The U.S. Federal Communications Commission (FCC) recently issued more than $13 million in fines to companies for apparently failing to file annual Customer Proprietary Network Information (CPNI) certifications. In the list of potential violators were more than 660 telecommunications carriers.

CPNI is the sensitive personal data that telecommunications carriers collect about customers’ telephone calls. This information includes the date, time, duration, origination, and destination of calls as well as any services purchased by the customers. The FCC has the authority to regulate how CPNI is used to enforce customer information privacy. Several satellite operators as well as satellite service providers have service offerings that include flat-rate or metered telephone service that connects customers to the public network. To the extent that these carriers offer telephony services to the public and collect CPNI data, these carriers are subject to the FCC’s privacy regulations.

Telecommunications carriers are required to make annual certifications to the FCC explaining any actions that were taken against data brokers and summarizing all consumer complaints received during the previous year regarding the unauthorized release of CPNI. These certifications must be signed by an officer of the company under penalty of perjury. Telecommunications carriers are prohibited from releasing call detail information to customers during customer-initiated telephone contact — except when the customer provides a password. In addition, carriers are limited to the amount of information they can provide to telemarketers without customer consent. The FCC may impose a fine of up to $130,000 for each CPNI violation or for each day of a continuing violation up to a maximum of $1.3 million.

Because of the unscrupulous activities of data miners and brokers and the exploitation of CPNI information by these entities, Congress has pressed the FCC to enforce existing regulations and further actions to protect consumer privacy. To this end, the FCC has started many company investigations regarding CPNI compliance.

What Can Carriers Do?

All carriers should have internal policies in place to protect customers’ CPNI. These policies should contain, at a minimum, provisions for:

• Maintaining Records: This includes keeping track of marketing campaigns that use CPNI. Carriers should record the instances where CPNI was provided to third parties. Carriers should also keep track of what products were promoted during the campaign.
• Training Employees: Carriers should train all personnel who come in contact with CPNI. Disciplinary measures should be taken for unauthorized use of CPNI.Supervising
• Campaigns: Carriers should establish a review process regarding CPNI compliance for all marketing campaigns. Executive approval should be obtained before any marketing campaign begins.
• Protecting Confidentiality: Carriers should have mechanisms in place to protect the confidentiality of customer CPNI. Part of this mechanism can include physical and electronic restrictions for employees who can access CPNI.
• Maintaining Compliance Certificates: Carriers must file with the FCC annual certificates signed by an officer of the company stating that the officer has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules.

CPNI is the "where, when and to whom" of customer telephone calls as well as the types of service offerings a customer subscribes to and the extent to which the service is used. Customers are increasingly concerned about their privacy in a world where many entities collect and store private information. It is important for satellite operators and service providers to maintain CPNI policies for two primary reasons: First, because it assures customers that the company is serious about protecting private information and second, because it is required by privacy rules.