Telecom Tickler 2015 - CPNI Certifications Due By March 2
It's that time of year again - time for our annual reminder to all telecommunications carriers and interconnected VoIP providers that your CPNI certifications are due by March 2, 2015. While the Enforcement Bureau has announced the deadline as March 1, it appears not to have noticed that in 2015, March 1 is a Sunday. Thanks to our old friend Section 1.4(j) of the FCC's rules, when a filing deadline falls on a holiday - and the rules do indeed specifically confirm that Sundays are "holidays" - the deadline rolls over to the next business day, which in this case will be Monday, March 2.
As described by the Enforcement Bureau, CPNI - Customer Proprietary Network Information to the uninitiated - includes "some of the most sensitive personal information that carriers have about their customers as a result of their business relationship". Think phone numbers of calls made or received, or the frequency or duration of calls, etc. . . . basically the same stuff the NSA has apparently been collecting for years. While the NSA is not required to file CPNI certifications with the FCC, telecom carriers aren't so lucky.
The Bureau has issued a convenient "Enforcement Advisory" to remind one and all of the fast-approaching deadline. Like similar advisories in past years, this year's includes a helpful list of FAQs and a suggested template showing what a certificate should look like.
The potential fines run to $160,000 per violation (up to a max of $1,575,000) - no small potatoes. The Advisory also reminds us all in a footnote that last September the Commission and Verizon entered into a Consent Decree arising from a CPNI-related investigation; as a result of the Decree Verizon ended up forking over $7.4 million to the Commission. As those dollar figures indicate, the Commission takes CPNI compliance (including the annual reporting requirement) very seriously. Historically it has doled out five-digit fines to non-compliant carriers. In fact, the FCC's zeal is such that, in many instances, it has initiated forfeiture proceedings even against carriers who, as it turned out, had fully complied with the rules.
In light of this, it's a good idea not only to get the report filed on time, but also to be sure to get, and keep, records demonstrating what you filed and when you filed it. That way, if the FCC wrongly accuses you (as it has wrongly accused others in the past), you will ideally be able to avoid a considerable amount of hassle, not to mention liability for any fine.
As we have explained annually for the past several years, the CPNI rules are designed to safeguard customers' CPNI against unauthorized access and disclosure. The rules themselves are set out in Subpart U of Part 64 of the Commission's rules. True gluttons for punishment (or sufferers from sleep deprivation) can check them out here.
So what, exactly, needs to be filed? Since 2008, the rules have required that telecommunications carriers and interconnected VoIP providers have an officer sign and file with the Commission a compliance certificate, annually, stating that she or he has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules. The carrier must also provide: (a) a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules; and (b) an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI.
Who, exactly, needs to file this report? In its FAQs, the Commission offers examples of "telecommunications carriers" subject to the reporting requirement: "local exchange carriers (LECs) (including incumbent LECs, rural LECs and competitive LECs), interexchange carriers, paging providers, commercial mobile radio services providers, resellers, prepaid telecommunications providers, and calling card providers." But the FCC cautions (in italics, as it has in past years) that "this list is not exhaustive".
(The Commission emphasizes that aggregators are not required to file. An aggregator is "any person that, in the ordinary course of its operations, makes telephones available to the public or transient users of its premises, for interstate telephone calls using a provider of operator services.")
This is not something that can or should be left to guesswork: as in most other areas of the law, ignorance is no excuse. If you are a telecommunications carrier or an interconnected VoIP provider, it would behoove you to tie down, sooner rather than later, whether you are required to file a certification. (Your communications counsel would be a good place to start, if you have any questions.)
Remember: If you are in the broad universe of entities required to file the certification but you fail to do so for whatever reason, you're almost certainly looking at a $20,000 forfeiture (not to mention the aggravation and legal fees normally associated with responding to an NAL).