Federal Communications Commission FCC 07-22
Before the
Federal Communications Commission
Washington, D.C. 20554
In the Matter of
Implementation of the Telecommunications Act of
1996:
Telecommunications CarriersUse of Customer
Proprietary Network Information and Other
Customer Information
IP-Enabled Services
)
)
)
)
)
)
)
)
)
)
)
CC Docket No. 96-115
WC Docket No. 04-36
REPORT AND ORDER AND
FURTHER NOTICE OF PROPOSED RULEMAKING
Adopted: March 13, 2007 Released: April 2, 2007
Comment Date: [30 days after publication in the Federal Register]
Reply Comment Date: [60 days after publication in the Federal Register]
By the Commission: Chairman Martin issuing a separate statement; Commissioners Copps and Adelstein
dissenting in part and issuing separate statements; Commissioner Tate concurring in
part and issuing a separate statement; Commissioner McDowell issuing a separate
statement.
TABLE OF CONTENTS
Para.
I. INTRODUCTION ...........................................................................................................................1
II. EXECUTIVE SUMMARY.............................................................................................................. 3
III. BACKGROUND .............................................................................................................................4
A. Section 222 and the Commission’s CPNI Rules................................................................. 4
B. IP-Enabled Services Notice .............................................................................................. 10
C. EPIC CPNI Notice ............................................................................................................ 11
IV. DISCUSSION ................................................................................................................................ 12
A. Carrier Authentication Requirements ............................................................................... 13
1. Customer-Initiated Telephone Account Access................................................... 13
2. Online Account Access........................................................................................ 20
3. Carrier Retail Location Account Access.............................................................. 23
4. Notification of Account Changes......................................................................... 24
5. Business Customer Exemption ............................................................................ 25
B. Notice of Unauthorized Disclosure of CPNI .................................................................... 26
C. Additional Protection Measures........................................................................................ 33
D. Joint Venture and Independent Contractor Use of CPNI.................................................. 37
E. Annual Certification Filing ............................................................................................... 51
F. Extension of CPNI Requirements to Providers of Interconnected VoIP Service ............. 54
G. Preemption ........................................................................................................................ 60
H. Implementation ................................................................................................................. 61
I. Enforcement......................................................................................................................63
Federal Communications Commission FCC 07-22
2
V. FURTHER NOTICE OF PROPOSED RULEMAKING .............................................................. 67
A. Additional CPNI Protective Measures.............................................................................. 68
B. Protection of Information Stored in Mobile Communications Devices............................ 72
VI. PROCEDURAL MATTERS ......................................................................................................... 73
A. Ex Parte Presentations ...................................................................................................... 73
B. Comment Filing Procedures.............................................................................................. 74
C. Final Regulatory Flexibility Analysis............................................................................... 77
D. Initial Regulatory Flexibility Analysis.............................................................................. 78
E. Paperwork Reduction Act ................................................................................................. 79
F. Congressional Review Act................................................................................................ 82
G. Accessible Formats ........................................................................................................... 83
VII. ORDERING CLAUSES ................................................................................................................ 84
Appendix A List of Commenters
Appendix B Final Rules
Appendix C Final Regulatory Flexibility Analysis
Appendix D Initial Regulatory Flexibility Analysis
I. INTRODUCTION
1. In this Order, the Commission responds to the practice of “pretexting”
1
by strengthening our
rules to protect the privacy of customer proprietary network information (CPNI)
2
that is collected and
held by providers of communications services (hereinafter, communications carriers or carriers).
3
Section
222 of the Communications Act requires telecommunications carriers to take specific steps to ensure that
CPNI is adequately protected from unauthorized disclosure.
4
Today, we strengthen our privacy rules by
adopting additional safeguards to protect customers’ CPNI against unauthorized access and disclosure.
2. Our Order is directly responsive to the actions of data brokers, or pretexters, to obtain
unauthorized access to CPNI. As the Electronic Privacy Information Center (EPIC) pointed out in its
1
As used in this Order, “pretexting” is the practice of pretending to be a particular customer or other authorized
person in order to obtain access to that customer’s call detail or other private communications records. Indeed,
Congress has responded to the problem by making pretexting a criminal offense subject to fines and imprisonment.
Telephone Records and Privacy Protection Act of 2006, Pub. L. No. 109-476, 120 Stat. 3568 (2007) (codified at 18
U.S.C. § 1039).
2
CPNI includes personally identifiable information derived from a customer’s relationship with a provider of
communications services. Section 222 of the Communications Act of 1934, as amended (Communications Act, or
Act), establishes a duty of every telecommunications carrier to protect the confidentiality of its customers’ CPNI.
47 U.S.C. § 222. Section 222 was added to the Communications Act by the Telecommunications Act of 1996.
Telecommunications Act of 1996, Pub. L. No. 104-104, 110 Stat. 56 (codified at 47 U.S.C. §§ 151 et seq.).
3
This Order also extends the CPNI requirements to interconnected VoIP service providers. See infra Section IV.F.
As used in this Order, the terms “communications carriers” and “carriers” refer to telecommunications carriers and
providers of interconnected VoIP service.
4
Prior to the 1996 Act, the Commission had established CPNI requirements applicable to the enhanced services
operations of AT&T, the Bell Operating Companies (BOCs), and GTE, and the customer premises equipment (CPE)
operations of AT&T and the BOCs, in the Computer II, Computer III, GTE Open Network Architecture (ONA), and
BOC CPE Relief proceedings. See Implementation of the Telecommunications Act of 1996: Telecommunications
Carriers’ Use of Customer Proprietary Network Information and Other Customer Information and Implementation
of Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, CC
Docket Nos. 96-115 and 96-149, Second Report and Order and Further Notice of Proposed Rulemaking, 13 FCC
Rcd 8061, 8068-70, para. 7 (1998) (CPNI Order) (describing the Commission’s privacy protections for confidential
customer information in place prior to the 1996 Act).
Federal Communications Commission FCC 07-22
3
petition that led to this rulemaking proceeding,
5
numerous websites advertise the sale of personal
telephone records for a price. These data brokers have been able to obtain private and personal
information, including what calls were made to and/or from a particular telephone number and the
duration of such calls. In many cases, the data brokers claim to be able to provide this information within
fairly quick time frames, ranging from a few hours to a few days. The additional privacy safeguards we
adopt today will sharply limit pretexters’ ability to obtain unauthorized access to this type of personal
customer information from carriers we regulate. We also adopt a Further Notice of Proposed Rulemaking
seeking comment on what steps the Commission should take, if any, to secure further the privacy of
customer information.
II. EXECUTIVE SUMMARY
3. As discussed below, we take the following actions to secure CPNI:
· Carrier Authentication Requirements. We prohibit carriers from releasing call detail
information to customers during customer-initiated telephone contact except when the customer
provides a password. If a customer does not provide a password, we prohibit the release of call
detail information except by sending it to an address of record or by the carrier calling the customer
at the telephone of record. We also require carriers to provide mandatory password protection for
online account access. However, we permit carriers to provide CPNI to customers based on in-
store contact with a valid photo ID.
· Notice to Customer of Account Changes. We require carriers to notify the customer immediately
when a password, customer response to a back-up means of authentication for lost or forgotten
passwords, online account, or address of record is created or changed.
· Notice of Unauthorized Disclosure of CPNI. We establish a notification process for both law
enforcement and customers in the event of a CPNI breach.
· Joint Venture and Independent Contractor Use of CPNI. We modify our rules to require
carriers to obtain opt-in consent from a customer before disclosing a customer’s CPNI to a carrier’s
joint venture partners or independent contractors for the purposes of marketing communications-
related services to that customer.
· Annual CPNI Certification. We amend the Commission’s rules and require carriers to file with
the Commission an annual certification, including an explanation of any actions taken against data
brokers and a summary of all consumer complaints received in the previous year regarding the
unauthorized release of CPNI.
· CPNI Regulations Applicable to Providers of Interconnected VoIP Service. We extend the
application of the CPNI rules to providers of interconnected VoIP service.
· Enforcement Proceedings. We require carriers to take reasonable measures to discover and
protect against pretexting, and, in enforcement proceedings, will infer from evidence of
unauthorized disclosures of CPNI that reasonable precautions were not taken.
5
Petition of the Electronic Privacy Information Center for Rulemaking to Enhance Security and Authentication
Standards for Access to Customer Proprietary Network Information, CC Docket No. 96-115 (filed Aug. 30, 2005)
(EPIC Petition).
Federal Communications Commission FCC 07-22
4
· Business Customers. In limited circumstances, we permit carriers to bind themselves
contractually to authentication regimes other than those adopted in this Order for services they
provide to their business customers that have a dedicated account representative and contracts that
specifically address the carrier’s protection of CPNI.
III. BACKGROUND
A. Section 222 and the Commissions CPNI Rules
4. Statutory Authority. In section 222, Congress created a framework to govern
telecommunications carriersprotection and use of information obtained by virtue of providing a
telecommunications service.
6
The section 222 framework calibrates the protection of such information
from disclosure based on the sensitivity of the information. Thus, section 222 places fewer restrictions on
the dissemination of information that is not highly sensitive and on information the customer authorizes to
be released, than on the dissemination of more sensitive information the carrier has gathered about
particular customers.
7
Congress accorded CPNI, the category of customer information at issue in this
Order, the greatest level of protection under this framework.
6
Section 222(a) imposes a general duty on telecommunications carriers to protect the confidentiality of proprietary
information a duty owed to other carriers, equipment manufacturers, and customers. 47 U.S.C. § 222(a).
Section 222(b) states that a carrier that receives or obtains proprietary information from other carriers in order to
provide a telecommunications service may only use such information for that purpose and may not use that
information for its own marketing efforts. 47 U.S.C. § 222(b). Section 222(c) outlines the confidentiality
protections applicable to customer information. 47 U.S.C. § 222(c). Section 222(d) delineates certain exceptions
to the general principle of confidentiality. 47 U.S.C. § 222(d). The Commission addressed the scope of section
222(e) in the Subscriber List Information Order and Order on Reconsideration. Implementation of the
Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network
Information and Other Customer Information, Implementation of the Local Competition Provisions of the
Telecommunications Act of 1996, Provision of Directory Listing Information Under the Telecommunications Act
of 1934, as amended, CC Docket Nos. 96-115, 96-98, and 99-273, Third Report and Order, Second Order on
Reconsideration, and Notice of Proposed Rulemaking, 14 FCC Rcd 15550 (1999) (Subscriber List Information
Order), on reconsideration, CC Docket No. 96-115, Memorandum Opinion and Order on Reconsideration, 19
FCC Rcd 18439 (2004) (Order on Reconsideration).
7
The Commission’s previous orders in this proceeding have addressed three general categories of customer
information to which different privacy protections and carrier obligations apply pursuant to section 222: (1)
individually identifiable CPNI, (2) aggregate customer information, and (3) subscriber list information. See, e.g.,
CPNI Order, 13 FCC Rcd 8061; Implementation of the Telecommunications Act of 1996: Telecommunications
Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Implementation of
the Local Competition Provisions of the Telecommunications Act of 1996, Provision of Directory Listing
Information Under the Telecommunications Act of 1934, as amended, CC Docket Nos. 96-115, 96-98, and 99-273,
Order on Reconsideration and Petitions for Forbearance, 14 FCC Rcd 14409 (1999) (CPNI Reconsideration
Order); Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer
Proprietary Network Information and Other Customer Information, Implementation of the Local Competition
Provisions of the Telecommunications Act of 1996, Provision of Directory Listing Information Under the
Telecommunications Act of 1934, as amended, CC Docket Nos. 96-115, 96-98, and 99-273, Clarification Order
and Second Further Notice of Proposed Rulemaking, 16 FCC Rcd 16506 (2001); Implementation of the
Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network
Information and Other Customer Information and Implementation of Non-Accounting Safeguards of Sections 271
and 272 of the Communications Act of 1934, as amended; 2000 Biennial Regulatory Review Review of Policies
and Rules Concerning Unauthorized Changes of Consumers’ Long Distance Carriers, Third Report and Order and
Third Further Notice of Proposed Rulemaking, CC Docket Nos. 96-115, 96-149, and 00-257, 17 FCC Rcd 14860
(2002) (Third Report and Order).
Federal Communications Commission FCC 07-22
5
5. CPNI is defined as (A) information that relates to the quantity, technical configuration, type,
destination, location, and amount of use of a telecommunications service subscribed to by any customer
of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue
of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone
exchange service or telephone toll service received by a customer of a carrier.
8
Practically speaking,
CPNI includes information such as the phone numbers called by a consumer; the frequency, duration, and
timing of such calls; and any services purchased by the consumer, such as call waiting. CPNI therefore
includes some highly-sensitive personal information.
6. Section 222 reflects the balance Congress sought to achieve between giving each customer
ready access to his or her own CPNI, and protecting customers from unauthorized use or disclosure of
CPNI. Every telecommunications carrier has a general duty pursuant to section 222(a) to protect the
confidentiality of CPNI.
9
In addition, section 222(c)(1) provides that a carrier may only use, disclose, or
permit access to customersCPNI in limited circumstances: (1) as required by law;
10
(2) with the
customers approval; or (3) in its provision of the telecommunications service from which such
information is derived, or services necessary to or used in the provision of such telecommunications
service.
11
Section 222 also guarantees that customers have a right to obtain access to, and compel
disclosure of, their own CPNI.
12
Specifically, pursuant to section 222(c)(2), every telecommunications
carrier must disclose CPNI upon affirmative written request by the customer, to any person designated
by the customer.
13
7. Existing Safeguards. On February 26, 1998, the Commission released the CPNI Order in
which it adopted a set of rules implementing section 222.
14
The Commissions CPNI rules have been
amended from time to time since the CPNI Order, primarily in respects that do not directly impact the
issues raised in this Order. Here, we focus on the substance of the Commissions rules most relevant to
this Order, and briefly review the history of the creation of those rules only to the extent necessary to
provide appropriate context for the actions we take today.
15
8. In the CPNI Order and subsequent orders, the Commission promulgated rules implementing
the express statutory obligations of section 222. Included among the Commissions CPNI regulations
implementing the express statutory obligations of section 222 are requirements outlining the extent to
which section 222 permits carriers to use CPNI to render the telecommunications service from which the
8
47 U.S.C. § 222(h)(1).
9
47 U.S.C. § 222(a).
10
See, e.g., Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of
Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, Declaratory
Ruling, 21 FCC Rcd 9990 (2006) (clarifying that section 222 does not prevent a telecommunications carrier from
complying with the obligation in 42 U.S.C. § 13032 to report violations of specific federal statutes relating to child
pornography).
11
47 U.S.C. § 222(c)(1). Subsequent to the adoption of section 222(c)(1), Congress added section 222(f). Section
222(f) provides that for purposes of section 222(c)(1), without the “express prior authorization” of the customer, a
customer shall not be considered to have approved the use or disclosure of or access to (1) call location
information concerning the user of a commercial mobile service or (2) automatic crash notification information of
any person other than for use in the operation of an automatic crash notification system. 47 U.S.C. § 222(f).
12
See CPNI Order, 13 FCC Rcd at 8101-02, para. 53.
13
47 U.S.C. § 222(c)(2).
14
See CPNI Order, 13 FCC Rcd 8061.
15
The Commission summarized the history of the CPNI proceeding in the Third Report and Order. See Third
Report and Order, 17 FCC Rcd at 14863-72, paras. 5-25.
Federal Communications Commission FCC 07-22
6
CPNI was derived.
16
Beyond such use, the Commissions rules require carriers to obtain a customers
knowing consent before using or disclosing CPNI. As most relevant to this Order, under the
Commissions existing rules, telecommunications carriers must receive opt-out consent before disclosing
CPNI to joint venture partners and independent contractors for the purposes of marketing
communications-related services to customers.
17
Consistent with section 222(c)(2), the Commissions
rules recognize that a carrier must comply with the express desire of a customer seeking the disclosure of
his or her CPNI.
18
9. In addition to adopting restrictions on the use and disclosure of CPNI, the Commission in the
CPNI Order also adopted a set of rules designed to ensure that telecommunications carriers establish
effective safeguards to protect against unauthorized use or disclosure of CPNI.
19
Among these safeguards
are rules that require carriers to design their customer service records in such a way that the status of a
customers CPNI approval can be clearly established.
20
The Commission also requires
telecommunications carriers to train their personnel as to when they are and are not authorized to use
CPNI, and requires carriers to have an express disciplinary process in place.
21
The Commissions
safeguard rules also require carriers to maintain records that track access to customer CPNI records.
Specifically, section 64.2009(c) of the Commissions rules requires carriers to maintain a record of all
instances where CPNI was disclosed or provided to third parties, or where third parties were allowed
access to CPNI,and to maintain such records for a period of at least one year.
22
The Commissions
safeguard rules also require the establishment of a supervisory review process for outbound marketing
16
As the Commission discussed in the CPNI Order, “the language of section 222(c)(1)(A) and (B) reflects
Congress’ judgment that customer approval for carriers to use, disclose, and permit access to CPNI can be inferred
in the context of an existing customer-carrier relationship. This is so because the customer is aware that its carrier
has access to CPNI, and, through subscription to the carrier’s service, has implicitly approved the carrier’s use of
CPNI within that existing relationship.” CPNI Order, 13 FCC Rcd at 8080, para. 23 (introducing the “total service
approach” to define the boundaries of a customer’s implied consent concerning use of CPNI); see also 47 C.F.R.
§ 64.2005(a).
17
47 C.F.R. § 64.2007(b); but see infra Section IV.D. (modifying this disclosure requirement to require customer
opt-in consent). A customer is deemed to have provided “opt-out approval” if that customer has been given
appropriate notification of the carrier’s request for consent consistent with the Commission’s rules and the customer
has failed to object to such use or disclosure within the waiting period described in section 64.2008(d)(1) of the
Commission’s rules, a minimum of 30 days. 47 C.F.R. § 64.2003(i); see also 47 C.F.R. § 64.2008(d)(1). Under the
Commission’s rules, carriers must also receive a customer’s opt-out approval before intra-company use of CPNI
beyond the total service approach. 47 U.S.C. § 64.2005(a), (b). Except as required by law, carriers may not disclose
CPNI to third parties, or to their own affiliates that do not provide communications-related services, unless the
consumer has given opt-in consent, which is express written, oral, or electronic consent. 47 C.F.R. §§ 64.2005(b),
64.2007(b)(3), 64.2008(e); see also 47 C.F.R. § 64.2003(h) (defining “opt-in approval”).
18
47 U.S.C. § 222(c)(2); see also, e.g., CPNI Order, 13 FCC Rcd at 8101-02, para. 53; 47 C.F.R. § 2005(b)(3)
(prohibiting the disclosure of CPNI without opt-in consent except as permitted by section 222 of the Act or the
Commission’s rules).
19
See CPNI Order, 13 FCC Rcd at 8195, para. 193.
20
47 C.F.R. § 64.2009(a); see also CPNI Order, 13 FCC Rcd at 8198, para. 198.
21
47 C.F.R. § 64.2009(b); see also CPNI Order, 13 FCC Rcd at 8198, para. 198.
22
47 C.F.R. § 64.2009(c); see also CPNI Order, 13 FCC Rcd at 8198-99, para. 199.
Federal Communications Commission FCC 07-22
7
campaigns.
23
Finally, the Commission requires each carrier to certify annually regarding its compliance
with the carriers CPNI requirements and to make this certification publicly available.
24
B. IP-Enabled Services Notice
10. On March 10, 2004, the Commission initiated a proceeding to examine issues relating to
Internet Protocol (IP)-enabled services services and applications making use of IP, including, but not
limited to VoIP services.
25
In the IP-Enabled Notice, the Commission sought comment on, among other
things, whether to extend the CPNI requirements to any provider of VoIP or other IP-enabled services.
26
C. EPIC CPNI Notice
11. On August 30, 2005, EPIC filed a petition with the Commission asking the Commission to
investigate telecommunications carrierscurrent security practices and to initiate a rulemaking proceeding
to consider establishing more stringent security standards for telecommunications carriers to govern the
disclosure of CPNI.
27
In particular, EPIC proposed that the Commission consider requiring the use of
consumer-set passwords, creating audit trails, employing encryption, limiting data retention, and
improving notice procedures.
28
On February 14, 2006, the Commission released the EPIC CPNI Notice,
in which it sought comment on (a) the nature and scope of the problem identified by EPIC, including
pretexting, and (b) what additional steps, if any, the Commission should take to protect further the privacy
of CPNI.
29
Specifically, the Commission sought comment on the five EPIC proposals listed above. In
addition, the Commission tentatively concluded that it should amend its rules to require carriers annually
to file their section 64.2009(e) certifications with the Commission.
30
It also sought comment on whether
it should require carriers to obtain a customers opt-in consent before the carrier shares CPNI with its
joint venture partners and independent contractors; whether to impose rules relating to how carriers verify
customersidentities; whether to adopt a set of security requirements that could be used as the basis for
liability if a carrier failed to implement such requirements, or adopt a set of security requirements that a
carrier could implement to exempt itself from liability; whether VoIP service providers or other IP-
enabled service providers should be covered by any new rules the Commission adopts in the present
rulemaking; and other specific proposals that might increase the protection of CPNI.
23
47 C.F.R. § 64.2009(d); see also CPNI Order, 13 FCC Rcd at 8199, para. 200.
24
47 C.F.R. § 64.2009(e); see also CPNI Reconsideration Order, 14 FCC Rcd at 14468 n.331 (clarifying that
carriers must “make these certifications available for public inspection, copying and/or printing at any time during
regular business hours at a centrally located business office of the carrier”). The Commission’s rules also require
carriers to notify the Commission in writing within five business days of any instance in which the opt-out
mechanisms did not work properly, to such a degree that consumers’ inability to opt-out is more than an anomaly.
47 C.F.R. § 64.2009(f); see Third Report and Order, 17 FCC Rcd at 14910-11, paras. 114-15 (adopting such
requirement).
25
See IP-Enabled Services, WC Docket No. 04-36, Notice of Proposed Rulemaking, 19 FCC Rcd 4863 (2004)
(IP-Enabled Services Notice).
26
IP-Enabled Services Notice, 19 FCC Rcd at 4910, para. 71.
27
See EPIC Petition.
28
See id.
29
Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer
Proprietary Network Information and Other Customer Information; Petition for Rulemaking to Enhance Security
and Authentication Standards for Access to Customer Proprietary Network Information, CC Docket No. 96-115,
Notice of Proposed Rulemaking, 21 FCC Rcd 1782 (2006) (EPIC CPNI Notice or Notice).
30
See id. at 1793, para. 29.
Federal Communications Commission FCC 07-22
8
IV. DISCUSSION
12. In this Order, we adopt necessary protections put forward by EPIC to ensure the privacy of
CPNI. The carriers’ record on protecting CPNI demonstrates that the Commission must take additional
steps to protect customers from carriers that have failed to adequately protect CPNI.
31
The Attorneys
General of dozens of states cite numerous suits by telecommunications carriers seeking to enjoin
pretexting activities a clear indication that pretexters have been successful at gaining unauthorized
access to CPNI.
32
Cingular,
33
Sprint,
34
T-Mobile,
35
Verizon Wireless
36
and other companies have sued
31
For example, the Enforcement Bureau issued Notices of Apparent Liability against Cbeyond Communications,
LLC, Alltel Corporation, and AT&T for each failing to certify that they had established operating procedures
adequate to ensure compliance with the Commission’s rules governing the protection and use of CPNI. Cbeyond
Communications, LLC, Notice of Apparent Liability for Forfeiture, 21 FCC Rcd 4316 (2006); Alltel Corporation,
Notice of Apparent Liability for Forfeiture, 21 FCC Rcd 746 (2006); AT&T, Inc., Notice of Apparent Liability for
Forfeiture, 21 FCC Rcd 751 (2006). Additionally, AT&T recently notified the Commission that it failed to send its
CPNI “opt-out” notice to 1.2 million customers resulting in the marketing to customers who may have otherwise
opted out. See Letter from Davida M. Grant, Senior Counsel, AT&T Inc., to Marlene H. Dortch, Secretary, FCC,
CC Docket No. 96-115 (filed Nov. 3, 2006) (AT&T CPNI Notification). Recent investigations by law enforcement
authorities, including the Chicago Police Department and Federal Bureau of Investigation (FBI), have documented
the ease with which a party, without proper authorization, may obtain the confidential calling records of consumers.
See Law Enforcement and Phone Privacy Protection Act of 2006, H.R. Rep. No. 109-395, 109th Cong. 2d Sess. 2
(2006) (citing Frank Main, Anyone Can Buy Cell Phone Records: Online Services Raise Security Concerns for Law
Enforcement, Chi. Sun-Times, January 5, 2006, at A3). For instance, a Chicago police official obtained call records
of an undercover narcotics officer’s telephone number, and received accurate call records within four hours of the
request. See Prevention of Fraudulent Access to Phone Records Act, H.R. Rep. No. 109-398, 109th Cong. 2d Sess.
2 (2006); Frank Main, Anyone Can Buy Cell Phone Records: Online Services Raise Security Concerns for Law
Enforcement, Chi. Sun Times, Jan. 5, 2006, at A3. In 1999, law enforcement authorities discovered that an
information broker sold a Los Angeles detective’s pager number to an Israeli mafia member who was trying to
determine the identity of the detective’s confidential information. See Frank Main, Cell Call Lists Reveal Your
Location: Anybody Can Pay to Track Where You Used Phone, Chi. Sun Times, Jan. 19, 2006, at A3. Citizens
themselves have also testified to the ease with which a pretexter can navigate easily around the carriers’
authentication systems. For example, a political Internet blogger purchased the cell phone records of former
presidential candidate General Wesley Clark. See Frank Main, Blogger Buys Presidential Candidate’s Call List:
“Nobody’s Records Are Untouchable,” as $90 Purchase Online Shows, Chi. Sun-Times, January 13, 2006, at A10.
Journalist Christopher Byron also testified before Congress about his own battle with pretexters, stating that
pretexters repeatedly called AT&T pretending to be him or his wife and asking for his phone records, which the
pretexter was able to obtain. See Internet Data Brokers and Pretexting: Who Has Access to Your Private Records?:
Hearings Before the Subcommittee on Oversight and Investigations of the H. Comm. on Energy and Commerce,
109th Cong. (Sept. 29, 2006) (testimony of Christopher Byron).
32
See Attorneys General Comments at 3 (identifying multiple filed lawsuits). All comments and reply comments
cited in this Order refer to comments and reply comments cited in CC Docket No. 96-115 unless otherwise stated.
33
See, e.g., Cingular Wireless LLC v. Data Find Solutions, Inc.; James Kester; 1st Source Information Specialists
Inc.; Kenneth W. Gorman; Steven Schwartz; John Does 1-100; and XYZ Corps. 1-100, Case No. 1:05-CV-3269-CC
(N.D. Ga. filed Dec. 23, 2005); Cingular Wireless LLC v. Efindoutthetruth.com, Inc.; Lisa Loftus; Tiffany Wey;
North American Services, LLC d/b/a North American Information; Tom Doyle; John Does 1-100; and XYZ Corps.
1-100, Case No. 1:05-CV-3268-ODE (N.D. Ga. filed Dec. 23, 2005); Cingular Wireless LLC v. Global Information
Group, Inc.; GIG Liquidation, Inc. f/k/a Global Information Group; Bureau of Heirs, Inc.; Edward Herzog; Laurie
Misner; Robin Goodwin; John Does 1-100; and XYZ Corps. 1-100, Case No. 1:06-CV-0413-TWT (N.D. Ga. filed
Feb. 23, 2006); Cingular Wireless LLC v. Get A Grip Consulting, Inc.; Paraben Corporation d/b/a Get A Grip
Software Publishing; Robert Schroeder; John Does 1-100; and XYZ Corps. 1-100, Case No. 1:06-CV-0498 (N.D.
Ga. filed Mar. 2, 2006).
34
See, e.g., Sprint Nextel Corp. d/b/a Sprint Nextel v. I" Source Information Specialists, Inc., et al.,
Case No. 06001083 (02) (Broward County, Florida Cir. Ct. filed Jan. 26, 2006); Sprint Nextel Corp. d/b/a Sprint
Nextel v. All Star Investigations, Inc., et al., Case No. 06 01736 (Miami-Dade County, Florida Cir. Ct. filed Jan. 27,
(continued....)
Federal Communications Commission FCC 07-22
9
dozens of people whom they accuse of fraudulently obtaining phone records.
37
In one of the cases filed
by Cingular, Cingular states in a court-filed affidavit that certain defendants or their agents posed as an
employee/agent of Cingular and as a customer of the carrier to induce Cingular’s customer service
representative to provide them with the call records of a targeted customer.
38
The Federal Trade
Commission has also filed suits against several pretexters under laws barring unfair and deceptive
(...continued from previous page)
2006); Sprint Nextel Corp. d/b/a Sprint Nextel v. San Marco & Associates Private Investigation, Inc., et al., Case
No. 8:06-CV-00484-T-17TGW (MD. Fla. filed March 17, 2006).
35
See, e.g., T-Mobile USA, Inc. v. C.F. Anderson et al., Cause No. 06-2-04163 (King County Super. Ct. Feb. 2,
2006) (Stipulated Order and Permanent Injunction); T-Mobile USA, Inc. v. 1st Source Information Services, et al.,
Case No. 06-2-03113-0 SEA (King County Super. Ct. May 22, 2006) (Final Order and Judgment); T-Mobile USA,
Inc. v. AccuSearch, et al., Case No. 06-2-06933-1 SEA (King County Super. Ct. filed May 18, 2006) (Stipulated
Order of Injunction).
36
See, e.g., Cellco Partnership d/b/a Verizon Wireless v. Source Resources, Permanent Injunction on Consent,
Docket No. SOM-L-I013-05 (Sup. Ct. of N.J.; Law Div.: Somerset County Sept. 13, 2005); Cellco Partnership
d/b/a Verizon Wireless v. Global Information Group, Inc., et al., Order, No. 05-09757 (Fla. Cir. Ct., 13th Judicial
Circuit, Hillsborough County, Nov. 2, 2005); Cellco Partnership d/b/a Verizon Wireless v. Data Find Solutions,
Inc., et al., Order, No. 06-CV-326 (SRC) (D.N.J., Jan. 31, 2006).
37
See Matt Richtel and Miguel Helft, An Industry Is Based on a Simple Masquerade, N.Y. Times, Sept. 11, 2006, at
C1; see also Charles Toutant, Verizon Wireless Suing ‘Pretexters’ Who Gain Access to Customer Data, 186 N.J.L.J.
976 (2006); Marguerite E. Patrick, Lessons Learned: Issues Exposed in the Aftermath of the Hewlett-Packard
Debacle, 1 Privacy & Data Protection Leg. Rep. 1 (October 2006); Internet Data Brokers and Pretexting: Who Has
Access to Your Private Records?: Hearings Before the Subcommittee on Oversight and Investigations of the H.
Comm. on Energy and Commerce, 109th Cong. (Sept. 26, 2006) (testimony of Michael Holden).
38
See H.R. Rep. 109-398 at 2.
Federal Communications Commission FCC 07-22
10
practices.
39
Additionally, numerous states, including California,
40
Florida,
41
Illinois,
42
Missouri,
43
and
Texas
44
have all sued data brokers for pretexting phone records.
A. Carrier Authentication Requirements
1. Customer-Initiated Telephone Account Access
13. We find that the release of call detail
45
over the telephone presents an immediate risk to
privacy and therefore we prohibit carriers from releasing call detail information based on customer-
initiated telephone contact except under three circumstances.
46
First, a carrier can release call detail
39
See Internet Data Brokers and Pretexting: Who Has Access to Your Private Records?: Hearings Before the
Subcommittee on Oversight and Investigations of the H. Comm. on Energy and Commerce, 109th Cong. 1 (Sept. 29,
2006) (testimony of the Joel Winston, Federal Trade Commission) (citing FTC v. Info Search, Inc., No. 1:06-CV-
01099-AMD (D. Md. filed May 1, 2006); FTC v. Accusearch, Inc. d/b/a Abika.com, No. 06-CV-0105 (D. Wyo. filed
May 1, 2006); FTC v. CEO Group, Inc. d/b/a Check Em Out, No. 06-60602 (S.D. Fla. filed May 1, 2006); FTC v. 77
Investigations, Inc., No. EDCV06-0439 VAP (C.D. Cal. filed May 1, 2006); FTC v. Integrity Sec. & Investigation
Servs., Inc., No. 2:06-CV-241-RGD-JEB (E.D. Va. filed May 1, 2006)).
40
See, e.g., California v. Data Trace USA Inc., No. GIC862672 (Cal. Super. Ct. filed Mar. 14, 2006).
41
See, e.g., Florida v. 1
st
Source Information Specialists, Inc., No. 37-2006-CA-00234 (Fla. Cir. Ct. filed Jan. 24,
2006); Florida v. Global Information Group, Inc., et al., No. 06-1570 (Fla. Cir. Ct. filed Feb. 24, 2006).
42
See, e.g., Illinois v. 1
st
Source Information Specialists, et al., No. 2006-CH-29 (Ill. Cir. Ct. filed Jan. 20, 2006); see
also Press Release, Office of the Attorney General, Madigan Sues Second Company that Sells Cell Phone Records
(Mar. 15, 2006), available at www.ag.state.il.us/pressroom/2006_03/20060315c.html (announcing the filing of a
law suit against a Florida company that allegedly obtained and sold phone records without customer consent).
43
See, e.g., Missouri v. Data Trace USA, Inc., et al., No. 06AC-CC-00158 (Mo. Cir. Ct. filed Mar. 3, 2006; see also
Press Release, Missouri Attorney General’s Office, Locatecell.com must stop selling cell phone records of
Missourians, under court order obtained by Nixon (Feb. 15, 2006), available at
www.ago.mo.gov/newsreleases/2006/021506.htm (announcing the issuance of a court order to stop the sale of
Missourians’ cell phone records by several people currently or formerly associated with the website
Locatecell.com).
44
See, e.g., Texas v. John Strange d/b/a USA Skiptrace.com, No. 06-1666 (Tex. Dist. Ct. Travis County filed Feb. 9,
2006); see also Press Release, Attorney General of Texas, Attorney General Abbott Files First Suit Against Sellers
of Private Phone Records (Feb. 9, 2006), available at http://www.oag.state.tx.us/oagnews/release.php?id=1449.
45
Call detailor “call records” includes any information that pertains to the transmission of specific telephone calls
including, for outbound calls, the number called, and the time, location, or duration of any call and, for inbound
calls, the number from which the call was placed, and the time, location, or duration of any call. See, e.g., Third
Report and Order, 17 FCC Rcd at 14864, para. 7. Remaining minutes of use is an example of CPNI that is not call
detail information. We disagree with commenters that argue we should adopt a more narrow definition of call
detail; a narrower definition that included only inbound or outbound telephone numbers would make it too easy for
unauthorized persons with partial information to confirm and expand on that information. See, e.g., Letter from Jim
Halpert, Counsel to the Anti-Pretexting Working Group, DLA Piper, to Marlene H. Dortch, Secretary, FCC, CC
Docket No. 96-115 Attach. at 2 (filed Oct. 31, 2006); Letter from William F. Maher, Jr. , Counsel for T-Mobile
USA, Inc., to Marlene H. Dortch, Secretary, FCC, CC Docket No. 96-115 at 1 (filed Nov. 30, 2006); Letter from
Charon Phillips, Verizon Wireless, to Marlene H. Dortch, Secretary, FCC, CC Docket No. 96-115 at 1 (filed Dec. 1,
2006).
