503(b)(4)(A). The Commission has authority under this section of the Act to assess a forfeiture penalty against a common carrier if the Commission determines that the carrier has “willfully or repeatedly” failed to comply with the provisions of the Act or with any rule, regulation, or order issued by the Commission under the Act. The section provides that the Commission must assess such penalties through the use of a written notice of apparent liability or notice of opportunity for hearing. Federal Communications Commission DA 09-338 2 this NAL to show that no forfeiture should be imposed or that some lesser amount should be assessed.6 II. BACKGROUND 2. Section 222 imposes the general duty on all telecommunications carriers to protect the confidentiality of their subscribers’ proprietary information.7 The Commission has issued rules implementing section 222 of the Act.8 The Commission required carriers to establish and maintain a system designed to ensure that carriers adequately protected their subscribers’ CPNI. Section 64.2009(e) is one such requirement. 3. In 2006, some companies, known as “data brokers,” advertised the availability of records of wireless subscribers’ incoming and outgoing telephone calls for a fee.9 Data brokers also advertised the availability of records of certain landline toll calls.10 On April 2, 2007, the Commission strengthened its privacy rules with the release of the EPIC CPNI Order,11 which adopts additional safeguards to protect CPNI against unauthorized access and disclosure. The EPIC CPNI Order was directly responsive to the actions of databrokers, or pretexters, to obtain unauthorized access to CPNI.12 The EPIC CPNI Order and amended rule 47 C.F.R. § 64.2009(e) require that all companies subject to the CPNI rules file annually, on or before March 1, a certification with the Commission that certifies to the company’s compliance with the Commission’s CPNI rules and provides an accompanying statement explaining how the company’s procedures ensure that the company is or is not in compliance with the CPNI rules.13 6 47 U.S.C. § 503(b)(4)(C); 47 C.F.R. § 1.80(f)(3). 7 Section 222 of the Communications Act, 47 U.S.C § 222, provides that: “Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier.” Prior to the 1996 Act, the Commission had established CPNI requirements applicable to the enhanced services operations of AT&T, the Bell Operating Companies (“BOCs”), and GTE, and the customer premises equipment (“CPE”) operations of AT&T and the BOCs, in the Computer II, Computer III, GTE Open Network Architecture (“ONA”), and BOC CPE Relief proceedings. See Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information and Implementation of Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, CC Docket Nos. 96-115 and 96-149, Second Report and Order and Further Notice of Proposed Rulemaking, 13 FCC Rcd 8061, 8068-70, para. 7 (1998) (“CPNI Order”) (describing the Commission’s privacy protections for confidential customer information in place prior to the 1996 Act). 8 See CPNI Order. See also Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information and Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, CC Docket Nos. 96-115 and 96-149, FCC 99-223, Order on Reconsideration and Petitions for Forbearance 14 FCC Rcd 14409 (1999); 2000 Biennial Regulatory Review -- Review of Policies and Rules Concerning Unauthorized Changes of Consumers’ Long Distance Carriers, CC Docket No. 00-257, Third Report and Order and Third Further Notice of Proposed Rulemaking, 17 FCC Rcd 14860 (2002); EPIC CPNI Order, supra. n.3. 9 See, e.g., http://www.epic.org/privacy/iei/. 10 See id. 11 EPIC CPNI Order, 22 FCC Rcd 6927. 12 Id. at 6928. 13 Id. at 6953; 47 C.F.R. § 64.2009(e). Prior to the issuance of the EPIC CPNI Order, carriers were required to maintain in their files an annual CPNI Certification that certified to the company’s compliance with the Commission’s CPNI rules and provided an accompanying statement explaining how the company’s procedures (continued….) Federal Communications Commission DA 09-338 3 Additionally, companies must now provide “an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI.”14 III. DISCUSSION 4. On February 29, 2008, Network Innovations filed its annual CPNI compliance certificate with the Commission. The Bureau has determined that the CPNI compliance certificate filed by Network Innovations does not meet the requirements of section 64.2009(e) of the Commission’s rules. The Commission’s rules require that telecommunications carriers file