Last week, the Federal Communications Commission (FCC) issued a Notice of Apparent Liability for Forfeiture proposing a $20 million forfeiture, essentially a fine, against two telecommunications service providers for failing to properly authenticate customers’ identity before providing online access to Customer Proprietary Network Information (CPNI). CPNI includes sensitive data, such as called phone numbers, the length and time of calls, and service features. FCC rules mandate that companies handling such information use “reasonable measures” to guard access to CPNI.

Because it would be easy for third parties to impersonate customers and gain access to their CPNI, FCC rules prohibit the use of readily available biographical information or account information. “Readily available biographical information” includes “information drawn from the customer’s life history and includes such things as the customer’s social security number . . . mother’s maiden name; home address; or date of birth.” Account information is “information that is specifically connected to the customer’s service relationship with the carrier, including such things as an account number or any component thereof, the telephone number associated with the account, or the bill’s amount.” FCC rules thus require service providers to authenticate customer identity without the use of the above information and then require a password.

Here, the FCC finds violations because the companies’ respective websites and mobile applications defaulted customers’ passwords to biographical data, and the password would remain so unless a customer changed it themselves. Compounding the issue, the companies’ method of resetting customer account passwords accepted a combination of certain readily available biographical information.

In the Order, the FCC “conservatively” finds that there were at least 500 violations. Since the FCC forfeiture guidelines do not explicitly establish an amount for violations of FCC CPNI rules, the agency looked to analogous cases and precedent and determined it had authority to collect $40,000 as a base forfeiture per violation, which, when compounded, results in the proposed $20 million forfeiture. Since the two companies are wholly owned by the same parent company, they will also be held jointly and severally liable.

The Notice does not mean the forfeitures are final, as the parties will now have an opportunity to respond in their defense. The FCC will consider the parties’ submission of evidence and legal arguments before resolving the matter.

As we have previously written, the FCC has increased its scrutiny of CPNI violations, including strengthening its rules governing breaches of consumer data and personal information, as evidenced by FCC Chairwoman Jessica Rosenworcel’s appointment of the agency’s first-ever Privacy and Data Protection Task Force. Thus, companies handling CPNI data need to ensure that they are fully compliant with applicable FCC rules, as forfeiture risk can quickly escalate.

Laura Stefani

Laura Stefani works at the intersection of law, policy, and technology, providing clients with a wide range of services in the telecommunications arena. She develops creative regulatory solutions to bring new technologies to market and guides clients on U.S. communications policy initiatives, with a focus on wireless and satellite technologies. She advocates for regulated communications entities regarding licensing, market entry, spectrum use, and other regulatory issues before the Federal Communications Commission (FCC), the National Telecommunications and Information Administration (NTIA), and other federal agencies.

Craig A. Gilley

Craig Gilley provides a broad range of services for regulated communications entities, as well as information technology, education technology, investment, and private equity companies. Craig’s primary practice involves counseling cable operators, broadband providers, internet service providers, video programmers, satellite providers, and wireless/wireline telecommunications providers on a broad range of legal, regulatory, operational, and transactional issues. He also regularly provides transactional, operational, compliance, and strategic advice to information and educational technology firms. Craig also represents investment and private equity companies, providing transactional and compliance support to ensure that both their acquisitions and ongoing investments fully comply with regulatory requirements.