FCC Moves to Fine Telcos on Consumer Data Protection

The FCC has proposed fining hundreds of telecommunications companies for failing to file an annual report on how they safeguard sensitive consumer information.

The Federal Communications Commission has proposed fining (PDF) some 600 telecommunications companies for failing to file an annual Customer Proprietary Network Information (CPNI) report with the agency, detailing how they companies safeguard sensitive customer information suck as call logs and the types of services customers use. Acting FCC chairman Michael Copps has proposed fining more than 600 operators who failed to file any CPNI report at all $20,000 apiece; an unspecified number of companies that filed a report that didn’t comply with the FCC’s requirements would face fines of $10,000 each.

“I have long stressed the importance of protecting the sensitive information that telecommunications carriers collect about their customers, Copps wrote in a statement. “Carriers’ obligation to annually certify that they have implemented a CPNI protection plan is essential to ensuring their compliance with the Commission’s rules as well as our ability to monitor their compliance.”

The FCC’s CPNI reporting requirements date back to 2006 and a practice called “pretexting” whereby scammers and others would use social engineering to get telcos to disclose callers billing, log, and service information. The issue got a very public face when investigators working for the the Hewlett-Packard board or directors were found to have used pretexting to obtain private phone records of both board members and industry journalists. The practice of pretexting also created a hazy market of “data brokers” who specialized in obtaining consumer calling records. The FCC instituted an annual CPNI reporting requirement in April 2007, and mandated that phone companies cannot release customer call records without a customer password or other confirmation that the information is only being disclosed to the customer.

The companies have 30 days to appeal the decision or pay the $20,000 fine. The amount of the fine seems comparatively small compared to the stated importance of the CPNI filing requirement; the FCC seems aware that many of the companies that have not complied are smaller operators who may not be fully aware of their obligations.