In an order and further notice of proposed rulemaking released on April 2, 2007, the FCC issued new rules for the protection of customer proprietary network information ("CPNI") and extended those rules to providers of interconnected VoIP service.
Under section 222(a) of the Communications Act ("the Act"), every telecommunications carrier has a general duty to protect the confidentiality of CPNI. Section 222(c)(1) further provides that a carrier may only use, disclose, or permit access to customers’ CPNI in limited circumstances: (1) as required by law; (2) with the customer’s approval; or (3) in its provision of the telecommunications service from which such information is derived, or services necessary to or used in the provision of such telecommunications service. Section 222 also guarantees that customers have a right to obtain access to, and compel disclosure of, their own CPNI. Specifically, pursuant to section 222(c)(2), every telecommunications carrier must disclose CPNI “upon affirmative written request by the customer, to any person designated by the customer.”
Application of CPNI Obligations to VoIP Providers
Since the FCC has not decided whether interconnected VoIP services are telecommunications services or information services as those terms are defined in the Act, it analyzed the CPNI issues under its Title I ancillary jurisdiction to encompass both types of service.
Based on its previous determination that interconnected VoIP service is increasingly used to replace analog voice service, the FCC concluded that extending its CPNI rules to VoIP services is reasonable since American consumers expect that their telephone calls are private regardless of whether the call is made using the services of a wireline carrier, a wireless carrier, or an interconnected VoIP provider.
Additionally, the FCC found that extending section 222’s protections to interconnected VoIP service customers is necessary to protect the privacy of wireline and wireless customers that place calls to or receive calls from interconnected VoIP customers since the CPNI of interconnected VoIP customers includes call detail information concerning all calling and called parties. Therefore, the Commission found that the extension of the CPNI privacy requirements to providers of interconnected VoIP service is reasonably ancillary to the effective performance of its duty to protect the CPNI of all telecommunications customers under Title II.
Summary of the FCC's Order
In summary, the order announced the following with respect to protection of CPNI:
Carrier Authentication Requirements.
Carriers are prohibited from releasing call detail information to customers during customer-initiated telephone contact except when the customer provides a password. If a customer does not provide a password, carriers cannot release call detail information except by sending it to an address of record or by calling the customer at the telephone of record. Carriers must also provide mandatory password protection for online account access; however, they are permitted to provide CPNI to customers based on in-store contact with a valid photo ID.
Notice to Customer of Account Changes.
Carriers must notify their customers immediately when a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed.
In limited circumstances, carriers may bind themselves contractually to authentication regimes other than those adopted in the order for services they provide to their business customers that have a dedicated account representative and contracts that specifically address the carrier’s protection of CPNI.
Notice of Unauthorized Disclosure of CPNI.
A notification process is established for both law enforcement and customers in the event of a CPNI breach. Specifically, a telecommunications carrier must notify law enforcement of a breach of its customers’ CPNI no later than seven business days after a reasonable determination of a breach by sending electronic notification through a central reporting facility to the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI).
A telecommunications carrier may notify the customer and/or disclose the breach publicly after seven business days following
notification to the USSS and the FBI, if
the USSS and the FBI have not requested that the telecommunications carrier continue to postpone disclosure. If the relevant investigating agency determines that public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security, the law enforcement agency may direct the carrier not to disclose the breach for an initial 30-day period. This 30-day period may be extended by the law enforcement agency as reasonably necessary in the judgment of the agency. The law enforcement agency shall provide in writing to the carrier its initial direction to the carrier and any subsequent direction. A telecommunications carrier, however, may immediately notify a customer or disclose the breach publicly after consultation with the relevant investigative agency if the carrier believes that there is an extraordinarily urgent need to notify a customer or class of customers in order to avoid immediate and irreparable harm. A telecommunications carrier should indicate its desire to notify its customer or class of customers immediately concurrent with its notice to the USSS and FBI of a breach. Additionally, carriers must maintain a record of any discovered breaches, notifications to the USSS and the FBI regarding those breaches, as well as the USSS and the FBI response to the notifications, for a period of at least two years. This record must include, if available, the date that the carrier discovered the breach, the date that the carrier notified the USSS and the FBI, a detailed description of the CPNI that was breached, and the circumstances of the breach.
Guarding Against Pretexting.
The FCC codified the requirement that carriers take "reasonable measures to discover and protect against activity that is indicative of pretexting," but it opted to allow carriers to "determine what specific measures will best enable them to ensure compliance with this requirement."
While the FCC declined to specifically require carriers to encrypt their CPNI databases, it noted that the "reasonable steps" taken to protect a carrier's CPNI database from hackers may include encryption.
Joint Venture and Independent Contractor Use of CPNI.
Carriers must obtain opt-in consent from a customer before disclosing a customer’s CPNI to a carrier’s joint venture partners or independent contractors for the purposes of marketing communications-related services to that customer.
Annual CPNI Certification.
Carriers must file with the Commission an annual certification, including an explanation of any actions taken against data brokers and a summary of all consumer complaints received in the previous year regarding the unauthorized release of CPNI.