their annual compliance certification with the Bureau on or before March 1. Thus, on March 1, Network Innovations had a non-compliant CPNI certification on file with the Commission. In particular, Network Innovations has failed to submit an annual CPNI compliance certificate that provides an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. Accordingly, Network Innovations’ submission, on its face, does not comply with section 64.2009(e) of the Commission’s rules. We conclude that Network Innovations is in apparent violation of section 222 of the Act, section 64.2009(e) of the Commission’s rules and the Commission’s EPIC CPNI Order. For these apparent violations, we propose a forfeiture. IV. FORFEITURE AMOUNT 5. Section 503(b) of the Communications Act authorizes the Commission to assess a forfeiture of up to $130,000 for each violation of the Act or of any rule, regulation, or order issued by the Commission under the Act.15 The Commission may assess this penalty if it determines that the carrier’s noncompliance is “willful or repeated.”16 For a violation to be willful, it need not be intentional.17 In exercising our forfeiture authority, we are required to take into account “the nature, circumstances, extent, and gravity of the violation and, with respect to the violator, the degree of culpability, any history of prior (Continued from previous page) ensure that the company is or is not in compliance with the CPNI rules. The rule also required carriers to make the certification available upon request. 14 22 FCC Rcd at 6953. Specifically, pursuant to section 64.2009(e): A telecommunications carrier must have an officer, as an agent of the carrier, sign and file with the Commission a compliance certificate on an annual basis. The officer must state in the certification that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart. In addition, the carrier must include an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. This filing must be made annually with the Enforcement Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining to the previous calendar year. 47 C.F.R. § 64.2009(e). 15 Section 503(b)(2)(B) provides for forfeitures against common carriers of up to $130,000 for each violation or each day of a continuing violation up to a maximum of $1,325,000 for each continuing violation. 47 U.S.C. § 503(b)(2)(B). See Amendment of Section 1.80 of the Commission’s Rules and Adjustment of Forfeiture Maxima to Reflect Inflation, 15 FCC Rcd 18221 (2000); Amendment of Section 1.80 of the Commission’s Rules and Adjustment of Forfeiture Maxima to Reflect Inflation, 19 FCC Rcd 10945 (2004) (increasing maximum forfeiture amounts to account for inflation). 16 47 U.S.C. § 503(b)(1)(B) (the Commission has authority under this section of the Act to assess a forfeiture penalty against a common carrier if the Commission determines that the carrier has “willfully or repeatedly” failed to comply with the provisions of the Act or with any rule, regulation, or order issued by the Commission under the Act); see also 47 U.S.C. § 503(b)(4)(A) (providing that the Commission must assess such penalties through the use of a written notice of apparent liability or notice of opportunity for hearing). 17 Southern California Broadcasting Co., 6 FCC Rcd 4387 (1991). Federal Communications Commission DA 09-338 4 offenses, ability to pay, and such other matters as justice may require.”18 In addition, the Commission has established guidelines for forfeiture amounts and, where there is no specific base amount for a violation, retained discretion to set an amount on a case-by-case basis.19 6. The Commission’s forfeiture guidelines do not address the specific violation at issue in this proceeding. In determining the proper forfeiture amount in this case, however, we are guided by the principle that protection of subscribers’ proprietary information is an important carrier obligation. Consumers are understandably concerned about the security of their sensitive, personal data that they must entrust to their various service providers, whether they are financial institutions or telephone companies. Given consumers’ continued concern about the security of this data, and evidence that the data appears to be available to third parties, we must take serious steps to ensure that carriers implement necessary and adequate measures to protect their subscribers’ CPNI, as required by the Commission’s existing CPNI rules. 