46
See, e.g., Letter form Donna Epps, Vice President Federal Regulatory, Verizon, to Marlene H. Dortch, Secretary,
FCC, CC Docket No. 96-115 (filed Nov. 20, 2006) (arguing that any password requirement should only apply to
accessing call detail information). By limiting our rules to the disclosure of call detail information, we believe that
we have narrowly tailored our requirements to address the problem of pretexting. See, e.g., AT&T Reply at 2
(arguing that the Commission should ensure that any measures taken are “narrowly tailored to address a
demonstrated problem”); Letter from Donna Epps, Vice President, Federal Regulatory, Verizon, to Marlene H.
(continued....)
Federal Communications Commission FCC 07-22
11
information if the customer provides the carrier with a pre-established password.
47
Second, a carrier may,
at the customer’s request, send call detail information to the customer’s address of record.
48
Third, a
carrier may call the telephone number of record and disclose call detail information.
49
A carrier may
disclose non-call detail CPNI to a customer after the carrier authenticates the customer.
50
14. The record reflects that pretexters use evolving methods to trick employees at customer
service call centers into releasing call detail information.
51
This release of call detail through customer-
initiated telephone contact presents heightened privacy concerns because of pretexters’ abilities to
circumvent carrier authentication requirements and gain immediate access to call detail.
52
By restricting
(...continued from previous page)
Dortch, Secretary, FCC, CC Docket No. 96-115 at Attach. (filed Jan. 29, 2007) (Verizon Jan. 29, 2007 Ex Parte
Letter) (stating that password protecting call detail records “is a narrowly tailored solution” that “directly targets the
means and methods used by pretexters”). We also limit the requirements we impose in this section to customer-
initiated contact with the carrier. We find that there is not the same need for authentication when the carrier initiates
contact with a customer via the telephone number of record or via the address of record. By “telephone number of
record,” we mean the telephone number associated with the underlying service, rather than some other telephone
number supplied as a customer’s “contact information.” By “address of record,” whether postal or electronic, we
mean an address that the carrier has associated with the customer’s account for at least 30 days. Requiring that the
address be on file for 30 days will foreclose a pretexter’s ability to change an address of record for the purpose of
being sent call detail information immediately.
47
We understand that many consumers may not like passwords and thus we only extend the use of password
protection of call detail information during customer-initiated telephone calls. See, e.g., AT&T Comments at 8-11
(noting studies that demonstrate customers are opposed to mandatory passwords; Centennial Comments at 3-4
(arguing that customers find passwords burdensome). Further, for those customers not interested in password
protection, we provide other alternatives for carrier disclosure of call detail information that directly advance our
goal of protecting against pretexter activity and will not unduly burden carrier-customer relations.
48
This exception to the disclosure of call detail information in no way alters a carrier’s usual practice of sending
monthly billing statements to the customer.
49
See supra note 46 (defining “telephone number of record”). We find that it is necessary for the carrier to call the
customer at the telephone number of record, rather than rely on caller ID as an authentication method, because
pretexters can easily replicate caller ID numbers. See, e.g., Alltel Comments at 5.
50
Although we do not enact password protection for non-call detail CPNI in this Order, carriers are still subject to
section 222’s duties to protect CPNI, and thus a carrier must authenticate a customer prior to disclosing non-call
detail CPNI. See 47 U.S.C. § 222; see also Verizon Wireless Comments at 9 (arguing that “passcodes” can lead to a
frustrating experience for customers seeking answers to simple billing questions). We rely on carriers to determine
the authentication method for the release of non-call detail CPNI that is appropriate for the information sought and
which adheres to section 222’s duty. However, we seek comment on whether the Commission should impose
password protection on non-call detail CPNI in today’s Further Notice. See infra Section V.A.
51
See, e.g., Alltel Comments at 5; Cingular Comments at 13; Dobson Comments at 2; Sprint Nextel Comments at 4-
5; see also Testimony of James Rapp, House Energy and Commerce Committee, Subcommittee on Oversight and
Investigations Hearing: “Internet Data Brokers and Pretexting: Who Has Access to Your Private Records?” Attach.
A (June 21, 2006) (setting forth an outline of a training manual on how to obtain call detail and other personal
information), available at http://energycommerce.house.gov/108/Hearings/06212006hearing1916/Rapp.pdf; Brad
Stone, A ‘Pretexter’ and His Tricks: Phone Records Are a Snap to Snag. Just Ask David Gandal, NEWSWEEK, Sept.
10, 2006, at 43 (interviewing a pretexter who explains how pretexting is accomplished); supra para. 12 and
accompanying notes (identifying lawsuits alleging pretexting activity).
52
Specifically, the Attorneys General state that data brokers consistently demonstrate that they can obtain almost
any type of personal information, including social security numbers and mother’s maiden name, which carriers
currently use to authenticate a customer. See, e.g., Attorneys General Comments at 15; see also EPIC et al.
Comments at 12.
Federal Communications Commission FCC 07-22
12
the ways in which carriers release call detail in response to customer-initiated telephone calls, we place at
most a minimal inconvenience on carriers and consumers.
53
15. Establishment of Password Protection. For new customers, carriers may request that the
customer establish a password at the time of service initiation because the carrier can easily authenticate
the customer at that time.
54
For existing customers to establish a password, a carrier must first
authenticate the customer without the use of readily available biographical information,
55
or account
information.
56
For example, a carrier could call the customer at the telephone number of record.
57
If a
carrier already has password protection in place for a customer account, a carrier does not have to
reinitialize a customer password.
58
By permitting the carrier to determine its authentication method, the
carrier has the most flexibility for designing an authentication program that can continue to evolve to fight
against pretexting efforts.
16. Use of Password Protection. For accounts that are password protected, a carrier cannot
obtain the customer’s password by asking for readily available biographical information, or account
53
Customers requiring instant access to call detail information also have the option of accessing such data online in
the protected manner described in Section IV.A.2, or by visiting a carrier’s retail location with a valid photo ID as
described in Section IV.A.3.
54
See, e.g., Virgin Mobile Reply at 4 (mandating that customers select a password at the time of the service
activation process). By “new customers,” we include only those customers that establish service after the effective
date of our rules.
55
“Readily available biographical information” includes such things as the customer’s social security number, or the
last four digits of that number; the customer’s mother’s maiden name; a home address; or a date of birth. See, e.g.,
EPIC Petition at 8; see also AT&T Comments at 3 (noting that authenticating customers by relying “solely on a
customer’s name, address and/or phone number may be insufficient” and that the Commission could reasonably
conclude “that all carriers should authenticate a customer’s identity using non-public information prior to releasing
CPNI”); id. at 7 (finding that authenticating the customer based on non-public information would impose “little
additional cost”).
56
See, e.g., EPIC Reply at 2. “Account information” includes such things as account number or any component
thereof, the telephone number associated with the account, or amount of last bill.
57
A carrier could also use a Personal Identification Number (PIN) method to authenticate the customer. A PIN
authentication method could entail a carrier supplying the customer with a randomly-generated PIN, not based on
readily available biographical information, or account information, which the customer would then provide to the
carrier prior to establishing a password. Carriers could supply the PIN to the customer by a carrier-originated
voicemail or text message to the telephone number of record, or by sending it to an address of record so as to
reasonably ensure that it is delivered to the intended party. See, e.g., Letter from William F. Maher, Jr., Counsel for
T-Mobile USA, Inc., Morrison & Foerster, to Marlene H. Dortch, Secretary, FCC, CC Docket No. 96-115 at 2 (filed
Nov. 20, 2006) (providing customers with a temporary password by sending it to the customer’s mobile phone
number). A carrier cannot authenticate a customer by sending the customer a PIN (or any other type of carrier
chosen method of authentication) to new contact information that the customer provides at the time of the
customer’s PIN (or other authentication) request. Carriers could also authenticate the customer by requesting that
the customer present a valid photo ID at a carrier’s retail location. A “valid photo ID” is a government-issued
personal identification with a photograph such as a current driver’s license, passport, or comparable ID.
58
See, e.g., Sprint Nextel Reply at 7 (noting that most carriers already allow customers to choose password
protection); Letter from Donna Epps, Vice President, Federal Regulatory, Verizon, to Marlene H. Dortch, Secretary,
FCC, CC Docket No. 96-115 at 2 (filed Dec. 22, 2006) (Verizon Dec. 22, 2006 Ex Parte Letter) (noting that Verizon
already permits its customers to password protect telephone account access).
Federal Communications Commission FCC 07-22
13
information, to prompt the customer for his password.
59
We understand, of course, that passwords can be
lost or forgotten, and share commenters’ concern that security measures should not unnecessarily
inconvenience customers or impair customer service systems.
60
We therefore allow carriers to create
back-up customer authentication methods for lost or forgotten passwords that are also not based on
readily available biographical information, or account information.
61
For example, the Attorneys General
support the use of a shared secret back-up authentication procedure for lost or forgotten passwords.
62
As
further account protection, with a shared secret back-up authentication program, the carrier may offer the
opportunity for the customer to design the shared secret question.
63
We find that limiting back-up
authentication methods to those that do not include readily available biographical information, or account
information, will protect customers most effectively from pretexters.
17. Although we recognize that carriers and customers will be subject to a one-time burden to
implement password protection if a customer is interested in gaining access to call detail during a
customer-initiated telephone call, we believe that the ongoing burdens of these authentication
requirements will be minimal. Further, this method balances consumers’ interests in ready access to their
call detail, and carriers’ interests in providing efficient customer service, with the public interest in
maintaining the security and confidentiality of call detail information.
18. Alternative Access to Call Detail Information. If a customer does not want to establish a
password, the customer may still access call detail information, based on a customer-initiated telephone
call, by asking the carrier to send the call detail information to an address of record or by the carrier
calling the telephone number of record.
64
Because we provide multiple methods for the customer to
access call detail based on a customer-initiated telephone call, neither customers who dislike passwords
59
We agree with commenters that assert that individuals tend to choose passwords that are based on personal
information and therefore pretexters can easily circumvent password protections. See, e.g., Verizon Wireless
Comments at 9; Sprint Nextel Reply at 8. To prevent this, we prohibit carriers from using prompts to request the
customer’s password based on readily available biographical information, or account information. If a customer
cannot provide the correct password and the carrier does not offer a back-up authentication method to access call
detail, the carrier must reauthenticate the customer. A carrier cannot disclose call detail information over the
telephone during a customer-initiated telephone call until the carrier is able to reauthenticate the customer without
the use of readily available biographical information, or account information.
60
See, e.g., Verizon Wireless Comments at 9.
61
See, e.g., Letter from Cynthia R. Southworth, Director of the Safety Net Project, National Network to End
Domestic Violence, to Marlene H. Dortch, Secretary, FCC, CC Docket No. 96-115 at 2 (filed Nov. 30, 2006)
(NNEDV Nov. 30, 2006 Ex Parte Letter). We do not require carriers to adopt a specific back-up authentication
method because we believe that by directing carriers to do so we might make it easier for pretexters to defeat the
protections we adopt in this Order. See, e.g., Verizon Wireless Reply at 9. If a customer cannot provide the correct
response to the back-up authentication method to access call detail, the carrier must reauthenticate the customer. A
carrier cannot disclose call detail information over the telephone during a customer-initiated telephone call until the
carrier is able to reauthenticate the customer without the use of readily available biographical information, or
account information.
62
See Attorneys General Comments at 16; see also Ohio PUC Comments at 9-10. A shared secret is one or more
question-answer combinations that are known to the customer and the carrier but are not widely known. Thus, if the
customer lost or forgot a password, the carrier could provide the pre-selected shared secret question, or set of shared
secret questions, to the customer for authentication purposes.
63
See, e.g., Virgin Mobile Reply at 5 n.3 (allowing the customer to create their own back-up authentication
question).
64
The customer may also access call detail information by establishing an online account or by visiting a carrier’s
retail location. See infra Sections IV.A.2 andIV.A.3.
Federal Communications Commission FCC 07-22
14
nor carriers concerned about timely customer service should find our requirements burdensome.
65
Furthermore, by providing a variety of secure means for customers to receive call detail information from
carriers, and focusing on one of the most problematic means of pretexting obtaining call detail
information from customer service representatives without proper identity screening our rules are no
more extensive than necessary to protect consumers’ privacy with respect to telephone access to account
information.
66
19. We do not intend for the prohibition on the release of call detail over the telephone for
customer-initiated telephone contact to hinder routine carrier-customer relations regarding service/billing
disputes and questions.
67
If a customer is able to provide to the carrier, during a customer-initiated
telephone call, all of the call detail information necessary to address a customer service issue (i.e., the
telephone number called, when it was called, and, if applicable, the amount charged for the call), then the
carrier is permitted to proceed with its routine customer care procedures.
68
We believe that if a customer
is able to provide this information to the carrier, without carrier assistance, then the carrier does not
violate our rules if it takes routine customer service actions related to such information. We additionally
clarify that under these circumstances, carriers may not disclose to the customer any call detail
information about the customer account other than the call detail information that the customer provides
without the customer first providing a password. Our rule is intended to prevent pretexter phishing and
other pretexter methods for gaining unauthorized access to customer account information.
65
See, e.g., BellSouth Comments at 16 (noting the use of an optional customer-provided password for the release of
CPNI over the telephone).
66
See Verizon Dec. 22, 2006 Ex Parte Letter at 5 (arguing that “any password requirement would have to be
narrowly crafted to address the specific problem of pretexters fraudulently obtaining call detail information”).
67
See, e.g., Letter from Charon Phillips, Verizon Wireless, to Marlene H. Dortch, Secretary, FCC, CC Docket No.
96-115 at 1 (filed Dec. 1, 2006) (raising concerns about a carrier’s ability to serve customers during customer
service calls).
68
See, e.g., Letter from William F. Maher, Jr., Counsel for T-Mobile USA, Inc., to Marlene H. Dortch, Secretary,
FCC, CC Docket No. 96-115 at 2 (filed Nov. 20, 2006); Verizon Dec. 14, 2006 Ex Parte Letter at 2.
Federal Communications Commission FCC 07-22
15
2. Online Account Access
20. We also require carriers to password protect online access to CPNI.
69
Although section 222
of the Act imposes a duty on carriers to protect the privacy of CPNI,
70
data brokers and others have been
able to access CPNI online without the account holder’s knowledge or consent.
71
We agree with EPIC
that the apparent ease with which data brokers have been able to access CPNI online demonstrates the
insufficiency of carriers’ customer authentication procedures.
72
In particular, the record evidence
demonstrates that some carriers permit customers to establish online accounts by providing readily
available biographical information.
73
Thus, a data broker may obtain online account access easily without
the customer’s knowledge. Therefore, we agree with EPIC and others that use of such identifiers is an
insufficient mechanism for preventing data brokers from obtaining unauthorized online access to CPNI.
74
21. To close this gap, we prohibit carriers from relying on readily available biographical
information, or account information to authenticate a customer’s identity before a customer accesses
CPNI online. In addition, because a carrier is responsible to ensure the security and privacy of online
account access, a carrier must appropriately authenticate both new and existing customers seeking access
69
See, e.g., Letter from John T. Scott, III, Vice President & Deputy General Counsel Regulatory Law, Verizon
Wireless, to Marlene H. Dortch, Secretary, FCC, CC Docket No. 96-115 at 1 (filed Oct. 18, 2006) (Verizon Wireless
Oct. 16 Ex Parte Letter) (arguing that carriers should require passwords for online access to CPNI); Verizon Dec.
22, 2006 Ex Parte Letter at 2 (supporting a proposal to require password protection for customer online account
access because passwords are “routine and readily accepted by customers” in the online environment). We do not
limit our online account access rules to just call detail because online account access presents a heightened security
risk. Specifically, online account access allows a customer (or pretexter) to view and change personal information
easily (including online passwords, addresses of record, and billing information) without carrier assistance. During
a telephone conversation with the customer, a carrier is able to authenticate a customer and sense whether the
customer is who he claims to be. In the online context, however, there is no person-to-person contact (or limited
interactive voice recognition menu) and thus a pretexter, if he were able to circumvent online password protection,
could obtain significant amounts of a customer’s private information (including home address, plan information,
billing information, and call detail records for months at a time) with only the click of a mouse. Thus, we believe
that we must extend our online account access rules to include the disclosure of all CPNI to protect customer
privacy. Furthermore, most carriers already require password protection for online accounts. See, e.g., Verizon
Dec. 22, 2006 Ex Parte Letter at 2. They do not differentiate their online account systems between access to call
detail information and non-call detail CPNI, and requiring them to do so likely would impose significant costs. For
these reasons, we find that our requirements in the online context are no more extensive than necessary to protect
consumers’ privacy. See Central Hudson Gas & Elec. Corp. v. Public Service Comm’n of N.Y., 447 U.S. 557, 564-
65 (1980).
70
See 47 U.S.C. § 222(a) (stating that “[e]very telecommunications carrier has a duty to protect the confidentiality
of proprietary information of, and relating to . . . customers”).
71
For instance, pretexters have been able to access CPNI by deceiving customer service representatives or by
exploiting security gaps in customers’ online accounts. See, e.g., EPIC Petition, Appendix C (providing a list of 40
web sites offering to sell CPNI to third parties); Attorneys General Comments at 3 (describing pretexters’ use of
online account access).
72
See, e.g., EPIC Petition at 8, 11; see also supra para. 12 and accompanying notes.
73
See, e.g., EPIC Petition at 8. The record in this proceeding reveals other holes in carriers’ existing authentication
measures, such as authenticating a customer’s identity through information the carrier readily provides to any person
purporting to be the customer without authentication, thus enabling a pretexter to obtain online access to CPNI by
first calling the carrier to obtain the information. The requirements we adopt in this Order fix such flaws.
74
See, e.g., EPIC et al. Comments at 12-13 (explaining that biographical identifiers are widely available on websites
and easily obtained by pretexters); Centennial Reply at 6 (stating that biographical information like social security
number can be found on the Internet).
Federal Communications Commission FCC 07-22
16
to CPNI online.
75
However, we do not require carriers to reinitialize existing passwords for online
customer accounts, but a carrier cannot base online access solely on readily available biographical
information, or account information, or prompts for such information.
76
22. As with the password protection for the release of call detail during customer-initiated
telephone contact, we understand that passwords for online access can also be lost or forgotten, and share
commenters’ concern that security measures should not unnecessarily inconvenience customers or impair
customer service systems.
77
We therefore allow carriers to create back-up customer authentication
methods for lost or forgotten passwords in line with the back-up authentication method framework
established for the password protection for customer-initiated telephone contact.
78
Further, if a customer
cannot provide a password or the proper response for the back-up authentication method to access an
online account, the carrier must reauthenticate the customer based on the authentication methods adopted
in this Order prior to the customer gaining online access to CPNI.
79
Finally, as with the establishment of
the password for the release of call detail for customer-initiated telephone contact, although we recognize
that carriers and customers will be subject to a one-time burden to implement this Order, we believe the
ongoing burdens of these authentication requirements will be minimal and are outweighed by the benefits
to consumer privacy.
3. Carrier Retail Location Account Access
23. We continue to allow carriers to provide customers with access to CPNI at a carrier’s retail
location if the customer presents a valid photo ID
80
and the valid photo ID matches the name on the
account.
81
We agree with the Attorneys General and find that this is a secure authentication practice
because it enables the carrier to make a reasonable judgment about the customer’s identity.
82
75
For new customers, a carrier could request that a customer establish an online password at the time of service
initiation. See supra note 54. Alternatively, for all customers, a carrier could use a PIN method, as described above,
to authenticate a customer if necessary. See supra note 56.
76
Although we do not mandate what specific level of password protection carriers must provide for their customers
for online access, we expect carriers to ensure that online access to CPNI is adequately password protected. For
example, we believe it would be reasonable for carriers to block access to a customer’s account after repeated
unsuccessful attempts to log in to that account to prevent hackers from using a so-called “brute force attack” to
discover account passwords. Carriers may also determine the password format they deem appropriate. For
example, carriers may decide the length of the password, whether or not the password should be case-sensitive, or
whether the password should require a mix of numerals, letters, and other symbols.
77
See supra note 60.
78
See supra Section IV.A.1. For existing online accounts, although we do not mandate that a carrier reinitialize
those accounts, if a carrier provides a back-up authentication method that is not in conformance with this Order (i.e.,
the method is based on carrier prompts for readily available biographical information, or account information), then
a carrier must modify its back-up authentication method to comply with this Order.
79
This requirement extends to all online accounts regardless of whether the online account access existed prior to
the effective date of these rules.
80
A “valid photo ID” is a government-issued personal identification with a photograph such as a current driver’s
license, passport, or comparable ID.
81
See, e.g., Cingular Comments at 18 (requiring a photo ID before providing a customer a print of the bill at a retail
location).
82
See Attorneys General Comments at 16.
Federal Communications Commission FCC 07-22
17
4. Notification of Account Changes
24. We require carriers to notify customers immediately of certain account changes, including
whenever a password, customer response to a carrier-designed back-up means of authentication,
83
online
account, or address of record is created or changed.
84
We agree with the New Jersey Ratepayer Advocate
that this notification is an important tool for customers to monitor their account’s security.
85
This
notification may be through a carrier-originated voicemail or text message to the telephone number of
record, or by mail to the address of record, as to reasonably ensure that the customer receives this
notification.
86
We believe this measure is appropriate to protect customers from data brokers that might
otherwise manage to circumvent the authentication protections we adopt in this Order, and to take
appropriate action in the event of pretexter activity. Further, we find that this notification requirement
will also empower customers to provide carriers with timely information about pretexting activity, which
the carriers may not be able to identify easily.
87
5. Business Customer Exemption
25. We do make an exception to the rules that we adopt today for certain business customers.
We agree with commenters who argue that privacy concerns of telecommunications consumers are
greatest when using personal telecommunications services.
88
Indeed, the fraudulent practices described
by EPIC have mainly targeted individual consumers, and the record indicates that the proprietary
information of wireline and wireless business account customers already is subject to stringent
safeguards, which are privately negotiated by contract.
89
Therefore, if the carrier’s contract with a
business customer is serviced by a dedicated account representative as the primary contact, and
specifically addresses the carrier’s protection of CPNI, we do not extend our carrier authentication rules
to cover these business customers because businesses are typically able to negotiate the appropriate
83
A customer response to a carrier-designed back-up means of authentication is the customer’s pre-selected answer
to the carrier’s back-up authentication method in the event that the customer lost or forgot his password.
84
This notification process is not required when the customer initiates service, including the selection of a password
at service initiation.
85
See New Jersey Ratepayer Advocate Comments at 4; see also Alltel Comments at 5 (noting that notice of certain
account changes may protect subscriber’s security); Ohio PUC Comments at 10 (asserting that providing notice to
customers of changed passwords is an effective strategy for protecting CPNI).
86
See, e.g., Verizon Dec. 22, 2006 Ex Parte Letter at 6 (arguing against a “one-size-fits-all” requirement for
notifying customers of account changes on First Amendment grounds). To protect the security of the potential
victim of pretexting, such notification must not reveal the changed account information. Additionally, a carrier may
not notify the customer of account changes by sending notice to the new account information, which might result in
the customer not being notified of the change (e.g., mailing a customer’s change of address to a new address rather
than to the former address of record).
87
See, e.g., NCTA Comments at 6 (arguing that a carrier generally does not know when a data broker breaches
carrier security measures because the carrier believes the data broker is the customer); TWTC Comments at 13
(stating that carriers usually are not aware when pretexting occurs); Cingular Reply at 7 n.17 (arguing that the
customer is usually aware of a security problem before the carrier).
88
See, e.g., Letter from Donna Epps, Vice President and Federal Regulatory, Verizon, to Marlene H. Dortch,
Secretary, FCC, CC Docket No. 96-115 at 2 (filed Dec. 14, 2006) (Verizon Dec. 14, 2006 Ex Parte Letter).
89
See, e.g., TWTC Comments at 19-20; Letter from John J. Heitmann and Jennifer M. Kashatus, Counsel to XO
Communications, to Marlene Dortch, Secretary, FCC, CC Docket No. 96-115, at 2 (filed Oct. 19, 2006); Letter from
Karen Reidy, Vice President, Regulatory Affairs, COMPTEL, to Marlene H. Dortch, Secretary, FCC, CC Docket
No. 96-115 at 1 (filed Dec. 18, 2006) (COMPTEL Dec. 18, 2006 Ex Parte Letter).
Federal Communications Commission FCC 07-22
18
protection of CPNI in their service agreements.
90
However, nothing in this Order exempts carriers
serving wireline enterprise and wireless business account customers from section 222 or the remainder of
the Commission’s CPNI rules.
B. Notice of Unauthorized Disclosure of CPNI
26. We agree with EPIC that carriers should be required to notify a customer whenever a
security breach results in that customer’s CPNI being disclosed to a third party without that customer’s
authorization.
91
However, we also appreciate law enforcements concern about delaying customer
notification in order to allow law enforcement to investigate crimes.
92
Therefore, we adopt a rule that we
believe balances a customer’s need to know with law enforcement’s ability to undertake an investigation
of suspected criminal activity, which itself might advance the goal of consumer protection.
93
27. In conjunction with the general rulemaking authority under the Act,
94
section 222(a), which
imposes a duty on “[e]very telecommunications carrier . . . to protect the confidentiality of proprietary
information,” provides ample authority for the Commission to require carriers to report CPNI breaches to
law enforcement and prohibit them from disclosing breaches to their customers until after law
enforcement has been notified. Notifying law enforcement of CPNI breaches is consistent with the goal
of protecting CPNI. Law enforcement can investigate the breach, which could result in legal action
against the perpetrators, thus ensuring that they do not continue to breach CPNI. When and if law
enforcement determines how the breach occurred, moreover, it can advise the carrier and the
Commission, enabling industry to take steps to prevent future breaches of that kind. Because law
enforcement will be informed of all breaches, it will be better positioned than individual carriers to
develop expertise about the methods and motives associated with CPNI breaches. Again, this should
enable law enforcement to advise industry, the Commission, and perhaps Congress regarding additional
measures that might prevent future breaches.
28. The requirement that carriers delay customer notification of breaches until after law
enforcement has been notified is also consistent with these goals. Once customers have been notified, a
90
These business customers are able to reach customer service representatives without going through a call center.
If the business customer must go through a call center to reach a customer service representative then this exemption
does not apply to that customer.
91
See EPIC et al. Comments at 15; see also, e.g., CaPUC Comments at 3 (recommending the adoption of a rule that
carriers notify a customer when the carrier discloses a customer’s CPNI without customer consent); MetroPCS
Comments at 9 (stating that it notifies a customer through a text message anytime that it releases CPNI); Verizon
Wireless Oct. 18, 2006 Ex Parte Letter at 2 (arguing that customers should be aware if a carrier disclosed their data
to a third party); NNEDV Nov. 30, 2006 Ex Parte Letter at 3 (arguing for a victim to be notified prior to law
enforcement).
92
See DOJ/DHS Comments at 14; Letter from Paul J. McNulty, Deputy Attorney General, United States
Department of Justice, to Kevin J. Martin, Chairman, FCC, CC Docket No. 96-115 (filed Dec. 28, 2006) (DOJ Dec.
28, 2006 Ex Parte Letter); Letter from Joseph E. Springsteen, Trial Attorney, United States Department of Justice,
to Marlene H. Dortch, Secretary, FCC, CC Docket No. 96-115 (filed Mar. 13, 2007).
93
See DOJ Dec. 28, 2006 Ex Parte Letter; see also Cal. Civ. Code § 1798.82 (permitting law enforcement to delay
customer notification of breaches of security if a law enforcement agency determines the notification will impede a
criminal investigation); N.Y. Gen. Bus. Law § 899-aa (permitting law enforcement to delay customer notification of
breaches of security if a law enforcement agency determines the notification impedes a criminal investigation).
94
Section 201(b) authorizes the Commission to “prescribes such rules and regulations as may be necessary in the
public interest to carry out the provisions of this Act,” including section 222. 47 U.S.C. § 201(b). Section 1 charges
the Commission with “promoting safety of life and property through the use of wire and radio communication.” 47
U.S.C. § 151.
Federal Communications Commission FCC 07-22
19
breach may become public knowledge, thereby impeding law enforcement’s ability to investigate the
breach, identify the perpetrators, and determine how the breach occurred. In short, immediate customer
notification may compromise all the benefits of requiring carriers to notify law enforcement of CPNI
breaches. A short delay is warranted, therefore, with the proviso that carriers may notify customers if
there is an urgent need to do so to avoid immediate and irreparable harm.
29. A telecommunications carrier shall notify law enforcement of a breach of its customers’
CPNI no later than seven business days after a reasonable determination of a breach by sending electronic
notification through a central reporting facility to the United States Secret Service (USSS) and the Federal
Bureau of Investigation (FBI).
95
A telecommunications carrier may notify the customer and/or disclose
the breach publicly after seven business days following notification to the USSS and the FBI, if the USSS
and the FBI have not requested that the telecommunications carrier continue to postpone disclosure.
96
A
telecommunications carrier, however, may immediately notify a customer or disclose the breach publicly
after consultation with the relevant investigative agency, if the carrier believes that there is an
extraordinarily urgent need to notify a customer or class of customers in order to avoid immediate and
irreparable harm.
97
Additionally, we require carriers to maintain a record of any discovered breaches,
notifications to the USSS and the FBI regarding those breaches, as well as the USSS and the FBI response
to the notifications for a period of at least two years. This record must include, if available, the date that
the carrier discovered the breach, the date that the carrier notified the USSS and the FBI, a detailed
description of the CPNI that was breached, and the circumstances of the breach.
30. We reject commentersargument that the Commission need not impose new rules about
notice to customers of unauthorized disclosure because competitive market conditions will protect CPNI
from unauthorized disclosure.
98
If customers and law enforcement agencies are unaware of pretexting
activity, unauthorized releases of CPNI will have little impact on carriers’ behavior, and thus provide
little incentive for carriers to prevent further unauthorized releases.
99
By mandating the notification
process adopted here, we better empower consumers to make informed decisions about service providers
and assist law enforcement with its investigations. This notice will also empower carriers and consumers
to take whatever “next steps” are appropriate in light of the customer’s particular situation.
100
31. We clarify, however, that nothing in today’s Order is intended to alter existing law regarding
customer notification of law enforcement access to customer records. Therefore, for example, when
95
The Commission will maintain a link to the reporting facility at www.fcc.gov/eb/cpni.
96
If the relevant investigating agency determines that public disclosure or notice to customers would impede or
compromise an ongoing or potential criminal investigation or national security, the law enforcement agency may
direct the carrier not to disclose the breach for an initial 30-day period. This 30-day period may be extended by the
law enforcement agency as reasonably necessary in the judgment of the agency. The law enforcement agency shall
provide in writing to the carrier its initial direction to the carrier and any subsequent direction.
97
A telecommunications carrier should indicate its desire to notify its customer or class of customers immediately
concurrent with its notice to the USSS and FBI of a breach.
98
See, e.g., Charter Comments at 7-9 (discussing how market forces give carriers incentive to protect CPNI); Time
Warner Comments at 6 (noting that AOL has market incentives to protect its subscribers’ personal information).
99
See, e.g., Charter Comments at 8 (noting that recent studies demonstrate that nearly 60% of consumers either
terminate service or consider switching service providers when a company fails to protect personally identifiable
information); NASUCA Comments at 26 (arguing that the Commission should not rely alone on the “good business
sense” of carriers to notify their customers of a security breach).
100
As EPIC states by way of example, such notice will “allow individuals to take actions to avoid stalking or
domestic violence. . . . and also allow individuals to pursue private claims against the pretexter or person employing
the pretexter.” EPIC et al. Comments at 15.
Federal Communications Commission FCC 07-22
20
CPNI is disclosed pursuant to the “except as required by law” exception contained in section 222(c)(1),
such disclosure does not trigger the carrier’s obligation to notify a customer of any “unauthorized” access
to CPNI.
101
We further clarify that nothing in today’s Order is intended to mandate customer notice when
providers of covered services are permitted by law to disclose customers’ personal information, such as to
“protect the rights or property of the carrier, or to protect users of those services and other carriers from
fraudulent, abusive, or unlawful use of, or subscription to, such services.”
102
Further, we do not intend to
supersede any statute, regulation, order, or interpretation in any state, except to the extent that such
statute, regulation, order, or interpretation is inconsistent with the provisions of this section, and then only
to the extent of the inconsistency.
32. Content of Customer Notice. We decline to specify the precise content of the notice that
must be provided to customers in the event of a security breach of CPNI. The notice requirement we
adopt in this proceeding is general, and we recognize that numerous types of circumstances including
situations other than pretexting could result in the unauthorized disclosure of a customers CPNI to a
third party. Thus, we leave carriers the discretion to tailor the language and method of notification to the
circumstances.
103
Finally, we expect carriers to cooperate fully in any law enforcement investigation of
such unauthorized release of CPNI or attempted unauthorized access to an account consistent with
statutory and Commission requirements.
C. Additional Protection Measures
33. Guarding Against Pretexting. We agree with commenters that techniques for fraud vary and
tend to become more sophisticated over time, and that carriers need leeway to engage emerging threats.
104
We therefore clarify that carriers are free to bolster their security measures through additional measures to
meet their section 222 obligations to protect the privacy of CPNI.
105
We also codify the existing statutory
requirement contained in section 222 of the Act that carriers take reasonable measures to discover and
protect against activity that is indicative of pretexting.
106
As we discuss below, adoption of the rules in
this Order does not relieve carriers of their fundamental duty to remain vigilant in their protection of
CPNI, nor does it necessarily insulate them from enforcement action for unauthorized disclosure of CPNI.
34. Although we expect that carriers will use forms of self-monitoring to comply with this
obligation, at this time we allow carriers to determine what specific measures will best enable them to
101
See DOJ/DHS Comments at 14. In particular, a carrier is not required to notify the subject of a lawful
investigation that law enforcement has sought or obtained access to the subject’s telephone records, which could
jeopardize the investigation. As the Department of Justice explains, Congress already has established a structure for
customer notification of law enforcement access to customer records for providers of certain services, and by our
action today we do not disturb the balance Congress has struck on this issue for such providers. See id. at 15-16
(citing 18 U.S.C. §§ 2701 et seq.).
102
47 U.S.C. § 222(d); see also 18 U.S.C. § 2702.
103
NASUCA urges carriers to provide individualized notice to customers in the event of a security breach because
notice in a bill may not be read by the customer. See NASUCA Comments at 7-8.
104
See, e.g., CTIA Comments at 6 (explaining that carriers must respond to a constantly evolving threat from
pretexters who become more knowledgeable with every call to a carrier’s customer service representatives).
105
For example, several carriers already voluntarily refuse to divulge call detail information directly over the
telephone even with password protection. See, e.g., Letter from Brian F. Fontes, Vice President, Federal Relations,
Cingular Wireless LLC, to Marlene H. Dortch, Secretary, FCC, CC Docket No. 96-115 (filed Sept. 29, 2006); Letter
from William F. Maher, Jr., Counsel for T-Mobile USA, Inc., to Marlene H. Dortch, Secretary, FCC, CC Docket
No. 96-115 at 2 (filed Dec. 4, 2006).
