Webinar: Complying with the FCC’s Annual CPNI Training Requirement, Jan. 27

2022-01-11T14:04:32-05:00January 11, 2022|Webinars|

All telecom carriers providing voice services must certify by March 1 each year that their employees have been trained or refreshed on the basics of the FCC’s Customer Proprietary Network Information (CPNI) rules. To help you quickly and easily satisfy this annual requirement, JSI is offering a 90-minute CPNI training webinar on Thursday, January 27, 2022, at 2 p.m. Eastern. During the webinar, we will review the CPNI rules and how to adapt them to modern communications networks so that sensitive customer information does not end up in the wrong hands. In addition, we will briefly discuss Red Flag rules for identity theft protection.

All employees who have access to customer account information, particularly customer service representatives, and any senior employees who would like a refresher on the CPNI compliance rules should attend this type of training. As these CPNI rules apply to all voice providers, electric cooperatives and fixed wireless providers offering voice services to their customers would also benefit from this training session.

Registration for this webinar is $249 per company, allowing you to invite as many members of your staff as needed. (Can’t make it on the 27th or have staff that will need to watch a replay of the webinar? All registrants will receive a recording of the webinar.) Registered companies also will receive a template certificate for employees to sign affirming that they’ve completed the CPNI training.

Register

Contact Jessica Wick or Brenda Cordwell in the Maryland office at 301-459-7590 for more information about this webinar or questions about registration.

Contact Us

Need More CPNI Assistance?

We offer several options for companies that would like additional help protecting their customers’ sensitive information. We can:

  • Assist with your company’s annual CPNI compliance certification filing due March 1;
  • Provide other materials for CPNI training, including our CPNI manual;
  • Complete an in-depth review of your Red Flag manual and program
  • Conduct one-on-one, customized training webinars with your staff; or
  • Train someone at your company to conduct your own CPNI trainings.

Please contact us about these customizable options for additional CPNI and privacy training.

Contact Us

Webinar: Check Off Your Annual CPNI Training Requirement

2021-12-07T17:12:14-05:00January 12, 2021|Webinar Recordings|

All telecom carriers providing voice services must certify by March 1 each year that their employees have been trained or refreshed on the basics of the FCC’s Customer Proprietary Network Information (CPNI) rules. To help you quickly and easily satisfy this annual requirement, JSI offers a 90-minute CPNI training webinar to fulfill this requirement. All employees who have access to customer account information, particularly customer service representatives, and any senior employees who would like a refresher on the CPNI compliance rules should attend this type of training. As these CPNI rules apply to all voice providers, electric cooperatives and fixed wireless providers offering voice services to their customers would also benefit from this training session.

Our CPNI training reviews the rules and how to adapt them to modern communications networks so that sensitive customer information does not end up in the wrong hands. In addition to the CPNI rules, we discuss the Red Flag rules for identity theft protection and provide an update on what is going on with broadband privacy rules.

A recording of the CPNI training is available for $249. If you’d like to purchase the recorded training, please contact Brenda Cordwell in the Maryland office at 301-459-7590.

Contact Us

Need More CPNI Assistance?

We offer several options for companies that would like additional help protecting their customers’ sensitive information. We can:

  • Assist with your company’s annual CPNI compliance certification filing due March 1, 2021;
  • Provide other materials for CPNI training, including our CPNI manual;
  • Complete an in-depth review of your Red Flag manual and program
  • Conduct one-on-one, customized training webinars with your staff; or
  • Train someone at your company to conduct your own CPNI trainings.

Please contact us about these customizable options for additional CPNI and privacy training.

Contact Us

JSI News & Commentary – October 2017

2020-11-03T12:49:00-05:00October 6, 2017|News|

News and Commentary

Assessment: Risk and Uncertainty

Now that summer is over, it is time to reflect on the state of the rural telecom industry and imagine its future. It is not the time to relax. Instead, JSI has the sense that clients need to assess our economic and regulatory environment and take steps to ensure future successes as vital communications providers in their communities.

Two very important concepts are forefront in our minds this fall: risk and uncertainty. The seminal work of economist Frank Knight comes to mind when we think about these concepts. The year was 1921 and Frank Knight was exploring a new era after World War I where business opportunities were abundant. In the ebb and flow of business, Knight wrote a book entitled “Risk, Uncertainty, and Profit.” In it, Knight explained, “There is a fundamental distinction between the reward for taking a known risk and that for assuming a risk whose value itself is unknown.” In the former case Knight calls “risk,” one can account for the likelihood of success, assess value, and make a smart decision. For example, while it is risky to place fiber infrastructure in a new, competitive community outside a study area, with analysis and study, a manager can gauge the likelihood of an investment return given current and expected economic and demographic conditions. Information can be used to assess risk. However, when nothing is known, such as when regulations continually change or funding levels haven’t been set, analysis doesn’t help. In this case, decision makers are faced with “uncertainty.” A certain level of uncertainty can delay or freeze projects and leave needed infrastructure wanting.