7. In prior actions in 2006, the Commission issued Notices of Apparent Liability for Forfeiture proposing forfeitures in the amount of $100,000 against carriers for violations of the Commission’s CPNI rules.20 Under the rules operative at that time, carriers were not required to file the annual certification with the Commission but instead were required to make the certificate available to the Commission upon request. The Commission’s investigations demonstrated that some companies appeared to pay little heed to rules which placed a duty upon them to maintain certifications and make the representations therein that processes were in place to protect CPNI without the further scrutiny of the Commission. Accordingly, a substantial forfeiture was proposed. 8. As explained above, the Commission strengthened the CPNI rules in 2007, in part, as a response to earlier investigations, and imposed, among other things, the requirement that carriers submit the annual certifications to the Commission rather than rely solely on non-filed carrier certifications and representations of compliance with the rules, without further scrutiny. We have conducted an extensive review of the certifications filed with the Commission to satisfy the March 1, 2008, filing deadline, as well as examined failures to satisfy the filing requirement all together. Informed by this analysis and our earlier investigations, we revise our forfeiture approach and adopt a maximum proposed forfeiture of $10,000 for the submission of an annual CPNI certification that fails to meet the requirements of section 64.2009(e).21 This revised proposed forfeiture is based on a number of factors. Specifically, we have considered compliance overall based on our review of the annual submissions; the expanded scope of the new rule to require additional types of information to be produced;22 and, the amount of forfeiture necessary to have the intended deterrent effect. With respect to this latter factor, we note that the vast majority of the companies affected are smaller companies. Given this fact, and that this is the first year of the filing requirement, we believe that the goal of deterring future non-compliance with respect to the required elements of section 64.2009(e) will be met by issuing proposed forfeitures consistent with the maximum amount proposed herein. We take noncompliance with our CPNI rules very seriously. To the extent that we determine that the forfeiture approach adopted herein does not have the intended deterrent 18 See 47 U.S.C. § 503(b)(2)(D); see also The Commission’s Forfeiture Policy Statement and Amendment of Section 1.80 of the Commission’s Rules, 12 FCC Rcd 17087 (1997) (“Forfeiture Policy Statement”); recon. denied, 15 FCC Rcd 303 (1999). 19 Forfeiture Policy Statement, 12 FCC Rcd 17098-99, ¶ 22. 20 See, e.g., AT&T, Inc., Notice of Apparent Liability for Forfeiture, 21 FCC Rcd 751 (Enf. Bur. 2006); Alltel Corp., Notice of Apparent Liability for Forfeiture, 21 FCC Rcd 746 (Enf. Bur. 2006); Cbeyond Communications LLC, Notice of Apparent Liability for Forfeiture, 21 FCC Rcd 4316 (Enf. Bur. 2006). 21 See n.14. 22 Because the EPIC CPNI Order took effect on December 8, 2007, the new reporting requirements were only in effect from that date until the end of the calendar year. Federal Communications Commission DA 09-338 5 effect, future noncompliance will face more severe penalties.23 9. In determining the appropriate proposed forfeiture, we are cognizant that certain violations are more technical in nature and do not greatly inhibit the Commission’s ability to judge the effectiveness of a company’s CPNI policies while others are more substantive in nature and limit the usefulness of the certification in determining overall compliance with the rules. In this case, Network Innovations has apparently failed to submit an annual CPNI compliance certificate that provides an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. Based on the nature of this noncompliance and all the facts and circumstances present in this case, we believe the proposed forfeiture of two thousand dollars ($2,000) is warranted.24 10. Network Innovations will have the opportunity to submit further evidence and arguments in response to this NAL to show that no forfeiture should be imposed or that some lesser amount should be assessed.25 For example, Network Innovations may present evidence that it has compelling, financial arguments to reduce the proposed forfeiture or that it has maintained a history of overall compliance.26 The Commission will fully consider any such arguments made by Network Innovations in its response to this NAL. V. ORDERING CLAUSES 11. We have determined that Network Innovations, Inc., by failing to submit an annual CPNI compliance certificate that provides an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI, has apparently willfully or repeatedly violated Section 222 of the Act, section 64.2009(e) of the Commission’s rules and the Commission’s EPIC CPNI Order. We find Network Innovations apparently liable for a forfeiture of two thousand dollars ($2,000). 