*Pages 1--11 from Microsoft Word - 58200.doc* Federal Communications Commission FCC 06- 100 Before the Federal Communications Commission Washington, D. C. 20554 In the Matter of AT& T Inc. Compliance with the Commission’s Rules and Regulations Governing Customer Proprietary Network Information ) ) ) ) ) ) ) ) ) File No. EB- 05- TC- 047 File No. EB- 06- TC- 059 NAL/ Acct. No. 200632170003 FRN: 0004305124 ORDER Adopted: July 7, 2006 Released: July 7, 2006 By the Commission: Commissioner Adelstein issuing a statement. 1. In this Order, we adopt the attached Consent Decree entered into between the Federal Communications Commission (the “FCC” or “Commission”) and AT& T Inc. (“ AT& T”). The Consent Decree terminates an investigation initiated by the Enforcement Bureau of the FCC regarding SBC Communications, Inc. ’s (“ SBC”) 1 compliance with section 222 of the Communications Act of 1934, as amended (the “Act”), 47 U. S. C. § 222, and sections 64. 2001- 2009 of the Commission’s rules, 47 C. F. R. §§ 64.2001- 2009. The Consent Decree also terminates a Notice of Apparent Liability for Forfeiture (“ NAL”) against AT& T for its apparent violation of section 222 of the Act, 47 U. S. C. § 222, and section 64.2009( e) of the Commission’s rules, 47 C. F. R. § 64. 2009( e). 2. The Commission and AT& T have negotiated the terms of a Consent Decree that would resolve these matters and terminate the investigation and the NAL. A copy of the Consent Decree is attached hereto and incorporated by reference. 3. After reviewing the terms of the Consent Decree, we find that the public interest would be served by adopting the Consent Decree and terminating the investigation and the NAL. We also conclude that, in the absence of material new information not previously disclosed to the Commission, the matters raised in the investigation and the NAL do not raise any substantial and material questions of fact regarding AT& T’s qualifications to be a Commission licensee. 4. Accordingly, IT IS ORDERED, pursuant to Section 4( i) of the Communications Act of 1 Subsequent to the initiation of this investigation, SBC acquired AT& T Corp. and changed its name to AT& T Inc. Accordingly, we will hereafter refer to the Company as SBC for matters concerning the Enforcement Bureau’s investigation and AT& T for any agreements contained herein between the Company and the Commission. 1 Federal Communications Commission FCC 06- 100 2 1934, as amended, 2 that the attached Consent Decree IS ADOPTED. 5. IT IS FURTHER ORDERED that the above- captioned matters ARE TERMINATED. FEDERAL COMMUNICATIONS COMMISSION Marlene H. Dortch Secretary 2 47 U. S. C. § 154( i). 2 Federal Communications Commission FCC 06- 100 Before the Federal Communications Commission Washington, D. C. 20554 In the Matter of AT& T Inc. Compliance with the Commission’s Rules and Regulations Governing Customer Proprietary Network Information ) ) ) ) ) ) ) ) ) File No. EB- 05- TC- 047 File No. EB- 06- TC- 059 NAL/ Acct. No. 200632170003 FRN: 0004305124 CONSENT DECREE I. INTRODUCTION 1. The Federal Communications Commission (the “FCC” or “Commission”) and AT& T Inc. (“ AT& T” or “Company”), by their authorized representatives, hereby enter into this Consent Decree for the purpose of terminating: 1) the Enforcement Bureau’s investigation regarding SBC Communications, Inc. ’s (“ SBC”) 1 compliance with section 222 of the Communications Act of 1934, as amended (the “Act”), and sections 64.2001- 2009 of the Commission’s rules (the “CPNI ‘Opt- Out’ Investigation”); 2 and 2) a Notice of Apparent Liability for Forfeiture (“ NAL”) against AT& T for its apparent violation of section 222 of the Act, 47 U. S. C. § 222, and section 64. 2009( e) of the Commission’s rules, 47 C. F. R. § 64. 2009( e). II. BACKGROUND A. CPNI “Opt- Out” Investigation 2. The Enforcement Bureau of the FCC (“ Bureau”) sent a Letter of Inquiry (“ LOI”) to SBC on July 26, 2005, concerning the company’s self- reported failures in its customer proprietary network information (“ CPNI”) opt- out mechanisms, which may have resulted in the unauthorized use of CPNI in violation of section 222 of the Act of 1934 and sections 64.2001- 2009 of the Commission’s rules. 3 The LOI directed SBC, among other things, to describe in detail the failures in its CPNI opt- out mechanisms, to state whether the failures had been 1 Subsequent to the initiation of this investigation, SBC acquired AT& T Corp. and changed its name to AT& T Inc. Accordingly, we will hereafter refer to the Company as SBC for matters concerning the Enforcement Bureau’s investigation and AT& T for any agreements contained herein between the Company and the Commission. 2 47 U. S. C. § 222; 47 C. F. R. §§ 64. 2001- 2009. 3 See Letter of Inquiry from Colleen Heitkamp, Chief, Telecommunications Consumers Division, Enforcement Bureau, to Jackie Flemming, Executive Director, Federal Regulatory, SBC Communications, Inc. (July 26, 2005). 