FCC’s Privacy Protections for Telecommunications Carriers

Posted by Mark Greisiger

A Q&A with Sara Hutchins Jodka of McDonald Hopkins

The Federal Communications Commission alerted telecommunications and interconnected VolP service providers that the annual privacy certification for Customer Proprietary Network Information (CPNI) was due on March 1, 2016, and also warned that similar obligations would soon be required of broadband providers. I spoke with Sara Hutchins Jodka, senior counsel at McDonald Hopkins, about the implications for the telecommunications industry, and what companies can do to shore up their privacy protections.

Can you offer a summary of the latest FCC CPNI Privacy Certification efforts?
The FCC has had regulations in place for internet providers. Now they are working on expanding them and developing new regulations and enforcement mechanisms for the broadband space. In fact, FCC Chairman Tom Wheeler announced that a proposed rulemaking is being circulated among the FCC Commissioners that would establish privacy and data security requirements applicable to providers of broadband Internet access service (BIAS). While the Notice of Proposed Rulemaking (NPRM) will not be released to the public until the end of March when it is scheduled for vote a summary of it has been released.

In the meantime, as it concerns the telecommunications industry, specifically VolP service providers, we have already started to see massive enforcement—one example was the $25 million AT&T fines levied in April of 2015. That was very significant and a major wakeup call to this community that the FCC is taking this seriously and leveling fines for noncompliance and lazy compliance.

[Call centers] have access to too much data in the scope of their obligations that isn’t properly encrypted, and subscriber information is getting out.

Who should be concerned about this, and why?
Telecommunications companies that are relying on call centers should definitely be concerned. Call centers have fewer procedures around security. They’re gathering and have access to too much data in the scope of their obligations that isn’t properly encrypted, and subscriber information is getting out. The FCC is now taking steps to protect it. Not to mention, the FCC has more flexibility to enforce these rules, as compared with an agency like the FTC, which is much more limited in its enforcement capabilities. The FCC recently issued a press release with respect to the certification requirements and it basically stated that if you don’t get certified you’ll hit our radar. Broadband providers should also be on alert because even if they are not yet subject to these statutes, there will be regulations coming.

What steps can a client take to comply?
It’s a two-level approach. The first thing they need to comply is to complete the certification, which is actually not that difficult. It basically requires following the bulleted points outlined in the press release and having an officer sign off. However, some companies are falling down on this requirement because they have officers without personal knowledge of the security measures signing the certification. If there isn’t already a privacy officer at the company it may be time to consider hiring someone who really understands and can attest to compliance.

The next step is a written statement that explains how operating procedures are in compliance with the FCC’s CPNI rules. This is another area where a lot of companies are falling down—some simply miss the deadline. It’s not just a form you fill out in an hour the day it’s due. A major problem occurs when companies state they’re compliant but don’t actually explain how. The statement should be robust, open and candid. Another problem we see is when companies don’t state what they have done to address data broker complaints. If they’ve had any complaints about unauthorized release of information, they’re required to include that in their statement. Telling the truth is the best measure to protect the company and subscriber information.

Companies worry that the agency will come after them if there’s any perceived wrongdoing or weakness in the statement, but the FCC will find out anyway when the company’s system is hacked and information is released. The FCC wants companies take measures on the front end, to audit their own processes and look for ways to improve. There’s a perception that the FCC is out to get companies, but it’s really just trying to protect information from breaches and ultimate the private information of covered subscribers.

By the way, this isn’t a once-a-year type thing. Privacy is year-round. In general, broadband providers should follow the model of internet providers.

What ramifications loom for failure to comply?
If a covered company misses the certification-filing deadline, the FCC will know, and no company wants to be targeted by a federal agency. When fines are levied they’re not in the thousands—they’re in the millions. Failure to comply with CPNI is $160,000 per violation with a maximum of up to $1.6 million and that’s just on the certification side. Fines that large can take a company down. Individually, if an officers signs off on a false statement of certification, the officer can go to jail. That puts company officers in a precarious position if they don’t understand what they’re signing. The bottom line is that companies need to take data privacy seriously.

Data privacy isn’t just the FCC’s responsibility, or the FTC’s responsibility, or whatever governmental agency is charged with enforcing a particular segment of it. It is everyone’s responsibility because the information that is being breached is sensitive. It is personal. It takes down companies and, worse, it harms people. While the information stolen may seem like just names and numbers in a database, it is important for companies to remember that this information is the identities of your customers, your subscribers, your clients. They trust you with that information, and with trust comes great responsibility. Be responsible. Be vigilant. At the end of the day, every single person is a combination of rows and columns in a database that may be subject to a breach. We are proper privacy to our customers, our subscribers, our clients, and ourselves.

In summary…
We want to thank Sara for her insights into this emerging FCC privacy certification requirement, part of a growing list of security/privacy issues for telecommunications corporate risk managers whose organizations are governed by this regulation and face significant penalties for noncompliance.