In this edition of JSI News & Commentary, we explore the relationship of risk and uncertainty in a number of settings—ultimately concluding that regulatory uncertainty continues to be a strategy disrupter and that our current level of uncertainty is not abating. Even with the ever-present level of regulatory uncertainty that our rural providers are accustomed to, it is as paramount as ever to continue providing quality and affordable state-of-the-art services to customers, and to continue investing in next-generation networks. No matter how much risk and uncertainty the industry endures, customers won’t sympathize, because they just want quality and affordable communications solutions.

Federal High-Cost Support

Despite the possible objection that the interplay of risk and uncertainty is a distinction without a difference, we believe separating these terms are helpful when looking at the future. Specifically, risk and uncertainty come to mind when thinking about recent FCC actions.

Our first example of risk and uncertainty within the industry is federal high-cost universal service policy. The FCC’s attempted reform of high-cost support has created both risk and uncertainty for rural carriers. Last year’s election for A-CAM support and regulation was an example where carriers needed to assess as best they could both risks and uncertainties about their future and the viability of both A-CAM support and Legacy support programs. Since the A-CAM election, the rural industry has been working on obtaining additional funding for A-CAM and Legacy providers. Currently, JSI remains hopeful that some additional funds will be secured; regardless, unless there is sufficient and full funding of high-cost programs, Legacy providers will face more uncertainty about critical federal support for their networks. JSI supports the effort to fully fund all federal rural carrier programs designed to deliver modern networks capable of providing voice and broadband services to end users in rural areas of the nation. The FCC is primed to review the federal high-cost budget this year. We encourage all parties to push for full funding of the federal high-cost programs.

Without fully funding the current federal programs, JSI expects some end users will be unable to subscribe to communications networks of their choice. The inability of end users to connect to the incumbent carriers’ networks for modern network services is a failure of our nearly century-old federal universal service policy. Rural rate-of-return carriers have been submerged in uncertainty over federal funding for the better part of a decade now; but consumer demands for high-capacity, high-speed networks are constantly increasing. There is no doubt that the uncertainty surrounding the full funding needs of the federal Universal Service Fund will curtail sufficient broadband service in much of the rural rate-of-return service areas.

Network Neutrality

Now let’s consider, for example, the 20-year debate over how to ensure a prosperous Internet ecosystem where many businesses and individuals can thrive and add billions of dollars of value to the economy. Recently, FCC Chairman Pai concluded the comment round of a Notice of Proposed Rulemaking (NPRM) to return to the 1990 era of regulation hoping to ensure more investment in broadband networks. He stated, “Today we propose to reinstate the information service classification of broadband Internet access service and return to the light-touch regulatory framework first established on a bipartisan basis during the Clinton Administration” (NPRM at 24). JSI expects the FCC will remove the Title II treatment of Broadband Internet Access Service (BIAS) that was adopted in its 2015 Open Internet Order.

Readers of earlier JSI News & Commentary editions may recall that the Bush Administration established four freedoms in 2004 and a robust Internet Policy Statement in 2005. The Bush Administration attempted to enforce the principles in its Internet Policy Statement when it found Comcast had “contravened federal policy” by “significantly impeding consumers’ ability to access the content and use the applications of their choice.” Comcast appealed and a federal appellate court held that the FCC had not justified its actions. After another attempt to enforce basic principles of no-throttling, no-blocking, and non-discrimination through a new FCC Order, Verizon appealed. The Obama Administration was told by the same federal appellate court its new attempt at the no-blocking and no-unreasonable discrimination rules “impermissibly regulated providers as common carriers.” In response to the Verizon decision, the FCC ultimately adopted its 2015 Open Internet Order.

The 2015 Open Internet Order reclassified providers as common carriers under Title II of the Communications Act. This was done to ensure that no-blocking, no-throttling, and non-discrimination polices would have sufficient legal support to withstand the inevitable legal challenge—and a three-judge panel at the federal appellate court upheld the FCC’s 2015 reclassification.

The Trump Administration now proposes to revert to the policies of the 1990s when the nascent Internet was not a force in social and economic interaction in every modern society. Most commenters to the FCC’s NPRM suggest that no-blocking, no-throttling, and non-discrimination policies are vital to content and app suppliers, as well as to users. Exactly how the FCC will ensure adherence to these policies while undermining its Title II authority to require such behavior remains uncertain.