106
Section 222(a) of the Act imposes a generally duty on carriers to “protect the confidentiality of proprietary
information of, and relating to . . . customers.” 47 U.S.C. § 222(a).
Federal Communications Commission FCC 07-22
21
ensure compliance with this requirement.
107
By codifying a general requirement to take reasonable
measures to discover and protect against activity that is indicative of pretexting, we permit carriers to
weigh the benefits and burdens of particular methods of possibly detecting pretexting. This approach will
allow carriers to improve the security of CPNI in the most efficient manner possible,
108
and better enable
small businesses to comply with our rules.
35. We stress our expectation that carriers will take affirmative measures to discover and protect
against activity that is indicative of pretexting beyond what is required by the Commission’s current
rules,
109
and remind carriers that the Act imposes on them the duty of instituting effective measures to
protect the privacy of CPNI.
110
Moreover, as discussed in the Enforcement Section, infra,
111
by requiring
carriers to demonstrate that they have taken adequate measures to guard against pretexting, we give
carriers adequate incentive to uncover situations where they have released CPNI to a third party without
authorization. We anticipate that a carrier that practices willful blindness with regard to pretexting would
not be able to demonstrate that it has taken sufficient measures to guard against pretexting. Although, we
do not adopt specific rules in this Order that fully encompass this affirmative duty, we seek comment in
our Further Notice on whether the Commission should require carriers to utilize audit trails and comply
with certain data retention requirements.
112
36. Network Security. In response to EPIC’s encryption proposal, we make clear that carriers’
existing statutory obligations to protect their customers’ CPNI include a requirement that carriers take
reasonable steps, which may include encryption, to protect their CPNI databases from hackers and other
unauthorized attempts by third parties to access CPNI.
113
Although several carriers report that they have
looked for, but not found, attempts by outsiders to penetrate their CPNI databases directly,
114
commenters
also report that pretexters’ methods for gaining access to data evolve over time.
115
As carriers take
stronger measures to safeguard CPNI, data brokers may respond by escalating their techniques to access
CPNI, such as through hacking. Therefore, although we decline at this time specifically to require
carriers to encrypt their CPNI databases, we interpret section 222 as requiring carriers to protect CPNI
when it is stored in a carrier’s databases.
116
107
See, e.g., Missouri PSC Comments at 3 (pointing out that audit trails are useful when tracking and prosecuting
entities that obtain CPNI dishonestly or inappropriately); NCTA Comments at 4 (arguing that while audit trails do
not deter pretexting, they can help carriers identify and investigate security breaches after they have occurred).
108
Moreover, as numerous commenters observe, publishing criteria for identifying suspect calls or calling patterns
or online attempts at access would aid pretexters more than it would enhance security. See, e.g., CTIA Comments at
3; T-Mobile Comments at 4; US Telecom Comments at 3-4 (arguing that overly-specific rules risk giving pretexters
a “roadmap”).
109
This expectation is reasonable given that the problem of pretexting emerged notwithstanding the Commission’s
current rules.
110
47 U.S.C. § 222(c); 47 C.F.R. § 64.2009.
111
See infra Section IV.I.
112
See Further Notice at paras. 69-70.
113
See EPIC Petition at 11.
114
See, e.g., AT&T Comments at 15-16; Cingular Comments at 13; Verizon Wireless Comments at 11.
115
See, e.g., Centennial Reply at 7.
116
Commenters report that the expense of encryption would be substantial, and would be of limited value in
protecting against pretexting. See, e.g., Verizon Wireless Comments at 11. Some carriers nevertheless may find
that encryption currently is a cost-effective way to increase the security of CPNI. See, e.g., Alltel Comments at 6
(noting that Alltel is encrypting some data stores to stop potential hackers). In addition, if carriers begin to
(continued....)
Federal Communications Commission FCC 07-22
22
D. Joint Venture and Independent Contractor Use of CPNI
37. We modify our rules to require telecommunications carriers to obtain opt-in consent from a
customer before disclosing that customer’s CPNI to a carrier’s joint venture partner or independent
contractor for the purpose of marketing communications-related services to that customer.
117
While we
realize that this is a change in Commission policy, we find that new circumstances force us to reassess our
existing regulations. As we have found previously, the Commission has a substantial interest in
protecting customer privacy.
118
Based on this and in light of new privacy concerns, we now find that an
opt-in framework for the sharing of CPNI with joint venture partners and independent contractors for the
purposes of marketing communications-related services to a customer both directly advances our interest
in protecting customer privacy and is narrowly tailored to achieve our goal of privacy protection.
Specifically, an opt-in regime will more effectively limit the circulation of a customer’s CPNI by
maintaining it in a carrier’s possession unless a customer provides informed consent for its release.
Moreover, we find that an opt-in regime will provide necessary informed customer choice concerning
these information sharing relationships with other companies.
38. In the Notice, the Commission sought comment on whether the existing opt-out regime is
sufficiently protective of the privacy of CPNI when CPNI is disclosed to telecommunications carriers’
joint venture partners and independent contractors, and whether the Commission should instead adopt an
opt-in policy for this type of CPNI sharing.
119
The current opt-out regime allows for carriers to share
CPNI with joint venture partners and independent contractors for the purposes of marketing
communications-related services after providing only a notice to a customer.
120
The burden is then placed
on the customer to opt-out of such sharing arrangements. If the customer does not respond, a carrier’s
sharing of customer information with these entities is allowed.
39. We find that there is a substantial need to limit the sharing of CPNI with others outside a
customer’s carrier to protect a customer’s privacy. The black market for CPNI has grown exponentially
with an increased market value placed on obtaining this data, and there is concrete evidence that the
dissemination of this private information does inflict specific and significant harm on individuals,
including harassment and the use of the data to assume a customer’s identity.
121
The reality of this private
information being disseminated is well-documented and has already resulted in irrevocable damage to
customers.
122
While there are safeguards in our current rules for sharing CPNI with joint venture partners
(...continued from previous page)
experience increased attempts to obtain CPNI through hacking or similar measures, we would expect all carriers to
revisit whether encryption of CPNI databases would satisfy their obligation to take reasonable steps to protect CPNI
databases from unauthorized third-party access.
117
We do not believe that this minor change to our rules will have a major effect on carriers because many carriers
already do not disclose CPNI to third parties. See, e.g., CTIA Comments at 12 (noting that most wireless carriers do
not disclose CPNI to third parties or use it outside of a total service approach); US Cellular Reply at 2 (stating that it
does not share CPNI other than in accordance with the total service approach). Additionally, we note that this opt-in
regime does not in any way affect a carrier’s permitted use of CPNI enumerated in section 222(d). 47 U.S.C. §
222(d).
118
See Third Report and Order, 17 FCC Rcd at 14875-75, para. 33; see also, e.g., Joint Commenters Comments at
16 (stating that they do not dispute that the Commission has a substantial interest in protecting privacy).
119
See Notice, 21 FCC Rcd at 1788, para. 12.
120
See 47 C.F.R. § 64.2007(b)(1); see also, e.g., NASUCA Comments at 9 (arguing that with an opt-out policy
“there is no assurance that any implied consent would be truly informed”).
121
See, e.g., supra para. 12 and accompanying notes; Telephone Records and Privacy Protection Act of 2006, H.R.
4709, 109th Cong. (2d Sess. 2006).
122
See, e.g., supra para. 12 and accompanying notes.
Federal Communications Commission FCC 07-22
23
and independent contractors,
123
we believe that these safeguards do not adequately protect a customer’s
CPNI in today’s environment. Specifically, we find that once the CPNI is shared with a joint venture
partner or independent contractor, the carrier no longer has control over it and thus the potential for loss
of this data is heightened.
124
We find that a carrier’s section 222 duty to protect CPNI extends to
situations where a carrier shares CPNI with its joint venture partners and independent contractors.
However, because a carrier is no longer in a position to personally protect the CPNI once it is shared
and section 222’s duties may not extend to joint venture partners or independent contractors themselves in
all cases we find that this sharing of data, while still permitted, warrants a requirement of express prior
customer authorization.
125
40. We agree with commenters that argue that the current opt-out notices allowing carriers to
share information with joint venture partners and independent contractors are often vague and not
comprehensible to an average customer.
126
Further, we find that many consumer studies on opt-out
regimes also reflect this consumer confusion.
127
We do not believe that simply modifying our existing
opt-out notice requirements will alleviate these concerns because opt-out notices do not involve a
customer actually authorizing the sharing of CPNI in the first instance, but rather leave it to the carrier to
decide whether to share it after sending a notice to a customer, which a customer may or may not have
read.
128
While many customers accept and understand that carriers will share their information with
affiliates and agents as provided in our existing opt-out rules there is less customer willingness for
their information to be shared without their express authorization with others outside the carrier-customer
relationship.
129
41. We disagree with commenters that assert that an opt-in approach will not serve to remedy the
concerns raised in this proceeding.
130
The Attorneys General note that since February 2005, security
breaches have resulted in the personal information of over 54 million Americans being compromised.
131
With the growing interest in obtaining customer CPNI and the resulting increase in the number of security
breaches, carriers must be more vigilant in protecting a customer’s CPNI from unauthorized disclosure.
132
123
47 C.F.R. § 64.2007(b)(2).
124
See, e.g., MoPSC Comments at 4 (asserting that there is a lack of control over third-party recipients of CPNI).
125
See 47 U.S.C. § 222.
126
See, e.g., EPIC et al. Comments at 7; MoPSC Comments at 5.
127
See Attorneys General Comments at 6 (noting studies surrounding Gramm-Leach-Bliley Act, including a study
by Harris Interactive, Inc.); MoPSC Comments at 5 (noting that during the state’s rulemaking on CPNI protections,
it found that the concept of opt-out was not understandable to the average consumer).
128
See, e.g., Attorneys General Comments at 6 (arguing that most customers are unlikely to read opt-out notices and
therefore not know that they are giving affirmative consent to share their information); NASUCA Comments at 9
(believing that customers might not read CPNI notices and thus they are unaware that they might need to take
affirmative action to prevent the sharing of their personal information).
129
See, e.g., EPIC et al. Comments at 9-10 (pointing to a series of studies finding that consumers support opt-in
privacy policies generally); NASUCA Comments at 9 (arguing that opt-in approval better protects a customer’s
privacy and gives the customer more control over the sharing of their personal information); Privacy Rights
Comments at 4 (arguing that only opt-in consent provides adequate privacy protection).
130
See, e.g., Alltel Comments at 3-4; AT&T Comments at 17-19; Cingular Comments at 14; CTIA Comments at 12;
Joint Commenters Comments at 12; TWTC Comments at 16; Verizon Comments at 22-26; Verizon Wireless
Comments at 10; DMA Reply at 1-2.
131
Attorneys General Comments at 7-9 (noting that there are over 152 major security breaches reported since
February 2005 resulting in the loss of information to at least 54 million Americans).
132
See 47 U.S.C. § 222; see also supra note 121.
Federal Communications Commission FCC 07-22
24
It stands to reason that placing customers’ personal data in the hands of companies outside the carrier-
customer relationship places customers at increased risk, not only of inappropriate handling of the
information, but also of innocent mishandling or loss of control over it. Further, we find that an opt-in
regime will clarify carriers’ information sharing practices because it will force carriers to provide clear
and comprehensible notices to their customers in order to gain their express authorization to engage in
such activity.
42. We also disagree with commenters that argue that the current opt-out approach is sufficient,
and that in the event of a breach, a carrier can terminate its relationship with the joint venture partner or
independent contractor, or that the Commission can simply deal with the situation through an
enforcement proceeding.
133
We find that in the event of a breach of CPNI security, the damage is already
inflicted upon the customer. We also find that the carrier cannot simply rectify the situation by
terminating its agreement nor can the Commission completely alleviate a customer’s concerns about the
privacy invasion through an enforcement proceeding.
134
43. This minor modification of our rules seeks to narrow the number of avenues available for an
unauthorized disclosure of CPNI without eliminating a carrier’s ability to share CPNI with its joint
venture partners and independent contractors under certain circumstances. We disagree that an opt-in
regime’s costs outweigh the benefits to customers.
135
While we appreciate commenter concern that
carriers may need to engage in broader marketing campaigns for their services as a result of an opt-in
regime, we believe that this cost is outweighed by the carriers’ duty to protect their customers’ private
information, and more importantly, customers’ interest in maintaining control over their private
information.
136
Thus, we believe that an opt-in regime is the least restrictive means to ensure that a
customer has control over its private information and is not subjected to permanent harm as a result of a
carrier’s disclosure of CPNI to one of its joint venture partners or independent contractors.
137
44. We disagree with commenters who assert that an opt-in regime for disclosures to joint
venture partners and independent contractors fails the Central Hudson test
138
for the regulation of
commercial speech.
139
We recognize that more than seven years ago, in U.S. West, Inc. v. FCC, the
United States Court of Appeals for the Tenth Circuit held that the Commission had failed, based on the
record in that proceeding, to satisfy its burden of showing that an opt-in rule passed the Central Hudson
test.
140
That decision, however, was based on a different record than the one compiled here and, in
133
See, e.g., Cingular Comments at 14; COMPTEL Comments at 4.
134
We note that while our enforcement actions may act as a deterrent to a carrier’s unauthorized use of CPNI, they
cannot undo the harm to a customer after a breach.
135
See, e.g., BellSouth Comments at 26-27.
136
Compare Verizon Comments at 26 with 47 U.S.C. § 222.
137
We note that this minor modification to our rules does not affect the opt-out regime for intra-company use of
CPNI beyond the total service approach, or the disclosure of CPNI to a carrier’s agents or affiliates that provide
communications-related services.
138
Central Hudson, 447 U.S. at 564-65. The Central Hudson test provides that if the commercial speech concerns
lawful activity and is not misleading, the government may restrict the speech only if it (1) “has a substantial state
interest in regulating the speech, (2) the regulation directly and materially advances that interest, and (3) the
regulation is no more extensive than necessary to serve the interest.” Central Hudson, 447 U.S. at 564-65.
139
See, e.g., BellSouth Comments at 27; Joint Commenters Comments at 14-16; TWTC Comments at 16-17;
Verizon Comments at 23-25; Verizon Wireless Comments at 11-12; BellSouth Reply at 3-9; Charter Reply at 3-14;
Verizon Reply at 2-8.
140
U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999).
Federal Communications Commission FCC 07-22
25
particular, on two premises that are no longer valid. First, the Tenth Circuit concluded that there was no
evidence showing harm to privacy interests from unauthorized disclosure of CPNI. “While protecting
against disclosure of sensitive and potentially embarrassing personal information may be important in the
abstract, we have no indication of how it may occur in reality with respect to CPNI. Indeed, we do not
even have indication that the disclosure might actually occur.”
141
The record in this proceeding, by
contrast, is replete with specific examples of unauthorized disclosure of CPNI and the adverse effects of
such disclosures on customers.
142
Indeed, in the Telephone Records and Privacy Protection Act of 2006,
Congress recently found that unauthorized disclosure of telephone records is a problem that “not only
assaults individual privacy but, in some instances, may further acts of domestic violence or stalking,
compromise the personal safety of law enforcement officers, their families, victims of crime, witnesses, or
confidential informants, and undermine the integrity of law enforcement investigations.”
143
Second, the
Tenth Circuit in U.S. West concluded that the record “d[id] not adequately show that an opt-out strategy
would not sufficiently protect customer privacy.”
144
In this proceeding, however, substantial evidence
shows that the current opt-out rules do not adequately protect customer privacy because most customers
either do not read or do not understand carriers’ opt-out notices.
145
For example, the National Association
of Attorneys General cites to “studies [that] serve as confirmation of what common sense tells us: that in
this harried country of multitaskers, most consumers are unlikely to read extra notices that arrived in
today’s or last week’s mail and thus, will not understand that failure to act will be treated as an
affirmative consent to share his or her information.”
146
45. We find, based on the record in this proceeding, that requiring carriers to obtain opt-in
consent from customers before sharing CPNI with joint venture partners and independent contractors for
marketing purposes satisfies the Central Hudson test. Specifically, we find that: (1) unauthorized
disclosure of CPNI is a serious and growing problem; (2) the government has a substantial interest in
preventing unauthorized disclosure of CPNI because such disclosure can have significant adverse
consequences for privacy and safety;
147
(3) the more independent entities that possess CPNI, the greater
the danger of unauthorized disclosure; (4) an opt-in regime directly and materially advances privacy and
safety interests by giving customers direct control over the distribution of their private information
outside the carrier-customer relationship; and (5) an opt-in regime is not more extensive than necessary to
protect privacy and safety interests because opt-out rules, the alternative cited by the Tenth Circuit in U.S.
West, Inc. v. FCC, do not adequately secure customers’ consent for carriers to share CPNI with
unaffiliated entities. In short, given the undisputed evidence demonstrating that unauthorized disclosures
of CPNI constitute a serious and prevalent problem in the United States today, we believe that carriers
should be required to obtain a customer’s explicit consent before sending such sensitive information
outside of the company for marketing purposes. In light of the serious damage that unauthorized CPNI
disclosures can cause, it is important that individual consumers determine if they want to bear the
increased risk associated with sharing CPNI with independent contractors and joint venture partners, and
the only way to ensure that a consumer is willingly bearing that risk is to require opt-in consent. In this
vein, we note that most United States privacy laws, such as the Family Educational Rights and Privacy
Act, Cable Communications Policy Act, Electronic Communications Privacy Act, Video Privacy
141
Id. at 1237.
142
See supra para. 10 and accompanying notes; see also, e.g., Attorneys General Comments at 1-4; NASUCA Reply
at 12.
143
Telephone Records and Privacy Protection Act of 2006, Pub. L. No. 109-476, 120 Stat. 3568, § 2(5) (2007).
144
U.S. West, Inc. v. FCC, 182 F.3d at 1239.
145
See supra para. 36 & nn.124-25.
146
Attorneys General Comments at 6.
147
See also U.S. West, Inc. v. FCC, 182 F.3d at 1236.
Federal Communications Commission FCC 07-22
26
Protection Act, Driver’s Privacy Protection Act, and Children’s Online Privacy Protection Act, do not
employ an opt-out approach but rather require an individual’s explicit consent before private information
is disclosed or employed for secondary purposes.
148
46. We disagree with commenters who contend that requiring carriers to obtain opt-in consent
from customers before sharing CPNI is unnecessary because, they claim, there is no evidence that data
brokers have obtained CPNI from carriers’ joint venture partners and independent contractors.
149
While
it is true that the record does not include specific examples of unauthorized disclosure of CPNI by a joint
venture partner or independent contractor, that does not mean unauthorized disclosure has not occurred or
will not occur in the future. We see no reason why joint venture partners and independent contractors
would be immune from this widespread problem. While carriers argue that pretexters do not focus their
efforts on independent contractors and joint venture partners, we disagree with commenters who suggest
that the governmental interests at stake in this proceeding are limited to the prevention of pretexting.
150
The rules we are adopting are designed to curtail all forms of unauthorized disclosure of CPNI, not just
pretexting. Unauthorized disclosure of CPNI by any method invades the privacy of unsuspecting
consumers and increases the risk of identity theft, harassment, stalking, and other threats to personal
safety.
151
In this proceeding, commenters have identified at least two other common forms of
unauthorized disclosure of CPNI: computer intrusion and disclosure by insiders.
152
Indeed, evidence in
the record suggests that 50-70% of cases of identity theft arise from wrongful conduct by insiders.
153
The
record further demonstrates that information security breaches are on the rise in this country, and it is
axiomatic that the more companies that have access to CPNI, the greater the risk of unauthorized
disclosure through disclosure by insiders or computer intrusion.
154
Thus, by sharing CPNI with joint
venture partners and independent contractors, it is clear that carriers increase the odds of wrongful
disclosure of this sensitive information, and before the chances of unauthorized disclosure are increased, a
customer’s explicit consent should be required. In any event, returning to the issue of pretexting, we also
reject the argument that pretexters do not attempt to obtain CPNI from independent contractors and joint
148
EPIC et al. Comments at 9. Moreover, Verizon contends that consumers have found “the mechanics of the opt-in
regime . . . confusing” and have been reluctant to use opt-in, that is based on its experiences following the
Commission’s 2001 Clarification Order. See Verizon Jan. 29 Ex Parte Letter, Verses Decl. at para. 16. We note,
however, that in the intervening years the use of opt-in approval methods appear to have become increasingly
common, such as in the mobile wireless context, and thus we do not find Verizon’s past experiences persuasive.
See, e.g., The Mobile Revolution Will Be Advertised, Wireless Business Forecast, 2006 WLNR 4911016 (Mar. 23,
2006) (discussing the use of opt-in approval processes in mobile wireless marketing); Betsy Spethmann, Next-Tech.,
Promo, 2005 WLNR 10551271 (July 1, 2005) (discussing the use of an opt-in approval process by Verizon
Wireless).
149
See Verizon Jan. 29, 2007 Ex Parte Letter at 3; Letter from William Maher, Jr., Counsel for T-Mobile USA, Inc.
to Marlene Dortch, Secretary, FCC, CC Docket No. 96-115 at 3 (filed Jan. 25, 2007) (T-Mobile Jan. 25 Ex Parte
Letter); Letter from Kathryn Marie Krause, Qwest, to Marlene Dortch, Secretary, FCC, CC Docket No. 96-115 at 3
(filed Jan. 18, 2007) (Qwest Jan. 18, 2007 Ex Parte Letter).
150
See Verizon Jan. 29, 2007 Ex Parte Letter at 20-22; Letter from Kent Nakamura, Vice President and Chief
Privacy Officer, Sprint Nextel, to Marlene Dortch, Secretary, FCC, CC Docket No. 96-115 at 1 (filed Jan. 26, 2007)
Sprint Nextel Jan. 26, 2007 Ex Parte Letter); Letter from James Jenkins, Vice President, United States Cellular
Corp., to Marlene Dortch, Secretary, FCC, CC Docket No. 96-115 at 1 (filed Feb. 5, 2007); T-Mobile Jan. 25, 2007
Ex Parte Letter at 3; Qwest Jan. 18, 2007 Ex Parte Letter at 3; Letter from Anisa Latif, AT&T, to Marlene Dortch,
Secretary, FCC, CC Docket No. 96-115 at 1 (filed Jan. 17, 2007).
151
See Telephone Records and Privacy Protection Act of 2006, § 2; NASUCA Reply at 12.
152
See Attorneys General Comments at 3; EPIC Comments at 5; NASUCA Reply at 11.
153
EPIC Comments at 6.
154
See, e.g., EPIC Comments at 6; NASUCA Reply at 15.
Federal Communications Commission FCC 07-22
27
venture partners. Indeed, Sprint admits that “pretexters persist without regard to the status of any carrier
representative (whether an employee, a joint venture partner, or an independent contractor).”
155
To be
sure, certain carriers claim that they do not provide the type of CPNI to joint venture partners and
independent contractors that are attractive to pretexters. But even assuming this to be true for the
moment, this does not appear to be the case across the entire industry.
47. Carriers also argue that there are more narrowly tailored alternatives to requiring opt-in
consent for disclosures of CPNI to independent contractors and joint venture partners. First, Verizon
suggests that the Commission could mandate password protection of call detail information.
156
While we
agree that this is a good idea and adopt it in this Order,
157
this step is plainly insufficient by itself to
address all of the legitimate privacy concerns at issue in this proceeding. Such a step, for example, would
do nothing to protect the unauthorized disclosure of call detail information in the possession of
independent contractors and joint venture partners by insiders or computer intrusion, let alone the
unauthorized disclosure of other forms of CPNI.
48. Second, Verizon argues that it would be sufficient to adopt an opt-in regime only for call
detail information shared with independent contractors and joint venture partners.
158
We likewise
conclude that this alternative would be inadequate. While we recognize that unauthorized disclosure of
call detail information is a significant problem, all CPNI constitutes sensitive information that is protected
under the Communications Act and our rules.
159
Moreover, we note that Congress did not distinguish
between call detail and non-call detail information in the Telephone Records and Privacy Protection Act
of 2006.
160
Verizon’s premise that non-call detail information is not sufficiently sensitive to warrant an
opt-in requirement is therefore incorrect. For example, information about a customer’s calling plan may
be highly sensitive. T-Mobile currently offers a “myFaves” plan that allows customers to make unlimited
calls to five “myFaves” contacts for a flat monthly charge, and Alltel offers a similar calling plan (the My
Circle Plan) that allows for unlimited calls to ten contacts.
161
While the identity of such contacts would
not constitute call detail information, such information is no doubt highly personal and would be of
significant interest to those seeking to invade another’s privacy. As a result, we believe that carriers
should be required to obtain a customer’s explicit consent before such information is shared with
independent contractors or joint venture partners and thus placed at greater risk of unauthorized
disclosure.
49. Finally, carriers suggest that the Commission could mandate that carriers sharing CPNI with
joint venture partners and independent contractors implement additional contractual safeguards.
162
We
again conclude that this alternative would not adequately vindicate our interest in protecting consumers’
155
See Sprint Nextel Jan. 26, 2007 Ex Parte Letter at 1.
156
Verizon Jan. 29, 2007 Ex Parte Letter at 22, 26.
157
See supra paras. 11, 13-15, 18-20.
158
Verizon Jan. 29, 2007 Ex Parte Letter at 22, 26.
159
See 47 U.S.C. § 222(a); 47 C.F.R. § 64.2007(b)(3).
160
See 18 U.S.C. § 1039 (prohibiting the sale, transfer, purchase or receipt of “confidential phone records
information” as defined in subsection (h)(1)).
161
See http://www.t-mobile.com/shop/plans/detail.aspx?id=9d4cbda1-c54e-496c-b11f-d8b6da5798b9 (describing a
myFaves plan); http://www.alltelcircle.com/about.php (comparing my circle plan to competitors offerings). Under
these plans, the telephone numbers of favorite contacts are CPNI because they relate to the service to which the
customer subscribes. See 47 U.S.C. § 222(h)(1)(A).
162
See, e.g., Letter from Kent Nakamura, Vice President and Chief Privacy Officer, Sprint Nextel, to Marlene
Dortch, Secretary, FCC, CC Docket No. 96-115 at 1 (filed Jan. 22, 2007).
Federal Communications Commission FCC 07-22
28
privacy. Further contractual safeguards would not change the fact that the risk of unauthorized CPNI
disclosures increases when such information is provided by a carrier to a joint venture partner or
independent contractor. Indeed, in light of the record developed in this proceeding, it is quite apparent
that safeguards implemented by carriers themselves often fail to prevent unauthorized disclosures of
CPNI.
163
It is for this reason that we believe that a carrier should be required to obtain explicit consent
from its customer before that customer’s CPNI is sent outside of the company for marketing purposes.
50. Grandfathering of Previously Obtained CPNI Approvals. To the extent that carriers
voluntarily obtained opt-in approval from their customers for the disclosure of customers’ CPNI to a joint
venture partner or independent contractor for the purposes of marketing communications-related services
to a customer prior to the adoption of this Order, those carriers can continue to use those approvals.
E. Annual Certification Filing
51. We adopt the Commission’s tentative conclusion and amend our rules to require carriers to
file their annual CPNI certification with the Commission, including an explanation of any actions taken
against data brokers and a summary of all customer complaints received in the past year concerning the
unauthorized release of CPNI.
164
We find that this amendment to the Commissions rules is an
appropriate measure and will ensure that carriers regularly focus their attention on their duty to safeguard
CPNI. Additionally, we find that this modification to our rules will remind carriers of the Commissions
oversight and high priority regarding carrier performance in this area. Further, with this filing, the
Commission will be better able to monitor the industrys response to CPNI privacy issues and to take any
necessary steps to ensure that carriers are managing customer CPNI securely.
165
52. Under the Commissions existing CPNI regulations, each telecommunications carrier must
have an officer, as an agent of the carrier, sign a compliance certificate on an annual basis stating that the
officer has personal knowledge that the company has established operating procedures that are adequate
to ensure compliance with the Commissions CPNI rules and to make that certification available to the
public.
166
While carriers currently are required to certify annually that their operating procedures are
163
See, e.g., NASUCA Reply at 20.
164
See Notice, 21 FCC Rcd at 1793, para. 29. By the term “any action,” we mean that carriers should report on
proceedings instituted or petitions filed by a carrier at either state commissions, the court system, or at the
Commission against data brokers. For the summary of customer complaints, carriers must report on the number of
customer complaints a carrier has received related to unauthorized access to CPNI, or unauthorized disclosure of
CPNI, broken down by category of complaint, e.g., instances of improper access by employees, instances of
improper disclosure to individuals not authorized to receive the information, or instances of improper access to
online information by individuals not authorized to view the information. Additionally, carriers must report on any
information that they have with respect to the processes pretexters are using to attempt to access CPNI, and what
steps carriers are taking to protect CPNI.
165
See, e.g., AT&T Comments at 14 (noting that the Commission could “reasonably conclude” that carriers should
annually filing their certifications with the Commission to enable the Commission to more effectively monitor CPNI
security measures). For this reason, we disagree with commenters that believe that the certification should not be
filed with the Commission. See, e.g., RCA Comments at 5 (arguing that the annual filing of the certification with an
explanation of the carrier’s actions against data brokers and a summary of the CPNI-related consumer complaints is
unjustified).
166
See 47 C.F.R. § 64.2009(e); see also CPNI Order, 13 FCC Rcd 8061, 8199, para. 201 (1998) (requiring the
annual certification to be made publicly available). As a reminder, the existing rules require the certification to be
executed by an officer of the carrier. The officer of the carrier must state in the certification that he or she has
“personal knowledge” that the carrier has established procedures adequate to ensure compliance with the
Commission’s CPNI rules. Further, the carrier must also provide an accompanying statement explaining how the
carrier’s procedures ensure that the carrier is or is not in compliance with the requirements set forth in sections
64.2100 through 64.2900 of the Commission’s rules. For example, the carrier may explain the training its
(continued....)
Federal Communications Commission FCC 07-22
29
adequate to ensure compliance with the Commissions CPNI rules, the failure of carriers to make this
annual certification in their own public file, and the evidence EPIC introduced into the record regarding
the industry-wide problem of pretexting, suggests that certain carriers have been less than vigilant
concerning the safeguarding of CPNI.
167
53. We find that carriers should be required to make this filing annually with the Enforcement
Bureau on, or before, March 1, in EB Docket No. 06-36, for data pertaining to the previous calendar
year.
168
We believe that this deadline will provide carriers with ample opportunity to review their own
CPNI protection programs and ensure the adequacy of their defenses against fraudulent attempts to access
customersprivate data.
169
Further, this deadline will allow carriers sufficient time to review their filings
without the certification being overshadowed by other annual filing requirements.
F. Extension of CPNI Requirements to Providers of Interconnected VoIP Service
54. We extend the application of the Commission’s CPNI rules to providers of interconnected
VoIP service.
170
In the IP-Enabled Services Notice and the EPIC CPNI Notice, the Commission sought
(...continued from previous page)
employees receive regarding protection of CPNI, the disciplinary process applicable to improper disclosure of
CPNI, the process used to ensure that opt-out elections are recorded and followed, and other measures relevant to
demonstrating compliance with the CPNI rules. Finally, we remind carriers that the certification is required even if
the carrier does not use CPNI for marketing purposes, as the obligation to protect CPNI from improper disclosure
exists regardless of whether the carrier uses it for marketing purposes.
167
See, e.g., Alltel Corporation Apparent Liability for Forfeiture, Notice of Apparent Liability for Forfeiture, 21
FCC Rcd 746 (2006); AT&T Inc. Apparent Liability for Forfeiture, Notice of Apparent Liability for Forfeiture, 21
FCC Rcd 751 (2006); Cbeyond Communications, LLC Apparent Liability for Forfeiture, Notice of Apparent
Liability for Forfeiture, 21 FCC Rcd 4316 (2006). Because carriers currently are required to make such a
certification, requiring that this filing be made to the Commission will be minimally burdensome to the industry.
See, e.g., AT&T Comments at 14; Cingular Comments at 17; CTIA Comments at 2-3; Kim Comments at 11;
OPASTCO Comments at 2, 8-9; Verizon Comments at 9; Verizon Wireless Comments at 19; MetroPCS Reply at
18. The additional information required by the expanded reporting obligation should not require carriers to make
significant changes to their procedures, and some carriers report that they already keep track of CPNI-related
complaints and actions taken against data brokers. See, e.g., Kim Comments at 11; Phan Comments at 6; Verizon
Comments at 9; Verizon Wireless Comments at 19. We disagree with commenters who assert that such a filing
requirement will disadvantage small and regional carriers. We are equally concerned about the privacy of customers
of small and regional carriers as we are about the privacy of customers of larger carriers and find that the benefits of
customer privacy protection are significantly outweighed by a carrier’s costs to implement these CPNI rules. See,
e.g., EWA Comments at 5; MetroPCS Reply at 18. We recognize carrier concerns about providing a roadmap for
pretexters with this annual filing, and thus we will allow carriers to submit their certifications confidentially with the
Commission. See, e.g., AT&T Comments at 15; Cingular Comments at 16-17; CTIA Comments at 9-10; Phan
Comments at 15. Carriers should supply the Commission with redacted and non-redacted versions of their filings.
A carrier may only redact specific data about its actual security procedures and actual complaints in its filing. A
carrier may not redact summary data about the number or type of customer complaints or other aggregate or general
data because we believe it is in the public’s interest to have access to such data when selecting a service provider.
Members of the public will have the opportunity to review redacted filings and bring to the attention of the
Commission any potential violations or concerns identified in those filings.
168
See, e.g., Joint Commenters Reply at 9 (requesting a date certain for this annual filing for administrative
convenience).
169
See, e.g., AT&T Comments at 15; Cingular Comments at 17; T-Mobile Comments at 13; Verizon Comments
at 9.
170
The Commission defines “interconnected VoIP service” as “a service that: (1) enables real-time, two-way voice
communications; (2) requires a broadband connection from the user’s location; (3) requires Internet protocol-
compatible customer premises equipment (CPE); and (4) permits users generally to receive calls that originate on
(continued....)
Federal Communications Commission FCC 07-22
30
comment on whether to extend the CPNI requirements to VoIP service providers.
171
Since we have not
decided whether interconnected VoIP services are telecommunications services or information services as
those terms are defined in the Act, nor do we do so today,
172
we analyze the issues addressed in this Order
under our Title I ancillary jurisdiction to encompass both types of service.
173
If the Commission later
classifies interconnected VoIP service as a telecommunications service, the providers of interconnected
VoIP services would be subject to the requirements of section 222 and the Commission’s CPNI rules as
telecommunications carriers under Title II.
174
55. We conclude that we have authority under Title I of the Act to impose CPNI requirements on
providers of interconnected VoIP service. Ancillary jurisdiction may be employed, in the Commission’s
discretion, when Title I of the Act gives the Commission subject matter jurisdiction over the service to be
regulated
175
and the assertion of jurisdiction is “reasonably ancillary to the effective performance of [its]
(...continued from previous page)
the public switched telephone network and to terminate calls to the public switched telephone network.” 47 C.F.R.