3 Federal Communications Commission FCC 06- 100 2 corrected, to provide a detailed description of any measures taken to address the failures, and to state any measures taken to ensure future compliance. SBC was directed to support its responses with pertinent documentation and affidavits. 3. SBC provided its written responses on August 16, 2005 and August 26, 2005. 4 SBC has been forthcoming with its responses, and cooperative with the Bureau’s investigation. B. CPNI Certification NAL 4. Based on concerns regarding the apparent availability to third parties of sensitive, personal subscriber information, 5 the Bureau, as part of an inquiry to ascertain the adequacy of procedures implemented by telecommunications carriers to ensure the confidentiality of their subscribers’ CPNI, directed several carriers, including AT& T, to submit their most recent certification prepared in compliance with section 64.2009( e) of the Commission’s rules. 5. On January 27, 2006, AT& T submitted documents constituting certifications by SBC. AT& T, however, did not provide any annual certification prepared by the former AT& T Corp. 6. On January 30, 2006, the Bureau issued an NAL proposing a forfeiture of $100,000 for AT& T’s apparent violation of section 64.2009( e) of the Commission’s rules by failing to prepare and maintain a certification in compliance with the rule. III. DEFINITIONS 7. For purposes of this Consent Decree, the following definitions shall apply: a. “Act” means the Communications Act of 1934, as amended. b. “AT& T” means AT& T Inc. and any affiliate, d/ b/ a, predecessor- in- interest, parent companies and any direct or indirect subsidiaries of such parent companies, or other affiliated companies or businesses and their successors and assigns. For purposes of the CPNI “Opt- Out” Investigation and corresponding Compliance Plan, as described within this document, AT& T includes only Southwestern Bell Telephone, LP, Pacific Bell Telephone Company, Nevada Bell Telephone Company, Illinois Bell Telephone Company, Indiana Bell Telephone Company, Incorporated, Michigan Bell Telephone Company, The Ohio Bell Telephone Company, Wisconsin Bell, Inc., Woodbury Telephone Company and The Southern New England Telephone Company. 4 See Letter from Davida Grant, Senior Counsel, SBC Services, Inc. to Colleen Heitkamp, Chief, Telecommunications Consumers Division, Enforcement Bureau (August 16, 2005); Letter from Davida Grant, Senior Counsel, SBC Services, Inc. to Colleen Heitkamp, Chief, Telecommunications Consumers Division, Enforcement Bureau (August 26, 2005). 5 Some companies, known as “data brokers,” have advertised the availability of records of wireless subscribers’ incoming and outgoing telephone calls and certain landline telephone calls for a fee. See, e. g. http:// www. epic. org/ privacy/ iei/. 4 Federal Communications Commission FCC 06- 100 3 c. “Bureau” means the Enforcement Bureau of the Federal Communications Commission. d. “Commission” or “FCC” means the Federal Communications Commission. e. “CPNI ‘Opt- Out’ Investigation” means the investigation commenced by the Bureau’s Letter of Inquiry, dated July 26, 2005, to former SBC regarding its possible noncompliance with section 222 of the Act, 47 U. S. C. § 222, and sections 64.2001- 2009 of the Commission’s rules, 47 C. F. R §§ 64. 2001- 2009. f. “Effective Date” means the date on which the Commission releases the Adopting Order. g. “Order” or “Adopting Order” means an Order of the Commission adopting the terms and conditions of this Consent Decree without change, addition, or modification, and formally terminating the above- captioned Investigation. h. “Parties” means AT& T and the Commission. IV. AGREEMENT 8. AT& T agrees that the Commission has jurisdiction over it and the subject matters contained in this Consent Decree and the authority to enter into and adopt this Consent Decree. 9. The Parties agree and acknowledge that this Consent Decree shall constitute a final settlement of the CPNI “Opt- Out” Investigation and the NAL. In express reliance on the covenants and representations contained herein, and to avoid the potential expenditure of additional public resources, the Commission agrees to terminate the CPNI “Opt- Out” Investigation and the NAL. In consideration for the termination of these matters and in accordance with the terms of this Consent Decree, AT& T agrees to the terms, conditions, and procedures contained herein. 10. The Parties agree that this Consent Decree does not constitute either an adjudication on the merits or a factual or legal finding or determination regarding any compliance or noncompliance by AT& T with the requirements of the Act or the Commission’s rules or orders. The Parties agree that this Consent Decree is for settlement purposes only, and that by agreeing to this Consent Decree, AT& T does not admit or deny any noncompliance, violation, or liability associated with or arising from its actions or omissions involving the Act or the Commission’s rules that are the subject of this Consent Decree. 