PUBLIC NOTICE Federal Communications Commission 445 12 th St., S.W. Washington, D.C. 20554 News Media Information 202 / 418-0500 Internet: http://www.fcc.gov TTY: 1-888-835-5322 DA 18-114 Released: February 7, 2018 WIRELINE COMPETITION BUREAU REMINDS TELECOMMUNICATIONS CARRIERS AND INTERCONNECTED VOIP PROVIDERS THAT ANNUAL CPNI CERTIFICATIONS ARE DUE MARCH 1, 2018 WC Docket Nos. 96-115, 16-106 EB Docket No. 06-36 On January 31, 2018, the Office of Management and Budget extended its approval of the information collection contained in the Commission’s customer proprietary network information (CPNI) rules, including the requirements that carriers and interconnected Voice over Internet Protocol (VoIP) providers file annual reports certifying compliance with Commission rules protecting CPNI. 1 As a result, the Wireline Competition Bureau (Bureau) reminds carriers and interconnected VoIP providers of their obligation to file, by March 1, 2018, their annual certification documenting compliance with the Commission’s CPNI rules. 2 CPNI includes sensitive personal information that carriers collect about their customers during the course of their business relationship (e.g., telephone numbers of calls made and received; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting and voicemail). The Commission’s rules seek to ensure that CPNI is adequately protected from unauthorized access, use, or disclosure. 3 Attachment 1 explains how telecommunications carriers and interconnected VoIP providers can satisfy their certification filing obligations. In prior years, many companies subject to the CPNI rules have failed to file certifications or filed certifications that violate our rules in material respects. Failure to file a timely and complete certification calls into question whether a company has complied with the rules requiring it to protect the privacy and security of its customers’ sensitive information. Because the CPNI rules provide important consumer protections, the Commission has taken enforcement action against telecommunications carriers and interconnected VoIP providers that failed to comply with 1 See OMB Control No. 3060-0715, Approval Without Change (Jan. 31, 2018), https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201709-3060-013 (extending approval for three years and providing as Terms of Clearance that “[b]efore the next three-year renewal FCC should reevaluate its current use of the information collections associated with 47 CFR 64.2009 section (c) and (e) and consider revising or removing them if they no longer provide practical utility”). 2 See 47 CFR § 64.2009(e). 3 See 47 CFR § 64.2001 et seq. 2the requirements, and we intend to continue to enforce the rules. Companies are reminded that failure to comply with the CPNI rules, including the annual certification requirement, may subject them to enforcement action, including monetary forfeitures of up to $196,387 for each violation or each day of a continuing violation, up to a maximum of $1,963,870. 4 False statements or misrepresentations to the Commission may be punishable by fine or imprisonment under Title 18 of the U.S. Code. Attachments: (1) Frequently Asked Questions; (2) CPNI Certification Template; (3) Text of the CPNI recordkeeping and certification rules. 4 47 U.S.C. § 503(b)(2)(B); see also 47 CFR § 1.80(b)(2); Amendment of Section 1.80(b) of the Commission’s Rules, Adjustment of Civil Monetary Penalties to Reflect Inflation, Order, DA 18-12 (EB Jan. 5, 2018). 3ATTACHMENT 1 FREQUENTLY ASKED QUESTIONS The following frequently asked questions are addressed in this Public Notice: ? What are the CPNI rules, and where can I find them? ? Who is required to file? ? Is there an exemption for small companies? ? What must be included in the annual certification filing? ? When are companies required to file the annual certification? ? Is this the same as my form 499 filing or my USF filing? ? What format should I use for my CPNI certification? ? How do I file the CPNI certification? ? What if I have questions? What are the CPNI rules, and where can I find them? Protection of CPNI is required by Section 222 of the Communications Act of 1934, as amended (Communications Act or Act). Consumers are understandably concerned about the privacy and security of the sensitive, personal data their telecommunication carrier collects in the provision of service. In recognition of these concerns, the Commission issued rules requiring carriers and interconnected VoIP providers to establish and maintain systems designed to ensure that they adequately protect their subscribers’ CPNI. Those rules also require carriers and interconnected VoIP providers to, among other things: (1) obtain customers’ approval to use, disclose, or permit access to their CPNI for marketing purposes; 1 (2) notify customers of their right to restrict the use of their CPNI; 2 (3) take reasonable measures to protect against attempts to gain unauthorized access to CPNI; 3 (4) notify law enforcement and affected customers of a breach of CPNI. 4 In addition, all companies subject to the CPNI rules must file an annual certification documenting their compliance with the rules, and documenting any complaints or problems. 5 Companies must file these certifications with the Commission annually on or before March 1. The CPNI rules are found at 47 CFR § 64.2001 et seq. A copy of the current version of the certification portion of the rules is attached to this Public Notice. To ensure that you are aware of any changes to the rules, you are advised always to check the current version of the Code of Federal Regulations, which can be found at the Government Printing Office website, here: https://www.ecfr.gov. Who is required to file? Telecommunications carriers and interconnected VoIP providers must file a CPNI certification each year. ? A “telecommunications carrier” is “any provider of telecommunications services,” except an aggregator. 