This Internet policy example provides a history of risk and uncertainty since 2005. Most providers abhor uncertainty. The knowledge that no-blocking, no-throttling, and non-discrimination polices were established and were enforceable by the FCC allowed providers to assess the risk of investments. However, the inability to quantify repeated uncertainty due to multiple carrier challenges in court has led to an environment where too much uncertainty affects investment in the industry. The degree to which investment is affected is subject to heated debate. Despite the outcome of this debate, it is clear that uncertainty on what will be the ultimate Washington, D.C., regulatory policy dampens investment.

When looking at the current state of the FCC’s NPRM, we are reminded of Shakespeare’s tragic play King Lear where upon seeing seeming chaos and confusion, the Duke of Albany says “Striving to better, oft we mar what’s well.” This guidance would benefit the FCC when it begins to address the issues outlined in its NPRM. This NPRM has generated considerable attention in the national press with millions of comments being filed in response to the FCC’s proposal.

Comcast and Verizon would have been much better off in 2017 if they had accepted the 2005 Internet Policy Statement and voluntarily abided by its principles instead of forcing the FCC to ratchet up its authority and enforcement of well-established Internet principles. Moreover, the trinity of consumer protections (no-blocking, no-throttling, and non-discrimination) now includes an ambiguous general conduct rule that has many interpretations and has increased uncertainty in the industry. JSI expects more uncertainty for Internet policy until Congress enacts legislation that establishes a rational framework for the policy trinity of no-blocking, no-throttling, and non-discrimination.

The FCC now proposes to adopt a three-part “light-touch regulatory framework” which (1) classifies BIAS as an information service inseparable from the retail Internet service purchased in the marketplace; (2) determines that mobile BIAS is not a “commercial mobile service”; and (3) tasks the Federal Trade Commission (FTC) with policing the privacy practices of ISPs. In addition, the FCC is exploring how to retain the four Internet Freedoms first expressed in 2004, which include the freedom to access lawful content, use applications, use devices, and obtain service plan information.

Many parties commenting in this proceeding have expressed doubt that the FCC can adopt a light-touch framework while at the same time ensuring that there is (1) no blocking of lawful content, (2) no throttling of network speeds accessing lawful content, and (3) no discrimination of providers’ content. Hence, the most straightforward and common-sense approach is to have Congress establish “bright-line rules” for ISPs under specifically tailored legislation. Let’s be clear: The proverbial “fitting a square peg in a round hole” approach is not working. Some commenters argue that the Title I light-touch approach fails to provide sufficient legal foundation for the four Internet Freedoms and the no blocking, no throttling, and no discrimination policies embraced at one time by the FCC and that are needed in today’s marketplace.

We believe that absent congressional action, the industry will experience continued uncertainty on how the FCC, the court, and the states wrestle these issues. Meanwhile, consumers are wary of ISPs because of all the press in recent years about “bad actors” violating net neutrality principles, even though much of the hype is hypothetical. Consumers have an expectation that their ISP will not block, throttle, or discriminate. So, uncertainty at the highest policy level will not keep consumers from demanding quality and affordable services that adhere to net neutrality rules.

In the meantime, reply comments filed by NTCA–The Rural Broadband Association and Home Telephone Company highlight an issue affecting rural carriers that is important to note and keep an eye on. That issue is rural carrier interconnection with larger ISPs and the Internet backbone providers. Under Title II regulation, the FCC expressed its intent to watch interconnection between networks and showed a willingness to resolve issues that arise. This authority is valuable for rural carriers that have or may have Internet interconnection issues with larger carriers. In the NPRM, the FCC warned that under Title I regulation it will not have the authority to intervene if a rural carrier has interconnection issues with larger providers. JSI agrees with NTCA and Home that preserving this backstop for interconnection is important. Given that the FCC admits that it won’t have authority if it moves to Title I light-touch regulation, JSI is concerned that this clear benefit will be lost as the FCC adopts its proposal. Again, the solution to this common-sense problem is for Congress to intervene and give the FCC clear and defined authority to address this issue if BIAS doesn’t remain under Title II regulation.

The FCC is reviewing comments and reply comments in this proceeding. We expect to see an Order from the FCC sometime in 2018. ISPs, carriers, and the nation await the FCC’s decision.

Broadband Privacy

Turning to an overlay of the network neutrality issue, we address the chaos related to broadband privacy. Here, like with our other examples, uncertainty abounds. Since the FCC issued a stay on some of its 2016 rules shortly after Republican Chairman Ajit Pai replaced Democrat Tom Wheeler, the debate over who should be the “cop on the beat” for data privacy and security has reached a fever pitch over the course of 2017. Fuel has been added to the fire with an important 9th U.S. Circuit Court of Appeals case over the FTC’s rightful jurisdiction to regulate common carriers providing non-common carrier services.

