Starting out the New Year with its first “enforcement advisory,” the FCC’s Enforcement Bureau on February 5, 2016 issued a Public Notice reminding telecommunications carriers and interconnected VoIP providers that they have until March 1, 2016 to file annual Customer Proprietary Network Information (CPNI) certifications with the FCC.
The Public Notice states that “many companies have either failed to file certifications entirely or filed certifications that violate our rules in material respects.” The Public Notice of course is a warning that continued failure to comply with the certification filing requirement as well as the underlying legal requirement to protect certain personal information about customers could result in serious monetary forfeitures. The Public Notice includes a Frequently Asked Questions portion that covers the basics of the regulatory obligation and the contents of the annual certification filing. Based on the highlighted information, it seems plain that the Enforcement Bureau intends to question filers that simply affirm without explanation that they have adequate operating procedures to handle CPNI without explaining how they specifically determine that they achieve compliance. The Bureau goes so far as to offer a “template” CPNI certification that includes several potential attachments, including most notably a separate attachment that is meant to explain the CPNI procedures actually used by the company certifying compliance.
Given the massive Consent Decrees that several providers entered into in the last year or so with the Bureau dealing with CPNI unauthorized access or security breaches, the Bureau may well be intending to use information provided by annual filers as a means to question some practices they find wanting. The Public Notice thus signals continued emphasis on Bureau policing of CPNI protection mechanisms, and simply making a certification on its own may no longer be sufficient. We note that currently the FCC does not apply CPNI rules to broadband Internet access service, but an expected Notice of Proposed Rulemaking on privacy issues in that area is expected before long.