FEDERAL COMMUNICATIONS COMMISSION
WASHINGTON
OFFICE OF THE CHAIRMAN

March 18, 2016

The Honorable Jeff Flake
United States Senate
413 Russell Senate Office Building
Washington, D.C. 20510

Dear Senator Flake:

Thank you for your letters of January 29 and March 4, 2016 regarding the Commission's activities to protect consumer privacy in telecommunications sectors. As you know, Congress has tasked the FCC with implementing the requirements of Section 222 of the Communications Act as well as the other consumer privacy protections contained in the Act, including Sections 338 and 631, which apply to cable and satellite operators.

Section 222 establishes a duty on common carriers to protect the confidentiality of customers' proprietary information. It also protects the confidentiality of customer proprietary network information, also known as CPNI. Nearly two decades ago, the FCC adopted implementing regulations that require carriers to appropriately safeguard this information and to notify consumers and law enforcement of a breach. Those regulations also limit carriers' ability to use such information absent customer consent. Over time, the Commission has modified those rules to adjust to changes in industry practices.

In February of 2015, as part of the Open Internet Order, the FCC reclassified Broadband Internet Access Service (BIAS) as a telecommunications service. As a result, BIAS providers are subject to Title II of the Act, including the provisions of Section 222. The Commission found in the Open Internet Order that application of the statutory provisions of Section 222 to BIAS providers was necessary to protect consumers and further the public interest. However, the Commission was not persuaded that the existing rules implementing Section 222 for voice services would be well suited to BIAS providers.
As referenced in your letter, the Enforcement Bureau released an Enforcement Advisory last year to provide guidance to broadband providers about how the Enforcement Bureau intends to enforce Section 222 in connection with BIAS during the time between the effective date of the Open Internet Order and any subsequent Commission action providing further guidance and/or adoption of regulations applying Section 222 more specifically to BIAS. This advisory guidance was intended to assist BIAS providers in their compliance with Section 222.

As you may know, on March 7, 2016, the Enforcement Bureau entered into a consent decree with Verizon Wireless resolving a Section 222 and 2010 Open Internet Transparency Rule investigation concerning the company's insertion of unique identifier headers, also called "supercookies," into its customers' Internet web traffic.

In addition, last week I circulated to the full Commission a Notice of Proposed Rulemaking (NPRM) to ensure consumers have the tools they need to make informed choices about how and whether their data is used and shared by their broadband providers. The proposal will be voted on at the March 31 Open Meeting and, if adopted, would be followed by a period of public comment.

Answers to your specific questions are attached. Please let me know if I can be of further assistance.

Tom Wheeler

Responses to questions:

1. The enforcement advisory states that the "Enforcement Bureau intends to focus on whether broadband providers are taking reasonable, good faith steps to comply with Section 222, rather than focusing on technical details."

   a. What specifically does the FCC consider to be "reasonable, good faith steps"?

   Response: The Enforcement Advisory provides that broadband providers must make reasonable, good faith efforts to comply with Section 222.
   It further provides that "By examining whether a broadband provider's acts or practices are reasonable and whether such a provider is acting in good faith to comply with Section 222, the Enforcement Bureau intends that broadband providers should employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections."[1] These privacy protections include the use of appropriate security and privacy safeguards to protect the confidentiality of customer proprietary information and an expectation that broadband providers act in accordance with the representations and commitments that they have made to their own customers.

   A "reasonable, good faith efforts" standard means that the broadband provider should make a well-intentioned effort to comply with the statutory provisions of Section 222. In this regard, the Enforcement Bureau expects that they should also comply with their own privacy policies and other representations that they may have made about their privacy practices. Providers should also employ reasonable security measures to protect the confidentiality of the proprietary information about their customers. Finally, when they fail to meet this duty, they should take appropriate remedial corrective action.

   b. What specific legal standard does the FCC apply in determining whether a broadband provider's activity to protect consumer privacy is "reasonable"?

   Response: A broadband provider is expected to take reasonable and good faith steps to protect the personal information of its customers.
   Whether a broadband provider's activity to protect consumer privacy is "reasonable" in a given situation will depend on the particular facts and circumstances involved, including whether the provider has policies or procedures in place to protect personal information, the provider's adherence to its posted privacy policy and other privacy representations, the nature and sensitivity of the personal information at issue, and the risk of harm arising from the practice.

   c. What specific actions by a broadband provider would the FCC consider mere "technical details"?

   Response: The focus of the Enforcement Bureau's examination is on the reasonableness of the privacy practices deployed by broadband providers, rather than technical details such as the particular software or equipment used by the provider. The Advisory does not prescribe specific technical requirements that broadband providers have to meet. Instead, it focuses on evaluating the overall compliance efforts and adherence to the commitments made by the broadband provider to its customers.

   d. How does the FCC define CPNI as used in Section 222? Is it coterminous with personal identifiable information (PII)? If not, how does CPNI under Section 222 differ from PII in the eyes of the FCC? What does the FCC believe is its legal authority with respect to the protection of PII?

   Response: CPNI is defined in 47 U.S.C. § 222(h). Section 222(a) also imposes a duty on telecommunications carriers "to protect the confidentiality of proprietary information of, and relating to, [their] customers."[2] Section 222's duty to protect customer proprietary information includes the protection of CPNI.