The following is the simplest description of a complicated subject. Republican FCC commissioners believed that the FCC’s 2016 Broadband Privacy Order veered too far from the FTC’s long-established data privacy and security policies that apply to edge providers like Google and Facebook and did apply to Title I broadband providers prior to the implementation of the 2015 Open Internet Order. Chairman Pai and Commissioner O’Rielly believed that the FCC’s rules should more closely match the FTC’s rules, so that ISPs are not unfairly burdened with different and more stringent rules for data privacy and security in comparison to edge providers. At this same time, the Republican-controlled Congress enacted the “nuclear option,” or the Congressional Review Act, to completely undo the FCC’s Broadband Privacy Order. As a result, there are no specific CPNI data privacy and security rules that apply to broadband providers until the FCC drafts new privacy rules in this area (possibly in closer coordination with the FTC), or the “common carrier exemption” of FTC rules is lifted. Who knew that classifying broadband providers as common carriers could have such complicated implications to data privacy and security?

We will review the roles of the FCC, the FTC and Congress, and will describe how this ongoing uncertainty is impacting rural broadband providers.

Federal Communications Commission
Before 2015, the FTC oversaw data privacy and security for both ISPs and edge providers. But the FCC’s 2015 Open Internet Order which classified BIAS as a “Title II” common carrier service was the nexus of the FCC’s control over data privacy and security. This classification change limited the FTC’s authority because it cannot regulate common carrier services offered by common carriers. Once BIAS became a Title II service, it became the FCC’s issue, and former FCC Chairman Wheeler wasted no time in drafting and passing an Order to regulate data privacy and security. The rulemaking process for the Broadband Privacy Order stretched throughout 2016 and forced small rural BIAS providers to consider tough questions, such as:

  • Do you have the technical ability to gather and store sensitive data about your consumers?
  • Do you have an incentive to use or sell that data for any reason?
  • Are your customers voicing concerns about how you protect their private online transactions, searches, and stored data?
  • Have you considered how you would handle a breach and misuse of consumer data by an employee?
  • What safeguards do you already have in place to protect your customers’ private data that transmits on your network?
  • Have you conducted a thorough risk assessment to identify all the possible cybersecurity threats, and how to mitigate them?

The questions surrounding the broadband consumer privacy rules have the effect of Medusa for a small ISP, for the likely reaction is to turn to stone once you start thinking through the implications of costly, complicated and burdensome new regulations or consumer dissatisfaction and potential security risks related to privacy breaches.

The FCC’s data privacy and security rules arguably went too far and created unreasonably expensive and time-consuming compliance obligations and technical requirements that posed a problem for small ISPs, and a risk of higher-priced compliance. As such, small ISPs argued throughout the rulemaking process that they lack the incentive to use or sell consumer data and that they simply do not engage in the types of behaviors that would necessitate many of the rules, including that rule that consumers have to opt in to have ISPs use their data for targeted marketing purposes. The result of the now-stayed rules was uncertainty about how to comply and how much further the FCC would go to impose rules that were meant to protect consumers but inevitably created financial and technical burdens for ISPs.

Federal Trade Commission
With no way for the FCC to apply its regulatory touch to broadband privacy, the fate now rests with the FTC, except for the problem that the FTC is barred from regulating common carriers. The intersection of agency discretion and legislation may come to a head in the near future, because the FCC’s net neutrality repeal might undo the classification of broadband providers as common carriers, thereby allowing the FTC to take the reins again with uniform broadband privacy and data security rules (or not, if it chooses to maintain the status quo).

Congress
Congress is lurking on the sidelines with periodic murmurs about broadband privacy legislation. Its action on broadband privacy is linked inevitably to what happens with the FCC’s net neutrality rules, as well as if Congress decides to enact common-sense net neutrality legislation. Legislation has been proposed to pass broadband privacy laws that more closely align with the FTC’s rules, but it hasn’t gotten much traction. As you can see, this is all a tangled web of uncertainty at the moment.

The 9th Circuit Court
Meanwhile, eyes are on the 9th U.S. Circuit Court of Appeals which will rehear the pivotal case of FTC v. AT&T. In this case, the FTC alleged that AT&T illegally throttled mobile Internet speeds of unlimited data customers without warning. This case was dismissed last year because AT&T was deemed to be exempted from FTC jurisdiction as a common carrier. The FTC and consumer advocates are hoping to achieve a more favorable outcome in a rehearing. No one in the rural broadband industry argues that consumers don’t deserve the certainty of knowing that their data is private and secure, but the providers also do not want the risk of increased regulatory costs and burdens. The FTC and consumer activists do not believe that AT&T and other broadband providers should be able to escape culpability for violating rules that other companies would be held accountable to, just because they are considered common carriers.

