The Federal Communications Commission (FCC) has announced new rules designed to protect telephone consumers from pretexting as a means of invading their privacy. According to the FCC, “pretexting” is the practice of pretending to be a particular customer or other authorized person in order to obtain access to that customer’s call detail or other private communications records.
Congress made the practice of pretexting a crime by virtue of the recently passed Telephone Records and Privacy Protection Act of 2006 (Pub. L. No. 109-476, 120 Stat. 3568 (2007) (codified at 18 U.S.C. § 1039)). The rules aim to more fully protect a consumer’s customer proprietary network information (CPNI), which includes personally identifying information, such as a customer’s call records. The new rules will also be applicable to voice over IP (VoIP) providers such as Vonage and an increasing number of cable companies.
The new rules require additional safeguards against a communications provider releasing private details, as follows:
1. Notification of Security Changes and Joint Ventures: Carriers must immediately notify customers of changes in any security processes, such as a changed password, changed address, or changed “prompt” questions, typically offered to consumers to allow the customer to remember his or her password. Customers must also be notified of joint ventures between carriers, and must affirmatively “opt in” to such sharing of their data between ventures.
2. Notice of CPNI Breach: If CPNI is breached, law enforcement and the customer have a right to know.
3. Password Protection: Before a carrier releases CPNI, the customer would be required to provide a password, similar to accessing an online bank account or other financial account. If the customer could not provide a password, the carrier would use additional methods, such as sending mail to the customer’s address or calling the customer back on the customer’s phone number of record.
4. Carrier Duties: Carriers must annually certify their procedures, demonstrating their processes for protecting CPNI. Carriers also have a “reasonable duty” to protect private information, and the FCC’s rules impose a “rebuttable presumption” that the carrier’s procedures were inadequate if a breach occurs.
5. Business Exemption: In certain cases, a business customer may contract with the provider to allow for “customized” security methods. While an exception, this exemption will likely only be applicable to the largest business customers.
Bottom Line: The FCC’s rules, while an additional burden to telecommunications carriers, are necessary to prevent what has become a more prevalent problem in recent years. The rules appear to be well designed to prevent pretexting. While there will certainly be additional data breaches, these rules are likely to stem the tide of such criminal behavior.