[1] FCC Enforcement Advisory; Open Internet Privacy Standard; Enforcement Bureau Guidance: Broadband Providers Should Take Reasonable, Good Faith Steps to Protect Consumer Privacy, Public Notice, 30 FCC Rcd 4849, 4850 (EB 2015).
   The Commission has found that the duty to protect proprietary information includes the protection of customers' PII.[3] The scope of information covered by Section 222 in the BIAS context is among the issues raised in the recently circulated NPRM.

2. How many investigations or inquiries regarding the privacy practices of broadband providers were commenced after release of the Title II Order?

   a. How many remain open?

      i. Please provide me with:

         1. A list of providers currently under investigation
         2. For each such provider, a description of the alleged conduct that led the agency to initiate an investigation
         3. For each such provider, a description of the conduct under investigation and the resolution.

   Response: The Commission's enforcement investigations are confidential to ensure the fair and impartial execution of the law. Responding to this request would involve disclosing sensitive information about Commission enforcement activities that have not been publicly disclosed through a Notice of Apparent Liability for Forfeiture (NAL) or other announcement. The untimely disclosure of such nonpublic law enforcement information could cause serious harm to the FCC's enforcement efforts and to outside parties. It could unfairly prejudice and financially damage a target who may not ultimately be found culpable; it could disclose the identity of whistleblowers or other confidential sources; it could invade individuals' privacy; it could reveal the Commission's sensitive law enforcement methods (thereby providing a "road map" of our investigative process); and it could deprive a person of a right to an impartial adjudication.

[2] See TerraCom, Inc. and YourTel America, Inc., Apparent Liability for Forfeiture, File No. EB-TCD-13-00009175, Notice of Apparent Liability, 29 FCC Rcd 13325, paras. 13-30 (2014).
[3] See id. at 13335-40, paras. 31-41 (2014), settled by TerraCom, Inc. and YourTel America, Inc., Order and Consent Decree, 30 FCC Rcd 7075 (Enf. Bur. 2015).
   Federal law recognizes the special sensitivity of records and information compiled for law enforcement purposes by exempting them from public disclosure under both the Freedom of Information Act (FOIA)[4] and the Government in the Sunshine Act.[5] Given the sensitive, confidential nature of this information, we are not providing it in this response. We would be happy to discuss further how we can provide you more information about our investigative activities while protecting our sensitive law enforcement information.

3. On November 5, 2015, the FCC entered into a settlement with Cox Communications, Inc., following a data breach suffered by Cox. This was widely regarded as the first data-security enforcement action taken by a cable operator. As a condition of settlement, the FCC required Cox to pay a penalty of $595,000 and to adopt a comprehensive compliance program, including system audits and breach notification systems.

   a. Is it the FCC's view that the PII of Cox's broadband customers is currently covered by the Title II Order as interpreted by the May enforcement advisory?

   Response: The Cox consent decree does not involve Cox's provision of broadband internet access service. However, in addition to being a telephone and cable provider, Cox provides broadband internet access service. Like all common carriers providing broadband internet access services, Cox is subject to the 2015 Open Internet Order, which applies the statutory provisions of Section 222 to BIAS providers.

   On November 5, 2015, the FCC entered into a consent decree with Cox Communications, Inc., following multiple data breaches at the company. As the consent decree provides in pertinent part, "Congress and the Commission have made clear that cable operators such as Cox must take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator.
   Furthermore, when acting as telecommunications carriers, providers such as Cox must take every reasonable precaution to protect customers' data."[6]

   b. Were the Cox investigation and settlement undertaken solely pursuant to the Enforcement Bureau's asserted authority under the Title II order as interpreted by the May enforcement advisory?

   Response: No. The Cox investigation was initiated several months prior to the adoption of the 2015 Open Internet Order, based on events and reports from July to September 2014. The investigation concerned the unauthorized access to and release of PII and CPNI of Cox cable and telephone customers and therefore implicated long-standing protections applicable to cable and telephone customers.

   Cox's electronic data systems were breached in July and August 2014 when third parties used a common social engineering ploy known as pretexting. Specifically, the third parties pretended to be from Cox's information technology department and gained access to data systems containing Cox's customer information by convincing a Cox customer service representative and a Cox contractor to enter their respective account IDs and passwords into a fake website, which the third parties controlled. With this information, the third parties had unauthorized access to the PII of Cox's six million customers. Cox's relevant data systems did not have well-accepted technical safeguards, such as multi-factor authentication, to prevent the compromised credentials from being used to access the PII and CPNI of Cox's customers. At least one of the third parties then posted some of the personal information of at least eight of the affected customers on social media sites, changed the passwords of at least 28 of the affected customers, and shared customer personal information with yet another unauthorized third party.

[4] 5 U.S.C. § 552(b)(7).
[5] 5 U.S.C. § 552b(c)(7).
[6] Cox Commc'ns, Inc., Order and Consent Decree, 30 FCC Rcd 12302 (EB 2015).
   Cox also failed to report these breaches through the Commission's breach-reporting portal, as is required by Commission rules.

   c. If not, what was the specific legal authority for the Cox investigation and settlement?

   Response: The Consent Decree with Cox resolved the Enforcement Bureau's investigation into whether Cox violated Sections 201(b), 222(a) and (c), and 631 of the Communications Act of 1934, as amended, and Sections 64.2010(a) and 64.2011(b) of the Commission's rules.