Chairman Pai is pleased that the 9th Circuit is rehearing the case. He hopes that the FTC ends up with jurisdiction over broadband privacy and security practices, so that the entire Internet ecosystem is held to the same set of rules and oversight. Chairman Pai also believes that if the FTC’s jurisdiction over broadband providers is restored, it will strengthen the FCC’s case to reverse the 2015 net neutrality rules because broadband privacy and security will be handled by a different agency.

Conclusion

In assessing these current and pressing examples of risk and uncertainty, we restate the obvious: the rural carrier industry faces risk and uncertainty in the future. But the question isn’t whether we will face risk and uncertainty, instead, the question is how we will respond to the risks and uncertainties presented to us. JSI believes we need to fight to eliminate regulatory uncertainty plaguing BIAS and continue to press the FCC to adequately fund federal universal service support programs to allow rural providers to deploy 21st Century networks, because rural customers won’t accept anything less than quality, affordable, state-of-the-art services that enable them to partake in the broadband economy and ecosystem. JSI has long advocated these positions and will continue to work with the industry to support these efforts in order to make the future a bit more certain.

FCC Clarifies Current Privacy Rules

2017-12-14T10:23:15-05:00June 30, 2017|e-Lerts|

On June 29, 2017, the FCC released an Order effectively reinstating voice-centric privacy rules, and reminding Internet Service Providers (ISPs) that they remain subject to Section 222 of the Communications Act of 1934, as amended (the Act). Through this order, the FCC clarified that annual CPNI compliance certification and recordkeeping requirements are again in effect, and carriers subject to these requirements must file an annual certification by March 1, 2018. Therefore, no annual certification will be required in 2017. The Order also dismisses 11 Petitions for Reconsideration of the 2016 Privacy Order, deeming the petitions moot since the 2016 Privacy Order and the rules adopted therein are no longer in effect.

The rules that will been reinstated in the Code of Federal Regulations (CFR) include the FCC’s CPNI rules in effect prior to the 2016 Privacy Order. As clients likely recall, the FCC’s 2016 Privacy Order was repealed under a resolution of disapproval invoked under the Congressional Review Act (see JSI’s March 30th e-Lert for additional details). While the 2016 Privacy Order was repealed, certain portions of that order that sought to harmonize voice and broadband privacy rules modified existing CPNI rules, causing confusion as to what rules are now currently in place. The current Order effectively removes 2016 Privacy Order rules from the CFR and reinstates voice CPNI rules 47 CFR § 64.2001 through § 64.2011, which include: customer notice requirements specific to opt-in, opt-out, and one-time use; safeguards required for use and disclosure of CPNI (including personnel training requirements, recordkeeping requirements for marketing campaigns using CPNI, supervisory review process and annual certifications); and notification of CPNI security breaches.

In effect, companies can travel back in their theoretical time machines to the fall of 2016, and reinstate the privacy rules and principles that were in effect at that time. However, clients are reminded that even in the fall of 2016, Sections 201, 202 and 222 of the Act governed more than just voice-centric CPNI, and carriers have been penalized for not applying reasonable security frameworks to both voice and broadband services. Therefore, JSI continues to recommend that carriers follow best industry practices, such as the FTC’s adopted NIST Framework for cybersecurity to protect customer data, in addition to following explicit CPNI rules.

JSI will continue to provide required privacy and Red Flag Rule training, and remains available to assist interested clients with annual certification compliance filings and the development of privacy policies to comply with web posting requirements. If you have questions about privacy training or compliance issues, please contact John Kuykendall or Cassandra Heyne at 301-459-7590. For privacy policy assistance, please contact Terri Parrilla at 301-459-7590.

Feds Roll Back Broadband Privacy & Lifeline Broadband ETC Designations

2017-12-14T10:39:56-05:00March 30, 2017|e-Lerts|

JSI Monitoring Both to Determine How They Affect Clients

As expected, the U.S. House of Representatives followed the Senate’s lead and voted Tuesday to repeal the privacy rules put in place in the FCC’s Broadband Privacy Order enacted in October 2016 by the Obama administration. The bill now goes to President Trump, who is expected to sign it. The repeal removes the rules adopted last year, and because the bill invokes a law called the Congressional Review Act, it would prohibit the FCC from passing similar regulations in the future. This rollback of the rules would result in a re-instatement of old voice-centric CPNI rules that require officer certifications, employee training, record keeping and CPNI-specific opt-in/opt-out notices that had been removed effective January 3, 2017, when certain parts of the 2016 Broadband Privacy Order became effective. At this time, it is unclear what would be required in the future, but JSI is closely monitoring this matter and will advise clients as soon as more information is announced.