§ 9.3; see also IP-Enabled Services; E911 Requirements for IP-Enabled Service Providers, First Report and Order
and Notice of Proposed Rulemaking, 20 FCC Rcd 10245, 10257-57, para. 24 (2005) (VoIP 911 Order), aff’d, Nuvio
Corp. v. FCC, No. 473 F.3d 302 (D.C. Cir. 2006). We emphasize that interconnected VoIP service offers the
capability for users to receive calls from and terminate calls to the PSTN; the obligations we establish apply to all
VoIP communications made using an interconnected VoIP service, even those that do not involve the PSTN. See,
e.g., VoIP 911 Order, 20 FCC Rcd at 10257-58, para. 24. As we have in the past, we limit our extension of the rules
to interconnected VoIP service providers because we continue to believe that consumers have a reasonable
expectation that such services are replacements for “regular telephone” service. See, e.g., id. at 10256, para. 23; see
also Internet Companies Comments at 22; Time Warner Comments at 13.
171
See IP-Enabled Services Notice, 19 FCC Rcd at 4910, para. 71; EPIC CPNI Notice, 21 FCC Rcd at 1793,
para. 28.
172
See 47 U.S.C. § 153(20), (46) (defining “information service” and “telecommunications service”).
173
See, e.g., VoIP 911 Order, 20 FCC Rcd at 10261-65, paras. 26-32. We therefore disagree with commenters that
we do not have statutory authority to extend the CPNI requirements to interconnected VoIP service providers. See,
e.g., Charter Comments at 36-37; Internet Companies Comments at 17-22.
174
47 U.S.C. § 222.
175
See United States v. Southwestern Cable Co., 392 U.S. 157, 177-78 (1968) (Southwestern Cable). Southwestern
Cable, the lead case on the ancillary jurisdiction doctrine, upheld certain regulations applied to cable television
systems at a time before the Commission had an express congressional grant of regulatory authority over that
medium. See id. at 170-71. In Midwest Video I, the Supreme Court expanded upon its holding in Southwestern
Cable. The plurality stated that “the critical question in this case is whether the Commission has reasonably
determined that its origination rule will ‘further the achievement of long-established regulatory goals in the field of
television broadcasting by increasing the number of outlets for community self-expression and augmenting the
public’s choice of programs and types of services.’” United States v. Midwest Video Corp., 406 U.S. 649, 667-68
(1972) (Midwest Video I) (quoting Amendment of Part 74, Subpart K, of the Commission’s Rules and Regulations
Relative to Community Antenna Television Systems; and Inquiry into the Development of Communications
Technology and Services to Formulate Regulatory Policy and Rulemaking and/or Legislative Proposals, Docket No.
18397, First Report and Order, 20 FCC 2d 201, 202 (1969) (CATV First Report and Order)). The Court later
restricted the scope of Midwest Video I by finding that if the basis for jurisdiction over cable is that the authority is
ancillary to the regulation of broadcasting, the cable regulation cannot be antithetical to a basic regulatory parameter
established for broadcast. See FCC v. Midwest Video Corp., 440 U.S. 689, 700 (1979) (Midwest Video II); see also
American Library Ass’n v. FCC, 406 F.3d 689 (D.C. Cir. 2005) (holding that the Commission lacked authority to
impose broadcast content redistribution rules on equipment manufacturers using ancillary jurisdiction because the
equipment at issue was not subject to the Commission’s subject matter jurisdiction over wire and radio
communications).
Federal Communications Commission FCC 07-22
31
various responsibilities.”
176
Both predicates for ancillary jurisdiction are satisfied here. First, as we
concluded in the Interim USF Order and VoIP 911 Order, interconnected VoIP services fall within the
subject matter jurisdiction granted to us in the Act.
177
Second, our analysis requires us to evaluate
whether imposing CPNI obligations is reasonably ancillary to the effective performance of the
Commission’s various responsibilities. Based on the record in this matter, we find that sections 222 and 1
of the Act provide the requisite nexus, with additional support from section 706.
56. Section 222 requires telecommunications carriers to protect the confidentiality of CPNI, and
the Commission has adopted detailed regulations to help clarify this duty.
178
The Commission already
has determined that interconnected VoIP service “is increasingly used to replace analog voice service” a
trend that we expect will continue.
179
It therefore seems reasonable for American consumers to expect
that their telephone calls are private irrespective of whether the call is made using the services of a
wireline carrier, a wireless carrier, or an interconnected VoIP provider, given that these services, from the
perspective of a customer making an ordinary telephone call, are virtually indistinguishable.
180
57. Moreover, extending section 222’s protections to interconnected VoIP service customers is
necessary to protect the privacy of wireline and wireless customers that place calls to or receive calls from
interconnected VoIP customers. The CPNI of interconnected VoIP customers includes call detail
information concerning all calling and called parties. Thus, by protecting from inadvertent disclosure the
CPNI of interconnected VoIP customers, the Commission will more effectively protect the privacy of
wireline and wireless service customers. We therefore find that the extension of the CPNI privacy
requirements to providers of interconnected VoIP service is reasonably ancillary to the effective
performance of the Commission’s duty to protect the CPNI of all telecommunications customers under
Title II.
58. Section 1 of the Act charges the Commission with responsibility for making available “a
rapid, efficient, Nation-wide, and world-wide wire and radio communication service . . . for the purpose
176
Southwestern Cable, 392 U.S. at 178.
177
See Universal Service Contribution Methodology; Federal-State Joint Board on Universal Service; 1998
Biennial Regulatory Review Streamlined Contributor Reporting Requirements Associated with Administration of
Telecommunications Relay Service, North American Numbering Plan, Local Number Portability, and Universal
Service Support Mechanisms; Telecommunications Services for Individuals with Hearing and Speech Disabilities,
and the Americans with Disabilities Act of 1990; Administration of the North American Numbering Plan and North
American Numbering Plan Cost Recovery Contribution Factor and Fund Size; Number Resource Optimization;
Telephone Number Portability; Truth-in-Billing and Billing Format; IP-Enabled Services, Report and Order and
Notice of Proposed Rulemaking, 21 FCC Rcd 7518, 7542, para. 47 (2006) (Interim USF Order), appeal pending,
Vonage Holdings Corp. v. FCC, No. 06-1276 (D.C. Cir. filed July 18, 2006); VoIP 911 Order, 20 FCC Rcd at
10261-62, para. 28 (“[I]nterconnected VoIP services are covered by the statutory definitions of ‘wire
communication’ and/or ‘radio communication’ because they involve ‘transmission of [voice] by aid of wire, cable,
or other like connection . . .’ and/or ‘transmission by radio . . .’ of voice. Therefore, these services come within the
scope of the Commission’s subject matter jurisdiction granted in section 2(a) of the Act.”). This determination was
not challenged in the appeal of the VoIP 911 Order. See supra note 170.
178
47 U.S.C. § 222(a), (c)(1); see also 47 C.F.R. § 64.2001 et seq.
179
See Interim USF Order, 21 FCC Rcd at 7542-43, para. 48 (citing Communications Assistance for Law
Enforcement Act and Broadband Access and Services, First Report and Order and Further Notice of Proposed
Rulemaking, 20 FCC Rcd 14989, 15009-10, para. 42 (2005), aff’d, American Council on Education v. FCC, 451
F.3d 226 (D.C. Cir. 2006)); see also Attorneys General Comments at 11 (arguing that VoIP customers have the
same privacy concerns as wireline and wireless customers).
180
To be clear, a service offering is “interconnected VoIP” if it offers the capability for users to receive calls from
and terminate calls to the PSTN regardless of whether access to the PSTN is directly through the interconnected
VoIP provider or through arrangements with a third party.
Federal Communications Commission FCC 07-22
32
of promoting safety of life and property through the use of wire and radio communication.”
181
In light of
this statutory mandate in conjunction with the recent real-life implications of the unauthorized release of
CPNI, protecting a consumer’s private information continues to be one of the Commission’s public safety
responsibilities.
182
If we failed to exercise our responsibilities under sections 222 and 1 of the Act with
respect to customers of interconnected VoIP service, a significant number of American consumers might
suffer a loss of privacy and/or safety resulting from unauthorized disclosure of their CPNI and be
harmed by this loss. Therefore, we believe that extending the CPNI obligations to interconnected VoIP
service providers is “reasonably ancillary to the effective performance of [our] responsibilities”
183
under
sections 222 and 1 of the Act, and “will ‘further the achievement of long-established regulatory goals’”
184
to protect the confidentiality of CPNI.
185
59. We also are guided by section 706 of the Act, which, among other things, directs the
Commission to encourage the deployment of advanced telecommunications capability to all Americans
by using measures that “promote competition in the local telecommunications market.”
186
The protection
of CPNI may spur consumer demand for interconnected VoIP services, in turn driving demand for
broadband connections, and consequently encouraging more broadband investment and deployment
consistent with the goals of section 706.
187
Thus, pursuant to our ancillary jurisdiction, we extend the
CPNI obligations to providers of interconnected VoIP services.
188
181
47 U.S.C. § 151 (emphasis added).
182
See 47 U.S.C. § 222; EPIC Petition at 5-10.
183
Southwestern Cable, 392 U.S. at 178.
184
Midwest Video I, 406 U.S. at 667-68 (quoting CATV First Report and Order, 20 FCC 2d at 202).
185
See, e.g., AARP Comments at 2 (WC Docket No. 04-36); Arizona Commission Comments at 15-16 (WC Docket
No. 04-36); California PSC Comments at 14 (WC Docket No. 04-36); CenturyTel Comments at 22-23 (WC Docket
No. 04-36); CWA Comments at 23 (WC Docket No. 04-36); Missouri PSC Comments at 21 (WC Docket No. 04-
36); NCL Comments at 5 (WC Docket No. 04-36); New Jersey Ratepayer Advocate Comments at 39-43 (WC
Docket No. 04-36); New York Attorney General Comments at 10-11 (WC Docket No. 04-36); Ohio PUC
Comments at 37-38 (WC Docket No. 04-36); Rural Carriers Comments at 7-8 (WC Docket No. 04-36); Texas
Attorney General Comments at 20-21 (WC Docket No. 04-36); Time Warner Comments at 31-32 (WC Docket No.
04-36); DOJ Comments at 17-20 (WC Docket No. 04-36); APT Reply at 8-9 (WC Docket No. 04-36). We disagree
with commenters that argue there is no clear justification for CPNI protections, including because there is sufficient
competition for such services. See, e.g., 8x8 Comments at 29 (WC Docket No. 04-36); AT&T Comments at 41
(WC Docket No. 04-36); SBC Comments at 124-25 (WC Docket No. 04-36); ALTS Reply at 1-2 (WC Docket No.
04-36). We find on the contrary that the continuing trend toward customer use of these services as a replacement for
analog voice services in large measure justifies the extension of our rules to these services to protect consumer
privacy.
186
47 U.S.C. § 157 nt.
187
See Availability of Advanced Telecommunications Capability in the United States, Fourth Report to Congress, 20
FCC Rcd 20540, 20578 (2004) (“[S]ubscribership to broadband services will increase in the future as new
applications that require broadband access, such as VoIP, are introduced into the marketplace, and consumers
become more aware of such applications.”) (emphasis added).
188
We do not believe that our actions today are in conflict or otherwise inconsistent with any provision of the Act.
We acknowledge that section 230 of the Act provides that “[i]t is the policy of the United States to preserve the
vibrant and competitive free market that presently exists for the Internet and other interactive computer services,
unfettered by Federal or State regulation.” 47 U.S.C. § 230(b)(2). We do not believe, however, that this
congressional policy statement precludes us from extending the CPNI obligations to interconnected VoIP service
providers here. We note that the Commission’s discussion of section 230 in the Vonage Order as cautioning against
regulation was limited to “traditional common carrier economic regulations.” Vonage Holdings Corporation
Petition for Declaratory Ruling Concerning an Order of the Minnesota Public Utilities Commission, Memorandum
(continued....)
Federal Communications Commission FCC 07-22
33
G. Preemption
60. We reject commenter requests to preempt all state CPNI obligations
189
because we agree
with commenters that assert we should allow states to also create rules for protecting CPNI.
190
We
recognize that many states already have laws relating to safeguarding personal information such as
CPNI.
191
To the extent those laws do not create a conflict with federal requirements, carriers are able to
comply with federal law and state law. Should a carrier find that it is unable to comply simultaneously
with the Commission’s rules and with the laws of another jurisdiction, the carrier should bring the matter
to our attention in an appropriate petition.
192
H. Implementation
61. In light of the importance of this issue to the public interest,
193
we require that our rules
become effective within an aggressively short amount of time because of the important consumer and
public safety considerations raised by pretexting that demand near immediate action.
194
The rules we
adopt in this Order, however, are subject to approval by the Office of Management and Budget (OMB).
Thus, our rules become effective six months after the Order’s effective date or on receipt of OMB
(...continued from previous page)
Opinion and Order, 19 FCC Rcd 22404, 22426, para. 35 (2004) (Vonage Order), appeal pending, National Ass’n of
State Util. Consumer Advocates v. FCC, No. 05-71238 (9th Cir. filed Feb. 22, 2005).
189
See, e.g., Centennial Comments at 5-6; USISPA Comments at 7; Verizon Wireless Comments at 14-16; Charter
Reply at 20-21.
190
See, e.g., Ohio PUC Comments at 32; PaPUC Comments at 3-4; NASUCA Reply at 28-30.
191
See, e.g., Letter from Richard T. Ellis, Director Federal Regulatory Advocacy, Verizon, to Marlene H. Dortch,
Secretary, FCC, CC Docket No. 96-115 (filed Feb. 6, 2004) (Verizon Feb. 6 Ex Parte Letter) (expressing concern
regarding state regulations of CPNI that are inconsistent with federal CPNI rules and citing the rules of California,
Oregon and Washington). Verizon has not asked the Commission specifically to rule on whether those states’ CPNI
regulations should be preempted, and apparently obtained the preemption it sought regarding the Washington CPNI
regulations from a U.S. District Court in Washington. See id., Attach.; see also Ariz. Rev. Stat. § 40-202(C)(5)
(conferring authority on the Arizona Corporation Commission to adopt rules that “customer information, account
information and related proprietary information are confidential unless specifically waived by the customer in
writing”).
192
See, e.g., Dobson Reply at 6; Verizon Wireless Reply at 13-14. The Commission reviews petitions for
preemption of CPNI rules on a case-by-case basis. See Third Report and Order, 17 FCC Rcd at 14890-93, paras.
69, 74 (“By reviewing requests for preemption on a case-by-case basis, we will be able to make preemption
decisions based on the factual circumstances as they exist at the time and on a full and a complete record.”).
Verizon and AT&T Wireless Services filed petitions for reconsideration of the Third Report and Order regarding
preemption of state CPNI regulation. See Verizon Petition for Reconsideration (filed Oct. 21, 2002); AT&T
Wireless Services, Inc. Petition for Reconsideration (filed Oct. 21, 2002). This Order does not constitute a decision
on the merits of those petitions.
193
See, e.g., Ellen Nakashima, HP Scandal Shines Light on a Simple, Treacherous Act, WASH. POST, Sept. 19, 2006,
D1. Carriers of course may begin instituting our rules earlier to protect their customers’ CPNI.
194
See 47 C.F.R. § 1.427(b). For this reason, we reject requests for longer implementation periods. See, e.g., Letter
from Kent Y. Nakamura, Vice President and Chief Privacy Officer, Sprint Nextel Corporation, to Marlene H.
Dortch, Secretary, FCC, CC Docket No. 96-115 at 2 (filed Dec. 11, 2006); Letter from Donna Epps, Vice President
Federal Regulatory, Verizon, to Marlene H. Dortch, Secretary, FCC, CC Docket No. 96-115 at 1-4 (filed Dec. 22,
2006); Letter from Anisa A. Latif, Associate Director Federal Regulatory, AT&T, to Marlene H. Dortch, Secretary,
FCC, CC Docket No. 96-115 at 1 (filed Jan. 10, 2007); Letter from Indra Sehdev Chalk, Counsel for USTelecom, to
Marlene Dortch, Secretary, FCC, CC Docket No. 96-115 at 1 (filed Jan. 18, 2007); Letter from William F. Maher,
Counsel for T-Mobile USA, Inc., to Marlene H. Dortch, Secretary, FCC, CC Docket No. 96-115 at 4 (filed Jan. 25,
2007).
Federal Communications Commission FCC 07-22
34
approval, as required by the Paperwork Reduction Act,
195
whichever is later. We will issue a Public
Notice when OMB approval is received. For carriers satisfying the definition of a “small entity” or a
“small business concern” under the Regulatory Flexibility Act or Small Business Act,
196
we provide an
additional six months to implement the rules pertaining to the online carrier authentication
requirements.
197
62. We find that the requirements we adopt in this Order most appropriately respond to actions
by wrongdoers to obtain unauthorized access to CPNI, and carriers’ failures to adequately protect CPNI in
violation of their section 222 duty. This order balances those actions and inactions against the privacy
concerns of all Americans. By requiring carriers (including interconnected VoIP service providers) to
implement CPNI protections as a top priority, we hope to minimize the likelihood of future unauthorized
disclosures of consumer’s CPNI.
I. Enforcement
63. We take seriously the protection of customersprivate information and commit to remaining
vigilant to ensure compliance with applicable privacy laws within our jurisdiction. One way in which we
will help protect consumer privacy is through strong enforcement measures. When investigating
compliance with the rules and statutory obligations, the Commission will consider whether the carrier has
taken reasonable precautions to prevent the unauthorized disclosure of a customers CPNI. Specifically,
we hereby put carriers on notice that the Commission henceforth will infer from evidence that a pretexter
has obtained unauthorized access to a customers CPNI that the carrier did not sufficiently protect that
customers CPNI. A carrier then must demonstrate that the steps it has taken to protect CPNI from
unauthorized disclosure, including the carriers policies and procedures, are reasonable in light of the
threat posed by pretexting and the sensitivity of the customer information at issue. If the Commission
finds at the conclusion of its investigation that the carrier indeed has not taken sufficient steps adequately
to protect the privacy of CPNI, the Commission may sanction it for this oversight, including through
forfeiture.
64. We offer here additional guidance regarding the Commissions expectations that will inform
our investigations. We fully expect carriers to take every reasonable precaution to protect the
confidentiality of proprietary or personal customer information.
198
Of course, we require carriers to
implement the specific minimum requirements set forth in the Commissions rules. We further expect
195
While the recent passage of the Telephone Records and Privacy Protection Act of 2006, 18 U.S.C. § 1039, which
imposes new criminal penalties against pretexters, should reduce pretexting, we believe that our Order today is
necessary to protect customer privacy and help bring an end to the unauthorized access to CPNI. We disagree with
commenters that argue that we should allow the law to take effect and reassess the situation later because the actions
we take today go beyond the legislation to ensure the privacy of CPNI by focusing on carriers that have not
vigilantly discharged their obligations under section 222 to adequately protect CPNI. See, e.g., Dobson Comments
at 3; COMPTEL Dec. 18, 2006 Ex Parte Letter at 1.
196
The RFA generally defines the term small entityas having the same meaning as the terms small business,
small organization,and small governmental jurisdiction.5 U.S.C. § 601(6). The term “small business” has the
same meaning as the term “small business concern” under the Small Business Act. 5 U.S.C. § 601(3) (incorporating
by reference the definition of small business concernin the Small Business Act, 15 U.S.C. § 632). Pursuant to 5
U.S.C. § 601(3), the statutory definition of a small business applies unless an agency, after consultation with the
Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one
or more definitions of such terms which are appropriate to the activities of the agency and publishes such
definitions(s) in the Federal Register.
197
We find this implementation period is reasonable for small carriers to avoid disruption and inconvenience to
consumers.
198
See 47 U.S.C. § 222(a).
Federal Communications Commission FCC 07-22
35
carriers to take additional steps to protect the privacy of CPNI to the extent such additional measures are
feasible for a particular carrier. For instance, and as discussed above, although we decline to impose audit
trail obligations on carriers at this time, we expect carriers through audits or other measures to take
reasonable measures to discover and protect against activity that is indicative of pretexting. Similarly,
although we do not specifically require carriers to encrypt their customersCPNI, we expect a carrier to
encrypt its CPNI databases if doing so would provide significant additional protection against the
unauthorized access to CPNI at a cost that is reasonable given the technology a carrier already has
implemented.
65. By adopting certain specific minimum standards regarding what measures carriers must take
to protect the privacy of CPNI, and by committing to taking resolute enforcement action to ensure that the
goals of section 222 are achieved, we believe we appropriately balance consumer privacy interests with
carriers’ interests in minimizing burdens on their customers. Our two-prong approach will (1) allow
carriers to implement whatever security measures are warranted in light of their technological choices, (2)
create a diversity of security practices that will enable market forces to improve carriers’ security
measures over time, (3) avoid creating unnecessary regulatory barriers that could impede carriers from
adapting to new threats as the methods used by data brokers evolve, and (4) alleviate commenters
concerns that specific safeguard rules could provide pretexters with a roadmapof how to obtain CPNI
without authorization. We further believe that our two-pronged approach will ensure a high level of
privacy protection for CPNI because carriers will have sufficient incentive and ability to adopt whatever
security mechanisms work best with their existing systems and procedures.
66. Carrier Safe Harbor. We decline to immunize carriers from possible sanction for disclosing
customers’ private information without appropriate authorization. Some carriers support the adoption of a
“safe harbor,” which would immunize carriers from liability for improper disclosure of CPNI if the carrier
followed certain security guidelines, such as those comparable to the Federal Trade Commission’s
(FTC’s) guidelines for the financial industry.
199
We decline to adopt this proposal because such a rule
would result in less protection of customers’ CPNI than exists under the status quo. The guidelines the
carriers propose to trigger immunity do not add meaningful protections beyond carriers’ existing
regulatory obligations.
200
Therefore, if we adopted the proposed safe harbor, carriers would receive
immunity from liability for meeting the requirements set forth in the safe harbor, even if a carrier acted
egregiously and in derogation of its general duty to protect CPNI from unauthorized release. The public
interest is better served if the Commission retains the option of taking strong enforcement measures
regarding carriers’ duties under section 222 and the Commission’s rules.
V. FURTHER NOTICE OF PROPOSED RULEMAKING
67. The Commission has a duty to ensure that, as technologies evolve, the consumer protection
objectives of the Act are maintained. Through this Further Notice of Proposed Rulemaking, we seek
comment on whether the Commission should act to expand its CPNI rules further, and whether it should
expand the consumer protections to ensure that customer information and CPNI are protected in the
context of mobile communication devices.
199
See, e.g., Cingular Comments at 31-33 (stating that the Commission should follow FTC Safeguards Rule issued
pursuant to Section 501(b) of Gramm Leach Bliley Act (15 U.S.C. §6801(b)), and should offer safe harbor
inducement to follow standards); Qwest Comments at 2-3 (arguing in favor of safe harbor procedures); AT&T
Comments at n.7 (arguing that carriers with good personnel training, audit trails, and adequate customer
authentication procedures should enjoy a safe harbor).
200
See, e.g., CTIA Comments at 13 (supporting a safe harbor for carriers that disclose account information to any
person who provides a correct password); Qwest Comments at 2-3 (urging the Commission to find that carriers are
already subject to the right balance of CPNI regulatory oversight, or alternatively pronounce guidelines that would
frame a safe harbor for a carrier incorporating those guidelines into its operating practices).
Federal Communications Commission FCC 07-22
36
A. Additional CPNI Protective Measures
68. Password Protection. In light of the rules we adopt in today’s Order and the recent
enactment of criminal penalties against pretexters, we seek comment on whether the Commission should
adopt any further carrier requirements to protect CPNI. Specifically, while we limited our rules to
password protecting call detail information for customer-initiated telephone contact, we seek comment on
whether to extend these rules to include optional or mandatory password protection for non-call detail
CPNI. Should this password protection be for all non-call detail CPNI or should it only include certain
account changes? Further, if the Commission were to adopt password protection for certain account
changes, what should that include (e.g., changes in the address of record, account plans, or billing
methods)? Would requiring these forms of password protection place an undue burden on carriers,
customers, or others, including any burdens placed on small carriers? We solicit further comment on any
other modifications to our rules that we should adopt in light of pretexting activity, and a carriers duty to
protect CPNI.
69. Audit Trails. While we did not adopt rules requiring audit trails at this time, in light of our
new rules and the recent enactment of criminal penalties against pretexters, we seek comment on whether
the Commission should adopt rules pertinent to audit trails. Are audit trails generally used by carriers to
track customer contact? We ask carriers to assess the benefits and burdens, including the burdens on
small carriers, of recording the disclosure of CPNI and customer contact. Our current record indicates
that the broad use of audit trails likely would be of limited value in ending pretexting because such a log
would record enormous amounts of data, the vast majority of it being legitimate customer inquiry.
201
Commenters also report that implementing and maintaining audit trails would be costly with little to no
corresponding benefit to the consumer.
202
However, would an audit trail assist law enforcement with its
criminal investigations against pretexters? Further, in the interim period since we sought comment on
this issue, have carriers’ reactions to audit trails changed or has the technology changed such that audit
trails are now an economically feasible option?
70. Physical Safeguards. We also seek comment on whether the Commission, in light of the
rules we adopt in this Order and the recent enactment of criminal penalties against pretexters, should
adopt rules that govern the physical transfer of CPNI among companies, such as between a carrier and its
affiliates, or the transfer of CPNI to any other third party authorized to access or maintain CPNI,
including a carriers joint venture partners and independent contractors. Specifically, we seek comment
on what physical safeguards carriers currently are using when they transfer, or allow access to, CPNI to
ensure that they maintain the security and confidentiality of CPNI?
203
We also seek comment on whether
these safeguards for the physical transfer of, or for access to, CPNI are sufficient? Further, we seek
comment on what steps the Commission should require of a carrier to protect CPNI when CPNI is being
transferred or accessed by the carrier, its affiliates, or its third parties (e.g., encryption, audit trails, logs,
etc.). Additionally, we seek comment on the benefits and burdens, including the burdens on small
carriers, of requiring carriers to physically safeguard the security and confidentiality of CPNI.
201
See, e.g., Centennial Reply at 4; CTIA Comments at 14 (stating that even in the case of pretexting, the customer
service representatives’ annotations would note that CPNI was given out at the customer’s request).
202
See, e.g., Charter Comments at 36; Dobson Comments at 6; OPATSCO Comments at 4; TWTC Comments at 14;
Verizon Comments at 13. We note that the Commission in the 1999 Reconsideration Order previously weighed the
costs and benefits of establishing audit trails and decided not to require audit trails. See 1999 Reconsideration
Order, 13 FCC Rcd at 8101-02, para. 126.
203
Commenters may request confidential treatment for the information that they submit in response to this Further
Notice if they are concerned about compromising their physical safeguard measures. See 47 C.F.R. § 0.459.
Federal Communications Commission FCC 07-22
37
71. Limiting Data Retention. We also seek comment on whether the Commission, in light of the
rules we adopt in this Order and the recent enactment of criminal penalties against pretexters, should
adopt rules that require carriers to limit data retention. If the Commission did adopt such a rule, what
should be the maximum amount of time that a carrier should be able to retain customer records?
Additionally, should all customer records be eliminated or is there a subset of customer records that are
more susceptible to abuse and should be destroyed? Also, should the Commission define exceptions
where a carrier is permitted to retain certain records (e.g., for the length of carrier-carrier or carrier-
customer disputes)? The Department of Justice argues that destruction of CPNI after a specified period
would hamper law enforcement efforts by destroying data sometimes needed for criminal and other
lawful investigations.
204
We also seek comment on whether there are any state or Commission data
retention requirements that might conflict with a carrier’s data limitation.
205
Additionally, does a
limitation on data retention enhance protection of CPNI?
206
Alternatively, should the Commission require
carriers to de-identify customer records after a certain period?
207
We seek comment on the benefits and
burdens, including the burdens on small carriers, of requiring carriers to limit their data retention or to de-
identify customer records.
B. Protection of Information Stored in Mobile Communications Devices
72. We seek comment on what steps the Commission should take, if any, to secure the privacy of
customer information stored in mobile communications devices.
208
Specifically, we seek comment on
what methods carriers currently use, if any, for erasing customer information on mobile equipment prior
to refurbishing the equipment,
209
and the extent to which carriers enable customers to permanently erase
their personal information prior to discarding the device. We also seek comment on whether the
Commission should require carriers to permanently erase, or allow customers to permanently erase,
customer information in such circumstances. Should the Commission require manufacturers to configure
wireless devices so consumers can easily and permanently delete personal information from those
devices? Further, we seek comment on the burdens, including those placed on small carriers, associated
with a Commission rule requiring carriers and manufacturers to fully expunge existing customer data
from a mobile device at the customer’s request.
204
See DOJ/DHS Comments at 3 (stating that CPNI is an invaluable investigative resource, the mandatory
destruction of which would severely impact the DOJ/DHS’s ability to protect national security and public safety).
205
See, e.g., 47 C.F.R. § 42.6 (requiring that carriers retain telephone toll records for 18 months), § 42.7
(establishing record retention requirements for documents on a carrier’s master index of records, and for documents
relevant to complaint proceedings and certain Commission inquiries and proceedings).
206
See Cingular Comments at 25-26 (reporting that Cingular’s experience is that most data brokers are focusing on
the last 100 calls made or calls within the last 90 days).
207
See, e.g., EPIC Petition at 11-12 (suggesting that carriers should “de-identify” records, that is, separate data that
identify a particular caller from the general transaction records); but see, e.g., Ohio PUC Comments at 17-18
(arguing that de-identifying records would frustrate customer’s ability to dispute billing).
208
See Letter from Governor Rod R. Blagojevich, Governor of Illinois, to Deborah Platt Majoras, Chairperson,
Federal Trade Commission, and Kevin J. Martin, Chairman, Federal Communications Commission (dated Sept. 5,
2006); see also Ted Brindis, Secrets Linger on Old Cell Phones, Houston Chronicle.com (Aug. 31, 2006) (reporting
that someone was able to retrieve a company’s plans regarding a multi-million dollar federal transportation contract,
bank account information, and passwords from discarded mobile devices).
209
Cell phones may be refurbished and provided to a different customer as a replacement for a cell phone that has
malfunctioned. The original customer’s private information may remain on the cell phone. See Andrew Brandt,
Privacy Watch: Wipe Your Cell Phone’s Memory Before Giving It Away, PC WORLD, available at
http://www.pcworld.com/printable/articl/id,124157/printable.html (Jan. 30, 2006).
Federal Communications Commission FCC 07-22
38
VI. PROCEDURAL MATTERS
A. Ex Parte Presentations
73. The rulemaking this Notice initiates shall be treated as a “permit-but-disclose” proceeding in
accordance with the Commission’s ex parte rules.
210
Persons making oral ex parte presentations are
reminded that memoranda summarizing the presentations must contain summaries of the substance of the
presentations and not merely a listing of the subjects discussed. More than a one or two sentence
description of the views and arguments presented generally is required.
211
Other requirements pertaining
to oral and written presentations are set forth in section 1.1206(b) of the Commission’s rules.
212
B. Comment Filing Procedures
74. Pursuant to sections 1.415 and 1.419 of the Commission’s rules,
213
interested parties may file
comments and reply comments regarding the Notice on or before the dates indicated on the first page of
this document. All filings related to this Further Notice of Proposed Rulemaking should refer to CC
Docket No. 96-115 and WC Docket No. 04-36. Comments may be filed using: (1) the Commission’s
Electronic Comment Filing System (ECFS), (2) the Federal Government’s eRulemaking Portal, or (3) by
filing paper copies. See Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121
(1998).
· Electronic Filers: Comments may be filed electronically using the Internet by accessing the
ECFS: http://www.fcc.gov/cgb/ecfs/ or the Federal eRulemaking Portal:
http://www.regulations.gov. Filers should follow the instructions provided on the website for
submitting comments.
· ECFS filers must transmit one electronic copy of the comments for CC Docket No.
96-115 and WC Docket No. 04-36. In completing the transmittal screen, filers should
include their full name, U.S. Postal Service mailing address, and the applicable docket
number. Parties may also submit an electronic comment by Internet e-mail. To get filing
instructions, filers should send an e-mail to [email protected], and include the following
words in the body of the message, “get form.” A sample form and directions will be sent
in response.
· Paper Filers: Parties who choose to file by paper must file an original and four copies of each
filing. Filings can be sent by hand or messenger delivery, by commercial overnight courier,
or by first-class or overnight U.S. Postal Service mail (although we continue to experience
delays in receiving U.S. Postal Service mail). All filings must be addressed to the
Commission’s Secretary, Marlene H. Dortch, Office of the Secretary, Federal
Communications Commission, 445 12th Street, S.W., Washington, D.C. 20554.
· The Commission’s contractor will receive hand-delivered or messenger-delivered paper
filings for the Commission’s Secretary at 236 Massachusetts Avenue, N.E., Suite 110,
Washington, D.C. 20002. The filing hours at this location are 8:00 a.m. to 7:00 p.m. All
hand deliveries must be held together with rubber bands or fasteners. Any envelopes
must be disposed of before entering the building.
210
47 C.F.R. §§ 1.200 et seq.
211
See 47 C.F.R. § 1.1206(b)(2).
212
47 C.F.R. § 1.1206(b).
213
47 C.F.R. §§ 1.415, 1.419.
Federal Communications Commission FCC 07-22
39
· Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority
Mail) must be sent to 9300 East Hampton Drive, Capitol Heights, MD 20743.
· U.S. Postal Service first-class, Express, and Priority mail should be addressed to 445 12th
Street, S.W., Washington D.C. 20554.
75. Parties should send a copy of their filings to Janice Myles, Competition Policy Division,
Wireline Competition Bureau, Federal Communications Commission, Room 5-C140, 445 12th Street,
S.W., Washington, D.C. 20554, or by e-mail to [email protected]. Parties shall also serve one copy
with the Commission’s copy contractor, Best Copy and Printing, Inc. (BCPI), Portals II, 445 12th Street,
S.W., Room CY-B402, Washington, D.C. 20554, (202) 488-5300, or via e-mail to [email protected].
76. Documents in CC Docket No. 96-115 and WC Docket No. 04-36 will be available for public
inspection and copying during business hours at the FCC Reference Information Center, Portals II, 445
12th Street S.W., Room CY-A257, Washington, D.C. 20554. The documents may also be purchased
from BCPI, telephone (202) 488-5300, facsimile (202) 488-5563, TTY (202) 488-5562, e-mail
[email protected].
C. Final Regulatory Flexibility Analysis
77. As required by the Regulatory Flexibility Act of 1980, see 5 U.S.C. § 604, the Commission
has prepared a Final Regulatory Flexibility Analysis (FRFA) of the possible significant economic impact
on small entities of the policies and rules addressed in this document. The FRFA is set forth in Appendix
C.
D. Initial Regulatory Flexibility Analysis
78. As required by the Regulatory Flexibility Act of 1980, see 5 U.S.C. § 603, the Commission
has prepared an Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic
impact on small entities of the policies and rules addressed in this document. The IRFA is set forth in
Appendix D. Written public comments are requested on this IRFA. Comments must be identified as
responses to the IRFA and must be filed by the deadlines for comments on the Notice provided below in
Appendix D.
