Last week, the Federal Communications Commission (FCC) issued a Notice of Apparent Liability for Forfeiture proposing a $20 million forfeiture, essentially a fine, against two telecommunications service providers for failing to properly authenticate customers’ identity before providing online access to Customer Proprietary Network Information (CPNI). CPNI includes sensitive data such as the phone numbers called, the length and time of calls, and the service features on the account. FCC rules mandate that companies handling such information use “reasonable measures” to guard access to CPNI.
Because it would be easy for third parties to impersonate customers and gain access to their CPNI, FCC rules prohibit authenticating customers with readily available biographical information or account information. “Readily available biographical information” includes “information drawn from the customer’s life history and includes such things as the customer’s social security number . . . mother’s maiden name; home address; or date of birth.” Account information is “information that is specifically connected to the customer’s service relationship with the carrier, including such things as an account number or any component thereof, the telephone number associated with the account, or the bill’s amount.” FCC rules thus require service providers to authenticate a customer’s identity without relying on the above information, and then to require a password.
Here, the FCC finds violations because the companies’ respective websites and mobile applications defaulted customers’ passwords to biographical data, and the password would remain so unless a customer changed it themselves. Compounding the issue, the companies’ method of resetting customer account passwords accepted a combination of certain readily available biographical information.
In the Order, the FCC “conservatively” finds that there were at least 500 violations. Since the FCC forfeiture guidelines do not explicitly establish an amount for violations of the FCC’s CPNI rules, the agency looked to analogous cases and precedent and determined it had authority to collect $40,000 as a base forfeiture per violation, which, multiplied across the 500 violations, results in the proposed $20 million forfeiture. Since the two companies are wholly owned by the same parent company, they will also be held jointly and severally liable.
The Notice does not mean the forfeitures are final, as the parties will now have an opportunity to respond in their defense. The FCC will consider the parties’ submission of evidence and legal arguments before resolving the matter.
As we have previously written, the FCC has increased its scrutiny of CPNI violations, including strengthening its rules governing breaches of consumer data and personal information, as evidenced by FCC Chairwoman Jessica Rosenworcel’s appointment of the agency’s first-ever Privacy and Data Protection Task Force. Thus, companies handling CPNI data need to ensure that they are fully compliant with applicable FCC rules, as forfeiture risk can quickly escalate.