These congressional activities follow the recent Stay Order that Chairman Ajit Pai issued, which effectively postponed certain data security measures in the 2016 Broadband Privacy Order that were scheduled to become effective earlier this month (see our March 2 e-Lert). With the anticipated approval of the bill to repeal the Order in its entirety, neither data security nor any other mandates resulting from the 2016 Broadband Privacy Order would be further regulated by the FCC.

Chairman Pai has been outspoken in his dissent of the privacy rules, calling them overreaching and designed to benefit one group over another. He believes that the Federal Trade Commission’s (FTC’s) rules that were in place until last year were effectively policing online companies’ privacy practices. In a statement made yesterday, Pai also said that the FCC and the FTC will work together to continue to protect consumers’ online privacy “through a consistent and comprehensive framework.”

Opponents of this recent development view this as a setback in protecting consumers’ privacy and that Americans will never be safe from having their personal details sold to the highest bidder. They also fear that this latest decision signals a potential rollback of Net Neutrality rules.

The Future of Lifeline for Broadband
Also yesterday, Chairman Pai issued a statement about the future of broadband in the Lifeline program. The Chairman supports including broadband in the federal Lifeline program, but strongly believes that the responsibility for the designation of “Lifeline Broadband Provider” (LBP) belongs to state governments, not the FCC. Pai believes that Congress gave the states, not the FCC, the responsibility to regulate eligible telecommunications carrier (ETC) designations, including LBP ETC designations. At this time, 12 states are challenging the FCC’s Order in the U.S. Court of Appeals, and Pai does not want to waste FCC resources defending what he considers the FCC’s unlawful action in court. Pai has instructed the FCC’s Office of General Counsel to ask the D.C. Circuit Court to send this case back to the Commission for further consideration, and it is anticipated that the FCC will begin a proceeding to eliminate the federal designation process.

Given Pai’s statement, JSI expects that the FCC will not approve any outstanding LBP ETC applications. Instead, companies pursuing Lifeline discount reimbursements for broadband services would have to follow any state-prescribed ETC designation processes.

JSI is working diligently to review both the repeal of the 2016 Broadband Privacy Order and the Lifeline Broadband Provider designation process changes to determine how the changes affect our clients. We will provide ongoing information as further details become available. If you have questions about privacy issues, please contact John Kuykendall or Cassandra Heyne at 301-459-7590. For Lifeline assistance, please contact Lans Chase at 770-569-2105 or Lisa McLaughlin at 512-338-0473.

Source: JSI e-Lert

FCC Grants Stay Petition for Data Security Rules

2017-12-14T10:56:45-05:00March 2, 2017|e-Lerts|

In an Order adopted yesterday, the FCC partially stayed rules requiring broadband Internet Service Providers (ISPs) to implement reasonable data security practices to protect their customers’ privacy. These rules, adopted in October 2016, were scheduled to become effective today, March 2. By the end of January 2017, the FCC had received 11 petitions to reconsider the 2016 Privacy Order, as well as one petition filed by nine trade associations requesting that the FCC stay the rules.

The partial stay will provide interim relief from the data security rules until the FCC can act on the petitions for reconsideration that are still outstanding. The stay does not impact other broadband privacy rules that became effective January 3, 2017, and does not take action on new notice requirements, customer approval requirements, and data breach notification requirements, which are all still pending Office of Management and Budget approval under the Paperwork Reduction Act.

The associations’ stay petition argued that the FCC’s interpretation of “reasonable” data security practices differs from the Federal Trade Commission’s (FTC) standards, and that ISPs have voluntarily committed to adhering to the FTC standards. The FCC agrees that based on language in the 2016 Privacy Order, the data security requirements, as they currently stand, would subject ISPs to more burdensome regulations than other participants in the Internet ecosystem are subjected to by the FTC. Further, a majority of the current FCC commissioner body dissented from the 2016 Privacy Order, including Chairman Pai.

The FCC also acknowledges that the resources broadband providers and other telecommunications carriers would be required to devote to complying with the “too broad” and “too vague” data security measures are substantial, and the providers are already obligated to comply with Section 222 of the Communications Act, and other applicable federal and state privacy, data security and breach notification laws.

JSI remains committed to assisting interested clients understand their privacy obligations. Our broadband privacy team can assist companies with any questions or staff training. Please contact John Kuykendall in JSI’s Maryland office at 301-459-7590 for more information.