11. In consideration for the termination of the CPNI “Opt- Out” Investigation and the NAL in accordance with the terms of this Consent Decree, AT& T agrees to make a voluntary contribution to the United States Treasury, without further protest or recourse to a trial de novo, in the amount of five hundred fifty thousand dollars ($ 550, 000) within thirty (30) days after the Effective Date. This voluntary payment does not constitute a fine or penalty for, or admission of, the violation of any law. The payment must be made by check or similar instrument, payable to the order of the Federal Communications Commission. The payment must include the Acct. No. and FRN No. referenced above. Payment by check or money order may be mailed to Forfeiture Collection Section, Finance Branch, Federal Communications Commission, P. O. Box 358340, Pittsburgh, Pennsylvania 15251. Payment by overnight mail may be sent to Mellon Client 5 Federal Communications Commission FCC 06- 100 4 Service Center, 500 Ross Street, Room 670, Pittsburgh, Pennsylvania 15262- 0001, Attn: FCC Module Supervisor. Payment by wire transfer may be made to: ABA Number 043000261, receiving bank Mellon Bank, and account number 911- 6229. Please include your NAL/ Acct. No. with your wire transfer remittance. 12. To resolve and terminate the CPNI “Opt- Out” Investigation, and to ensure compliance with the Commission’s CPNI opt- out rules, AT& T agrees to implement the following Compliance Plan. The Compliance Plan measures set forth in this paragraph shall be applicable to Southwestern Bell Telephone, LP, Pacific Bell Telephone Company, Nevada Bell Telephone Company, Illinois Bell Telephone Company, Indiana Bell Telephone Company, Incorporated, Michigan Bell Telephone Company, The Ohio Bell Telephone Company, Wisconsin Bell, Inc., Woodbury Telephone Company and The Southern New England Telephone Company: a. Managerial Oversight of CPNI Opt- Out Notification Process i. AT& T will designate an employee( s) 6 with responsibility for managing and overseeing implementation of AT& T’s CPNI opt- out processes, and for approving in writing both the form and content of CPNI opt- out notices prior to distribution to customers. ii. The relevant responsible employee( s) will notify AT& T organizations involved in the distribution of CPNI opt- out notices, at least once annually, that both the form and content of any CPNI opt- out notices must be approved in writing before such notices are distributed to any customers. b. Distribution of CPNI Opt- Out Notices by AT& T i. AT& T will provide written instructions to the AT& T organization or external contractor responsible for distributing CPNI opt-out notices (" distribution channels") regarding (a) the content of, or any changes to the content of, such CPNI opt- out notices and/ or (b) the distribution of AT& T materials containing such CPNI opt- out notices. AT& T shall retain these written instructions for a period of at least one year. ii. AT& T will require supervisory review (at least by the individual specified in 12( a)( i) above) of all such written instructions identified in subparagraph (i) prior to providing these written instructions to the distribution channels. iii. AT& T will review a sample, on a per state basis, of any material containing a CPNI opt- out notice prior to the dissemination of such materials to customers by its distribution channels, to verify that the content of such CPNI opt- out notices complies with the written instructions provided to the distribution channels. A separate sample shall be reviewed for each state for which such notice is being sent. 6 In this section, the term “employee” may include personnel of any wholly- owned subsidiary of AT& T Inc. 6 Federal Communications Commission FCC 06- 100 5 AT& T will instruct its distribution channels that they may not disseminate the CPNI opt- out notices to customers until AT& T has given its written approval of the sample notification. iv. AT& T will review a sample, on a per state basis, of any material containing a CPNI opt- out notice after the dissemination of such materials to customers by its distribution channels to verify that the CPNI opt- out notices disseminated to customers contain the content approved in accordance with subparagraph (iii) above. A separate sample shall be reviewed for each state for which such notice is being sent. c. Changes to CPNI Opt- Out Notice Distribution Method i. Prior to changing the delivery mechanism for CPNI opt- out notices sent to new customers (e. g., moving a new customer’s opt- out notice from his or her first bill to his or her order confirmation package), AT& T shall: a) identify applicable AT& T work groups involved in the current and planned distribution method; b) verify