12. ACCORDINGLY, IT IS ORDERED THAT, pursuant to Section 503(b) of the Communications Act of 1934, as amended,27 Section 1.80(f)(4) of the Commission’s rules,28 and authority delegated by Sections 0.111 and 0.311 of the Commission’s rules,29 Network Innovations, Inc. IS LIABLE FOR A MONETARY FORFEITURE in the amount of two thousand dollars ($2,000) for willfully or repeatedly violating Section 222 of the Act, section 64.2009(e) of the Commission’s rules and the Commission’s EPIC CPNI Order by failing to submit a compliant annual CPNI certificate. 13. IT IS FURTHER ORDERED THAT, pursuant to section 1.80 of the Commission’s rules,30 within thirty (30) days of the release date of this Notice of Apparent Liability for Forfeiture, Network Innovations, Inc. SHALL PAY the full amount of the proposed forfeiture or SHALL FILE a written statement seeking reduction or cancellation of the proposed forfeiture. 23 The Commission retains the discretion to impose a higher forfeiture in cases of future noncompliance. 24 47 U.S.C. § 503(b)(4)(A). 25 47 U.S.C. § 503(b)(4)(C); 47 C.F.R. § 1.80(f)(3). 26 47 C.F.R. § 1.80(b)(4) (discussing factors the Commission or its designee will consider in deciding appropriate forfeiture amount). 27 47 U.S.C. § 503(b). 28 47 U.S.C. § 1.80(f)(4). 29 47 C.F.R. §§ 0.111, 0.311. 30 47 C.F.R. § 1.80. Federal Communications Commission DA 09-338 6 14. Payment of the forfeiture must be made by check or similar instrument, payable to the order of the Federal Communications Commission. The payment must include the NAL/Account Number and FRN Number referenced above. Payment by check or money order may be mailed to Federal Communications Commission, P.O. Box 979088, St. Louis, MO 63197-9000. Payment by overnight mail may be sent to U.S. Bank – Government Lockbox #979088, SL-MO-C2-GL, 1005 Convention Plaza, St. Louis, MO 63101. Payment by wire transfer may be made to ABA Number 021030004, receiving bank TREAS/NYC, and account number 27000001. For payment by credit card, an FCC Form 159 (Remittance Advice) must be submitted. When completing the FCC Form 159, enter the NAL/Account number in block number 23A (call sign/other ID), and enter the letters “FORF” in block number 24A (payment type code). Network Innovations will also send electronic notification on the date said payment is made to Johnny.drake@fcc.gov. Requests for full payment under an installment plan should be sent to: Chief Financial Officer -- Financial Operations, 445 12th Street, S.W., Room 1- A625, Washington, D.C. 20554. Please contact the Financial Operations Group Help Desk at 1-877- 480-3201 or Email: ARINQUIRIES@fcc.gov with any questions regarding payment procedures. 15. The response, if any, must be mailed both to the Office of the Secretary, Federal Communications Commission, 445 12th Street, SW, Washington, DC 20554, ATTN: Enforcement Bureau – Telecommunications Consumers Division, and to Marcy Greene, Deputy Chief, Telecommunications Consumers Division, Enforcement Bureau, Federal Communications Commission, 445 12th Street, SW, Washington, DC 20554, and must include the NAL/Acct. No. referenced in the caption. 16. The Commission will not consider reducing or canceling a forfeiture in response to a claim of inability to pay unless the petitioner submits: (1) federal tax returns for the most recent three- year period; (2) financial statements prepared according to generally accepted accounting practices; or (3) some other reliable and objective documentation that accurately reflects the petitioner’s current financial status. Any claim of inability to pay must specifically identify the basis for the claim by reference to the financial documentation submitted. 17. IT IS FURTHER ORDERED that a copy of this Notice of Apparent Liability for Forfeiture shall be sent by Certified Mail Return Receipt Requested and First Class Mail to the Company at Network Innovations, Inc., 1246 W. George St., Chicago, IL 60657 and to its agent, CT Corporation, 1015 15th St. NW, Suite 1000, Washington, DC 20005. FEDERAL COMMUNICATIONS COMMISSION Kris Anne Monteith Chief, Enforcement Bureau