6 The Communications Act defines telecommunications service as “the offering of 1 47 CFR § 64.2007. 2 47 CFR § 64.2008. 3 47 CFR § 64.2010(a). 4 47 CFR § 64.2011. 5 47 CFR § 64.2009(e). 6 47 U.S.C. § 153(51). Section 226 of the Act defines an aggregator as “any person that, in the ordinary course of its 4telecommunications for a fee directly to the public, or to such classes of users as to be effectively available directly to the public, regardless of the facilities used.” 7 ? Some examples of “telecommunications carriers” that must file an annual certification are: local exchange carriers (LECs) (including incumbent LECs, rural LECs, and competitive LECs), interexchange carriers, commercial mobile radio services (CMRS) providers, resellers, prepaid telecommunications providers, and calling card providers. This list is not exhaustive. ? “Interconnected VoIP providers” are companies that provide a service that: “(1) enables real- time, two-way voice communications; (2) requires a broadband connection from the user’s location; (3) requires Internet protocol-compatible customer premises equipment (CPE); and (4) permits users generally to receive calls that originate on the public switched telephone network and terminate calls to the public switched network.” 8 Is there an exemption for small companies? No, there is no exemption for small companies. The annual certification filing requirement applies regardless of the size of the company. What must be included in the annual certification filing? The annual certification filing must include all of the elements listed below: ? A compliance certificate signed by an officer of the company. ? A statement by the officer in the compliance certificate that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the CPNI rules. ? A written statement accompanying the certification explaining how the company’s operating procedures ensure that it is or is not in compliance with the CPNI rules. ? An explanation of any actions taken against data brokers. ? A summary of all consumer complaints received in the prior year concerning unauthorized release of CPNI. See Attachment 2 for a suggested template that can be used to prepare the certification filing. In reviewing prior years’ filings, the Commission has found the following recurring deficiencies: ? Companies fail to have the officer signing the certification affirmatively state that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance. An officer of the company must sign the compliance certificate. ? Companies fail to provide a statement accompanying the certification explaining how their operating procedures ensure that they are or are not in compliance with the rules. Stating that operations, makes telephones available to the public or to transient users of its premises, for interstate telephone calls using a provider of operator services.” 47 U.S.C. § 226(a)(2). 7 47 U.S.C. § 153(53). 8 47 CFR § 9.3 5the company has adopted operating procedures without explaining how compliance is being achieved does not satisfy this requirement. ? Companies fail to state clearly whether any actions were taken against data brokers in the prior year. If there were no such actions, the company must include an affirmative statement of that fact to make clear that it has provided the required information. ? Companies fail to state clearly whether any customer complaints were received in the prior year concerning the unauthorized release of CPNI. If there were no such complaints, the company must include an affirmative statement of that fact to make clear that it has provided the required information. To help companies ensure that their certifications contain all of the required information, we are providing a suggested template, attached to this Public Notice. When are companies required to file the annual certification? The 2018 annual certification filing (for calendar year 2017) is due no later than March 1, 2018. Is this the same as my Form 499 filing or my USF filing? No. The annual CPNI certification filing is different from Form 499 filings and USF filings. What format should I use for my CPNI certification? A suggested template is attached to this Public Notice. See Attachment 2. This template was designed to ensure that companies will comply with the annual certification filing requirement of 47 CFR § 64.2009(e) if they complete it fully and accurately. Use of this template is not mandatory, and companies may use any format that fulfills the requirements of the rule. If you elect to use the suggested template, we encourage you to review the template carefully and to ensure that all fields are fully and accurately completed before submission. How do I file the CPNI certification? Certifications may be filed using the Commission’s Electronic Comment Filing System (ECFS). To file a certification using ECFS, visit https://www.fcc.gov/ecfs/filings. Filings submitted through ECFS must reference EB Docket No. 06-36 in the “proceeding” field. Companies must file a separate certification for each affiliate in possession of a unique 499 filer ID number. Do not send copies of certifications to the Wireline Competition Bureau, the Enforcement Bureau, or to any individuals within the Federal Communications Commission unless such filing is a requirement of a consent decree with the Enforcement Bureau. People with Disabilities: To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an e-mail to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (tty). What if I have questions? For further information regarding the Commission’s CPNI rules, contact Sherwin Siy, Competition Policy Division, Wireline Competition Bureau, (202) 418-2783. For further information regarding the annual certification filing, contact any of the following individuals in the Telecommunications Consumers Division, Enforcement Bureau: Rosemary Cabral, (202) 418-0662; Ann Morgan, (202) 418-1929; Mika Savir, (202) 418-0384; or Michael Epshteyn, (202) 418-1139. 