FCC Strengthens Privacy Rules to Prevent Pretexting

The Federal Communications Commission has strengthened its privacy rules by requiring telephone and wireless carriers to adopt additional safeguards to protect the personal telephone records of consumers from unauthorized disclosure. These new safeguards will help prevent unauthorized access to customer proprietary network information, or CPNI.

The new safeguards include:

• Carrier Authentication Requirements.Carriers are prohibited from releasing a customer's phone call records when a customer calls the carrier except when the customer provides a password. If a customer does not provide a password, carriers may not release the customer's phone call records except by sending it to an address of record or by the carrier calling the customer at the telephone of record. Carriers are required to provide mandatory password protection for online account access. Carriers are permitted to provide all CPNI, including customer phone call records, to customers based on in-store contact with a valid photo ID.
• Notice to Customer of Account Changes. Carriers are required to notify the customer immediately when the following are created or changed: (1) a password; (2) a back-up for forgotten passwords; (3) an online account; or (4) the address of record.
• Notice of Unauthorized Disclosure of CPNI. A notification process is established for both law enforcement and customers in the event of a CPNI breach.
• Joint Venture and Independent Contractor Use of CPNI.Consent rules are modified to require carriers to obtain explicit consent from a customer before disclosing a customer's CPNI to a carrier's joint venture partners or independent contractors for the purposes of marketing communications-related services to that customer.
• Annual CPNI Certification.Certification rules are amended to require carriers to file with the Commission an annual certification, including an explanation of any actions taken against data brokers and a summary of all consumer complaints received in the previous year regarding the unauthorized release of CPNI.
• CPNI Regulations Applicable to Providers of Interconnected VoIP Service.All CPNI rules are extended to cover providers of interconnected voice over Internet Protocol (VoIP) service.
• Business Customers.In limited circumstances, carriers may bind themselves contractually to authentication regimes other than those adopted in this Order for services they provide to their business customers that have a dedicated account representative and contracts that specifically address the carrier's protection of CPNI.

The Commission also adopted a Further Notice of Proposed Rulemaking seeking comment on what additional steps, if any, the Commission should take to further protect the privacy of consumers.