Carriers must take reasonable measures to discover and protect against pretexting, and, in enforcement proceedings, the Commission will infer from evidence of unauthorized disclosures of CPNI that reasonable precautions were not taken.
State CPNI obligations are not preempted so long as they do not conflict with federal requirements.
Summary of the Notice of Proposed Rulemaking
The Commission also sought comment on the following issues:
While the Commission limited its rules to password protecting call detail information for customer-initiated telephone contact, it seeks comment on whether to extend these rules to include optional or mandatory password protection for non-call detail CPNI. For instance, should this password protection be for all non-call detail CPNI, or should it only include certain account changes? If the Commission were to adopt password protection for certain account changes, what should that include (e.g.
, changes in the address of record, account plans, or billing methods)? Would requiring these forms of password protection place an undue burden on carriers, customers, or others, including burdens placed on small carriers?
Should the Commission adopt rules pertinent to audit trails? Are audit trails generally used by carriers to track customer contact? Would an audit trail assist law enforcement with its criminal investigations against pretexters?
. Should the Commission adopt rules that govern the physical transfer of CPNI among companies, such as between a carrier and its affiliates, or the transfer of CPNI to any other third party authorized to access or maintain CPNI, including a carrier’s joint venture partners and independent contractors? What physical safeguards are carriers currently using when they transfer, or allow access to, CPNI to ensure that they maintain the security and confidentiality of CPNI? Are these safeguards for the physical transfer of, or for access to, CPNI sufficient? What steps should be required to protect CPNI when CPNI is being transferred or accessed by the carrier, its affiliates, or its third parties (e.g
., encryption, audit trails, logs, etc.)? What are the benefits and burdens, including the burdens on small carriers, of requiring carriers to physically safeguard the security and confidentiality of CPNI?
Limiting Data Retention.
Should the Commission adopt rules that require carriers to limit data retention? If the Commission did adopt such a rule, what should be the maximum amount of time that a carrier should be able to retain customer records? Should all customer records be eliminated or is there a subset of customer records that are more susceptible to abuse and should be destroyed? Should the Commission define exceptions where a carrier is permitted to retain certain records (e.g.
, for the length of carrier-carrier or carrier-customer disputes)? Are there any state or Commission data retention requirements that might conflict with a carrier’s data limitation? Does a limitation on data retention enhance protection of CPNI? Alternatively, should the Commission require carriers to de-identify customer records after a certain period? What are the benefits and burdens, including the burdens on small carriers, of requiring carriers to limit their data retention or to de-identify customer records?
Mobile Communications Devices.
What steps should the Commission take, if any, to secure the privacy of customer information stored in mobile communications devices? Specifically, what methods do carriers currently use, if any, for erasing customer information on mobile equipment prior to refurbishing the equipment, and to what extent do carriers enable customers to permanently erase their personal information prior to discarding the device? Should the Commission require carriers to permanently erase, or allow customers to permanently erase, customer information in such circumstances? Should the Commission require manufacturers to configure wireless devices so consumers can easily and permanently delete personal information from those devices? What are the burdens, including those placed on small carriers, associated with a Commission rule requiring carriers and manufacturers to fully expunge existing customer data from a mobile device at the customer’s request?
 In re Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, Report and Order and Further Notice of Proposed Rulemaking, CC Docket No. 96-115, WC Docket No. 04-36, ¶ 54 (rel. Apr. 2 , 2007) ("VoIP CPNI Order"). The rules announced in the order will become effective six months after its effective date or on receipt of Office of Management and Budget approval, whichever is later. Id. ¶ 61.
 47 U.S.C. § 222(a).
 See, e.g., Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, Declaratory Ruling, 21 FCC Rcd 9990 (2006) (clarifying that section 222 does not prevent a telecommunications carrier from complying with the obligation in 42 U.S.C. § 13032 to report violations of specific federal statutes relating to child pornography).
 See Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information and Implementation of Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, CC Docket Nos. 96-115 and 96-149, Second Report and Order and Further Notice of Proposed Rulemaking, 13 FCC Rcd 8061, ¶ 53 (1998).
 47 U.S.C. § 222(c)(2).
 VoIP CPNI Order ¶ 54.
 Id. ¶ 56.
 Id. ¶ 57. The Commission also relied on sections 1 and 706 of the Communications Act to support its extension of the CPNI obligations to providers of interconnected VoIP services. Id. ¶¶ 58-59.
 Id. ¶¶ 13-23.
 Id. ¶ 24.
 Id. ¶ 25.
 The Commission will maintain a link to the reporting facility at www.fcc.gov/eb/cpni.
 VoIP CPNI Order ¶¶ 26-32.
 Id. ¶¶ 33-34.
 Id. ¶ 36.
 Id. ¶ 37-50.
 Id. ¶¶ 51-53.
 Id. ¶¶ 63-66.
 Id. ¶ 60.
 Id. ¶ 68.
 Id. ¶ 69.
 Id. ¶ 70.
 Id. ¶ 71. Id
. ¶ 72.