Yesterday, the Federal Communications Commission’s (FCC’s) Enforcement Bureau issued a reminder that annual CPNI certifications for calendar year 2013 must be filed with the FCC by March 1, 2014.
The FCC requires telecommunications service providers (including paging providers, commercial mobile radio services providers, and calling card providers) and interconnected VoIP service providers to file an annual report certifying compliance with the FCC’s rules protecting Customer Proprietary Network Information (CPNI). CPNI includes the sensitive information that a customer makes available to the carrier solely by virtue of the carrier-customer relationship, such as the phone numbers of calls made and received by the customer, the frequency, duration, and timing of such calls, and the services purchased by the customer.
The FCC’s CPNI rules impose limitations on the use and disclosure of a customer’s CPNI. Among other things, carriers must take reasonable measures to safeguard CPNI, are restricted in their use or disclosure of such information to third parties, and must notify customers of security breaches involving CPNI. Failure to comply with the CPNI rules, including the annual certification requirement, may subject a company to an enforcement action, including monetary forfeitures of up to $160,000 for each violation or each day of a continuing violation, up to a maximum of $1,575,000.
The following is an overview of the elements that must be included in the FCC’s CPNI annual certification. Note that all of this information must pertain to the entire previous calendar year (2013):
- an officer of the company must sign the compliance certificate;
- the officer must affirmatively state in the certification that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the CPNI rules;
- the company must provide a written statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the CPNI rules (simply stating that the company has adopted operating procedures without explaining how compliance is being achieved does not satisfy this requirement);
- the company must include an explanation of any actions taken against data brokers, or an affirmative statement that there were no such actions; and
- the company must include a summary of all consumer complaints received in the prior year concerning unauthorized release of CPNI, or an affirmative statement that there were no such complaints.
The FCC has provided a suggested CPNI Certification Template to help companies ensure that their certifications contain all of the required information. Use of the template is not mandatory.