E. Paperwork Reduction Act
79. This Order contains modified information collection requirements subject to the Paperwork
Reduction Act of 1995 (PRA), Public Law 104-13. It will be submitted to the Office of Management and
Budget (OMB) for review under Section 3507(d) of the PRA. OMB, the general public, and other
Federal agencies are invited to comment on the new information collection requirements contained in this
proceeding. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-
198, see 44 U.S.C. § 3506(c)(4), we previously sought specific comment on how we might further
reduce the information collection burden for small business concerns with fewer than 25 employees.
80. In the Order, we have assessed the burdens placed on small businesses to notify customers of
account changes, to notify law enforcement and customers of unauthorized CPNI disclosure; to obtain
opt-in consent prior to sharing CPNI with joint venture partners and independent contractors; to file
annually a CPNI certification with the Commission, including an explanation of any actions taken against
data brokers and a summary of all consumer complaints received in the past year concerning the
unauthorized release of CPNI, and to extend the CPNI rules to providers of interconnected VoIP services,
and find that these requirements do not place a significant burden on small businesses.
Federal Communications Commission FCC 07-22
40
81. This Further Notice contains proposed information collection requirements. The
Commission, as part of its continuing effort to reduce paperwork burdens, invited the general public and
the Office of Management and Budget (OMB) to comment on the information collection requirements
contained in this Further Notice, as required by the Paperwork Reduction Act of 1995 (PRA), Public Law
104-13. Public and agency comments are due 60 days after publication in the Federal Register.
Comments should address: (a) whether the proposed collection of information is necessary for the proper
performance of the functions of the Commission, including whether the information shall have practical
utility; (b) the accuracy of the Commission’s burden estimates; (c) ways to enhance the quality, utility,
and clarity of the information collected; and (d) ways to minimize the burden of the collection of
information on the respondents, including the use of automated collection techniques or other forms of
information technology. In addition, pursuant to the Small Business Paperwork Relief Act of 2002,
Public Law 107-198, see 44 U.S.C. § 3506(c)(4), we seek comment on how we might “further reduce the
information collection burden for small business concerns with fewer than 25 employees.”
F. Congressional Review Act
82. The Commission will send a copy of this Report and Order and Further Notice of Proposed
Rulemaking in a report to be sent to Congress and the Government Accountability Office pursuant to the
Congressional Review Act (CRA), see 5 U.S.C. § 801(a)(1)(A).
G. Accessible Formats
83. To request materials in accessible formats for people with disabilities (Braille, large print,
electronic files, audio format), send an e-mail to [email protected] or call the Consumer & Governmental
Affairs Bureau at 202-418-0530 (voice) or 202-418-0432 (TTY). Contact the FCC to request reasonable
accommodations for filing comments (accessible format documents, sign language interpreters, CART,
etc.) by e-mail: [email protected]; phone: 202-418-0530 or TTY: 202-418-0432.
VII. ORDERING CLAUSES
84. Accordingly, IT IS ORDERED that pursuant to sections 1, 4(i), 4(j), 222, and 303(r) of the
Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 154(i)-(j), 222, 303(r), this Report and
Order and Further Notice of Proposed Rulemaking in CC Docket No. 96-115 and WC Docket No. 04-36
IS ADOPTED, and that Part 64 of the Commission’s rules, 47 C.F.R. Part 64, is amended as set forth in
Appendix B. The Order shall become effective upon publication in the Federal Register subject to OMB
approval for new information collection requirements or six months after the Order’s effective date,
whichever is later.
85. IT IS FURTHER ORDERED that the Commission’s Consumer and Governmental Affairs
Bureau, Reference Information Center, SHALL SEND a copy of this Report and Order and Further
Notice of Proposed Rulemaking, including the Final Regulatory Flexibility Analysis and the Initial
Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business
Administration.
FEDERAL COMMUNICATIONS COMMISSION
Marlene H. Dortch
Secretary
Federal Communications Commission FCC 07-22
41
Appendix A
Commenters in CC Docket No. 96-115
Comments Abbreviation
Alexicon Telecommunications Consulting Alexicon
Alltel Corporation Alltel
American Association of Paging Carriers AAPC
American Cable Association ACA
AT&T Inc. AT&T
Attorneys General of the Undersigned States Attorneys General
BellSouth Corporation BellSouth
Centennial Communications Corp. Centennial
Charter Communications, Inc. Charter
Cingular Wireless LLC Cingular
COMPTEL COMPTEL
Cross Telephone Company, Cimmaron Telephone
Company, Pottawatomie Telephone Company, Chickaswa
Telephone, and Salina-Spavinaw Telephone Company
Oklahoma Carriers
Crown Castle International Corp. Crown Castle
CTIA-The Wireless Association
®
CTIA
Dobson Communications Corporation Dobson
Electronic Privacy Information Center, Consumer Action,
Privacy Rights Now Coalition, Center for Digital
Democracy, Consumer Federation of America, Privacy
Journal, Center for Financial Privacy and Human Rights,
and National Consumers League
EPIC et al.
Enterprise Wireless Alliance and the USMSS, Inc. Enterprise Wireless
Eschelon Telecom, Inc., SNIP Link Inc., and XO
Communications, Inc.
Joint Commenters
Global Crossing North America, Inc. Global Crossing
Infonxx, Inc. Infonxx
Independent Carrier Group ICG
Kim Phan Phan
Leap Wireless International, Inc. and Cricket
Communications, Inc.
Leap
McManis & Monsaive Association MMA
MetroPCS Communications, Inc. MetroPCS
Microsoft Corporation, Skype Inc. and Yahoo! Inc. Internet Companies
Myung Kim Kim
National Association of State Utility Consumer Advocates NASUCA
National Cable & Telecommunications Association NCTA
National Telecommunications Cooperative Association NTCA
New Jersey Division of the Ratepayer Advocate New Jersey Ratepayer Advocate
NextG Networks, Inc. NextG
Nicholas Leggett Leggett
Organization for the Promotion and Advancement of
Small Telecommunications Companies
OPASTCO
Pennsylvania Public Utility Commission PaPUC
Princeton University Students Princeton Students
Privacy Rights Clearinghouse Privacy Rights
Federal Communications Commission FCC 07-22
42
Public Service Commission of the State of Missouri MoPSC
Public Utilities Commission of Ohio Ohio PUC
Qwest Communications International Inc. Qwest
RNK Inc. d/b/a RNK Telecom RNK
Rural Cellular Association RCA
Sprint Nextel Corporation Sprint Nextel
TCA, Inc. Telecom Consulting Associations TCA
Texas Office of Public Utility Counsel TX OPUC
Texas Statewide Telephone Cooperative, Inc. TSTCI
The People of the State of California and the California
Public Utilities Commission
CaPUC
Time Warner Inc. Time Warner
Time Warner Telecom Inc. TWTC
T-Mobile USA, Inc. T-Mobile
United States Departments of Justice and Homeland
Security
DOJ/DHS
United States Internet Service Provider Association USISPA
United States Telecom Association USTelecom
USA Mobility, Inc. USA Mobility
US LEC Corp. US LEC
Verizon Verizon
Verizon Wireless Verizon Wireless
Reply Commenters in CC Docket No. 96-115
Reply Comments Abbreviation
AT&T Inc. AT&T
BellSouth Corporation BellSouth
Centennial Communications Corp. d/b/a Centennial
Wireless
Centennial
Charter Communications, Inc. Charter
Cingular Wireless LLC Cingular
CTIA-The Wireless Association
®
CTIA
Direct Marketing Association, Inc. DMA
Dobson Communications Corporation Dobson
Electronic Privacy Information Center EPIC
Embarq Corporation Embarq
Enterprise Wireless Alliance, together with USMSS, Inc. EWA
Eschelon Telecom, Inc., SNiP LiNK Inc., and XO
Communications, Inc.
Joint Commenters
Insite Wireless LLC Insite
MetroPCS Communications Inc. MetroPCS
National Association of State Utility Consumer Advocates NASUCA
Pennsylvania Public Utility Commission PA PUC
Rock Hill Telephone Company d/b/a Comporium
Communications, Fort Mill Telephone Company d/b/a
Comporium Communications, and Lancaster Telephone
Company d/b/a Comporium Communications
Comporium
Sprint Nextel Corporation Sprint Nextel
T-Mobile USA, Inc. T-Mobile
United States Cellular Corporation US Cellular
Federal Communications Commission FCC 07-22
43
Verizon Verizon
Verizon Wireless Verizon Wireless
Virgin Mobile USA, LLC Virgin Mobile
Commenters in WC Docket No. 04-36
Comments Abbreviation
8X8, Inc. 8X8
AARP AARP
ACN Communications Services, Inc. ACN
Ad Hoc Telecommunications Users Committee Ad Hoc
Alcatel North America Alcatel
Alliance for Public Technology APT
America’s Rural Consortium ARC
American Foundation for the Blind AFB
American Public Communications Council APCC
Amherst, Massachusetts Cable Advisory Committee Amherst CAC
Arizona Corporation Commission Arizona Commission
Artic Slope Telephone Association Cooperative, Inc.
Cellular Mobile Systems of St. Cloud, LLC d/b/a
Cellular 2000
Comanche County Telephone, Inc.
DeKalb Telephone Cooperative, Inc. d/b/a DTC
Communications
Grand River Mutual Telephone Corporation
Interstate 35 Telephone Company
KanOkla Telephone Association, Inc.
Siskiyou Telephone Company
Uintah Basin Telecommunications Association, Inc.
Vermont Telephone Company, Inc.
Wheat State Telephone, Inc.
Artic Slope et al.
Association for Communications Technology
Professionals in Higher Education
ACUTA
Association for Local Telecommunications Services ALTS
Association of Public-Safety Communications Officials-
International, Inc.
APCO
AT&T Corporation AT&T
Attorney General of the State of New York New York Attorney General
Avaya, Inc. Avaya
BellSouth Corporation BellSouth
Bend Broadband
Cebridge Connections, Inc.
Insight Communications Company, Inc.
Susquehanna Communication
Bend Broadband et al.
Boulder Regional Emergency Telephone Service
Authority
BRETSA
BT Americas Inc. BTA
Cablevision Systems Corp. Cablevision
Callipso Corporation Callipso
Cbeyond Communications, LLC
GlobalCom, Inc.
Cbeyond et al.
Federal Communications Commission FCC 07-22
44
MPower Communications, Corp.
CenturyTel, Inc. CenturyTel
Charter Communications Charter
Cheyenne River Sioux Tribe Telephone Authority Cheyenne Telephone Authority
Cisco Systems, Inc. Cisco
Citizens Utility Board CUB
City and County of San Francisco San Francisco
City of New York New York City
Comcast Corporation Comcast
Communication Service for the Deaf, Inc. CSD
Communications Workers of America CWA
CompTel/ASCENT CompTel
Computer & Communications Industry Association CCIA
Computing Technology Industry Association CompTIA
Consumer Electronics Association CEA
Covad Communications Covad
Cox Communications, Inc. Cox
CTIA-The Wireless Association CTIA
Department of Homeland Security DHS
DialPad Communication, Inc.
ICG Communications, Inc.
Qovia, Inc.
VoicePulse, Inc.
Dialpad et al.
DJE Teleconsulting, LLC DJE
Donald Clark Jackson Jackson
EarthLink, Inc. EarthLink
EDUCAUSE EDUCAUSE
Electronic Frontier Foundation EFF
Enterprise Communications Association ECA
Federation for Economically Rational Utility Policy FERUP
Francois D. Menard Menard
Frontier and Citizens Telephone Companies Frontier/Citizens
General Communications, Inc. GCI
Global Crossing North America, Inc. Global Crossing
GVNW Consulting, Inc. GVNW
ICORE, Inc. ICORE
IEEE-USA IEEE-USA
Illinois Commerce Commission Illinois Commerce Commission
Inclusive Technologies Inclusive Technologies
Independent Telephone & Telecommunications Alliance ITTA
Information Technology Association of America ITAA
Information Technology Industry Council ITIC
Interstate Telcom Consulting, Inc. ITCI
Ionary Consulting Ionary
Iowa Utilities Board Iowa Commission
King County E911 Program King County
Level 3 Communications LLC Level 3
Lucent Technologies Inc. Lucent Technologies
Maine Public Utilities Commissioners Maine Commissioners
MCI MCI
Federal Communications Commission FCC 07-22
45
Microsoft Corporation Microsoft
Minnesota Public Utilities Commission Minnesota Commission
Montana Public Service Commission Montana Commission
Motorola, Inc. Motorola
National Association of Regulatory Utility Commission NARUC
National Association of State Utility Consumer Advocates NASUCA
National Association of Telecommunications Officers and
Advisors
National League of Cities
National Association of Counties
U.S. Conference of Mayors
National Association of Towns and Townships
Texas Coalition of Cities for Utility Issues
Washington Association of Telecommunications
Officers and Advisors
Greater Metro Telecommunications Consortium
Mr. Hood Cable Regulatory Commission
Metropolitan Washington Council of Governments
Rainier Communications Commission
City of Philadelphia
City of Tacoma, Washington
Montgomery County, Maryland
NATOA et al.
National Cable & Telecommunications Association NCTA
National Consumers League NCL
National Emergency Number Association NENA
National Exchange Carrier Association, Inc. NECA
National Governors Association NGA
National Grange National Grange
National Telecommunications Cooperative Association NTCA
Nebraska Public Service Commission Nebraska Commission
Nebraska Rural Independent Companies Nebraska Rural Independent Companies
Net2Phone, Inc. Net2Phone
New Jersey Board of Public Utilities New Jersey Commission
New Jersey Division of the Ratepayer Advocate New Jersey Ratepayer Advocate
New York State Department of Public Service New York Commission
NexVortex, Inc. nexVortex
Nortel Networks Nortel
Nuvio Corporation Nuvio
Office of Advocacy, U.S. Small Business Administration SBA
Office of the Attorney General of Texas Texas Attorney General
Office of the People’s Counsel for the District of
Columbia
D.C. Counsel
Ohio Public Utilities Commission Ohio Commission
Omnitor Omnitor
Organization for the Promotion and Advancement of
Small Telecommunications Companies
OPASTCO
Pac-West Telecomm, Inc. Pac-West
People of the State of California and the California Public
Utilities Commission
California Commission
Public Service Commission of the State of Missouri Missouri Commission
Pulver.com pulver.com
Federal Communications Commission FCC 07-22
46
Qwest Communications International Inc. Qwest
Rehabilitation Engineering Research Center on
Telecommunications Access
RERCTA
Rural Independent Competitive Alliance RICA
SBC Communications, Inc. SBC
Self Help for Hard of Hearing People SHHHP
Skype, Inc. Skype
Sonic.net, Inc. Sonic.net
SPI Solutions, Inc. SPI Solutions
Spokane County 911 Communications Spokane County 911
Sprint Corporation Sprint
TCA, Inc. Telecom Consulting Associates TCA
Telecommunications for the Deaf, Inc TDI
Telecommunications Industry Association TIA
Tellme Networks, Inc Tellme Networks
Tennessee Regulatory Authority TRA
Texas Coalition of Cities for Utility Issues TCCFUI
Texas Commission on State Emergency Communications. TCSEC
Texas Department of Information Resources Texas DIR
Time Warner Inc. Time Warner
Time Warner Telecom TWTC
TracFone Wireless, Inc. TracFone
UniPoint Enhanced Services Inc. d/b/a PointOne PointOne
United States Conference of Catholic Bishops
Alliance for Community Media
Appalachian People’s Actions Coalition
Center for Digital Democracy
Consumer Action
Edgemont Neighborhood Coalition
Migrant Legal Action Program
USCCB et al.
United States Department of Justice DOJ
United States Telecom Association USTA
United Telecom Council
The United Power Line Council
UTC et al.
USA Datanet Corporation USAD Datanet
Utah Division of Public Utilities Utah Commission
Valor Telecommunications of Texas, L.P. and Iowa
Telecommunications Services, Inc.
Valor et al.
VeriSign, Inc. VeriSign
Verizon Telephone Company Verizon
Vermont Public Service Board Vermont
Virgin Mobile USA, LLC Virgin Mobile
Virginia State Corporation Commission Virginia Commission
Voice on the Net Coalition VON Coalition
Vonage Holdings Corp Vonage
Western Telecommunications Alliance WTA
WilTel Communications, LLC WilTel
Wisconsin Electric Power Company
Wisconsin Gas
Wisconsin Electric et al.
Yellow Pages Integrated Media Association YPIMA
Federal Communications Commission FCC 07-22
47
Z-Tel Communications, Inc. Z-Tel
Reply Commenters in WC Docket No. 04-36
Reply Comments Abbreviation
8X8, Inc. 8X8
Ad Hoc Telecom Manufacturer Coalition Ad Hoc Telecom Manufacturers Coalition
Ad Hoc Telecommunications Users Committee Ad Hoc
Adam D. Thierer, Director of Telecommunications
Studies, Cato Institute
Thierer
Alcatel North America Alcatel
Alliance for Public Technology et al. APT et al.
American Cable Association ACA
American Electric Power Service Corporation
Duke Energy Corporation
Xcel Energy Inc.
American Electric Power et al.
Association for Local Telecommunications Services ALTS
AT&T Corp. AT&T
Avaya Inc. Avaya
BellSouth Corporation BellSouth
Broadband Service Providers Association BSPA
Cablevision Systems Corp. Cablevision
Callipso Corporation Callipso
Central Station Alarm Association CSAA
Cingular Wireless LLC Cingular
Cisco Systems, Inc. Cisco
City and County of San Francisco San Francisco
Comcast Corporation Comcast
CompTel/Ascent CompTel
Consumer Electronics Association CEA
Consumer Federation of America
Consumers Union
CFA et al.
Covad Communications Covad
CTC Communications Corp. CTS
CTIA-The Wireless Association CTIA
Department of Defense DoD
Donald Clark Jackson Jackson
EarthLink, Inc. EarthLink
Educause Educause
Enterprise Communications Association ECA
Ericsson Inc. Ericsson
Florida Public Service Commission Florida Commission
Francois D. Menard Menard
General Communication (GCI) GCI
Global Crossing North America, Inc. Global Crossing
Independent Telephone & Telecommunications Alliance ITTA
Information Technology Association of America Information Technology Association of
America
Intergovernmental Advisory Committee IAC
Intrado Inc. Intrado
Knology, Inc. Knology
Federal Communications Commission FCC 07-22
48
Level 3 Communications LLC Level 3
Massachusetts Office of the Attorney General Massachusetts Attorney General
MCI MCI
Montana Public Service Commission Montana Commission
Motorola, Inc. Motorola
National Association of State Utility Consumer Advocates NASUCA
National Association of Telecommunications Officers and
Advisors
National League of Cities
National Association of Counties
U.S. Conference of Mayors
National Association of Towns and Townships
Texas Coalition of Cities for Utility Issues
Washington Association of Telecommunications
Officers and Advisors
Greater Metro Telecommunications Consortium
Mr. Hood Cable Regulatory Commission
Metropolitan Washington Council of Governments
Rainier Communications Commission
City of Philadelphia
City of Tacoma, Washington
Montgomery County, Maryland
NATOA et al.
National Cable & Telecommunications Association NCTA
National Emergency Number Association NENA
National Exchange Carrier Association, Inc. NECA
Nebraska Public Service Commission Nebraska Commission
Nebraska Rural Independent Companies Nebraska Rural Independent Companies
Net2Phone, Inc. Net2Phone
New Jersey Division of the Ratepayer Advocate New Jersey Ratepayer Advocate
New York State Department of Public Service New York Commission
Nextel Communications, Inc. Nextel
Nuvio Corporation Nuvio
Office of the People’s Counsel for the District of
Columbia
D.C. Counsel
Organization for the Promotion and Advancement of
Small Telecommunications Companies
OPASTCO
Pac-West Telecomm, Inc. Pac-West
Pennsylvania Public Utility Commission Pennsylvania Commission
Public Service Commission of Wisconsin Wisconsin Commission
Qwest Communications International Inc. Qwest
Regulatory Studies Program (RSP) of the Mercatus Center
at George Mason University
Mercatus Center
Rehabilitation Engineering Research Center on
Telecommunications Access
RERCTA
RNKL, Inc. d/b/a RNK Telecom RNK
Rural Independent Competitive Alliance RICA
SBC Communications Inc. SBC
Skype, Inc. Skype
Southern Communications Services, Inc. d/b/a Southern
LINC
Southern LINC
Sprint Corporation Sprint
Federal Communications Commission FCC 07-22
49
Telecommunications Industry Association TIA
Tellme Networks, Inc Tellme Networks
Texas Statewide Telephone Cooperative, Inc. Texas Statewide Telephone Cooperative
Time Warner Telecom, Inc. Time Warner Telecom
T-Mobile USA, Inc. T-Mobile
TracFone Wireless, Inc. TracFone
United States Conference of Catholic Bishops
Alliance for Community Media
Appalachian Peoples’ Action Coalition
Center for Digital Democracy
Consumer Action
Edgemont Neighborhood Coalition
Migrant Legal Action Program
USCCB et al.
United States Department of Justice DOJ
United States Telecom Association USTA
USA Datanet Corporation USA Datanet
Utah Division of Public Utilities Utah Commission
VeriSign, Inc. VeriSign
Verizon Telephone Companies Verizon
Voice on the Net Coalition VON Coalition
Wisconsin Department of Public Instruction Wisconsin Department of Public
Instruction
Federal Communications Commission FCC 07-22
50
Appendix B
Final Rules
Subpart U of Part 64, of Title 47 of the Code of Federal Regulations is amended to read as follows:
SUBPART U CUSTOMER PROPRIETARY NETWORK INFORMATION
1. Section 64.2003(k) is amended to read as follows:
(k) Telecommunications carrier or carrier. The terms “telecommunications carrier” or “carrier”
shall have the same meaning as set forth in section 3(44) of the Communications Act of 1934,
as amended, 47 U.S.C. 153(44). For the purposes of this subpart, the term
“telecommunications carrier” or “carrier” shall include an entity that provides interconnected
VoIP service, as that term is defined in section 9.3 of these rules.
2. Section 64.2003 is amended by redesignating paragraphs (a)-(l) and by adding the following
paragraphs:
(a) Account information. “Account information” is information that is specifically connected to
the customer’s service relationship with the carrier, including such things as an account
number or any component thereof, the telephone number associated with the account, or the
bill’s amount.
(b) Address of record. An “address of record,” whether postal or electronic, is an address that the
carrier has associated with the customer’s account for at least 30 days.
(d) Call detail information. Any information that pertains to the transmission of specific
telephone calls, including, for outbound calls, the number called, and the time, location, or
duration of any call and, for inbound calls, the number from which the call was placed, and
the time, location, or duration of any call.
(m) Readily available biographical information. Readily available biographical information” is
information drawn from the customer’s life history and includes such things as the customer’s
social security number, or the last four digits of that number; mother’s maiden name; home
address; or date of birth.
(q) Telephone number of record. The telephone number associated with the underlying service,
not the telephone number supplied as a customer’s “contact information.”
(r) Valid photo ID. A “valid photo ID” is a government-issued means of personal identification
with a photograph such as a driver’s license, passport, or comparable ID that is not expired.
3. Section 64.2005(c)(3) is amended to read as follows:
(3) LECs, CMRS providers, and entities that provide interconnected VoIP service as that term is
defined in section 9.3 of these rules, may use CPNI, without customer approval, to market
services formerly known as adjunct-to-basic services, such as, but not limited to, speed
dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking,
call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain
centrex features.
Federal Communications Commission FCC 07-22
51
4. Section 64.2007 is amended by deleting paragraphs (b)(2) and (b)(3), and revising paragraph
(b)(1) to read as follows:
(b) Use of Opt-Out and Opt-In Approval Processes. A telecommunications carrier may, subject
to opt-out approval or opt-in approval, use its customer’s individually identifiable CPNI for
the purpose of marketing communications-related services to that customer. A
telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its
customer’s individually identifiable CPNI, for the purpose of marketing communications-
related services to that customer, to its agents and its affiliates that provide communications-
related services. A telecommunications carrier may also permit such persons or entities to
obtain access to such CPNI for such purposes. Except for use and disclosure of CPNI that is
permitted without customer approval under section § 64.2005, or that is described in this
paragraph, or as otherwise provided in section 222 of the Communications Act of 1934, as
amended, a telecommunications carrier may only use, disclose, or permit access to its
customer’s individually identifiable CPNI subject to opt-in approval.
5. Section 64.2009 is amended by revising paragraph (e) to read as follows:
(e) A telecommunications carrier must have an officer, as an agent of the carrier, sign and file
with the Commission a compliance certificate on an annual basis. The officer must state in
the certification that he or she has personal knowledge that the company has established
operating procedures that are adequate to ensure compliance with the rules in this subpart.
The carrier must provide a statement accompanying the certificate explaining how its
operating procedures ensure that it is or is not in compliance with the rules in this subpart. In
addition, the carrier must include an explanation of any actions taken against data brokers and
a summary of all customer complaints received in the past year concerning the unauthorized
release of CPNI. This filing must be made annually with the Enforcement Bureau on or
before March 1 in EB Docket No. 06-36, for data pertaining to the previous calendar year.
6. Section 64.2010 is added to read as follows:
§ 64.2010 Safeguards on the disclosure of customer proprietary network information
(a) Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover
and protect against attempts to gain unauthorized access to CPNI. Telecommunications
carriers must properly authenticate a customer prior to disclosing CPNI based on customer-
initiated telephone contact, online account access, or an in-store visit.
(b) Telephone access to CPNI. Telecommunications carriers may only disclose call detail
information over the telephone, based on customer-initiated telephone contact, if the
customer first provides the carrier with a password, as described in paragraph (e) of this
section, that is not prompted by the carrier asking for readily available biographical
information, or account information. If the customer does not provide a password, the
telecommunications carrier may only disclose call detail information by sending it to the
customer’s address of record, or, by calling the customer at the telephone number of record.
If the customer is able to provide call detail information to the telecommunications carrier
during a customer-initiated call without the telecommunications carrier’s assistance, then the
telecommunications carrier is permitted to discuss the call detail information provided by the
customer.
Federal Communications Commission FCC 07-22
52
(c) Online access to CPNI. A telecommunications carrier must authenticate a customer without
the use of readily available biographical information, or account information, prior to
allowing the customer online access to CPNI related to a telecommunications service
account. Once authenticated, the customer may only obtain online access to CPNI related to
a telecommunications service account through a password, as described in paragraph (e) of
this section, that is not prompted by the carrier asking for readily available biographical
information, or account information.
(d) In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer
who, at a carrier’s retail location, first presents to the telecommunications carrier or its agent
a valid photo ID matching the customer’s account information.
(e) Establishment of a Password and Back-up Authentication Methods for Lost or Forgotten
Passwords. To establish a password, a telecommunications carrier must authenticate the
customer without the use of readily available biographical information, or account
information. Telecommunications carriers may create a back-up customer authentication
method in the event of a lost or forgotten password, but such back-up customer authentication
method may not prompt the customer for readily available biographical information, or
account information. If a customer cannot provide the correct password or the correct
response for the back-up customer authentication method, the customer must establish a new
password as described in this paragraph.
(f) Notification of account changes. Telecommunications carriers must notify customers
immediately whenever a password, customer response to a back-up means of authentication
for lost or forgotten passwords, online account, or address of record is created or changed.
This notification is not required when the customer initiates service, including the selection of
a password at service initiation. This notification may be through a carrier-originated
voicemail or text message to the telephone number of record, or by mail to the address of
record, and must not reveal the changed information or be sent to the new account
information.
(g) Business Customer Exemption. Telecommunications carriers may bind themselves
contractually to authentication regimes other than those described in this section for services
they provide to their business customers that have both a dedicated account representative
and a contract that specifically addresses the carriers’ protection of CPNI.
7. Section 64.2011 is added to read as follows:
§ 64.2011 Notification of customer proprietary network information security breaches
(a) A telecommunications carrier shall notify law enforcement of a breach of its customers’
CPNI as provided in this section. The carrier shall not notify its customers or disclose the
breach publicly, whether voluntarily or under state or local law or these rules, until it has
completed the process of notifying law enforcement pursuant to paragraph (b).
(b) As soon as practicable, and in no event later than seven (7) business days, after reasonable
determination of the breach, the telecommunications carrier shall electronically notify the
United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) through a
central reporting facility. The Commission will maintain a link to the reporting facility at
http://www.fcc.gov/eb/cpni.
Federal Communications Commission FCC 07-22
53
(1) Notwithstanding any state law to the contrary, the carrier shall not notify customers or
disclose the breach to the public until 7 full business days have passed after notification
to the USSS and the FBI except as provided in paragraphs (2) and (3).
(2) If the carrier believes that there is an extraordinarily urgent need to notify any class of
affected customers sooner than otherwise allowed under paragraph (1), in order to avoid
immediate and irreparable harm, it shall so indicate in its notification and may proceed to
immediately notify its affected customers only after consultation with the relevant
investigating agency. The carrier shall cooperate with the relevant investigating agency’s
request to minimize any adverse effects of such customer notification.
(3) If the relevant investigating agency determines that public disclosure or notice to
customers would impede or compromise an ongoing or potential criminal investigation or
national security, such agency may direct the carrier not to so disclose or notify for an
initial period of up to 30 days. Such period may be extended by the agency as reasonably
necessary in the judgment of the agency. If such direction is given, the agency shall
notify the carrier when it appears that public disclosure or notice to affected customers
will no longer impede or compromise a criminal investigation or national security. The
agency shall provide in writing its initial direction to the carrier, any subsequent
extension, and any notification that notice will no longer impede or compromise a
criminal investigation or national security and such writings shall be contemporaneously
logged on the same reporting facility that contains records of notifications filed by
carriers.
(c) Customer Notification. After a telecommunications carrier has completed the process of
notifying law enforcement pursuant to paragraph (b), it shall notify its customers of a breach
of those customers’ CPNI.
(d) Recordkeeping. All carriers shall maintain a record, electronically or in some other manner,
of any breaches discovered, notifications made to the USSS and the FBI pursuant to
paragraph (b), and notifications made to customers. The record must include, if available,
dates of discovery and notification, a detailed description of the CPNI that was the subject of
the breach, and the circumstances of the breach. Carriers shall retain the record for a
minimum of 2 years.
(e) Definitions. As used in this section, a “breach” has occurred when a person, without
authorization or exceeding authorization, has intentionally gained access to, used, or
disclosed CPNI.
(f) This section does not supersede any statute, regulation, order, or interpretation in any State,
except to the extent that such statute, regulation, order, or interpretation is inconsistent with
the provisions of this section, and then only to the extent of the inconsistency.
Federal Communications Commission FCC 07-22
54
Appendix C
Final Regulatory Flexibility Analysis
86. As required by the Regulatory Flexibility Act of 1980, as amended (RFA),
214
an Initial
Regulatory Flexibility Analysis (IRFA) was incorporated in the EPIC CPNI Notice in CC Docket No. 96-
115 and the IP-Enabled Services Notice in WC Docket 04-36.
215
The Commission sought written public
comment on the proposals in both notices, including comment on the IRFA.
216
We received comments
specifically directed toward the IRFA from three commenters in CC Docket No. 96-115 and from three
commenters in WC Docket No. 04-36. These comments are discussed below. This Final Regulatory
Flexibility Analysis (FRFA) conforms to the RFA.
217
A. Need for, and Objectives of, the Rules
87. Todays Order strengthens the Commission’s rules to protect the privacy of CPNI that is
collected and held by providers of communications services. Section 222 of the Communications Act
requires telecommunications carriers to take specific steps to ensure that CPNI is adequately protected
from unauthorized disclosure. This Order adopts additional safeguards to protect customers’ CPNI
against unauthorized access and disclosure.
B. Summary of Significant Issues Raised by Public Comments in Response to the IRFA
88. Comments Received in Response to the EPIC CPNI Notice. In this section, we respond to
comments filed in response to the IRFA.
218
To the extent we received comments raising general small
business concerns during this proceeding, those comments are discussed throughout the Order.
89. We disagree with Alexicon that small carriers are less vulnerable to unauthorized attempts to
access CPNI.
219
In fact, Alexicon itself points out that one of its client companies actually experienced an
unauthorized access attempt, and thus we find the steps the Commission takes in this Order are applicable
to all carriers.
220
We do, however, agree with commenters that argue the Commission should not adopt
many of EPIC’s suggested requirements.
221
We also agree with commenters that argue for flexible rules
to allow carriers to determine proper authentication methods for its customers.
222
Therefore, we do not
adopt specific authentication methods, or back-up authentication methods for lost or forgotten passwords
and instead adopt rules that provide limits on the types of authentication methods that meet section 222’s
214
See 5 U.S.C. § 603. The RFA, see 5 U.S.C. §§ 601-12, has been amended by the Small Business Regulatory
Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996).
215
See EPIC CPNI Notice, 21 FCC Rcd at 1794, para. 31 & Appendix B; IP-Enabled Services Notice, 19 FCC Rcd
at 4917, para. 91 & Appendix A.
216
See EPIC CPNI Notice, 21 FCC Rcd at 1794, para. 31 & Appendix B; IP-Enabled Services Notice, 19 FCC Rcd
at 4917, para. 91 & Appendix A.
217
See 5 U.S.C. § 604.
218
See Alexicon Comments at 1-9; NTCA Comments at 1-5; OPASTCO Comments at 1-9.
219
See Alexicon Comments at 7.
220
See Alexicon Comments at 2, n.6.
221
See, e.g., NTCA Comments at 3-4; OPASTCO Comments at 2-7.
222
See, e.g., NTCA Comments at 4.
Federal Communications Commission FCC 07-22
55
mandate to protect CPNI.
223
Further, we agree with commenters that small carriers should be provided
additional time to implement the requirements that we do adopt in this Order.
224
Thus, we provide small
carriers with an additional six month implementation period for the online carrier authentication
requirements adopted in this Order.
225
90. Comments Received in Response to the IP-Enabled Services Notice. In this section, we
respond to comments filed in response to the IRFA.
226
To the extent we received comments raising
general small business concerns during this proceeding, those comments are discussed throughout the
Order.
91. We disagree with the SBA and Menard that the Commission should postpone acting in this
proceeding thereby postponing extending the application of the CPNI rules to interconnected VoIP
service providers and instead should reevaluate the economic impact and the compliance burdens on
small entities and issue a further notice of proposed rulemaking in conjunction with a supplemental IRFA
identifying and analyzing the economic impacts on small entities and less burdensome alternatives.
227
We
believe the additional steps suggested by SBA and Menard are unnecessary because small entities already
have received sufficient notice of the issues addressed in today’s Order
228
and because the Commission
has considered the economic impact on small entities and what ways are feasible to minimize the burdens
imposed on those entities, and, to the extent feasible, has implemented those less burdensome
alternatives.
229
C. Description and Estimate of the Number of Small Entities to Which Rules Will
Apply
92. The RFA directs agencies to provide a description of and, where feasible, an estimate of the
number of small entities that may be affected by the rules adopted herein.
230
The RFA generally defines
the term small entityas having the same meaning as the terms small business,” “small organization,
and small governmental jurisdiction.
231
In addition, the term small businesshas the same meaning as
the term small business concernunder the Small Business Act.
232
A small business concern is one
223
See Order at paras. 13-22.
224
See, e.g., Alexicon Comments at 8; NTCA Comments at 3.
225
See Order at para. 61.
226
See SBA Comments; Menard Comments; Menard Reply.
227
See SBA Comments at 2, 4, 6; Menard Comments; Menard Reply at 4.
