Federal Communications Commission FCC 07-22 STATEMENT OF COMMISSIONER MICHAEL J. COPPS APPROVING IN PART, DISSENTING IN PART Re: Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services, Report and Order and Further Notice of Proposed Rulemaking, CC Docket No. 96-115 and WC Docket No. 04-36 Few rights are as fundamental as the right to privacy in our daily lives, but this cherished right seems under almost constant attack. As recent abuses by unscrupulous data brokers and others illustrate, the Commission’s existing customer proprietary network information (CPNI) rules have not adequately protected individual privacy. Recognizing the seriousness of the threat, Congress recently made pretexting a federal crime. Now it is time for the Commission to step up to the plate and update its rules to protect consumers from the dangers that portend when personal information is turned over to telephone carriers. Today we take action to protect the privacy of American consumers by imposing additional safeguards on how telephone carriers handle the vast amount of customers’ personal information that they collect and hold. We require passwords before call detail information is released over the phone. We require carriers to provide notice to customers when changes occur to their accounts. Very importantly, we require carriers to obtain prior consent from their customers before providing personal information to their joint venture partners and independent contractors. My personal preference remains that a customer’s private information should never be shared by a carrier with any entity for marketing purposes without a customer opting-in to the use of his or her personal information. But today’s order strikes an acceptable balance – a balance that will give consumers more confidence that their personal data will not be shared with certain third parties with whom the carriers have attenuated oversight. In 2002 I disagreed with the Commission’s decision not to implement opt-in requirements for the use of consumers’ personal information. In light of recent and well-documented abuses of consumer privacy, this recalibration of our rules is the least that we should do, and I very much appreciate the Chairman’s willingness to take these important steps. There is one aspect of this order, however, from which I must respectfully dissent. The Commission adopts a process by which customers could be left totally uninformed of unauthorized access to their CPNI for 14 days after a carrier reasonably determines there has been a records breach. Worse, the FBI and the U.S. Secret Service would have the ability to keep victims of these unauthorized disclosures in the dark even longer, perhaps indefinitely. As some have described it, it is akin to not telling victims of a burglary that their home has been broken into because law enforcement needs to continue dusting for fingerprints. While I have always recognized the legitimate interests of law enforcement to be notified when there has been unauthorized access to a customer’s CPNI, I also believe that consumers need to know when their private information has been accessed. There may be circumstances in which a delayed notification regime would be reasonable, for example, when an investigation of a large-scale breach of a database might be compromised because mass notification via the media is required. The Commission, however, adopts a rule that, in my opinion, is needlessly overbroad. It fails to distinguish those exigent circumstances in which delayed notification is necessary from what I believe to be the majority of cases in which immediate notification to a victim is appropriate. I continue to believe that notification to the victim of unauthorized access to their personal information will often actually aid law enforcement because the violator is frequently someone well known to the victim. If an unauthorized individual has gained access to personal telephone records involving victims of stalking or spousal violence, it won’t be the carrier or the law enforcement agency – but the victims – who are in the best position to know when and how harm may be heading toward them. Federal Communications Commission FCC 07-22 2 Given the scope of the procedures adopted here – procedures which pre-empt state consumer privacy protections to the extent that they require immediate notification to consumers when their privacy has been violated – the delayed notification proposal would have benefited from greater scrutiny and analysis, particularly with respect to law enforcement’s apparent unfettered ability to extend the period of non-notification. This seems especially important given the recent and troubling report by the Justice Department’s own Inspector General raising serious questions as to whether the FBI properly followed the law in obtaining access to the telephone records of thousands of consumers. Our approach here requires more balance than the instant item provides. Finally, while we make positive strides today, I look forward to taking prompt action on the proposals in the Further Notice regarding additional passwords, audit trails and data retention limits. When the stakes for misuse of our personal information are so high, the Commission must continue to be extraordinarily vigilant to ensure that the privacy of consumers is protected.