that the mechanism would ensure that each new customer that would receive notice under the current distribution method will receive such notice under the new distribution method; c) develop a transition plan to ensure that each new customer will receive notice under either the current distribution method or the new distribution method; d) require applicable organizations to review and approve the transition plan in writing; and e) analyze sample data after the transition to verify that the plan achieved the desired results. ii. Where AT& T elects to send customers electronic CPNI opt- out notices, AT& T will ensure that such customers have the ability to reply directly to the electronic notice to opt out. iii. Where CPNI notice is delivered via electronic confirmation to a new customer, AT& T will require that the notice, or a direct link to the notice, be contained in the body of the electronic confirmation. d. Training AT& T will provide annual CPNI training to employees responsible for managing the development of CPNI opt- out notices, the overall implementation of CPNI process changes, and the electronic distribution of materials that contain CPNI opt- out notices. The training will focus on the federal CPNI opt- out requirements. 7 Federal Communications Commission FCC 06- 100 6 e. Enforcement i. AT& T's designated internal complaint group( s) will monitor written customer complaints (forwarded from regulatory agencies or received from customers) to identify potential violations of the Commission's CPNI opt- out rules. ii. AT& T will take appropriate disciplinary action, up to and including dismissal, if AT& T concludes that an employee has engaged in misconduct resulting in a failure of AT& T’s CPNI opt- out mechanisms. iii. Upon notification to the FCC of a CPNI opt- out failure in accordance with section 64.2009( f) of the Commission's rules, AT& T will act to restrict the unauthorized use of the affected customers’ CPNI unless and until it obtains CPNI approval from the customer. f. Compliance Review AT& T will file a report summarizing compliance with this Plan within thirty (30) days after the one- year anniversary of the Effective Date of this Consent Decree. AT& T will file a final report on compliance with this Plan thirty (30) days prior to the termination date of this Consent Decree. The reports shall address in detail AT& T’s compliance with each separate provision of the Compliance Plan as described in paragraph 12 of this Consent Decree, along with the requirements of paragraph 13 of this Consent Decree. AT& T must mail its reports to the Chief, Telecommunications Consumers Division, Enforcement Bureau, Federal Communications Commission, 445 12th Street, S. W., Washington, D. C. 20554, and must include the file number listed above. AT& T will also send an electronic copy of its reports to other Telecommunications Consumers Division staff as directed by the Division Chief. g. Term of the Plan AT& T will implement this Compliance Plan within sixty (60) days of the Effective Date of this Consent Decree. The terms of this Compliance Plan will expire two (2) years after the Effective Date of this Consent Decree or upon the termination of the opt- out requirements set forth in sections 64.2001- 2009 of the Commission’s rules, 47 C. F. R. §§ 64. 2001- 2009, whichever is earlier. 13. To resolve and terminate the NAL, AT& T commits to full compliance with section 64.2009( e) of the Commission’s rules and to include the details of its CPNI certification compliance in its reports on compliance as set forth in 12( f) above. 14. The Commission agrees that, in the absence of new material evidence related to these matters, it will not use the facts developed in these matters through the Effective Date or the existence of this Consent Decree to initiate, on its own motion, any new proceeding, formal or informal, or take any action on its own motion against AT& T, including any other enforcement action, nor will the Commission seek on its own motion any administrative or other penalties from AT& T, concerning the matters that were the subject of the CPNI “Opt- Out” Investigation or 8 Federal Communications Commission FCC 06- 100 7 the NAL. The Commission also agrees that it will not use the facts developed in these matters through the Effective Date or the existence of this Consent Decree to initiate, on its own motion, any proceeding, formal or informal, or take any action on its own motion against AT& T with respect to AT& T’s basic qualifications, including its character qualifications, to be a Commission licensee or authorized common carrier. Consistent with the foregoing, nothing in this Consent Decree limits the Commission’s authority to consider and adjudicate any complaint that may be filed pursuant to section 208 of the Act, 47 U. S. C. § 208, and to take any action in response to such complaint. The Commission’s adjudication of any such complaint will be based solely on the record developed in that proceeding. 