6ATTACHMENT 2 Annual 47 CFR § 64.2009(e) CPNI Certification Template EB Docket 06-36 Annual 64.2009(e) CPNI Certification for [Insert year] covering the prior calendar year [Insert year] 1. Date filed: [Insert date] 2. Name of company(s) covered by this certification: [Insert company name] 3. Form 499 Filer ID: [Provide filer ID number(s)] 4. Name of signatory: [Insert name] 5. Title of signatory: [Insert title of corporate officer] 6. Certification: I, [insert name of officer signing certification], certify that I am an officer of the company named above, and acting as an agent of the company, that I have personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the Commission’s CPNI rules. See 47 CFR § 64.2001 et seq. Attached to this certification is an accompanying statement explaining how the company’s procedures ensure that the company is in compliance with the requirements (including those mandating the adoption of CPNI procedures, training, safeguards, recordkeeping, and supervisory review) set forth in section 64.2001 et seq. of the Commission’s rules. The company [has/has not] taken actions (i.e., proceedings instituted or petitions filed by a company at either state commissions, the court system, or at the Commission against data brokers) against data brokers in the past year. [NOTE: If you reply in the affirmative, provide an explanation of any actions taken against data brokers.] The company [has/has not] received customer complaints in the past year concerning the unauthorized release of CPNI. [NOTE: If you reply in the affirmative, provide a summary of such complaints. This summary must include the number of complaints, broken down by category or complaint, e.g., instances of improper access by employees, instances of improper disclosure to individuals not authorized to receive the information, or instances of improper access to online information by individuals not authorized to view the information.] The company represents and warrants that the above certification is consistent with 47 CFR § 1.17, which requires truthful and accurate statements to the Commission. The company also acknowledges that false statements and misrepresentations to the Commission are punishable under Title 18 of the U.S. Code and may subject it to enforcement action. Signed _____________________________ [Signature of an officer, as agent of the carrier] Attachments: Accompanying Statement explaining CPNI procedures Explanation of actions taken against data brokers (if applicable) Summary of customer complaints (if applicable) 7ATTACHMENT 3 47 CFR § 64.2009 Safeguards required for use of customer proprietary network information. (a) Telecommunications carriers must implement a system by which the status of a customer's CPNI approval can be clearly established prior to the use of CPNI. (b) Telecommunications carriers must train their personnel as to when they are and are not authorized to use CPNI, and carriers must have an express disciplinary process in place. (c) All carriers shall maintain a record, electronically or in some other manner, of their own and their affiliates' sales and marketing campaigns that use their customers' CPNI. All carriers shall maintain a record of all instances where CPNI was disclosed or provided to third parties, or where third parties were allowed access to CPNI. The record must include a description of each campaign, the specific CPNI that was used in the campaign, and what products and services were offered as a part of the campaign. Carriers shall retain the record for a minimum of one year. (d) Telecommunications carriers must establish a supervisory review process regarding carrier compliance with the rules in this subpart for outbound marketing situations and maintain records of carrier compliance for a minimum period of one year. Specifically, sales personnel must obtain supervisory approval of any proposed outbound marketing request for customer approval. (e) A telecommunications carrier must have an officer, as an agent of the carrier, sign and file with the Commission a compliance certificate on an annual basis. The officer must state in the certification that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart. In addition, the carrier must include an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. This filing must be made annually with the Enforcement Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining to the previous calendar year. (f) Carriers must provide written notice within five business days to the Commission of any instance where the opt-out mechanisms do not work properly, to such a degree that consumers' inability to opt-out is more than an anomaly. (1) The notice shall be in the form of a letter, and shall include the carrier's name, a description of the opt-out mechanism(s) used, the problem(s) experienced, the remedy proposed and when it will be/was implemented, whether the relevant state commission(s) has been notified and whether it has taken any action, a copy of the notice provided to customers, and contact information. (2) Such notice must be submitted even if the carrier offers other methods by which consumers may opt-out.