FCC Reminds Companies to Comply with CPNI Rules by Imposing a $20 Million Penalty for Violating Authentication Requirements
The FCC recently issued a Notice of Apparent Liability for Forfeiture (NAL) proposing to impose a $20 million penalty on two companies for failing to comply with Customer Proprietary Network Information (CPNI) authentication rules. In the NAL and related News Release, the FCC warned that “protecting customers’ data should be their highest priority” and that they “will use our authorities to ensure that they comply with their obligations to do so.”
Under the CPNI authentication requirements, providers of voice services must ensure they do not disclose sensitive customer data to unauthorized third parties by “authenticating” that the individual is indeed the customer before disclosing call detail information. When customer data is accessible online, providers must establish authentication processes that require the customer to enter a password. Also, any “backup” questions that can be used in case the customer forgets or loses the password cannot use account or biographical information.
In imposing the hefty fine, the FCC explained that the agency began investigating whether the companies violated CPNI rules when it was reported that confidential customer information may have been made public due to a security flaw in the companies’ app that customers use to access their account information. As a result of this investigation, the FCC found that the companies violated CPNI rules by failing to take “reasonable measures” to discover and protect against attempts to gain unauthorized access to CPNI. The FCC noted that this responsibility to protect customer data is “an overarching responsibility that applies to each carrier and that is separate and independent from the more specific requirements in the CPNI rules regarding customer authentication.”
The FCC then used the fine to remind all voice providers of the consequences of failing to protect customer data by issuing a News Release in which FCC Chairwoman Jessica Rosenworcel announced the creation of a newly established Privacy and Data Protection Task Force. In the release, Chairwoman Rosenworcel emphasized the importance of the task force as an “important step in our commitment to protect the privacy and security of consumer information” and highlighted that “consumers rely on their carriers to keep their personal information secure, and the Commission must effectively use our tools for enforcing privacy protections.”
Accordingly, we remind clients of their obligation to ensure that they secure customer data, including data available online, maintain regularly updated Privacy and CPNI policies and procedures, and train staff to strictly adhere to CPNI and other policies and rules protecting confidential customer information.
JSI’s team is here to help, including by crafting CPNI and Privacy policies and procedures, conducting CPNI and Red Flag Rule training sessions, and consulting on authentication requirements and breach notifications. JSI also offers assistance in filing your annual CPNI certification.
If you have any questions or would like assistance, please contact Leslie Ellis or call 301-459-7590.