Source: JSI e-Lert

Webinar: Data Defense, Part II – Cybersecurity Risk Assessment Preparation

2017-10-30T11:29:59-04:00January 26, 2017|Webinar Recordings|

Learn how to meet the FCC’s new broadband security risk assessment requirement

Although many of the rules in the FCC’s October 2016 Broadband Privacy Order will not be applicable for small ISPs until later down the road – or at all, depending on how the rules hold up against the incoming administration – one requirement has an upcoming deadline. By March 2, 2017, all telecom providers and ISPs, including those of JSI clients, must implement “reasonable” data security measures to protect customer information. The FCC suggested providers use the National Institute of Standards and Technology’s (NIST) framework as part of their overall data security risk management.

Recently experts from JSI, as well as NTCA’s cybersecurity risk assessment guru Jesse Ward, held a special webinar guiding clients through what is involved in implementing data security measures that comply with the FCC’s requirement, plus the tools and processes companies can use to conduct their data security risk assessment.

In this webinar, you will learn:

  • Details of the risk assessment requirement that must be completed by March 2
  • Roles of directors, managers, and other key personnel in the data security risk assessment process
  • Features of NTCA’s cybersecurity tool
  • Benefits of following the NIST framework
  • Managing the costs of data security
  • Maintaining an ongoing risk assessment strategy
  • Changes coming to the FCC and how the broadband privacy rules might fare under a new chairman and commissioners

A recording of the webinar is available for $249. This webinar also is part of our 2017 Video Compliance Webinar series. Companies that subscribe to JSI’s Video Compliance Service will receive a $70 discount on this event.

For more information or to request the webinar recording, Brenda Cordwell in the Maryland office at 301-459-7590.

FCC Sets Deadlines for New Broadband Privacy Rules, Eliminates Annual CPNI Filing

2017-05-19T10:09:36-04:00January 13, 2017|e-Lerts|

The FCC’s Order applying CPNI and other privacy requirements to broadband Internet Service Providers (ISPs) became effective January 3, 2017. The Order eliminated several existing rules, but added additional key requirements for ISPs to meet.

JSI, in partnership with NTCA, will hold a webinar, “Data Defense, Part II – Cybersecurity Risk Assessment Preparation,” on January 26, 2017, at 2 p.m. Eastern (1 p.m. Central) to discuss these requirements in more detail and focus on data security obligations which become effective March 2, 2017.

Rules Eliminated
With the effective date of the Order, changes made to existing rules have taken effect. Most notably for JSI clients, this includes eliminating the requirement for telecom and VoIP providers to annually file a CPNI certification and procedures statement with the FCC. Accordingly, no annual CPNI certification must be filed by March 1, 2017.

The Order also eliminated the requirement to train personnel regarding the use of CPNI and to have an express disciplinary process in place. JSI cautions, however, that companies should continue to train their staff and have a disciplinary process in place to ensure that employees’ actions do not subject the company to fines for violating FCC privacy rules.

Additional changes to the existing rules include eliminating all of the requirements pertaining to “opt out” notices, including the requirement to send notices every two years. The Order also eliminated all recordkeeping requirements, including instances where CPNI was disclosed or provided to third parties. According to the Order, eliminating these requirements reduces burdens for small carriers “which often may not need to record approval if they do not use or share customers’ proprietary information for purposes other than the provision of service.”

Major New Rules & Effective Dates
Data Security: Voice and broadband providers must take reasonable measures to protect customer proprietary information (PI), which include adopting practices “appropriately calibrated” to the nature and scope of the providers’ activities, the sensitivity of the underlying data, the size of the provider, and technical feasibility.  Effective date: March 2, 2017.

Breach Notification: Voice and broadband providers must notify affected customers, the FCC and the FBI/Secret Service of data breaches unless the carrier is able to “reasonably determine” that a data breach poses no reasonable risk of harm to the affected customers. Effective date: June 2, 2017 or Paperwork Reduction Act (PRA) approval date, if later.

Notice and Customer Approval: Voice and broadband providers must provide privacy notices that “clearly and accurately” inform customers about what confidential information they collect, how they use it, under what circumstances they share it, and the categories of entities with which they will share it (examples of such “categories” include communications-related services, marketing firms or nonprofit organizations). Providers also must inform their customers about customers’ rights to opt in (for sensitive PI) or opt out (for non-sensitive PI) of the use or sharing of their confidential information. Providers must distribute their privacy policies at points of sale and have them posted on their websites and give customers advance notice of any material changes to the policies. Effective date: December 4, 2017 or Paperwork Reduction Act (PRA) approval date, if later; smaller providers have an additional 12 months to comply.