15. AT& T’s decision to enter into this Consent Decree is expressly contingent upon the Commission’s issuance of an Adopting Order. Provided the Commission issues an Adopting Order, AT& T waives any and all rights it may have to seek administrative or judicial reconsideration, review, appeal or stay, or to otherwise challenge or contest the validity of this Consent Decree and the Adopting Order. 16. If either Party (or the United States on behalf of the Commission) brings a judicial action to enforce the terms of the Adopting Order, neither AT& T nor the Commission shall contest the validity of the Consent Decree or the Adopting Order, and AT& T and the Commission will waive any statutory right to a trial de novo with respect to the issuance of the Adopting Order and shall consent to a judgment incorporating the terms of this Consent Decree. 17. In the event that this Consent Decree is rendered invalid by a court of competent jurisdiction, it shall become null and void and may not be used in any manner in any legal proceeding. 18. By this Consent Decree, AT& T neither waives nor alters its right to assert and seek protection from disclosure of any privileged or otherwise confidential and protected documents and information, or to seek appropriate safeguards of confidentiality for any competitively sensitive or proprietary information. 19. AT& T agrees that any violation of the Order or of this Consent Decree shall constitute a separate violation of a Commission order, entitling the Commission to exercise any rights and remedies attendant to the enforcement of a Commission order. 20. The Parties agree that if any provision of this Consent Decree is inconsistent with any subsequent rule or order adopted by the Commission, that provision will be superseded by such Commission rule or order. 21. The Parties agree that the requirements of this Consent Decree shall expire two (2) years after the Effective Date or upon the termination of the opt- out requirements set forth in sections 64.2001- 2009 of the Commission’s rules, 47 C. F. R. §§ 64. 2001- 2009, whichever is earlier. 9 Federal Communications Commission FCC 06- 100 8 22. This Consent Decree may be signed in counterparts. For: AT& T Inc. For: Federal Communications Commission __________ _______________________ __________ ______________________ Date Robert W. Quinn, Jr. Date Marlene H. Dortch Sr. Vice President Federal Regulatory Secretary 10 Federal Communications Commission FCC 06- 100 9 STATEMENT OF COMMISSIONER JONATHAN S. ADELSTEIN Re: AT& T Inc., Compliance with the Commission’s Rules and Regulations Governing Customer Proprietary Network Information, File Nos. EB- 05- TC- 047, EB- 06- TC- 059, Order. A consumer’s telephone call records include some of the most private personal information about an individual. Access to telephone records can show who people are calling and for how long. For all practical purposes, it is like picking someone’s brain about their friends, plans or business dealings. People are extremely guarded about their privacy, and Congress recognized the sensitivity of this information in the Telecommunications Act of 1996 when it prohibited phone companies from using or disclosing CPNI without the customer’s approval. It charged the Commission with enforcing this privacy protection and the Commission previously adopted a set of rules designed to ensure that telephone companies have effective safeguards in place. In this case, AT& T has commendably self- reported some of its failures in its compliance mechanisms and has agreed to adopt a compliance plan so that consumers are appropriately notified about the Commission’s privacy rules. I support this Order because consistent enforcement is essential to promote compliance with our consumer privacy rules. It is also important for the Commission to move ahead with our pending rulemaking on our consumer privacy rules for telephone companies. When we opened that proceeding earlier this year, it was apparent that telephone records were widely available on the Internet, even though telephone companies are required to have firewalls in place to protect consumers’ private information. That proceeding, adopted at the urging of a watchful public interest group, the Electronic Privacy Information Center, provides us an important opportunity to find ways to tighten our rules and provide greater security for these sensitive consumer records. We must not lose sight of that opportunity to ensure that we have sufficiently strong consumer privacy rules in place and that phone companies are employing effective safeguards to shield this data from harm. Every provider should be on notice that this is at the top of our agenda, we are watching closely and will take the action necessary to protect consumers' privacy, and we expect them to do the same. 11