228
The IP-Enabled Services Notice specifically sought comment on whether the CPNI requirements should apply to
any provider of interconnected VoIP service, and the Commission published a summary of that notice in the Federal
Register. See IP-Enabled Services Notice, 19 FCC Rcd at 4910, para. 71; Regulatory Requirements for IP-Enabled
Services, WC Docket No. 04-36, Notice of Proposed Rulemaking, 69 Fed. Reg. 16193-01 (Mar. 29, 2004). We note
that a number of small entities submitted comments in this proceeding. See supra Appendix A.
229
See Order at para. 61.
230
5 U.S.C. §§ 603(b)(3), 604(a)(3).
231
5 U.S.C. § 601(6).
232
5 U.S.C. § 601(3) (incorporating by reference the definition of small business concernin the Small Business
Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies unless an
agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity
for public comment, establishes one or more definitions of such terms which are appropriate to the activities of the
agency and publishes such definitions(s) in the Federal Register.
Federal Communications Commission FCC 07-22
56
which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3)
satisfies any additional criteria established by the Small Business Administration (SBA).
233
93. Small Businesses. Nationwide, there are a total of approximately 22.4 million small
businesses, according to SBA data.
234
94. Small Organizations. Nationwide, there are approximately 1.6 million small
organizations.
235
95. Small Governmental Jurisdictions. The term small governmental jurisdictionis defined
generally as governments of cities, towns, townships, villages, school districts, or special districts, with a
population of less than fifty thousand.
236
Census Bureau data for 2002 indicate that there were 87,525
local governmental jurisdictions in the United States.
237
We estimate that, of this total, 84,377 entities
were small governmental jurisdictions.
238
Thus, we estimate that most governmental jurisdictions are
small.
1. Telecommunications Service Entities
a. Wireline Carriers and Service Providers
96. We have included small incumbent local exchange carriers in this present RFA analysis. As
noted above, a small businessunder the RFA is one that, inter alia, meets the pertinent small business
size standard (e.g., a telephone communications business having 1,500 or fewer employees), and is not
dominant in its field of operation.
239
The SBAs Office of Advocacy contends that, for RFA purposes,
small incumbent local exchange carriers are not dominant in their field of operation because any such
dominance is not nationalin scope.
240
We have therefore included small incumbent local exchange
carriers in this RFA analysis, although we emphasize that this RFA action has no effect on Commission
analyses and determinations in other, non-RFA contexts.
97. Incumbent Local Exchange Carriers (LECs). Neither the Commission nor the SBA has
developed a small business size standard specifically for incumbent local exchange services. The
appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under
that size standard, such a business is small if it has 1,500 or fewer employees.
241
According to
233
15 U.S.C. § 632.
234
See SBA, Programs and Services, SBA Pamphlet No. CO-0028, at page 40 (July 2002).
235
Independent Sector, The New Nonprofit Almanac & Desk Reference (2002).
236
5 U.S.C. § 601(5).
237
U.S. Census Bureau, Statistical Abstract of the United States: 2006, Section 8, page 272, Table 415.
238
We assume that the villages, school districts, and special districts are small, and total 48,558. See U.S. Census
Bureau, Statistical Abstract of the United States: 2006, section 8, page 273, Table 417. For 2002, Census Bureau
data indicate that the total number of county, municipal, and township governments nationwide was 38,967, of
which 35,819 were small. Id.
239
15 U.S.C. § 632.
240
Letter from Jere W. Glover, Chief Counsel for Advocacy, SBA, to William E. Kennard, Chairman, FCC (May
27, 1999). The Small Business Act contains a definition of small-business concern,which the RFA incorporates
into its own definition of small business.See 15 U.S.C. § 632(a) (Small Business Act); 5 U.S.C. § 601(3) (RFA).
SBA regulations interpret small business concernto include the concept of dominance on a national basis. See 13
C.F.R. § 121.102(b).
241
13 C.F.R. § 121.201, NAICS code 517110 (changed from 513310 in Oct. 2002).
Federal Communications Commission FCC 07-22
57
Commission data,
242
1,303 carriers have reported that they are engaged in the provision of incumbent
local exchange services. Of these 1,303 carriers, an estimated 1,020 have 1,500 or fewer employees and
283 have more than 1,500 employees. Consequently, the Commission estimates that most providers of
incumbent local exchange service are small businesses that may be affected by our action.
98. Competitive Local Exchange Carriers, Competitive Access Providers (CAPs), “Shared-
Tenant Service Providers,” and “Other Local Service Providers.” Neither the Commission nor the SBA
has developed a small business size standard specifically for these service providers. The appropriate size
standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size
standard, such a business is small if it has 1,500 or fewer employees.
243
According to Commission
data,
244
769 carriers have reported that they are engaged in the provision of either competitive access
provider services or competitive local exchange carrier services. Of these 769 carriers, an estimated 676
have 1,500 or fewer employees and 93 have more than 1,500 employees. In addition, 12 carriers have
reported that they are Shared-Tenant Service Providers,and all 12 are estimated to have 1,500 or fewer
employees. In addition, 39 carriers have reported that they are Other Local Service Providers. Of the
39, an estimated 38 have 1,500 or fewer employees and one has more than 1,500 employees.
Consequently, the Commission estimates that most providers of competitive local exchange service,
competitive access providers, Shared-Tenant Service Providers,and Other Local Service Providers
are small entities that may be affected by our action.
99. Local Resellers. The SBA has developed a small business size standard for the category of
Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer
employees.
245
According to Commission data,
246
143 carriers have reported that they are engaged in the
provision of local resale services. Of these, an estimated 141 have 1,500 or fewer employees and two
have more than 1,500 employees. Consequently, the Commission estimates that the majority of local
resellers are small entities that may be affected by our action.
100. Toll Resellers. The SBA has developed a small business size standard for the category
of Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or
fewer employees.
247
According to Commission data,
248
770 carriers have reported that they are engaged
in the provision of toll resale services. Of these, an estimated 747 have 1,500 or fewer employees and 23
have more than 1,500 employees. Consequently, the Commission estimates that the majority of toll
resellers are small entities that may be affected by our action.
101. Payphone Service Providers (PSPs). Neither the Commission nor the SBA has
developed a small business size standard specifically for payphone services providers. The appropriate
size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size
standard, such a business is small if it has 1,500 or fewer employees.
249
According to Commission
242
FCC, Wireline Competition Bureau, Industry Analysis and Technology Division, Trends in Telephone Service
at Table 5.3, page 5-5 (April 2005) (Trends in Telephone Service). This source uses data that are current as of
October 1, 2004.
243
13 C.F.R. § 121.201, NAICS code 517110 (changed from 513310 in Oct. 2002).
244
Trends in Telephone Serviceat Table 5.3.
245
13 C.F.R. § 121.201, NAICS code 517310 (changed from 513330 in Oct. 2002).
246
Trends in Telephone Serviceat Table 5.3.
247
13 C.F.R. § 121.201, NAICS code 517310 (changed from 513330 in Oct. 2002).
248
Trends in Telephone Serviceat Table 5.3.
249
13 C.F.R. § 121.201, NAICS code 517110 (changed from 513310 in Oct. 2002).
Federal Communications Commission FCC 07-22
58
data,
250
613 carriers have reported that they are engaged in the provision of payphone services. Of these,
an estimated 609 have 1,500 or fewer employees and four have more than 1,500 employees.
Consequently, the Commission estimates that the majority of payphone service providers are small
entities that may be affected by our action.
102. Interexchange Carriers (IXCs). Neither the Commission nor the SBA has developed a
small business size standard specifically for providers of interexchange services. The appropriate size
standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size
standard, such a business is small if it has 1,500 or fewer employees.
251
According to Commission
data,
252
316 carriers have reported that they are engaged in the provision of interexchange service. Of
these, an estimated 292 have 1,500 or fewer employees and 24 have more than 1,500 employees.
Consequently, the Commission estimates that the majority of IXCs are small entities that may be affected
by our action.
103. Operator Service Providers (OSPs). Neither the Commission nor the SBA has
developed a small business size standard specifically for operator service providers. The appropriate size
standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size
standard, such a business is small if it has 1,500 or fewer employees.
253
According to Commission
data,
254
23 carriers have reported that they are engaged in the provision of operator services. Of these, an
estimated 20 have 1,500 or fewer employees and three have more than 1,500 employees. Consequently,
the Commission estimates that the majority of OSPs are small entities that may be affected by our action.
104. Prepaid Calling Card Providers. Neither the Commission nor the SBA has developed a
small business size standard specifically for prepaid calling card providers. The appropriate size standard
under SBA rules is for the category Telecommunications Resellers. Under that size standard, such a
business is small if it has 1,500 or fewer employees.
255
According to Commission data,
256
89 carriers
have reported that they are engaged in the provision of prepaid calling cards. Of these, 88 are estimated
to have 1,500 or fewer employees and one has more than 1,500 employees. Consequently, the
Commission estimates that all or the majority of prepaid calling card providers are small entities that may
be affected by our action.
105. 800 and 800-Like Service Subscribers.
257
Neither the Commission nor the SBA has
developed a small business size standard specifically for 800 and 800-like service (toll free)
subscribers. The appropriate size standard under SBA rules is for the category Telecommunications
Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees.
258
The
most reliable source of information regarding the number of these service subscribers appears to be data
the Commission collects on the 800, 888, and 877 numbers in use.
259
According to our data, at the end of
250
Trends in Telephone Serviceat Table 5.3.
251
13 C.F.R. § 121.201, NAICS code 517110 (changed from 513310 in Oct. 2002).
252
Trends in Telephone Serviceat Table 5.3.
253
13 C.F.R. § 121.201, NAICS code 517110 (changed from 513310 in Oct. 2002).
254
Trends in Telephone Serviceat Table 5.3.
255
13 C.F.R. § 121.201, NAICS code 517310 (changed from 513330 in Oct. 2002).
256
Trends in Telephone Serviceat Table 5.3.
257
We include all toll-free number subscribers in this category, including those for 888 numbers.
258
13 C.F.R. § 121.201, NAICS code 517310 (changed from 513330 in Oct. 2002).
259
See FCC, Common Carrier Bureau, Industry Analysis Division, Study on Telephone Trends, Tables 21.2, 21.3,
and 21.4 (Feb. 1999).
Federal Communications Commission FCC 07-22
59
January, 1999, the number of 800 numbers assigned was 7,692,955; the number of 888 numbers assigned
was 7,706,393; and the number of 877 numbers assigned was 1,946,538. We do not have data specifying
the number of these subscribers that are not independently owned and operated or have more than 1,500
employees, and thus are unable at this time to estimate with greater precision the number of toll free
subscribers that would qualify as small businesses under the SBA size standard. Consequently, we
estimate that there are 7,692,955 or fewer small entity 800 subscribers; 7,706,393 or fewer small entity
888 subscribers; and 1,946,538 or fewer small entity 877 subscribers.
b. International Service Providers
106. The Commission has not developed a small business size standard specifically for
providers of international service. The appropriate size standards under SBA rules are for the two broad
census categories of “Satellite Telecommunicationsand Other Telecommunications. Under both
categories, such a business is small if it has $12.5 million or less in average annual receipts.
260
107. The first category of Satellite Telecommunications comprises establishments primarily
engaged in providing point-to-point telecommunications services to other establishments in the
telecommunications and broadcasting industries by forwarding and receiving communications signals via
a system of satellites or reselling satellite telecommunications.
261
For this category, Census Bureau data
for 2002 show that there were a total of 371 firms that operated for the entire year.
262
Of this total, 307
firms had annual receipts of under $10 million, and 26 firms had receipts of $10 million to
$24,999,999.
263
Consequently, we estimate that the majority of Satellite Telecommunications firms are
small entities that might be affected by our action.
108. The second category of Other Telecommunications comprises establishments primarily
engaged in (1) providing specialized telecommunications applications, such as satellite tracking,
communications telemetry, and radar station operations; or (2) providing satellite terminal stations and
associated facilities operationally connected with one or more terrestrial communications systems and
capable of transmitting telecommunications to or receiving telecommunications from satellite systems.
264
For this category, Census Bureau data for 2002 show that there were a total of 332 firms that operated for
the entire year.
265
Of this total, 259 firms had annual receipts of under $10 million and 15 firms had
annual receipts of $10 million to $24,999,999.
266
Consequently, we estimate that the majority of Other
Telecommunications firms are small entities that might be affected by our action.
c. Wireless Telecommunications Service Providers
109. Below, for those services subject to auctions, we note that, as a general matter, the
number of winning bidders that qualify as small businesses at the close of an auction does not necessarily
260
13 C.F.R. § 121.201 , NAICS codes 517410 and 517910.
261
U.S. Census Bureau, 2002 NAICS Definitions: 517410 Satellite Telecommunications” (www.census.gov,
visited Feb. 2006).
262
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information, Establishment and Firm Size
(Including Legal Form of Organization),Table 4, NAICS code 517410 (issued Nov. 2005).
263
Id. An additional 38 firms had annual receipts of $25 million or more.
264
U.S. Census Bureau, 2002 NAICS Definitions: 517910 Other Telecommunications” (www.census.gov, visited
Feb. 2006).
265
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information, Establishment and Firm Size
(Including Legal Form of Organization),Table 4, NAICS code 517910 (issued Nov. 2005).
266
Id. An additional 14 firms had annual receipts of $25 million or more.
Federal Communications Commission FCC 07-22
60
represent the number of small businesses currently in service. Also, the Commission does not generally
track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues
are implicated.
110. Wireless Service Providers. The SBA has developed a small business size standard for
wireless firms within the two broad economic census categories of Paging
267
and Cellular and Other
Wireless Telecommunications.
268
Under both SBA categories, a wireless business is small if it has 1,500
or fewer employees. For the census category of Paging, Census Bureau data for 2002 show that there
were 807 firms in this category that operated for the entire year.
269
Of this total, 804 firms had
employment of 999 or fewer employees, and three firms had employment of 1,000 employees or more.
270
Thus, under this category and associated small business size standard, the majority of firms can be
considered small. For the census category of Cellular and Other Wireless Telecommunications, Census
Bureau data for 2002 show that there were 1,397 firms in this category that operated for the entire year.
271
Of this total, 1,378 firms had employment of 999 or fewer employees, and 19 firms had employment of
1,000 employees or more.
272
Thus, under this second category and size standard, the majority of firms
can, again, be considered small.
111. Cellular Licensees. The SBA has developed a small business size standard for wireless
firms within the broad economic census category Cellular and Other Wireless Telecommunications.
273
Under this SBA category, a wireless business is small if it has 1,500 or fewer employees. For the census
category of Cellular and Other Wireless Telecommunications, Census Bureau data for 2002 show that
there were 1,397 firms in this category that operated for the entire year.
274
Of this total, 1,378 firms had
employment of 999 or fewer employees, and 19 firms had employment of 1,000 employees or more.
275
Thus, under this category and size standard, the great majority of firms can be considered small. Also,
according to Commission data, 437 carriers reported that they were engaged in the provision of cellular
service, Personal Communications Service (PCS), or Specialized Mobile Radio (SMR) Telephony
services, which are placed together in the data.
276
We have estimated that 260 of these are small, under
the SBA small business size standard.
277
267
13 C.F.R. § 121.201, NAICS code 513321 (changed to 517211 in October 2002).
268
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
269
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information,Table 5, Employment Size of Firms
for the United States: 2002, NAICS code 517211 (issued November 2005).
270
Id. The census data do not provide a more precise estimate of the number of firms that have employment of
1,500 or fewer employees; the largest category provided is firms with 1000 employees or more.
271
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information,Table 5, Employment Size of Firms
for the United States: 2002, NAICS code 517212 (issued November 2005).
272
Id. The census data do not provide a more precise estimate of the number of firms that have employment of
1,500 or fewer employees; the largest category provided is firms with 1000 employees or more.
273
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
274
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information,Table 5, Employment Size of Firms
for the United States: 2002, NAICS code 517212 (issued November 2005).
275
Id. The census data do not provide a more precise estimate of the number of firms that have employment of
1,500 or fewer employees; the largest category provided is firms with 1000 employees or more.
276
Trends in Telephone Serviceat Table 5.3.
277
Id.
Federal Communications Commission FCC 07-22
61
112. Common Carrier Paging. The SBA has developed a small business size standard for
wireless firms within the broad economic census category, Cellular and Other Wireless
Telecommunications.
278
Under this SBA category, a wireless business is small if it has 1,500 or fewer
employees. For the census category of Paging, Census Bureau data for 2002 show that there were 807
firms in this category that operated for the entire year.
279
Of this total, 804 firms had employment of 999
or fewer employees, and three firms had employment of 1,000 employees or more.
280
Thus, under this
category and associated small business size standard, the majority of firms can be considered small. In
the Paging Third Report and Order, we developed a small business size standard for small businesses
and very small businessesfor purposes of determining their eligibility for special provisions such as
bidding credits and installment payments.
281
A small businessis an entity that, together with its
affiliates and controlling principals, has average gross revenues not exceeding $15 million for the
preceding three years. Additionally, a very small businessis an entity that, together with its affiliates
and controlling principals, has average gross revenues that are not more than $3 million for the preceding
three years.
282
The SBA has approved these small business size standards.
283
An auction of Metropolitan
Economic Area licenses commenced on February 24, 2000, and closed on March 2, 2000.
284
Of the 985
licenses auctioned, 440 were sold. Fifty-seven companies claiming small business status won. Also,
according to Commission data, 375 carriers reported that they were engaged in the provision of paging
and messaging services.
285
Of those, we estimate that 370 are small, under the SBA-approved small
business size standard.
286
113. Wireless Communications Services. This service can be used for fixed, mobile,
radiolocation, and digital audio broadcasting satellite uses. The Commission established small business
size standards for the wireless communications services (WCS) auction. A “small business” is an entity
with average gross revenues of $40 million for each of the three preceding years, and a “very small
business” is an entity with average gross revenues of $15 million for each of the three preceding years.
The SBA has approved these small business size standards.
287
The Commission auctioned geographic
area licenses in the WCS service. In the auction, there were seven winning bidders that qualified as “very
small business” entities, and one that qualified as a “small business” entity.
114. Wireless Telephony. Wireless telephony includes cellular, personal communications
services (PCS), and specialized mobile radio (SMR) telephony carriers. As noted earlier, the SBA has
278
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
279
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information,Table 5, Employment Size of Firms
for the United States: 2002, NAICS code 517211 (issued November 2005).
280
Id. The census data do not provide a more precise estimate of the number of firms that have employment of
1,500 or fewer employees; the largest category provided is firms with 1000 employees or more.
281
Amendment of Part 90 of the Commissions Rules to Provide for the Use of the 220-222 MHz Band by the Private
Land Mobile Radio Service, PR Docket No. 89-552, Third Report and Order and Fifth Notice of Proposed
Rulemaking, 12 FCC Rcd 10943, 11068-70, paras. 291-295, 62 FR 16004 (Apr. 3, 1997).
282
See Letter to Amy Zoslov, Chief, Auctions and Industry Analysis Division, Wireless Telecommunications
Bureau, FCC, from A. Alvarez, Administrator, SBA (Dec. 2, 1998) (SBA Dec. 2, 1998 Letter).
283
Revision of Part 22 and Part 90 of the Commissions Rules to Facilitate Future Development of Paging Systems,
Memorandum Opinion and Order on Reconsideration and Third Report and Order, 14 FCC Rcd 10030, paras. 98-
107 (1999).
284
Id. at 10085, para. 98.
285
Trends in Telephone Serviceat Table 5.3.
286
Id.
287
SBA Dec. 2, 1998 letter.
Federal Communications Commission FCC 07-22
62
developed a small business size standard for Cellular and Other Wireless Telecommunications
services.
288
Under that SBA small business size standard, a business is small if it has 1,500 or fewer
employees.
289
According to Commission data, 445 carriers reported that they were engaged in the
provision of wireless telephony.
290
We have estimated that 245 of these are small under the SBA small
business size standard.
115. Broadband Personal Communications Service. The broadband Personal
Communications Service (PCS) spectrum is divided into six frequency blocks designated A through F,
and the Commission has held auctions for each block. The Commission defined small entityfor Blocks
C and F as an entity that has average gross revenues of $40 million or less in the three previous calendar
years.
291
For Block F, an additional classification for very small businesswas added and is defined as
an entity that, together with its affiliates, has average gross revenues of not more than $15 million for the
preceding three calendar years.
292
These standards defining small entityin the context of broadband
PCS auctions have been approved by the SBA.
293
No small businesses, within the SBA-approved small
business size standards bid successfully for licenses in Blocks A and B. There were 90 winning bidders
that qualified as small entities in the Block C auctions. A total of 93 small and very small business
bidders won approximately 40 percent of the 1,479 licenses for Blocks D, E, and F.
294
On March 23,
1999, the Commission re-auctioned 347 C, D, E, and F Block licenses. There were 48 small business
winning bidders. On January 26, 2001, the Commission completed the auction of 422 C and F
Broadband PCS licenses in Auction No. 35. Of the 35 winning bidders in this auction, 29 qualified as
smallor very small businesses. Subsequent events, concerning Auction 35, including judicial and
agency determinations, resulted in a total of 163 C and F Block licenses being available for grant.
116. Narrowband Personal Communications Services. To date, two auctions of narrowband
personal communications services (PCS) licenses have been conducted. For purposes of the two auctions
that have already been held, small businesseswere entities with average gross revenues for the prior
three calendar years of $40 million or less. Through these auctions, the Commission has awarded a total
of 41 licenses, out of which 11 were obtained by small businesses. To ensure meaningful participation of
small business entities in future auctions, the Commission has adopted a two-tiered small business size
standard in the Narrowband PCS Second Report and Order.
295
A small businessis an entity that,
together with affiliates and controlling interests, has average gross revenues for the three preceding years
of not more than $40 million. A very small businessis an entity that, together with affiliates and
288
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
289
Id.
290
Trends in Telephone Serviceat Table 5.3.
291
See Amendment of Parts 20 and 24 of the Commissions Rules Broadband PCS Competitive Bidding and the
Commercial Mobile Radio Service Spectrum Cap, WT Docket No. 96-59, Report and Order, 11 FCC Rcd 7824, 61
FR 33859 (July 1, 1996) (PCS Order); see also 47 C.F.R. § 24.720(b).
292
See PCS Order, 11 FCC Rcd 7824.
293
See, e.g., Implementation of Section 309(j) of the Communications Act Competitive Bidding, PP Docket No. 93-
253, Fifth Report and Order, 9 FCC Rcd 5332, 59 FR 37566 (July 22, 1994).
294
FCC News, Broadband PCS, D, E and F Block Auction Closes, No. 71744 (rel. Jan. 14, 1997); see also
Amendment of the Commission’s Rules Regarding Installment Payment Financing for Personal Communications
Services (PCS) Licenses, WT Docket No. 97-82, Second Report and Order, 12 FCC Rcd 16436, 62 FR 55348 (Oct.
24, 1997).
295
Amendment of the Commissions Rules to Establish New Personal Communications Services, Narrowband PCS,
Docket No. ET 92-100, Docket No. PP 93-253, Second Report and Order and Second Further Notice of Proposed
Rulemaking, 15 FCC Rcd 10456, 65 FR 35875 (June 6, 2000).
Federal Communications Commission FCC 07-22
63
controlling interests, has average gross revenues for the three preceding years of not more than $15
million. The SBA has approved these small business size standards.
296
In the future, the Commission
will auction 459 licenses to serve Metropolitan Trading Areas (MTAs) and 408 response channel licenses.
There is also one megahertz of narrowband PCS spectrum that has been held in reserve and that the
Commission has not yet decided to release for licensing. The Commission cannot predict accurately the
number of licenses that will be awarded to small entities in future auctions. However, four of the 16
winning bidders in the two previous narrowband PCS auctions were small businesses, as that term was
defined. The Commission assumes, for purposes of this analysis that a large portion of the remaining
narrowband PCS licenses will be awarded to small entities. The Commission also assumes that at least
some small businesses will acquire narrowband PCS licenses by means of the Commissions partitioning
and disaggregation rules.
117. 220 MHz Radio Service Phase I Licensees. The 220 MHz service has both Phase I and
Phase II licenses. Phase I licensing was conducted by lotteries in 1992 and 1993. There are
approximately 1,515 such non-nationwide licensees and four nationwide licensees currently authorized to
operate in the 220 MHz band. The Commission has not developed a small business size standard for
small entities specifically applicable to such incumbent 220 MHz Phase I licensees. To estimate the
number of such licensees that are small businesses, we apply the small business size standard under the
SBA rules applicable to “Cellular and Other Wireless Telecommunications” companies. This category
provides that a small business is a wireless company employing no more than 1,500 persons.
297
For the
census category Cellular and Other Wireless Telecommunications, Census Bureau data for 1997 show
that there were 977 firms in this category, total, that operated for the entire year.
298
Of this total, 965
firms had employment of 999 or fewer employees, and an additional 12 firms had employment of 1,000
employees or more.
299
Thus, under this second category and size standard, the majority of firms can,
again, be considered small. Assuming this general ratio continues in the context of Phase I 220 MHz
licensees, the Commission estimates that nearly all such licensees are small businesses under the SBA’s
small business size standard. In addition, limited preliminary census data for 2002 indicate that the total
number of cellular and other wireless telecommunications carriers increased approximately 321 percent
from 1997 to 2002.
300
118. 220 MHz Radio Service Phase II Licensees. The 220 MHz service has both Phase I and
Phase II licenses. The Phase II 220 MHz service is a new service, and is subject to spectrum auctions. In
the 220 MHz Third Report and Order, we adopted a small business size standard for “small” and “very
small” businesses for purposes of determining their eligibility for special provisions such as bidding
credits and installment payments.
301
This small business size standard indicates that a “small business” is
an entity that, together with its affiliates and controlling principals, has average gross revenues not
296
See SBA Dec. 2, 1998 Letter.
297
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
298
U.S. Census Bureau, 1997 Economic Census, Subject Series: “Information,” Table 5, Employment Size of Firms
Subject to Federal Income Tax: 1997, NAICS code 513322 (issued October 2000).
299
Id. The census data do not provide a more precise estimate of the number of firms that have employment of
1,500 or fewer employees; the largest category provided is “Firms with 1000 employees or more.”
300
See U.S. Census Bureau, 2002 Economic Census, Industry Series: “Information,” Table 2, Comparative
Statistics for the United States (1997 NAICS Basis): 2002 and 1997, NAICS code 513322 (issued Nov. 2004). The
preliminary data indicate that the total number of “establishments” increased from 2,959 to 9,511. In this context,
the number of establishments is a less helpful indicator of small business prevalence than is the number of “firms,”
because the latter number takes into account the concept of common ownership or control. The more helpful 2002
census data on firms, including employment and receipts numbers, will be issued in late 2005.
301
220 MHz Third Report and Order, 12 FCC Rcd 10943, 11068-70, paras. 291-295 (1997).
Federal Communications Commission FCC 07-22
64
exceeding $15 million for the preceding three years.
302
A “very small business” is an entity that, together
with its affiliates and controlling principals, has average gross revenues that do not exceed $3 million for
the preceding three years. The SBA has approved these small business size standards.
303
Auctions of
Phase II licenses commenced on September 15, 1998, and closed on October 22, 1998.
304
In the first
auction, 908 licenses were auctioned in three different-sized geographic areas: three nationwide licenses,
30 Regional Economic Area Group (EAG) Licenses, and 875 Economic Area (EA) Licenses. Of the 908
licenses auctioned, 693 were sold.
305
Thirty-nine small businesses won licenses in the first 220 MHz
auction. The second auction included 225 licenses: 216 EA licenses and 9 EAG licenses. Fourteen
companies claiming small business status won 158 licenses.
306
119. 800 MHz and 900 MHz Specialized Mobile Radio Licenses. The Commission awards
“small entity” and “very small entity” bidding credits in auctions for Specialized Mobile Radio (SMR)
geographic area licenses in the 800 MHz and 900 MHz bands to firms that had revenues of no more than
$15 million in each of the three previous calendar years, or that had revenues of no more than $3 million
in each of the previous calendar years, respectively.
307
These bidding credits apply to SMR providers in
the 800 MHz and 900 MHz bands that either hold geographic area licenses or have obtained extended
implementation authorizations. The Commission does not know how many firms provide 800 MHz or
900 MHz geographic area SMR service pursuant to extended implementation authorizations, nor how
many of these providers have annual revenues of no more than $15 million. One firm has over $15
million in revenues. The Commission assumes, for purposes here, that all of the remaining existing
extended implementation authorizations are held by small entities, as that term is defined by the SBA.
The Commission has held auctions for geographic area licenses in the 800 MHz and 900 MHz SMR
bands. There were 60 winning bidders that qualified as small or very small entities in the 900 MHz SMR
auctions. Of the 1,020 licenses won in the 900 MHz auction, bidders qualifying as small or very small
entities won 263 licenses. In the 800 MHz auction, 38 of the 524 licenses won were won by small and
very small entities.
120. 700 MHz Guard Band Licensees. In the 700 MHz Guard Band Order, we adopted a
small business size standard for “small businesses” and “very small businesses” for purposes of
determining their eligibility for special provisions such as bidding credits and installment payments.
308
A
“small business” as an entity that, together with its affiliates and controlling principals, has average gross
revenues not exceeding $15 million for the preceding three years. Additionally, a “very small business”
is an entity that, together with its affiliates and controlling principals, has average gross revenues that are
not more than $3 million for the preceding three years. An auction of 52 Major Economic Area (MEA)
licenses commenced on September 6, 2000, and closed on September 21, 2000.
309
Of the 104 licenses
auctioned, 96 licenses were sold to nine bidders. Five of these bidders were small businesses that won a
total of 26 licenses. A second auction of 700 MHz Guard Band licenses commenced on February 13,
302
Id. at 11068, para. 291.
303
See Letter to D. Phythyon, Chief, Wireless Telecommunications Bureau, Federal Communications Commission,
from A. Alvarez, Administrator, Small Business Administration (Jan. 6, 1998).
304
See generally Public Notice, “220 MHz Service Auction Closes,” 14 FCC Rcd 605 (1998).
305
See, e.g., Public Notice, “FCC Announces It is Prepared to Grant 654 Phase II 220 MHz Licenses After Final
Payment is Made,” 14 FCC Rcd 1085 (1999).
306
Public Notice, “Phase II 220 MHz Service Spectrum Auction Closes,” 14 FCC Rcd 11218 (1999).
307
47 C.F.R. § 90.814(b)(1).
308
See Service Rules for the 746-764 MHz Bands, and Revisions to part 27 of the Commission’s Rules, WT Docket
No. 99-168, Second Report and Order, 65 FR 17599 (Apr. 4, 2000).
309
See generally Public Notice, “220 MHz Service Auction Closes,” Report No. WT 98-36 (Oct. 23, 1998).
Federal Communications Commission FCC 07-22
65
2001 and closed on February 21, 2001. All eight of the licenses auctioned were sold to three bidders.
One of these bidders was a small business that won a total of two licenses.
310
121. Rural Radiotelephone Service. The Commission has not adopted a size standard for
small businesses specific to the Rural Radiotelephone Service.
311
A significant subset of the Rural
Radiotelephone Service is the Basic Exchange Telephone Radio System (BETRS).
312
The Commission
uses the SBAs small business size standard applicable to Cellular and Other Wireless
Telecommunications,i.e., an entity employing no more than 1,500 persons.
313
There are approximately
1,000 licensees in the Rural Radiotelephone Service, and the Commission estimates that there are 1,000
or fewer small entity licensees in the Rural Radiotelephone Service that may be affected by the rules and
policies adopted herein.
122. Air-Ground Radiotelephone Service. The Commission has not adopted a small business
size standard specific to the Air-Ground Radiotelephone Service.
314
We will use SBAs small business
size standard applicable to Cellular and Other Wireless Telecommunications, i.e., an entity employing
no more than 1,500 persons.
315
There are approximately 100 licensees in the Air-Ground Radiotelephone
Service, and we estimate that almost all of them qualify as small under the SBA small business size
standard.
123. Aviation and Marine Radio Services. Small businesses in the aviation and marine radio
services use a very high frequency (VHF) marine or aircraft radio and, as appropriate, an emergency
position-indicating radio beacon (and/or radar) or an emergency locator transmitter. The Commission has
not developed a small business size standard specifically applicable to these small businesses. For
purposes of this analysis, the Commission uses the SBA small business size standard for the category
“Cellular and Other Telecommunications,” which is 1,500 or fewer employees.
316
Most applicants for
recreational licenses are individuals. Approximately 581,000 ship station licensees and 131,000 aircraft
station licensees operate domestically and are not subject to the radio carriage requirements of any statute
or treaty. For purposes of our evaluations in this analysis, we estimate that there are up to approximately
712,000 licensees that are small businesses (or individuals) under the SBA standard. In addition, between
December 3, 1998 and December 14, 1998, the Commission held an auction of 42 VHF Public Coast
licenses in the 157.1875-157.4500 MHz (ship transmit) and 161.775-162.0125 MHz (coast transmit)
bands. For purposes of the auction, the Commission defined a “small” business as an entity that, together
with controlling interests and affiliates, has average gross revenues for the preceding three years not to
exceed $15 million dollars. In addition, a “very small” business is one that, together with controlling
interests and affiliates, has average gross revenues for the preceding three years not to exceed $3 million
dollars.
317
There are approximately 10,672 licensees in the Marine Coast Service, and the Commission
estimates that almost all of them qualify as “small” businesses under the above special small business size
standards.
310
Public Notice, “700 MHz Guard Band Auction Closes,” DA 01-478 (rel. Feb. 22, 2001).
311
The service is defined in section 22.99 of the Commissions Rules, 47 C.F.R. § 22.99.
312
BETRS is defined in sections 22.757 and 22.759 of the Commissions Rules, 47 C.F.R. §§ 22.757 and 22.759.
313
13 C.F.R. § 121.201, NAICS code 517212.
314
The service is defined in section 22.99 of the Commissions Rules, 47 C.F.R. § 22.99.
315
13 C.F.R. § 121.201, NAICS codes 517212.
316
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
317
Amendment of the Commission’s Rules Concerning Maritime Communications, PR Docket No. 92-257, Third
Report and Order and Memorandum Opinion and Order, 13 FCC Rcd 19853 (1998).
Federal Communications Commission FCC 07-22
66
124. Offshore Radiotelephone Service. This service operates on several UHF television
broadcast channels that are not used for television broadcasting in the coastal areas of states bordering the
Gulf of Mexico.
318
There are presently approximately 55 licensees in this service. We are unable to
estimate at this time the number of licensees that would qualify as small under the SBAs small business
size standard for Cellular and Other Wireless Telecommunicationsservices.
319
Under that SBA small
business size standard, a business is small if it has 1,500 or fewer employees.
320
125. 39 GHz Service. The Commission created a special small business size standard for 39
GHz licenses an entity that has average gross revenues of $40 million or less in the three previous
calendar years.
321
An additional size standard for “very small business” is: an entity that, together with
affiliates, has average gross revenues of not more than $15 million for the preceding three calendar
years.
322
The SBA has approved these small business size standards.
323
The auction of the 2,173 39 GHz
licenses began on April 12, 2000 and closed on May 8, 2000. The 18 bidders who claimed small business
status won 849 licenses. Consequently, the Commission estimates that 18 or fewer 39 GHz licensees are
small entities that may be affected by the rules and polices adopted herein.