JSI remains committed to assisting interested clients with compliance activities associated with the new rules. JSI is revising its CPNI training materials to incorporate the changes and will provide further information regarding additional ways we can assist you in the coming weeks. In the meantime, our broadband privacy team is available to answer any questions. Please contact John Kuykendall or Terri Parrilla in JSI’s Maryland office at 301-459-7590, Dee Dee Longenecker in JSI’s Texas office at 512-338-0473, or Lans Chase in JSI’s Georgia office at 770-569-2105 for more information.

Source: JSI e-Lert

New Broadband Privacy Rules Adopted by FCC

2017-05-19T10:09:36-04:00November 1, 2016|e-Lerts|

On October 27, 2016, the FCC adopted rules requiring broadband Internet Service Providers (ISPs) to protect the privacy of their customers. As predicted (see JSI’s October 7e-Lert), the rules implement privacy requirements that have been enforced under Section 222 of the Communications Act, and establish requirements for providing customers with transparency, choice and security of customers’ personal information.

New Requirements
While the text of the adopted Order is not yet publicly available, the FCC’s News Release and related Fact Sheet indicate that ISPs will be required to use affirmative opt-in consent from consumers to use and share sensitive information, such as precise geo-locations, financial information, health information, children’s information, social security numbers, web browsing history, app usage history, and the content of communications. Opt-out consent may be used by ISPs for all other individually identifiable customer information, such as email addresses or service tier information. Customer consent to the use and sharing of customer information is inferred for the provision and billing of broadband services when the customer is already a broadband subscriber.

In addition, the new rules require ISPs to:

  • Provide customers with clear, conspicuous and persistent notice about the information being collected, how it may be used, and with whom it may be shared, as well as how the customer can change their privacy preferences;
  • Engage in reasonable data security practices, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and properly disposing of data consistent with Federal Trade Commission best practices and the Consumer Privacy Bill of Rights; and
  • Notify appropriate law enforcement and customers of failures to protect confidential customer data.

Implementation Timeline
Per the FCC’s Fact Sheet, the Order adopts the following implementation timeline:

  • The data security requirements will go into effect 90 days after publication of the summary of the Order in the Federal Register.
  • The data breach notification requirements will become effective approximately six months after publication of the summary of the Order in the Federal Register.
  • The Notice and Choice requirements will become effective approximately 12 months after publication of the summary of the Order in the Federal Register. Small providers will have an additional 12 months to comply.

JSI remains committed to assisting interested clients with compliance activities associated with the new rules. After the text of the Order is released, JSI will hold a webinar to cover all of the details and offer helpful tools for companies to use in training their employees. Additionally, our broadband privacy team will be available to answer any questions and assist in drafting the required customer notices, privacy policies and data security practices. Please contact John Kuykendall or Terri Parrilla in JSI’s Maryland office at 301-459-7590, Dee Dee Longenecker in JSI’s Texas office at 512-338-0473, or Lans Chase in JSI’s Georgia office at 770-569-2105 for more information.

Source: JSI e-Lert

FCC to Vote on Rules to Protect Broadband Customers’ Privacy

2017-05-19T10:09:37-04:00October 7, 2016|e-Lerts|

Item on Oct. 27 Open Meeting agenda

FCC Chairman Tom Wheeler this week began circulating his proposed order for new privacy protection rules for broadband consumers. The FCC fact sheet indicates that the FCC intends to adopt many of the proposed rules introduced in the Notice of Proposed Rulemaking released in March (See JSI’s March 11 e-Lert). The Commission is scheduled to vote on the proposed rules at its October 27 Open Meeting.

The proposed rules are intended to give consumers the tools they need to choose how their Internet Service Provider (ISP) uses and shares customers’ personal data. The rules would require ISPs to provide privacy notices and a persistent method by which customers can give or withdraw consent to use their proprietary information. ISPs would be allowed, however, to share information without seeking consent from the customer by “de-identifying” the information. This would involve altering the data so that it is no longer associated with individual customers or devices. The proposed order also provides guidelines that ISPs should follow to develop reasonable data security practices.

JSI will provide more information on the new rules once the text of the order is released. For more information about the proposed rules, contact John Kuykendall in the Maryland office at 301-459-7590 or Dee Dee Longenecker in the Texas office at 512-338-0473.

Source: JSI e-Lert

JSI Webinar: Data Defense – Protecting Your Broadband Customers’ Privacy

JSI recently held a webinar outlining the details of all of these broadband privacy rules. A recording of “Data Defense – Protecting Your Broadband Customers’ Privacy” is available.
Tell Me More
Go to Top