FCC Fines Telcos Over Data Security
In April 2007, the Federal Communications Commission (FCC) adopted a rule requiring every telephone carrier to file an annual certificate describing its Customer Proprietary Network Information (CPNI) practices. Unfortunately, many of the companies required to file those yearly certificates have not done so, and now face hefty fines.
Today, the FCC proposed fining over 600 different companies up to $20,000 for not complying with the CPNI certificate order. "I have long stressed the importance of protecting the sensitive information that telecommunications carriers collect about their customers," said FCC Chairman Michael Copps (view the statement PDF here). "The broad nature of this enforcement action hopefully will ensure substantial compliance with our CPNI rules going forward as the Commission continues to make consumer privacy protection a top priority."
According to Ars Technica, the FCC also said that a number of other companies did file certificates, but filed them improperly. Those companies may face fines of up to $10,000.
The CPNI debacle dates back to 2006, when "pretexting" became popular with scam artists. The scammers would call up phone companies and convince the service rep that they were a subscriber, and then gain full access to that subscriber's account information and phone records. The gleaned info would then be sold on the black market. The most infamous abuse of CPNI came when investigators working for Hewlett-Packard used such tactics to obtain the phone records of board members and journalists. With the 2007 FCC order in place, subscribers who call their carrier must provide a password before any sensitive information can be given out over the phone. If no password can be given, the service rep can only mail the information to the address on record with the company, or call the subscriber back on the phone number of record. Both fallbacks are out-of-band checks: they deliver the data to a channel the carrier already associates with the account rather than to whoever happens to be on the line, which is exactly what a pretexter cannot control. Also, phone companies are required to have a "CPNI officer" on staff, who oversees the certificate process.
With hundreds of different companies facing fines, one has to wonder why so few seem to be complying with the nearly two-year-old order. In the end, it may simply be cheaper for a telco to eat the fine than to set up a process for preparing and filing the certificates. Look to Tom's Guide for more details in the coming days and weeks.
Also, if you have a few hours to kill, you can read the original FCC CPNI order (all 101 pages of it) here.