February 4, 2014
Customer Proprietary Network Information (“CPNI”) Certifications must be filed with the FCC by March 1st.
Under the FCC’s rules, all providers of telecommunications and interconnected VoIP services must file a CPNI Certification with the FCC which describes, in detail, the policies and procedures a service provider has instituted to safeguard CPNI and any instance of a CPNI-related breach that occurred over the past year.
Before filing the CPNI Certification, all affected service providers must ensure that they are in full compliance with the FCC’s CPNI rules. This includes adopting stringent internal procedures safeguarding the use of and access to CPNI, among other things.
In anticipation of the March 1st deadline, our firm advises all clients providing telecommunications and interconnected VoIP services to review internal policies regarding the protection of CPNI. Since CPNI Certifications must be signed by an officer of the company, under penalty of perjury, all clients are advised to conduct an internal review to validate compliance with the FCC’s CPNI rules before executing and filing a CPNI Certification with the FCC.
To avoid the hassle of an investigation or enforcement action, even those telecommunications service providers who lacked access to and/or did not use CPNI during the past year are advised to file a CPNI Certification with the FCC. If a service provider is registered with the FCC, i.e., possesses either an FCC Filer ID or FCC Registration Number, remittance of a compliant CPNI Certification is highly recommended. In years past, the FCC’s Enforcement Bureau released an Omnibus CPNI Notice of Apparent Liability finding over 660 service providers apparently liable for fines of up to $20,000; the majority of these investigations remain open.
CLIENT ACTION ITEMS:
Managed Services Subscribers: Clients currently subscribed to our Managed Compliance Service will be contacted shortly to prepare for the upcoming CPNI Certification deadline. Managed Compliance Service clients who have questions about CPNI compliance, or would like to schedule an audit, should contact Chris Canter directly at firstname.lastname@example.org or by telephone: 703-714-1308.
Non-Subscribers: Clients not currently subscribed to C&R Services, but who require assistance with the preparation and filing of the CPNI Certification, may contact either Jonathan Marashlian at email@example.com or Joanna Georgatsos at firstname.lastname@example.org to schedule an audit and make appropriate arrangements to ensure timely filing.
ADDITIONAL BACKGROUND INFORMATION:
Definition of CPNI
Under federal law, CPNI is certain customer information obtained by a telecommunications provider during the course of providing telecommunications services (including interconnected VoIP) to a customer. This includes information relating to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier.
Examples of CPNI include information typically available from call detail records (“CDRs”), such as the types of services purchased by a customer, numbers called, duration of calls, directory assistance charges, and calling patterns. CPNI does not include names, addresses, and telephone numbers, because that information is considered subscriber list information under applicable law.
CPNI Protection Procedures
Under the FCC’s rules governing CPNI, all providers of telecommunications services and interconnected VoIP service providers are required to file a CPNI Certification with the FCC annually. The CPNI Certification must outline all the steps a service provider took during the previous year to prevent unauthorized access to CPNI. Specific CPNI protection procedures include, but are not limited to:
- Enacting strict controls regulating the use of and access to CPNI
- Notifying customers about access to CPNI
- Training employees about safeguarding CPNI
- Protecting CPNI used in sales and marketing campaigns
- Notifying the FCC and law enforcement agencies of unauthorized CPNI access
- Establishing “opt-in/ opt-out” procedures for the use of CPNI by third parties
Affected service providers must also inform the FCC about any instance of unauthorized access to CPNI and formal procedures taken to prosecute “pretexters,” or third parties who attempt to illegally gain access to customer information.
The CPNI Certification must be signed by a corporate officer, attesting that the officer has personal knowledge that the company has established adequate operating procedures to ensure CPNI compliance.
If you are uncertain about the FCC’s CPNI Rules or the specific steps your company must take to ensure compliance, our firm is available to assist. The CommLaw Group routinely conducts audits of our clients’ CPNI protection and use procedures.
A CPNI Compliance Audit will not only confirm your company’s compliance during the prior calendar year or identify areas that require further attention prior to the filing of a CPNI Certification, an Audit will also ensure full compliance with the FCC’s CPNI rules in future years, thereby making future annual reviews easier, faster, and less costly.
Clients who have not authored a CPNI Certification in past years should contact our firm as soon as possible so we can conduct an audit, prepare and file a comprehensive, fully-compliant CPNI Certification. Clients who submitted a CPNI Certification last year should still conduct an internal review to ensure continued compliance with CPNI rules before authorizing the filing of a CPNI Certification, which must be filed under oath and penalty of perjury.
Custom-tailored CPNI Documents Available to Clients
In addition to CPNI compliance audits, our firm can provide custom-tailored compliance documents necessary to manage internal CPNI compliance and to support CPNI certification before the FCC. These documents include a custom-tailored Policies & Procedures Manual which outlines the steps your company has adopted to ensure full compliance with CPNI regulations. Clients can also purchase customizable CPNI compliance document templates for a reduced price.
The FCC’s CPNI regulations must be taken seriously. Over the past several years, the FCC issued several forfeitures in excess of $100,000 against carriers for allegedly failing to comply with existing CPNI requirements. In recent years, over 660 service providers were fined $20,000 each, and several dozen more were fined between $2,000 and $6,000 for a variety of minor deficiencies.
On January 28, 2011, the FCC issued the following Enforcement Alert regarding CPNI compliance:http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-11-159A1.pdfThis notification indicates that, consistent with past years, the FCC intends to aggressively police CPNI compliance. It is likely that the FCC’s Enforcement Bureau will issue significant fines for both non-filing of CPNI Certifications and non-compliance with the FCC’s rules. Therefore we urge all clients to ensure full compliance with CPNI regulations and file a Certification in a timely manner.