126. Multipoint Distribution Service, Multichannel Multipoint Distribution Service, and ITFS.
Multichannel Multipoint Distribution Service (MMDS) systems, often referred to as “wireless cable,”
transmit video programming to subscribers using the microwave frequencies of the Multipoint
Distribution Service (MDS) and Instructional Television Fixed Service (ITFS).
324
In connection with the
1996 MDS auction, the Commission established a small business size standard as an entity that had
annual average gross revenues of less than $40 million in the previous three calendar years.
325
The MDS
auctions resulted in 67 successful bidders obtaining licensing opportunities for 493 Basic Trading Areas
(BTAs). Of the 67 auction winners, 61 met the definition of a small business. MDS also includes
licensees of stations authorized prior to the auction. In addition, the SBA has developed a small business
size standard for Cable and Other Program Distribution, which includes all such companies generating
$12.5 million or less in annual receipts.
326
According to Census Bureau data for 1997, there were a total
of 1,311 firms in this category, total, that had operated for the entire year.
327
Of this total, 1,180 firms had
annual receipts of under $10 million and an additional 52 firms had receipts of $10 million or more but
less than $25 million. Consequently, we estimate that the majority of providers in this service category
are small businesses that may be affected by the rules and policies adopted herein. This SBA small
business size standard also appears applicable to ITFS. There are presently 2,032 ITFS licensees. All but
318
This service is governed by Subpart I of Part 22 of the Commissions rules. See 47 C.F.R. §§ 22.1001-22.1037.
319
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
320
Id.
321
See Amendment of the Commission’s Rules Regarding the 37.0-38.6 GHz and 38.6-40.0 GHz Bands, ET Docket
No. 95-183, Report and Order, 63 Fed. Reg. 6079 (Feb. 6, 1998).
322
Id.
323
See Letter to Kathleen O’Brien Ham, Chief, Auctions and Industry Analysis Division, Wireless
Telecommunications Bureau, FCC, from Aida Alvarez, Administrator, SBA (Feb. 4, 1998).
324
Amendment of Parts 21 and 74 of the Commission’s Rules with Regard to Filing Procedures in the Multipoint
Distribution Service and in the Instructional Television Fixed Service and Implementation of Section 309(j) of the
Communications Act Competitive Bidding, MM Docket No. 94-131 and PP Docket No. 93-253, Report and Order,
10 FCC Rcd 9589, 9593, para. 7 (1995).
325
47 C.F.R. § 21.961(b)(1).
326
13 C.F.R. § 121.201, NAICS code 513220 (changed to 517510 in October 2002).
327
U.S. Census Bureau, 1997 Economic Census, Subject Series: Information, “Establishment and Firm Size
(Including Legal Form of Organization)”, Table 4, NAICS code 513220 (issued October 2000).
Federal Communications Commission FCC 07-22
67
100 of these licenses are held by educational institutions. Educational institutions are included in this
analysis as small entities.
328
Thus, we tentatively conclude that at least 1,932 licensees are small
businesses.
127. Local Multipoint Distribution Service. Local Multipoint Distribution Service (LMDS) is
a fixed broadband point-to-multipoint microwave service that provides for two-way video
telecommunications.
329
The auction of the 1,030 Local Multipoint Distribution Service (LMDS) licenses
began on February 18, 1998 and closed on March 25, 1998. The Commission established a small
business size standard for LMDS licenses as an entity that has average gross revenues of less than $40
million in the three previous calendar years.
330
An additional small business size standard for “very small
business” was added as an entity that, together with its affiliates, has average gross revenues of not more
than $15 million for the preceding three calendar years.
331
The SBA has approved these small business
size standards in the context of LMDS auctions.
332
There were 93 winning bidders that qualified as small
entities in the LMDS auctions. A total of 93 small and very small business bidders won approximately
277 A Block licenses and 387 B Block licenses. On March 27, 1999, the Commission re-auctioned 161
licenses; there were 40 winning bidders. Based on this information, we conclude that the number of small
LMDS licenses consists of the 93 winning bidders in the first auction and the 40 winning bidders in the
re-auction, for a total of 133 small entity LMDS providers.
128. 218-219 MHz Service. The first auction of 218-219 MHz spectrum resulted in 170
entities winning licenses for 594 Metropolitan Statistical Area (MSA) licenses. Of the 594 licenses, 557
were won by entities qualifying as a small business. For that auction, the small business size standard
was an entity that, together with its affiliates, has no more than a $6 million net worth and, after federal
income taxes (excluding any carry over losses), has no more than $2 million in annual profits each year
for the previous two years.
333
In the 218-219 MHz Report and Order and Memorandum Opinion and
Order, we established a small business size standard for a “small business” as an entity that, together with
its affiliates and persons or entities that hold interests in such an entity and their affiliates, has average
annual gross revenues not to exceed $15 million for the preceding three years.
334
A “very small business”
is defined as an entity that, together with its affiliates and persons or entities that hold interests in such an
entity and its affiliates, has average annual gross revenues not to exceed $3 million for the preceding three
years.
335
We cannot estimate, however, the number of licenses that will be won by entities qualifying as
small or very small businesses under our rules in future auctions of 218-219 MHz spectrum.
328
In addition, the term “small entity” within SBREFA applies to small organizations (nonprofits) and to small
governmental jurisdictions (cities, counties, towns, townships, villages, school districts, and special districts with
populations of less than 50,000). 5 U.S.C. §§ 601(4)-(6). We do not collect annual revenue data on ITFS licensees.
329
See Local Multipoint Distribution Service, Second Report and Order, 12 FCC Rcd 12545 (1997).
330
Id.
331
See id.
332
See Letter to Dan Phythyon, Chief, Wireless Telecommunications Bureau, FCC, from Aida Alvarez,
Administrator, SBA (Jan. 6, 1998).
333
Implementation of Section 309(j) of the Communications Act Competitive Bidding, PP Docket No. 93-253,
Fourth Report and Order, 59 Fed. Reg. 24947 (May 13, 1994).
334
Amendment of Part 95 of the Commission’s Rules to Provide Regulatory Flexibility in the 218-219 MHz Service,
WT Docket No. 98-169, Report and Order and Memorandum Opinion and Order, 64 Fed. Reg. 59656 (Nov. 3,
1999).
335
Amendment of Part 95 of the Commission’s Rules to Provide Regulatory Flexibility in the 218-219 MHz Service,
WT Docket No. 98-169, Report and Order and Memorandum Opinion and Order, 64 Fed. Reg. 59656 (Nov. 3,
1999).
Federal Communications Commission FCC 07-22
68
129. 24 GHz Incumbent Licensees. This analysis may affect incumbent licensees who were
relocated to the 24 GHz band from the 18 GHz band, and applicants who wish to provide services in the
24 GHz band. The applicable SBA small business size standard is that of “Cellular and Other Wireless
Telecommunications” companies. This category provides that such a company is small if it employs no
more than 1,500 persons.
336
According to Census Bureau data for 1997, there were 977 firms in this
category, total, that operated for the entire year.
337
Of this total, 965 firms had employment of 999 or
fewer employees, and an additional 12 firms had employment of 1,000 employees or more.
338
Thus,
under this size standard, the great majority of firms can be considered small. These broader census data
notwithstanding, we believe that there are only two licensees in the 24 GHz band that were relocated from
the 18 GHz band, Teligent
339
and TRW, Inc. It is our understanding that Teligent and its related
companies have less than 1,500 employees, though this may change in the future. TRW is not a small
entity. Thus, only one incumbent licensee in the 24 GHz band is a small business entity.
130. 24 GHz Future Licensees. With respect to new applicants in the 24 GHz band, the
small business size standard for “small business” is an entity that, together with controlling interests and
affiliates, has average annual gross revenues for the three preceding years not in excess of $15 million.
340
“Very small business” in the 24 GHz band is an entity that, together with controlling interests and
affiliates, has average gross revenues not exceeding $3 million for the preceding three years.
341
The SBA
has approved these small business size standards.
342
These size standards will apply to the future auction,
if held.
2. Cable and OVS Operators
131. Cable and Other Program Distribution. This category includes cable systems operators,
closed circuit television services, direct broadcast satellite services, multipoint distribution systems,
satellite master antenna systems, and subscription television services. The SBA has developed small
business size standard for this census category, which includes all such companies generating $12.5
million or less in revenue annually.
343
According to Census Bureau data for 2002, there were a total of
1,191 firms in this category that operated for the entire year.
344
Of this total, 1,087 firms had annual
receipts of under $10 million, and 43 firms had receipts of $10 million or more but less than $25
336
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
337
U.S. Census Bureau, 1997 Economic Census, Subject Series: Information, “Employment Size of Firms Subject
to Federal Income Tax: 1997,” Table 5, NAICS code 513322 (issued Oct. 2000).
338
Id. The census data do not provide a more precise estimate of the number of firms that have employment of
1,500 or fewer employees; the largest category provided is “Firms with 1,000 employees or more.”
339
Teligent acquired the DEMS licenses of FirstMark, the only licensee other than TRW in the 24 GHz band whose
license has been modified to require relocation to the 24 GHz band.
340
Amendments to Parts 1,2, 87 and 101 of the Commission’s Rules to License Fixed Services at 24 GHz, Report
and Order, 15 FCC Rcd 16934, 16967 (2000); see also 47 C.F.R. § 101.538(a)(2).
341
Amendments to Parts 1,2, 87 and 101 of the Commission’s Rules to License Fixed Services at 24 GHz, Report
and Order, 15 FCC Rcd 16934, 16967 (2000); see also 47 C.F.R. § 101.538(a)(1).
342
See Letter to Margaret W. Wiener, Deputy Chief, Auctions and Industry Analysis Division, Wireless
Telecommunications Bureau, FCC, from Gary M. Jackson, Assistant Administrator, SBA (July 28, 2000).
343
13 C.F.R. § 121.201, North American Industry Classification System (NAICS) code 513220 (changed to 517510
in October 2002).
344
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information, Table 4, Receipts Size of Firms for the
United States: 2002, NAICS code 517510 (issued November 2005).
Federal Communications Commission FCC 07-22
69
million.
345
Consequently, the Commission estimates that the majority of providers in this service
category are small businesses that may be affected by the rules and policies adopted herein.
132. Cable System Operators. The Commission has developed its own small business size
standards for cable system operators, for purposes of rate regulation. Under the Commissions rules, a
small cable companyis one serving fewer than 400,000 subscribers nationwide.
346
In addition, a small
system” is a system serving 15,000 or fewer subscribers.
347
133. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as
amended, also contains a size standard for small cable system operators, which is a cable operator that,
directly or through an affiliate, serves in the aggregate fewer than 1 percent of all subscribers in the
United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate
exceed $250,000,000.
348
The Commission has determined that there are approximately 67,700,000
subscribers in the United States.
349
Therefore, an operator serving fewer than 677,000 subscribers shall
be deemed a small operator, if its annual revenues, when combined with the total annual revenues of all
its affiliates, do not exceed $250 million in the aggregate.
350
Based on available data, the Commission
estimates that the number of cable operators serving 677,000 subscribers or fewer, totals 1,450. The
Commission neither requests nor collects information on whether cable system operators are affiliated
with entities whose gross annual revenues exceed $250 million,
351
and therefore is unable, at this time, to
estimate more accurately the number of cable system operators that would qualify as small cable
operators under the size standard contained in the Communications Act of 1934.
134. Open Video Services. Open Video Service (OVS) systems provide subscription
services.
352
The SBA has created a small business size standard for Cable and Other Program
Distribution.
353
This standard provides that a small entity is one with $12.5 million or less in annual
receipts. The Commission has certified approximately 25 OVS operators to serve 75 areas, and some of
these are currently providing service.
354
Affiliates of Residential Communications Network, Inc. (RCN)
received approval to operate OVS systems in New York City, Boston, Washington, D.C., and other areas.
RCN has sufficient revenues to assure that they do not qualify as a small business entity. Little financial
information is available for the other entities that are authorized to provide OVS and are not yet
operational. Given that some entities authorized to provide OVS service have not yet begun to generate
345
Id. An additional 61 firms had annual receipts of $25 million or more.
346
47 C.F.R. § 76.901(e). The Commission determined that this size standard equates approximately to a size
standard of $100 million or less in annual revenues. Implementation of Sections of the 1992 Cable Act: Rate
Regulation, Sixth Report and Order and Eleventh Order on Reconsideration, 10 FCC Rcd 7393, 7408 (1995).
347
47 C.F.R. § 76.901(c).
348
47 U.S.C. § 543(m)(2); see 47 C.F.R. § 76.901(f) & nn. 1-3.
349
See Public Notice, FCC Announces New Subscriber Count for the Definition of Small Cable Operator, DA
01-158 (Cable Services Bureau, Jan. 24, 2001).
350
47 C.F.R. § 76.901(f).
351
The Commission does receive such information on a case-by-case basis if a cable operator appeals a local
franchise authoritys finding that the operator does not qualify as a small cable operator pursuant to § 76.901(f) of
the Commissions rules. See 47 C.F.R. § 76.909(b).
352
See 47 U.S.C. § 573.
353
13 C.F.R. § 121.201, NAICS code 513220 (changed to 517510 in October 2002).
354
See <http://www.fcc.gov/csb/ovs/csovscer.html> (current as of March 2002).
Federal Communications Commission FCC 07-22
70
revenues, the Commission concludes that up to 24 OVS operators (those remaining) might qualify as
small businesses that may be affected by the rules and policies adopted herein.
3. Internet Service Providers
135. Internet Service Providers. The SBA has developed a small business size standard for
Internet Service Providers (ISPs). ISPs provide clients access to the Internet and generally provide
related services such as web hosting, web page designing, and hardware or software consulting related to
Internet connectivity.
355
Under the SBA size standard, such a business is small if it has average annual
receipts of $21 million or less.
356
According to Census Bureau data for 2002, there were 2,529 firms in
this category that operated for the entire year.
357
Of these, 2,437 firms had annual receipts of under $10
million, and 47 firms had receipts of $10 million or more but less then $25 million.
358
Consequently, we
estimate that the majority of these firms are small entities that may be affected by our action.
4. Other Internet-Related Entities
136. Web Search Portals. Our action pertains to interconnected VoIP services, which could
be provided by entities that provide other services such as email, online gaming, web browsing, video
conferencing, instant messaging, and other, similar IP-enabled services. The Commission has not
adopted a size standard for entities that create or provide these types of services or applications.
However, the census bureau has identified firms that “operate web sites that use a search engine to
generate and maintain extensive databases of Internet addresses and content in an easily searchable
format. Web search portals often provide additional Internet services, such as e-mail, connections to
other web sites, auctions, news, and other limited content, and serve as a home base for Internet users.”
359
The SBA has developed a small business size standard for this category; that size standard is $6 million
or less in average annual receipts.
360
According to Census Bureau data for 1997, there were 195 firms in
this category that operated for the entire year.
361
Of these, 172 had annual receipts of under $5 million,
and an additional nine firms had receipts of between $5 million and $9,999,999. Consequently, we
estimate that the majority of these firms are small entities that may be affected by our action.
137. Data Processing, Hosting, and Related Services. Entities in this category “primarily …
provid[e] infrastructure for hosting or data processing services.”
362
The SBA has developed a small
business size standard for this category; that size standard is $21 million or less in average annual
355
U.S. Census Bureau, 2002 NAICS Definitions: 518111 Internet Service Providers(Feb. 2004)
<www.census.gov>.
356
13 C.F.R. § 121.201, NAICS code 518111 (changed from previous code 514191, On-Line Information
Services,in Oct. 2002).
357
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information, Table 4, Receipts Size of Firms for
the United States: 2002, NAICS code 518111 (issued November 2005).
358
Id. An additional 45 firms had annual receipts of $25 million or more.
359
U.S. Census Bureau, “2002 NAICS Definitions: 518112 Web Search Portals” (Feb. 2004) <www.census.gov>.
360
13 C.F.R. § 121.201, NAICS code 518112 (changed from 514199 in Oct. 2002).
361
U.S. Census Bureau, 1997 Economic Census, Subject Series: Information, “Establishment and Firm Size
(Including Legal Form of Organization),” Table 4, NAICS code 514199 (issued Oct. 2000). This category was
created for the 2002 Economic Census by taking a portion of the superseded 1997 category, “All Other Information
Services,” NAICS code 514199. The data cited in the text above are derived from the superseded category.
362
U.S. Census Bureau, “2002 NAICS Definitions: 518210 Data Processing, Hosting, and Related Services” (Feb.
2004) <www.census.gov>.
Federal Communications Commission FCC 07-22
71
receipts.
363
According to Census Bureau data for 1997, there were 3,700 firms in this category that
operated for the entire year.
364
Of these, 3,477 had annual receipts of under $10 million, and an additional
108 firms had receipts of between $10 million and $24,999,999. Consequently, we estimate that the
majority of these firms are small entities that may be affected by our action.
138. All Other Information Services. “This industry comprises establishments primarily
engaged in providing other information services (except new syndicates and libraries and archives).
365
Our action pertains to interconnected VoIP services, which could be provided by entities that provide
other services such as email, online gaming, web browsing, video conferencing, instant messaging, and
other, similar IP-enabled services. The SBA has developed a small business size standard for this
category; that size standard is $6 million or less in average annual receipts.
366
According to Census
Bureau data for 1997, there were 195 firms in this category that operated for the entire year.
367
Of these,
172 had annual receipts of under $5 million, and an additional nine firms had receipts of between $5
million and $9,999,999. Consequently, we estimate that the majority of these firms are small entities that
may be affected by our action.
139. Internet Publishing and Broadcasting. “This industry comprises establishments engaged
in publishing and/or broadcasting content on the Internet exclusively. These establishments do not
provide traditional (non-Internet) versions of the content that they publish or broadcast.”
368
The SBA has
developed a small business size standard for this new (2002) census category; that size standard is 500 or
fewer employees.
369
To assess the prevalence of small entities in this category, we will use 1997 Census
Bureau data for a relevant, now-superseded census category, “All Other Information Services.” The SBA
small business size standard for that prior category was $6 million or less in average annual receipts.
According to Census Bureau data for 1997, there were 195 firms in the prior category that operated for
the entire year.
370
Of these, 172 had annual receipts of under $5 million, and an additional nine firms had
receipts of between $5 million and $9,999,999. Consequently, we estimate that the majority of the firms
in this current category are small entities that may be affected by our action.
140. Software Publishers. These companies may design, develop or publish software and may
provide other support services to software purchasers, such as providing documentation or assisting in
installation. The companies may also design software to meet the needs of specific users. The SBA has
developed a small business size standard of $21 million or less in average annual receipts for all of the
363
13 C.F.R. § 121.201, NAICS code 518210 (changed from 514210 in Oct. 2002).
364
U.S. Census Bureau, 1997 Economic Census, Subject Series: Information, “Establishment and Firm Size
(Including Legal Form of Organization),” Table 4, NAICS code 514210 (issued Oct. 2000).
365
U.S. Census Bureau, 2002 NAICS Definitions: 519190 All Other Information Services(Feb. 2004)
<www.census.gov>.
366
13 C.F.R. § 121.201, NAICS code 519190 (changed from 514199 in Oct. 2002).
367
U.S. Census Bureau, 1997 Economic Census, Subject Series: Information, Establishment and Firm Size
(Including Legal Form of Organization),Table 4, NAICS code 514199 (issued Oct. 2000). This category was
created for the 2002 Economic Census by taking a portion of the superseded 1997 category, All Other Information
Services,NAICS code 514199. The data cited in the text above are derived from the superseded category.
368
U.S. Census Bureau, “2002 NAICS Definitions: 516110 Internet Publishing and Broadcasting” (Feb. 2004)
<www.census.gov>.
369
13 C.F.R. § 121.201, NAICS code 516110 (derived from 514199 and other 1997 codes).
370
U.S. Census Bureau, 1997 Economic Census, Subject Series: Information, “Establishment and Firm Size
(Including Legal Form of Organization),” Table 4, NAICS code 514199 (issued Oct. 2000). This category was
created for the 2002 Economic Census by taking portions of numerous 1997 categories.
Federal Communications Commission FCC 07-22
72
following pertinent categories: Software Publishers, Custom Computer Programming Services, and Other
Computer Related Services.
371
For Software Publishers, Census Bureau data for 1997 indicate that there
were 8,188 firms in the category that operated for the entire year.
372
Of these, 7,633 had annual receipts
under $10 million, and an additional 289 firms had receipts of between $10 million and $24, 999,999.
For providers of Custom Computer Programming Services, the Census Bureau data indicate that there
were 19,334 firms that operated for the entire year.
373
Of these, 18,786 had annual receipts of under $10
million, and an additional 352 firms had receipts of between $10 million and $24,999,999. For providers
of Other Computer Related Services, the Census Bureau data indicate that there were 5,524 firms that
operated for the entire year.
374
Of these, 5,484 had annual receipts of under $10 million, and an additional
28 firms had receipts of between $10 million and $24,999,999. Consequently, we estimate that the
majority of the firms in each of these three categories are small entities that may be affected by our action.
5. Equipment Manufacturers
141. The equipment manufacturers described in this section are merely indirectly affected by
our current action, and therefore are not formally a part of this RFA analysis. We have included them,
however, to broaden the record in this proceeding and to alert them to our decisions.
142. Wireless Communications Equipment Manufacturers. The SBA has established a small
business size standard for Radio and Television Broadcasting and Wireless Communications Equipment
Manufacturing. Examples of products in this category include “transmitting and receiving antennas,
cable television equipment, GPS equipment, pagers, cellular phones, mobile communications equipment,
and radio and television studio and broadcasting equipment”
375
and may include other devices that
transmit and receive IP-enabled services, such as personal digital assistants (PDAs). Under the SBA size
standard, firms are considered small if they have 750 or fewer employees.
376
According to Census
Bureau data for 1997, there were 1,215 establishments
377
in this category that operated for the entire
year.
378
Of those, there were 1,150 that had employment of under 500, and an additional 37 that had
employment of 500 to 999. The percentage of wireless equipment manufacturers in this category was
371
13 C.F.R. § 121.201, NAICS codes 511210, 541511, and 541519.
372
U.S. Census Bureau, 1997 Economic Census, Subject Series: Information, “Establishment and Firm Size
(Including Legal Form of Organization),” Table 4, NAICS code 511210 (issued Oct. 2000).
373
U.S. Census Bureau, 1997 Economic Census, Subject Series: Professional, Scientific, and Technical Services,
“Establishment and Firm Size (Including Legal Form of Organization),” Table 4a, NAICS code 541511 (issued Oct.
2000).
374
U.S. Census Bureau, 1997 Economic Census, Subject Series: Professional, Scientific, and Technical Services,
“Establishment and Firm Size (Including Legal Form of Organization),” Table 4a, NAICS code 541519 (issued Oct.
2000).
375
Office of Management and Budget, North American Industry Classification System 308-09 (1997) (NAICS code
334220).
376
13 C.F.R. § 121.201, NAICS code 334220.
377
The number of “establishments” is a less helpful indicator of small business prevalence in this context than would
be the number of “firms” or “companies,” because the latter take into account the concept of common ownership or
control. Any single physical location for an entity is an establishment, even though that location may be owned by a
different establishment. Thus, the numbers given may reflect inflated numbers of businesses in this category,
including the numbers of small businesses. In this category, the Census breaks-out data for firms or companies only
to give the total number of such entities for 1997, which were 1,089.
378
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Industry Statistics by
Employment Size,” Table 4, NAICS code 334220 (issued Aug. 1999).
Federal Communications Commission FCC 07-22
73
approximately 61.35%,
379
so we estimate that the number of wireless equipment manufacturers with
employment of under 500 was actually closer to 706, with an additional 23 establishments having
employment of between 500 and 999. Consequently, we estimate that the majority of wireless
communications equipment manufacturers are small entities that may be affected by our action.
143. Telephone Apparatus Manufacturing. This category “comprises establishments primarily
engaged primarily in manufacturing wire telephone and data communications equipment.”
380
Examples
of pertinent products are “central office switching equipment, cordless telephones (except cellular), PBX
equipment, telephones, telephone answering machines, and data communications equipment, such as
bridges, routers, and gateways.”
381
The SBA has developed a small business size standard for this
category of manufacturing; that size standard is 1,000 or fewer employees.
382
According to Census
Bureau data for 1997, there were 598 establishments in this category that operated for the entire year.
383
Of these, 574 had employment of under 1,000, and an additional 17 establishments had employment of
1,000 to 2,499. Consequently, we estimate that the majority of these establishments are small entities that
may be affected by our action.
144. Electronic Computer Manufacturing. This category “comprises establishments primarily
engaged in manufacturing and/or assembling electronic computers, such as mainframes, personal
computers, workstations, laptops, and computer servers.”
384
The SBA has developed a small business
size standard for this category of manufacturing; that size standard is 1,000 or fewer employees.
385
According to Census Bureau data for 1997, there were 563 establishments in this category that operated
for the entire year.
386
Of these, 544 had employment of under 1,000, and an additional 11 establishments
had employment of 1,000 to 2,499. Consequently, we estimate that the majority of these establishments
are small entities that may be affected by our action.
145. Computer Terminal Manufacturing. “Computer terminals are input/output devices that
connect with a central computer for processing.”
387
The SBA has developed a small business size
standard for this category of manufacturing; that size standard is 1,000 or fewer employees.
388
According
to Census Bureau data for 1997, there were 142 establishments in this category that operated for the entire
379
Id. at Table 5.
380
Office of Management and Budget, North American Industry Classification System 308 (1997) (NAICS code
334210).
381
Id.
382
13 C.F.R. § 121.201, NAICS code 334210.
383
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Telephone Apparatus
Manufacturing,” Table 4, NAICS code 334210 (issued Sept. 1999).
384
Office of Management and Budget, North American Industry Classification System 306 (1997) (NAICS code
334111).
385
13 C.F.R. § 121.201, NAICS code 334111.
386
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Electronic Computer
Manufacturing,” Table 4, NAICS code 334111 (issued Aug. 1999).
387
Office of Management and Budget, North American Industry Classification System 307 (1997) (NAICS code
334113).
388
13 C.F.R. § 121.201, NAICS code 334113.
Federal Communications Commission FCC 07-22
74
year, and all of the establishments had employment of under 1,000.
389
Consequently, we estimate that the
majority or all of these establishments are small entities that may be affected by our action.
146. Other Computer Peripheral Equipment Manufacturing. Examples of peripheral
equipment in this category include keyboards, mouse devices, monitors, and scanners.
390
The SBA has
developed a small business size standard for this category of manufacturing; that size standard is 1,000 or
fewer employees.
391
According to Census Bureau data for 1997, there were 1061 establishments in this
category that operated for the entire year.
392
Of these, 1,046 had employment of under 1,000, and an
additional six establishments had employment of 1,000 to 2,499. Consequently, we estimate that the
majority of these establishments are small entities that may be affected by our action.
147. Fiber Optic Cable Manufacturing. These establishments manufacture “insulated fiber-
optic cable from purchased fiber-optic strand.”
393
The SBA has developed a small business size standard
for this category of manufacturing; that size standard is 1,000 or fewer employees.
394
According to
Census Bureau data for 1997, there were 38 establishments in this category that operated for the entire
year.
395
Of these, 37 had employment of under 1,000, and one establishment had employment of 1,000 to
2,499. Consequently, we estimate that the majority of these establishments are small entities that may be
affected by our action.
148. Other Communication and Energy Wire Manufacturing. These establishments
manufacture “insulated wire and cable of nonferrous metals from purchased wire.”
396
The SBA has
developed a small business size standard for this category of manufacturing; that size standard is 1,000 or
fewer employees.
397
According to Census Bureau data for 1997, there were 275 establishments in this
category that operated for the entire year.
398
Of these, 271 had employment of under 1,000, and four
establishments had employment of 1,000 to 2,499. Consequently, we estimate that the majority or all of
these establishments are small entities that may be affected by our action.
149. Audio and Video Equipment Manufacturing. These establishments manufacture
“electronic audio and video equipment for home entertainment, motor vehicle, public address and musical
389
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Computer Terminal
Manufacturing,” Table 4, NAICS code 334113 (issued Aug. 1999).
390
Office of Management and Budget, North American Industry Classification System 307-08 (1997) (NAICS code
334119).
391
13 C.F.R. § 121.201, NAICS code 334119.
392
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Other Computer Peripheral
Equipment Manufacturing,” Table 4, NAICS code 334119 (issued Aug. 1999).
393
Office of Management and Budget, North American Industry Classification System 330 (1997) (NAICS code
335921).
394
13 C.F.R. § 121.201, NAICS code 335921.
395
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Fiber Optic Cable
Manufacturing,” Table 4, NAICS code 335921 (issued Nov. 1999).
396
Office of Management and Budget, North American Industry Classification System 331 (1997) (NAICS code
335929).
397
13 C.F.R. § 121.201, NAICS code 335929.
398
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Other Communication and
Energy Wire Manufacturing,” Table 4, NAICS code 335929 (issued Nov. 1999).
Federal Communications Commission FCC 07-22
75
instrument amplifications.”
399
The SBA has developed a small business size standard for this category of
manufacturing; that size standard is 750 or fewer employees.
400
According to Census Bureau data for
1997, there were 554 establishments in this category that operated for the entire year.
401
Of these, 542
had employment of under 500, and nine establishments had employment of 500 to 999. Consequently,
we estimate that the majority of these establishments are small entities that may be affected by our action.
150. Electron Tube Manufacturing. These establishments are “primarily engaged in
manufacturing electron tubes and parts (except glass blanks).”
402
The SBA has developed a small
business size standard for this category of manufacturing; that size standard is 750 or fewer employees.
403
According to Census Bureau data for 1997, there were 158 establishments in this category that operated
for the entire year.
404
Of these, 148 had employment of under 500, and three establishments had
employment of 500 to 999. Consequently, we estimate that the majority of these establishments are small
entities that may be affected by our action.
151. Bare Printed Circuit Board Manufacturing. These establishments are “primarily
engaged in manufacturing bare (i.e., rigid or flexible) printed circuit boards without mounted electronic
components.”
405
The SBA has developed a small business size standard for this category of
manufacturing; that size standard is 500 or fewer employees.
406
According to Census Bureau data for
1997, there were 1,389 establishments in this category that operated for the entire year.
407
Of these, 1,369
had employment of under 500, and 16 establishments had employment of 500 to 999. Consequently, we
estimate that the majority of these establishments are small entities that may be affected by our action.
152. Semiconductor and Related Device Manufacturing. These establishments manufacture
“computer storage devices that allow the storage and retrieval of data from a phase change, magnetic,
optical, or magnetic/optical media.”
408
The SBA has developed a small business size standard for this
category of manufacturing; that size standard is 500 or fewer employees.
409
According to Census Bureau
399
U.S. Census Bureau, “2002 NAICS Definitions: 334310 Audio and Video Equipment Manufacturing” (Feb.
2004) <www.census.gov>.
400
13 C.F.R. § 121.201, NAICS code 334310.
401
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Audio and Video Equipment
Manufacturing,” Table 4, NAICS code 334310 (issued Aug. 1999).
402
U.S. Census Bureau, “2002 NAICS Definitions: 334411 Electron Tube Manufacturing” (Feb. 2004)
<www.census.gov>.
403
13 C.F.R. § 121.201, NAICS code 334411.
404
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Electron Tube Manufacturing,”
Table 4, NAICS code 334411 (issued July 1999).
405
U.S. Census Bureau, “2002 NAICS Definitions: 334412 Bare Printed Circuit Board Manufacturing” (Feb. 2004)
<www.census.gov>.
406
13 C.F.R. § 121.201, NAICS code 334412.
407
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Bare Printed Circuit Board
Manufacturing,” Table 4, NAICS code 334412 (issued Aug. 1999).
408
U.S. Census Bureau, “2002 NAICS Definitions: 334413 Semiconductor and Related Device Manufacturing”
(Feb. 2004) <www.census.gov>.
409
13 C.F.R. § 121.201, NAICS code 334413.
Federal Communications Commission FCC 07-22
76
data for 1997, there were 1,082 establishments in this category that operated for the entire year.
410
Of
these, 987 had employment of under 500, and 52 establishments had employment of 500 to 999.
153. Electronic Capacitor Manufacturing. These establishments manufacture “electronic
fixed and variable capacitors and condensers.”
411
The SBA has developed a small business size standard
for this category of manufacturing; that size standard is 500 or fewer employees.
412
According to Census
Bureau data for 1997, there were 128 establishments in this category that operated for the entire year.
413
Of these, 121 had employment of under 500, and four establishments had employment of 500 to 999.
154. Electronic Resistor Manufacturing. These establishments manufacture “electronic
resistors, such as fixed and variable resistors, resistor networks, thermistors, and varistors.”
414
The SBA
has developed a small business size standard for this category of manufacturing; that size standard is 500
or fewer employees.
415
According to Census Bureau data for 1997, there were 118 establishments in this
category that operated for the entire year.
416
Of these, 113 had employment of under 500, and 5
establishments had employment of 500 to 999.
155. Electronic Coil, Transformer, and Other Inductor Manufacturing. These establishments
manufacture “electronic inductors, such as coils and transformers.”
417
The SBA has developed a small
business size standard for this category of manufacturing; that size standard is 500 or fewer employees.
418
According to Census Bureau data for 1997, there were 448 establishments in this category that operated
for the entire year.
419
Of these, 446 had employment of under 500, and two establishments had
employment of 500 to 999.
156. Electronic Connector Manufacturing. These establishments manufacture “electronic
connectors, such as coaxial, cylindrical, rack and panel, pin and sleeve, printed circuit and fiber optic.”
420
The SBA has developed a small business size standard for this category of manufacturing; that size
standard is 500 or fewer employees.
421
According to Census Bureau data for 1997, there were 347
410
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Semiconductor and Related
Device Manufacturing ,” Table 4, NAICS code 334413 (issued July 1999).
411
U.S. Census Bureau, “2002 NAICS Definitions: 334414 Electronic Capacitor Manufacturing” (Feb. 2004)
<www.census.gov>.
412
13 C.F.R. § 121.201, NAICS code 334414.
413
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Electronic Capacitor
Manufacturing,” Table 4, NAICS code 334414 (issued July 1999).
414
U.S. Census Bureau, “2002 NAICS Definitions: 334415 Electronic Resistor Manufacturing” (Feb. 2004)
<www.census.gov>.
415
13 C.F.R. § 121.201, NAICS code 334415.
416
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Electronic Resistor
Manufacturing,” Table 4, NAICS code 334415 (issued Aug. 1999).
417
U.S. Census Bureau, “2002 NAICS Definitions: 334416 Electronic Coil, Transformer, and Other Inductor
Manufacturing” (Feb. 2004) <www.census.gov>.
418
13 C.F.R. § 121.201, NAICS code 334416.
419
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Electronic Coil, Transformer,
and Other Inductor Manufacturing,” Table 4, NAICS code 334416 (issued Aug. 1999).
420
U.S. Census Bureau, “2002 NAICS Definitions: 334417 Electronic Connector Manufacturing” (Feb. 2004)
<www.census.gov>.
421
13 C.F.R. § 121.201, NAICS code 334417.
Federal Communications Commission FCC 07-22
77
establishments in this category that operated for the entire year.
