The FCC’s Order applying CPNI and other privacy requirements to broadband Internet Service Providers (ISPs) became effective January 3, 2017. The Order eliminated several existing rules, but added additional key requirements for ISPs to meet.
JSI, in partnership with NTCA, will hold a webinar, “Data Defense, Part II – Cybersecurity Risk Assessment Preparation,” on January 26, 2017, at 2 p.m. Eastern (1 p.m. Central) to discuss these requirements in more detail and focus on data security obligations which become effective March 2, 2017.
With the effective date of the Order, changes made to existing rules have taken effect. Most notably for JSI clients, this includes eliminating the requirement for telecom and VoIP providers to annually file a CPNI certification and procedures statement with the FCC. Accordingly, no annual CPNI certification must be filed by March 1, 2017.
The Order also eliminated the requirement to train personnel regarding the use of CPNI and to have an express disciplinary process in place. JSI cautions, however, that companies should continue to train their staff and have a disciplinary process in place to ensure that employees’ actions do not subject the company to fines for violating FCC privacy rules.
Additional changes to the existing rules include eliminating all of the requirements pertaining to “opt out” notices, including the requirement to send notices every two years. The Order also eliminated all recordkeeping requirements, including instances where CPNI was disclosed or provided to third parties. According to the Order, eliminating these requirements reduces burdens for small carriers “which often may not need to record approval if they do not use or share customers’ proprietary information for purposes other than the provision of service.”
Major New Rules & Effective Dates
Data Security: Voice and broadband providers must take reasonable measures to protect customer proprietary information (PI), which include adopting practices “appropriately calibrated” to the nature and scope of the providers’ activities, the sensitivity of the underlying data, the size of the provider, and technical feasibility. Effective date: March 2, 2017.
Breach Notification: Voice and broadband providers must notify affected customers, the FCC and the FBI/Secret Service of data breaches unless the carrier is able to “reasonably determine” that a data breach poses no reasonable risk of harm to the affected customers. Effective date: June 2, 2017 or Paperwork Reduction Act (PRA) approval date, if later.
Notice and Customer Approval: Voice and broadband providers must provide privacy notices that “clearly and accurately” inform customers about what confidential information they collect, how they use it, under what circumstances they share it, and the categories of entities with which they will share it (examples of such “categories” include communications-related services, marketing firms or nonprofit organizations). Providers also must inform their customers about customers’ rights to opt in (for sensitive PI) or opt out (for non-sensitive PI) of the use or sharing of their confidential information. Providers must distribute their privacy policies at points of sale and have them posted on their websites and give customers advance notice of any material changes to the policies. Effective date: December 4, 2017 or Paperwork Reduction Act (PRA) approval date, if later; smaller providers have an additional 12 months to comply.
JSI remains committed to assisting interested clients with compliance activities associated with the new rules. JSI is revising its CPNI training materials to incorporate the changes and will provide further information regarding additional ways we can assist you in the coming weeks. In the meantime, our broadband privacy team is available to answer any questions. Please contact a member of our team by clicking the button below.