USTelecom, CTIA Ask FCC to Change CPNI Order
The FCC should revise an April order on telecom carrier use of customer proprietary network information (CPNI) and other customer information (CD April 3 p10), The United States Telecom Association (USTelecom) and CTIA said in separate petitions for reconsideration. USTelecom said the order seems to assume, in violation of the Administrative Procedure Act (APA), that carriers are at fault when a pretexter obtains protected information. CTIA took exception to a finding in the order that carriers inadequately protect CPNI.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
USTelecom said parts of the April order require a carrier to show that its safeguards sufficed when a pretexter obtained protected information. “This language could be read to place the burden of proof on carriers to prove their adherence to the CPNI rules in an enforcement proceeding,” the wireline association said. “However, under the APA and Commission precedent, the Commission has the burden of proof in enforcement proceedings.” USTelecom said the FCC must make clear that “the Commission, and not a telecommunications carrier, has the burden of proof in enforcement proceedings, including forfeiture actions, alleging violations of the CPNI rules.”
Congress, which outlawed pretexting while the FCC order was in the works, properly focused attention not on carriers but on the problem’s source, “the illegal activities of the pretexters themselves,” the wireline group said. “It would be patently unfair to presume that a telecommunications carrier victimized by the perpetrator of a federal crime could have prevented the pretexting by employing different processes and procedures, absent the Commission proving that they were required under the Commission’s rules and reasonably could be achieved,” USTelecom said.
CTIA raised similar objections, saying the order wrongly shifts the burden to carriers to defend their policies. CTIA noted that the FCC has long required carriers to protect CPNI, relying on “normal rules in enforcement matters” when a carrier falls short.
“The Commission’s establishment of a presumption that carriers have failed to take ‘reasonable measures’ in all instances of unauthorized access to CPNI would run contrary to applicable legal standards and the Commission’s enforcement regime,” CTIA said, invoking instances in which “…there are other explanations for security breaches that may well not have been reasonably foreseeable (in the case of the increasingly sophisticated scams of data brokers) or preventable (in the case of passwords a customer may have shared with a spouse or other family members).”
CTIA asked the FCC to modify the order by including more guidance on reasonable measures carriers are required to take to protect CPNI. The wireless group said the FCC specifically rejected requests it adopt guidelines similar to those the FTC imposed on the financial services industry. “To further clarify carriers’ legal obligations… the Commission should reconsider its apparent rejection of the value of such a programmatic approach,” CTIA said. “This approach has the benefit of requiring each carrier to adopt a comprehensive program designed to avoid unauthorized disclosure of CPNI in a way that is appropriate to its circumstances.”
CTIA cited other alleged problems with the order. The group said the order would require carriers to file two annual certifications for 2007, one for Jan. 1 through Dec. 8, when the rule goes into effect, to be prepared under the old guidelines, and a separate report for the rest of December under the new rules. CTIA asked the agency to declare the second report unnecessary.
Besides petitions for reconsideration, parties offered comments on a further notice of proposed rulemaking asking whether the FCC should further tighten its CPNI rules. Not surprisingly, wireline and wireless carriers argued against adding rules.
T-Mobile said carriers still are adjusting to the April order and the Telephone Records and Privacy Protection Act of 2006, which took effect in January. T-Mobile “is concerned about the prospect of additional new CPNI requirements in light of the dramatic changes that already have occurred in the legal and regulatory environment with respect to CPNI in the past several months,” the carrier said. “Such an expansion of the rules should not even be considered before sufficient time has passed to assess fully the impact of these important recent CPNI developments.”
USTelecom agreed that further changes make little sense, since the April order has not taken effect. “Additional rules could be burdensome for consumers by making it more difficult to access account information than consumers would prefer and costly for carriers,” USTelecom said. “Since there is no current evidence that further regulation would provide a consumer benefit, the Commission should refrain from imposing more regulation.”
More rules under review by the FCC would burden small carriers, said the Rural Cellular Association. “The carrier/customer relationship involving the use of passwords is best managed on the local level,” the group said. “New mandates for audit trails, physical safeguards and data destruction would add to the cost of provision of services in rural areas and reduce the competitiveness of smaller carriers.”