422
Of these, 332 had employment of
under 500, and 12 establishments had employment of 500 to 999.
157. Printed Circuit Assembly (Electronic Assembly) Manufacturing. These are
establishments “primarily engaged in loading components onto printed circuit boards or who manufacture
and ship loaded printed circuit boards.”
423
The SBA has developed a small business size standard for this
category of manufacturing; that size standard is 500 or fewer employees.
424
According to Census Bureau
data for 1997, there were 714 establishments in this category that operated for the entire year.
425
Of these,
673 had employment of under 500, and 24 establishments had employment of 500 to 999.
158. Other Electronic Component Manufacturing. These are establishments “primarily
engaged in loading components onto printed circuit boards or who manufacture and ship loaded printed
circuit boards.”
426
The SBA has developed a small business size standard for this category of
manufacturing; that size standard is 500 or fewer employees.
427
According to Census Bureau data for
1997, there were 1,835 establishments in this category that operated for the entire year.
428
Of these, 1,814
had employment of under 500, and 18 establishments had employment of 500 to 999.
159. Computer Storage Device Manufacturing. These establishments manufacture “computer
storage devices that allow the storage and retrieval of data from a phase change, magnetic, optical, or
magnetic/optical media.”
429
The SBA has developed a small business size standard for this category of
manufacturing; that size standard is 1,000 or fewer employees.
430
According to Census Bureau data for
1997, there were 209 establishments in this category that operated for the entire year.
431
Of these, 197
had employment of under 500, and eight establishments had employment of 500 to 999.
D. Description of Projected Reporting, Recordkeeping and Other Compliance
Requirements
160. We are requiring telecommunications carriers and providers of interconnected VoIP
service to collect certain information and take other actions to comply with our rules regarding the use of
CPNI. For example, carriers must have an officer, as an agent of the carrier, sign and file with the
Commission a compliance certificate on an annual basis stating that the officer has personal knowledge
422
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Electronic Connector
Manufacturing,” Table 4, NAICS code 334417 (issued July 1999).
423
U.S. Census Bureau, “2002 NAICS Definitions: 334418 Printed Circuit Assembly (Electronic Assembly)
Manufacturing” (Feb. 2004) <www.census.gov>.
424
13 C.F.R. § 121.201, NAICS code 334418.
425
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Printed Circuit Assembly
(Electronic Assembly) Manufacturing,” Table 4, NAICS code 334418 (issued Sept. 1999).
426
U.S. Census Bureau, “2002 NAICS Definitions: 334419 Other Electronic Component Manufacturing” (Feb.
2004) <www.census.gov>.
427
13 C.F.R. § 121.201, NAICS code 334419.
428
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Other Electronic Component
Manufacturing,” Table 4, NAICS code 334419 (issued Aug. 1999).
429
U.S. Census Bureau, “2002 NAICS Definitions: 334112 Computer Storage Device Manufacturing” (Feb. 2004)
<www.census.gov>.
430
13 C.F.R. § 121.201, NAICS code 334112.
431
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Computer Storage Device
Manufacturing,” Table 4, NAICS code 334112 (issued July 1999).
Federal Communications Commission FCC 07-22
78
that the carrier has established procedures that are adequate to ensure compliance with the CPNI rules.
432
The carrier must also provide a statement accompanying the certificate explaining how its operating
procedures ensure that it is or is not in compliance with the CPNI rules.
433
Further, the carrier must
include an explanation of any actions taken against data brokers and a summary of all consumer
complaints received in the past year concerning the unauthorized release of CPNI.
434
Additionally,
carriers must obtain opt-in approval before sharing CPNI with their joint venture partners or independent
contractors for the purposes of marketing communications-related services to customers.
435
Also, carriers
are required to maintain a record of any discovered breaches, notifications to the United States Secret
Service (USSS) and the Federal Bureau of Investigation (FBI) regarding those breaches, as well as the
USSS and FBI response to those notifications for a period of at least two years.
436
161. We also impose other requirements on telecommunications carriers and providers of
interconnected VoIP service. Specifically, the Order prohibits carriers from releasing call detail
information over the phone during customer-initiated telephone calls except by those methods provided
for in the Order.
437
The Order also requires, with the exception of carriers that are small businesses, that a
carrier not permit customers to gain access to an online account without first properly authenticating the
customer and, for subsequent access, without a customer password or response to a back-up
authentication method for lost or forgotten passwords, neither of which may be based on a carrier prompt
for readily available biographical information, or account information.
438
For the rules pertaining to
online carrier authentication, we provide carriers that satisfy the definition of a “small entity” or a “small
business concern” under the RFA or SBA an additional six months to implement these rules.
439
162. The Order also requires that carriers notify customers through a carrier-originated
voicemail or text message to the telephone number of record, or by mail or email to the address of record
whenever a password, customer response to a back-up means of authentication for lost or forgotten
passwords, online account, or address of record is created or changed.
440
Further, the Order requires that
carriers notify the USSS and the FBI no later than seven days after a reasonable determination of a CPNI
breach.
441
E. Steps Taken to Minimize Significant Economic Impact on Small Entities, and
Significant Alternatives Considered
163. The RFA requires an agency to describe any significant alternatives that it has considered
in reaching its proposed approach, which may include (among others) the following four alternatives:
(1) the establishment of differing compliance or reporting requirements or timetables that take into
account the resources available to small entities; (2) the clarification, consolidation, or simplification of
compliance or reporting requirements under the rule for small entities; (3) the use of performance, rather
432
See Order at paras. 51-53.
433
See id. at para. 51.
434
See id.
435
See id. at paras. 37-50.
436
See id. at paras. 26-32.
437
See id. at paras. 13-23.
438
See id. at paras. 20-22.
439
See id. at para. 61.
440
See id. at para. 24.
441
See id. at paras. 26-26.
Federal Communications Commission FCC 07-22
79
than design, standards; and (4) an exemption from coverage of the rule, or any part thereof, for small
entities.
442
164. The notices invited comment on a number of issues related to small entities. For
example, the Commission sought comment on the effect the various proposals described in the EPIC
CPNI Notice will have on small entities, and on what effect alternative rules would have on those
entities.
443
Additionally, the Commission invited comment on ways in which the Commission can
achieve its goal of protecting consumers while at the same time impose minimal burdens on small
telecommunications service providers.
444
With respect to any of the Commission consumer protection
regulations already in place, the Commission sought comment on whether it has adopted any provisions
for small entities that the Commission should similarly consider in this proceeding? Specifically, it
invited comment on whether the problems identified by EPIC were better or worse at smaller carriers.
445
The Commission invited comment on whether small carriers should be exempt from password-related
security procedures to protect CPNI.
446
The Commission invited comment on the benefits and burdens of
recording audit trails for the disclosure of CPNI on small carriers.
447
The Commission invited comment
on whether requiring a small carrier to encrypt its stored data would be unduly burdensome.
448
The
Commission solicited comment on the cost to a small carrier of notifying a customer upon release of
CPNI.
449
The Commission sought comment on whether the Commission should amend its rules to
require carriers to file annual certifications concerning CPNI and whether this requirement should extend
to only telecommunications carriers that are not small telephone companies as defined by the Small
Business Administration, and whether small carriers should be subject to different CPNI-related
obligations.
450
165. The Commission has considered each of the alternatives described above, and in today’s
Order, imposes minimal regulation on small entities to the extent consistent with its goal of ensuring that
carriers and providers of interconnected VoIP service protect against the unauthorized release of CPNI.
Specifically, the Commission extended the implementation date for the rules pertaining to online
authentication by six months so that small businesses will have additional time to come into compliance
with the Order’s rules.
451
166. However, as stated above, we must assess the interests of small businesses in light of the
overriding public interest of protecting against the unlawful release of CPNI. The Order discusses that
CPNI is made up of very personal data.
452
Therefore, the Commission concluded that it was important for
all telecommunications carriers and providers of interconnected VoIP service, including small businesses,
to comply with the rules the Commission adopts in this Order six months after the Order’s effective date
or on receipt of OMB approval, as required by the Paperwork Reduction Act, whichever is later. For
442
5 U.S.C. § 603(c).
443
See Notice, 21 FCC Rcd at 1787-89, 1790-91, 1793, paras. 11, 12, 16, 18, 19, 23, 29, 30.
444
See id. at 1793, para. 30.
445
See id. at 1787-88, para. 11.
446
See id. at 1789, para. 16.
447
See id. at 1790, para. 18.
448
See id. at 1790, para. 19.
449
See id. at 1791, para. 23.
450
See id. at 1793, paras. 29-30.
451
See Order at para. 61.
452
See, e.g., id. at para. 5.
Federal Communications Commission FCC 07-22
80
example, the Commission concluded that carriers and providers of interconnected VoIP service must stop
releasing call detail information based on customer-initiated telephone calls except by those methods
provided for in the Order. Additionally, the Commission concluded that it was important for all
telecommunications carriers and providers of interconnected VoIP service to report breaches of CPNI
data to law enforcement. The Commission therefore rejected solutions that would exempt small
businesses. The record indicated that exempting small carriers from these regulations would compromise
the Commission’s goal of protecting all Americans from the unauthorized release of CPNI.
167. Report to Congress: The Commission will send a copy of the Order, including this
FRFA, in a report to be sent to Congress and the Government Accountability Office pursuant to the
Congressional Review Act.
453
In addition, the Commission will send a copy of the Order, including this
FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the Order and FRFA (or summaries
thereof) will also be published in the Federal Register.
454
453
See 5 U.S.C. § 801(a)(1)(A).
454
See 5 U.S.C. § 604(b).
Federal Communications Commission FCC 07-22
81
Appendix D
Initial Regulatory Flexibility Analysis
168. As required by the Regulatory Flexibility Act of 1980, as amended (RFA),
455
the
Commission has prepared the present Initial Regulatory Flexibility Analysis (IRFA) of the possible
significant economic impact on small entities that might result from this Further Notice. Written public
comments are requested on this IRFA. Comments must be identified as responses to the IRFA and must
be filed by the deadlines for comments on the Further Notice provided above. The Commission will send
a copy of the Further Notice, including this IRFA, to the Chief Counsel for Advocacy of the Small
Business Administration.
456
In addition, the Further Notice and the IRFA (or summaries thereof) will be
published in the Federal Register.
457
A. Need for, and Objectives of, the Proposed Rules
169. In the Further Notice, we seek comment on what steps the Commission should take, if
any, to expand its CPNI rules further, and whether it should expand the consumer protections to ensure
that customer information and CPNI are protected in the context of mobile communications devices. In
particular, we seek comment on whether the Commission should adopt any further carrier requirements to
protect CPNI, including password protection, audit trails, physical security, and limits on data
retention.
458
Further, we seek comment on what methods carriers currently use, if any, for erasing
customer information on mobile equipment prior to refurbishing the equipment, and the extent to which
carriers enable customers to permanently erase their personal information prior to discarding the
device.
459
We also seek comment on whether the Commission should require carriers or manufacturers to
permanently erase, or allow customers to permanently erase, customer information in such
circumstances.
460
For each of these issues, we seek comment on the burdens, including those placed on
small carriers, associated with corresponding Commission rules related to each issue.
461
B. Legal Basis
170. The legal basis for any action that may be taken pursuant to this Further Notice is
contained in sections 1, 4(i), 4(j), and 222 of the Communications Act of 1934, as amended, 47 U.S.C. §§
151, 154(i)-(j), 222.
C. Description and Estimate of the Number of Small Entities to Which the Proposed
Rules May Apply
171. The RFA directs agencies to provide a description of and, where feasible, an estimate of
the number of small entities that may be affected by the proposed rules.
462
The RFA generally defines the
455
See 5 U.S.C. § 603. The RFA, see 5 U.S.C. §§ 601-12, has been amended by the Small Business Regulatory
Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996).
456
See 5 U.S.C. § 603(a).
457
See 5 U.S.C. § 603(a).
458
See Further Notice at paras. 68-70.
459
See id. at para.72.
460
See id.
461
See id. at paras. 68-72.
462
5 U.S.C. §§ 603(b)(3), 604(a)(3).
Federal Communications Commission FCC 07-22
82
term small entityas having the same meaning as the terms small business,” “small organization, and
small governmental jurisdiction.
463
In addition, the term small businesshas the same meaning as the
term small business concernunder the Small Business Act.
464
A small business concern is one which:
(1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any
additional criteria established by the Small Business Administration (SBA).
465
172. Small Businesses. Nationwide, there are a total of approximately 22.4 million small
businesses, according to SBA data.
466
173. Small Organizations. Nationwide, there are approximately 1.6 million small
organizations.
467
174. Small Governmental Jurisdictions. The term small governmental jurisdictionis
defined generally as governments of cities, towns, townships, villages, school districts, or special
districts, with a population of less than fifty thousand.
468
Census Bureau data for 2002 indicate that there
were 87,525 local governmental jurisdictions in the United States.
469
We estimate that, of this total,
84,377 entities were small governmental jurisdictions.
470
Thus, we estimate that most governmental
jurisdictions are small.
1. Telecommunications Service Entities
a. Wireline Carriers and Service Providers
175. We have included small incumbent local exchange carriers in this present RFA analysis.
As noted above, a small businessunder the RFA is one that, inter alia, meets the pertinent small
business size standard (e.g., a telephone communications business having 1,500 or fewer employees), and
is not dominant in its field of operation.
471
The SBAs Office of Advocacy contends that, for RFA
purposes, small incumbent local exchange carriers are not dominant in their field of operation because
any such dominance is not nationalin scope.
472
We have therefore included small incumbent local
463
5 U.S.C. § 601(6).
464
5 U.S.C. § 601(3) (incorporating by reference the definition of small business concernin the Small Business
Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies unless an
agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity
for public comment, establishes one or more definitions of such terms which are appropriate to the activities of the
agency and publishes such definitions(s) in the Federal Register.
465
15 U.S.C. § 632.
466
See SBA, Programs and Services, SBA Pamphlet No. CO-0028, at page 40 (July 2002).
467
Independent Sector, The New Nonprofit Almanac & Desk Reference (2002).
468
5 U.S.C. § 601(5).
469
U.S. Census Bureau, Statistical Abstract of the United States: 2006, Section 8, page 272, Table 415.
470
We assume that the villages, school districts, and special districts are small, and total 48,558. See U.S. Census
Bureau, Statistical Abstract of the United States: 2006, section 8, page 273, Table 417. For 2002, Census Bureau
data indicate that the total number of county, municipal, and township governments nationwide was 38,967, of
which 35,819 were small. Id.
471
15 U.S.C. § 632.
472
Letter from Jere W. Glover, Chief Counsel for Advocacy, SBA, to William E. Kennard, Chairman, FCC (May
27, 1999). The Small Business Act contains a definition of small-business concern,which the RFA incorporates
into its own definition of small business.See 15 U.S.C. § 632(a) (Small Business Act); 5 U.S.C. § 601(3) (RFA).
(continued....)
Federal Communications Commission FCC 07-22
83
exchange carriers in this RFA analysis, although we emphasize that this RFA action has no effect on
Commission analyses and determinations in other, non-RFA contexts.
176. Incumbent Local Exchange Carriers (LECs). Neither the Commission nor the SBA has
developed a small business size standard specifically for incumbent local exchange services. The
appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under
that size standard, such a business is small if it has 1,500 or fewer employees.
473
According to
Commission data,
474
1,303 carriers have reported that they are engaged in the provision of incumbent
local exchange services. Of these 1,303 carriers, an estimated 1,020 have 1,500 or fewer employees and
283 have more than 1,500 employees. Consequently, the Commission estimates that most providers of
incumbent local exchange service are small businesses that may be affected by our action.
177. Competitive Local Exchange Carriers, Competitive Access Providers (CAPs), “Shared-
Tenant Service Providers,” and “Other Local Service Providers.” Neither the Commission nor the SBA
has developed a small business size standard specifically for these service providers. The appropriate size
standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size
standard, such a business is small if it has 1,500 or fewer employees.
475
According to Commission
data,
476
769 carriers have reported that they are engaged in the provision of either competitive access
provider services or competitive local exchange carrier services. Of these 769 carriers, an estimated 676
have 1,500 or fewer employees and 93 have more than 1,500 employees. In addition, 12 carriers have
reported that they are Shared-Tenant Service Providers,and all 12 are estimated to have 1,500 or fewer
employees. In addition, 39 carriers have reported that they are Other Local Service Providers. Of the
39, an estimated 38 have 1,500 or fewer employees and one has more than 1,500 employees.
Consequently, the Commission estimates that most providers of competitive local exchange service,
competitive access providers, Shared-Tenant Service Providers,and “Other Local Service Providers
are small entities that may be affected by our action.
178. Local Resellers. The SBA has developed a small business size standard for the category
of Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or
fewer employees.
477
According to Commission data,
478
143 carriers have reported that they are engaged
in the provision of local resale services. Of these, an estimated 141 have 1,500 or fewer employees and
two have more than 1,500 employees. Consequently, the Commission estimates that the majority of local
resellers are small entities that may be affected by our action.
179. Toll Resellers. The SBA has developed a small business size standard for the category of
Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer
employees.
479
According to Commission data,
480
770 carriers have reported that they are engaged in the
(...continued from previous page)
SBA regulations interpret small business concernto include the concept of dominance on a national basis. See 13
C.F.R. § 121.102(b).
473
13 C.F.R. § 121.201, NAICS code 517110 (changed from 513310 in Oct. 2002).
474
FCC, Wireline Competition Bureau, Industry Analysis and Technology Division, Trends in Telephone Service
at Table 5.3, page 5-5 (April 2005) (Trends in Telephone Service). This source uses data that are current as of
October 1, 2004.
475
13 C.F.R. § 121.201, NAICS code 517110 (changed from 513310 in Oct. 2002).
476
Trends in Telephone Serviceat Table 5.3.
477
13 C.F.R. § 121.201, NAICS code 517310 (changed from 513330 in Oct. 2002).
478
Trends in Telephone Serviceat Table 5.3.
479
13 C.F.R. § 121.201, NAICS code 517310 (changed from 513330 in Oct. 2002).
Federal Communications Commission FCC 07-22
84
provision of toll resale services. Of these, an estimated 747 have 1,500 or fewer employees and 23 have
more than 1,500 employees. Consequently, the Commission estimates that the majority of toll resellers
are small entities that may be affected by our action.
180. Payphone Service Providers (PSPs). Neither the Commission nor the SBA has
developed a small business size standard specifically for payphone services providers. The appropriate
size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size
standard, such a business is small if it has 1,500 or fewer employees.
481
According to Commission
data,
482
613 carriers have reported that they are engaged in the provision of payphone services. Of these,
an estimated 609 have 1,500 or fewer employees and four have more than 1,500 employees.
Consequently, the Commission estimates that the majority of payphone service providers are small
entities that may be affected by our action.
181. Interexchange Carriers (IXCs). Neither the Commission nor the SBA has developed a
small business size standard specifically for providers of interexchange services. The appropriate size
standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size
standard, such a business is small if it has 1,500 or fewer employees.
483
According to Commission
data,
484
316 carriers have reported that they are engaged in the provision of interexchange service. Of
these, an estimated 292 have 1,500 or fewer employees and 24 have more than 1,500 employees.
Consequently, the Commission estimates that the majority of IXCs are small entities that may be affected
by our action.
182. Operator Service Providers (OSPs). Neither the Commission nor the SBA has developed
a small business size standard specifically for operator service providers. The appropriate size standard
under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a
business is small if it has 1,500 or fewer employees.
485
According to Commission data,
486
23 carriers
have reported that they are engaged in the provision of operator services. Of these, an estimated 20 have
1,500 or fewer employees and three have more than 1,500 employees. Consequently, the Commission
estimates that the majority of OSPs are small entities that may be affected by our action.
183. Prepaid Calling Card Providers. Neither the Commission nor the SBA has developed a
small business size standard specifically for prepaid calling card providers. The appropriate size standard
under SBA rules is for the category Telecommunications Resellers. Under that size standard, such a
business is small if it has 1,500 or fewer employees.
487
According to Commission data,
488
89 carriers
have reported that they are engaged in the provision of prepaid calling cards. Of these, 88 are estimated
to have 1,500 or fewer employees and one has more than 1,500 employees. Consequently, the
(...continued from previous page)
480
Trends in Telephone Serviceat Table 5.3.
481
13 C.F.R. § 121.201, NAICS code 517110 (changed from 513310 in Oct. 2002).
482
Trends in Telephone Serviceat Table 5.3.
483
13 C.F.R. § 121.201, NAICS code 517110 (changed from 513310 in Oct. 2002).
484
Trends in Telephone Serviceat Table 5.3.
485
13 C.F.R. § 121.201, NAICS code 517110 (changed from 513310 in Oct. 2002).
486
Trends in Telephone Serviceat Table 5.3.
487
13 C.F.R. § 121.201, NAICS code 517310 (changed from 513330 in Oct. 2002).
488
Trends in Telephone Serviceat Table 5.3.
Federal Communications Commission FCC 07-22
85
Commission estimates that all or the majority of prepaid calling card providers are small entities that may
be affected by our action.
184. 800 and 800-Like Service Subscribers.
489
Neither the Commission nor the SBA has
developed a small business size standard specifically for 800 and 800-like service (toll free)
subscribers. The appropriate size standard under SBA rules is for the category Telecommunications
Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees.
490
The
most reliable source of information regarding the number of these service subscribers appears to be data
the Commission collects on the 800, 888, and 877 numbers in use.
491
According to our data, at the end of
January, 1999, the number of 800 numbers assigned was 7,692,955; the number of 888 numbers assigned
was 7,706,393; and the number of 877 numbers assigned was 1,946,538. We do not have data specifying
the number of these subscribers that are not independently owned and operated or have more than 1,500
employees, and thus are unable at this time to estimate with greater precision the number of toll free
subscribers that would qualify as small businesses under the SBA size standard. Consequently, we
estimate that there are 7,692,955 or fewer small entity 800 subscribers; 7,706,393 or fewer small entity
888 subscribers; and 1,946,538 or fewer small entity 877 subscribers.
b. International Service Providers
185. The Commission has not developed a small business size standard specifically for
providers of international service. The appropriate size standards under SBA rules are for the two broad
census categories of Satellite Telecommunicationsand Other Telecommunications. Under both
categories, such a business is small if it has $12.5 million or less in average annual receipts.
492
186. The first category of Satellite Telecommunications comprises establishments primarily
engaged in providing point-to-point telecommunications services to other establishments in the
telecommunications and broadcasting industries by forwarding and receiving communications signals via
a system of satellites or reselling satellite telecommunications.
493
For this category, Census Bureau data
for 2002 show that there were a total of 371 firms that operated for the entire year.
494
Of this total, 307
firms had annual receipts of under $10 million, and 26 firms had receipts of $10 million to
$24,999,999.
495
Consequently, we estimate that the majority of Satellite Telecommunications firms are
small entities that might be affected by our action.
187. The second category of Other Telecommunications comprises establishments primarily
engaged in (1) providing specialized telecommunications applications, such as satellite tracking,
communications telemetry, and radar station operations; or (2) providing satellite terminal stations and
associated facilities operationally connected with one or more terrestrial communications systems and
489
We include all toll-free number subscribers in this category, including those for 888 numbers.
490
13 C.F.R. § 121.201, NAICS code 517310 (changed from 513330 in Oct. 2002).
491
See FCC, Common Carrier Bureau, Industry Analysis Division, Study on Telephone Trends, Tables 21.2, 21.3,
and 21.4 (Feb. 1999).
492
13 C.F.R. § 121.201, NAICS codes 517410 and 517910.
493
U.S. Census Bureau, 2002 NAICS Definitions: 517410 Satellite Telecommunications” (www.census.gov.,
visited Feb. 2006).
494
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information, Establishment and Firm Size
(Including Legal Form of Organization),Table 4, NAICS code 517410 (issued Nov. 2005).
495
Id. An additional 38 firms had annual receipts of $25 million or more.
Federal Communications Commission FCC 07-22
86
capable of transmitting telecommunications to or receiving telecommunications from satellite systems.
496
For this category, Census Bureau data for 2002 show that there were a total of 332 firms that operated for
the entire year.
497
Of this total, 259 firms had annual receipts of under $10 million and 15 firms had
annual receipts of $10 million to $24,999,999.
498
Consequently, we estimate that the majority of Other
Telecommunications firms are small entities that might be affected by our action.
c. Wireless Telecommunications Service Providers
188. Below, for those services subject to auctions, we note that, as a general matter, the
number of winning bidders that qualify as small businesses at the close of an auction does not necessarily
represent the number of small businesses currently in service. Also, the Commission does not generally
track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues
are implicated.
189. Wireless Service Providers. The SBA has developed a small business size standard for
wireless firms within the two broad economic census categories of Paging
499
and Cellular and Other
Wireless Telecommunications.
500
Under both SBA categories, a wireless business is small if it has 1,500
or fewer employees. For the census category of Paging, Census Bureau data for 2002 show that there
were 807 firms in this category that operated for the entire year.
501
Of this total, 804 firms had
employment of 999 or fewer employees, and three firms had employment of 1,000 employees or more.
502
Thus, under this category and associated small business size standard, the majority of firms can be
considered small. For the census category of Cellular and Other Wireless Telecommunications, Census
Bureau data for 2002 show that there were 1,397 firms in this category that operated for the entire year.
503
Of this total, 1,378 firms had employment of 999 or fewer employees, and 19 firms had employment of
1,000 employees or more.
504
Thus, under this second category and size standard, the majority of firms
can, again, be considered small.
190. Cellular Licensees. The SBA has developed a small business size standard for wireless
firms within the broad economic census category Cellular and Other Wireless Telecommunications.
505
Under this SBA category, a wireless business is small if it has 1,500 or fewer employees. For the census
category of Cellular and Other Wireless Telecommunications, Census Bureau data for 2002 show that
496
U.S. Census Bureau, 2002 NAICS Definitions: 517910 Other Telecommunications” (www.census.gov, visited
Feb. 2006).
497
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information, Establishment and Firm Size
(Including Legal Form of Organization),Table 4, NAICS code 517910 (issued Nov. 2005).
498
Id. An additional 14 firms had annual receipts of $25 million or more.
499
13 C.F.R. § 121.201, NAICS code 513321 (changed to 517211 in October 2002).
500
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
501
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information,Table 5, Employment Size of Firms
for the United States: 2002, NAICS code 517211 (issued November 2005).
502
Id. The census data do not provide a more precise estimate of the number of firms that have employment of
1,500 or fewer employees; the largest category provided is firms with 1000 employees or more.
503
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information,Table 5, Employment Size of Firms
for the United States: 2002, NAICS code 517212 (issued November 2005).
504
Id. The census data do not provide a more precise estimate of the number of firms that have employment of
1,500 or fewer employees; the largest category provided is firms with 1000 employees or more.
505
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
Federal Communications Commission FCC 07-22
87
there were 1,397 firms in this category that operated for the entire year.
506
Of this total, 1,378 firms had
employment of 999 or fewer employees, and 19 firms had employment of 1,000 employees or more.
507
Thus, under this category and size standard, the great majority of firms can be considered small. Also,
according to Commission data, 437 carriers reported that they were engaged in the provision of cellular
service, Personal Communications Service (PCS), or Specialized Mobile Radio (SMR) Telephony
services, which are placed together in the data.
508
We have estimated that 260 of these are small, under
the SBA small business size standard.
509
191. Common Carrier Paging. The SBA has developed a small business size standard for
wireless firms within the broad economic census category, Cellular and Other Wireless
Telecommunications.
510
Under this SBA category, a wireless business is small if it has 1,500 or fewer
employees. For the census category of Paging, Census Bureau data for 2002 show that there were 807
firms in this category that operated for the entire year.
511
Of this total, 804 firms had employment of 999
or fewer employees, and three firms had employment of 1,000 employees or more.
512
Thus, under this
category and associated small business size standard, the majority of firms can be considered small. In
the Paging Third Report and Order, we developed a small business size standard for small businesses
and very small businessesfor purposes of determining their eligibility for special provisions such as
bidding credits and installment payments.
513
A small businessis an entity that, together with its
affiliates and controlling principals, has average gross revenues not exceeding $15 million for the
preceding three years. Additionally, a very small businessis an entity that, together with its affiliates
and controlling principals, has average gross revenues that are not more than $3 million for the preceding
three years.
514
The SBA has approved these small business size standards.
515
An auction of Metropolitan
Economic Area licenses commenced on February 24, 2000, and closed on March 2, 2000.
516
Of the 985
licenses auctioned, 440 were sold. Fifty-seven companies claiming small business status won. Also,
according to Commission data, 375 carriers reported that they were engaged in the provision of paging
506
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information,Table 5, Employment Size of Firms
for the United States: 2002, NAICS code 517212 (issued November 2005).
507
Id. The census data do not provide a more precise estimate of the number of firms that have employment of
1,500 or fewer employees; the largest category provided is firms with 1000 employees or more.
508
Trends in Telephone Serviceat Table 5.3.
509
Id.
510
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
511
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information,Table 5, Employment Size of Firms
for the United States: 2002, NAICS code 517211 (issued November 2005).
512
Id. The census data do not provide a more precise estimate of the number of firms that have employment of
1,500 or fewer employees; the largest category provided is firms with 1000 employees or more.
513
Amendment of Part 90 of the Commissions Rules to Provide for the Use of the 220-222 MHz Band by the Private
Land Mobile Radio Service, PR Docket No. 89-552, Third Report and Order and Fifth Notice of Proposed
Rulemaking, 12 FCC Rcd 10943, 11068-70, paras. 291-295, 62 FR 16004 (Apr. 3, 1997).
514
See Letter to Amy Zoslov, Chief, Auctions and Industry Analysis Division, Wireless Telecommunications
Bureau, FCC, from A. Alvarez, Administrator, SBA (Dec. 2, 1998) (SBA Dec. 2, 1998 Letter).
515
Revision of Part 22 and Part 90 of the Commissions Rules to Facilitate Future Development of Paging Systems,
Memorandum Opinion and Order on Reconsideration and Third Report and Order, 14 FCC Rcd 10030, paras. 98-
107 (1999).
516
Id. at 10085, para. 98.
Federal Communications Commission FCC 07-22
88
and messaging services.
517
Of those, we estimate that 370 are small, under the SBA-approved small
business size standard.
518
192. Wireless Telephony. Wireless telephony includes cellular, personal communications
services (PCS), and specialized mobile radio (SMR) telephony carriers. As noted earlier, the SBA has
developed a small business size standard for Cellular and Other Wireless Telecommunications
services.
519
Under that SBA small business size standard, a business is small if it has 1,500 or fewer
employees.
520
According to Commission data, 445 carriers reported that they were engaged in the
provision of wireless telephony.
521
We have estimated that 245 of these are small under the SBA small
business size standard.
193. Broadband Personal Communications Service. The broadband Personal
Communications Service (PCS) spectrum is divided into six frequency blocks designated A through F,
and the Commission has held auctions for each block. The Commission defined small entityfor Blocks
C and F as an entity that has average gross revenues of $40 million or less in the three previous calendar
years.
522
For Block F, an additional classification for very small business” was added and is defined as
an entity that, together with its affiliates, has average gross revenues of not more than $15 million for the
preceding three calendar years.
523
These standards defining small entityin the context of broadband
PCS auctions have been approved by the SBA.
524
No small businesses, within the SBA-approved small
business size standards bid successfully for licenses in Blocks A and B. There were 90 winning bidders
that qualified as small entities in the Block C auctions. A total of 93 small and very small business
bidders won approximately 40 percent of the 1,479 licenses for Blocks D, E, and F.
525
On March 23,
1999, the Commission re-auctioned 347 C, D, E, and F Block licenses. There were 48 small business
winning bidders. On January 26, 2001, the Commission completed the auction of 422 C and F
Broadband PCS licenses in Auction No. 35. Of the 35 winning bidders in this auction, 29 qualified as
small” or very smallbusinesses. Subsequent events, concerning Auction 35, including judicial and
agency determinations, resulted in a total of 163 C and F Block licenses being available for grant.
194. Narrowband Personal Communications Services. To date, two auctions of narrowband
personal communications services (PCS) licenses have been conducted. For purposes of the two auctions
that have already been held, small businesseswere entities with average gross revenues for the prior
three calendar years of $40 million or less. Through these auctions, the Commission has awarded a total
of 41 licenses, out of which 11 were obtained by small businesses. To ensure meaningful participation of
517
Trends in Telephone Serviceat Table 5.3.
518
Id.
519
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
520
Id.
521
Trends in Telephone Serviceat Table 5.3.
522
See Amendment of Parts 20 and 24 of the Commissions Rules Broadband PCS Competitive Bidding and the
Commercial Mobile Radio Service Spectrum Cap, WT Docket No. 96-59, Report and Order, 11 FCC Rcd 7824, 61
FR 33859 (July 1, 1996) (PCS Order); see also 47 C.F.R. § 24.720(b).
523
See PCS Order, 11 FCC Rcd 7824.
524
See, e.g., Implementation of Section 309(j) of the Communications Act Competitive Bidding, PP Docket No. 93-
253, Fifth Report and Order, 9 FCC Rcd 5332, 59 FR 37566 (July 22, 1994).
525
FCC News, Broadband PCS, D, E and F Block Auction Closes, No. 71744 (rel. Jan. 14, 1997); see also
Amendment of the Commissions Rules Regarding Installment Payment Financing for Personal Communications
Services (PCS) Licenses, WT Docket No. 97-82, Second Report and Order, 12 FCC Rcd 16436, 62 FR 55348 (Oct.
24, 1997).
Federal Communications Commission FCC 07-22
89
small business entities in future auctions, the Commission has adopted a two-tiered small business size
standard in the Narrowband PCS Second Report and Order.
526
A small businessis an entity that,
together with affiliates and controlling interests, has average gross revenues for the three preceding years
of not more than $40 million. A very small businessis an entity that, together with affiliates and
controlling interests, has average gross revenues for the three preceding years of not more than $15
million. The SBA has approved these small business size standards.
527
In the future, the Commission
will auction 459 licenses to serve Metropolitan Trading Areas (MTAs) and 408 response channel licenses.
There is also one megahertz of narrowband PCS spectrum that has been held in reserve and that the
Commission has not yet decided to release for licensing. The Commission cannot predict accurately the
number of licenses that will be awarded to small entities in future auctions. However, four of the 16
winning bidders in the two previous narrowband PCS auctions were small businesses, as that term was
defined. The Commission assumes, for purposes of this analysis that a large portion of the remaining
narrowband PCS licenses will be awarded to small entities. The Commission also assumes that at least
some small businesses will acquire narrowband PCS licenses by means of the Commissions partitioning
and disaggregation rules.
195. Rural Radiotelephone Service. The Commission has not adopted a size standard for
small businesses specific to the Rural Radiotelephone Service.
528
A significant subset of the Rural
Radiotelephone Service is the Basic Exchange Telephone Radio System (BETRS).
529
The Commission
uses the SBAs small business size standard applicable to Cellular and Other Wireless
Telecommunications,i.e., an entity employing no more than 1,500 persons.
530
There are approximately
1,000 licensees in the Rural Radiotelephone Service, and the Commission estimates that there are 1,000
or fewer small entity licensees in the Rural Radiotelephone Service that may be affected by the rules and
policies adopted herein.
196. Air-Ground Radiotelephone Service. The Commission has not adopted a small business
size standard specific to the Air-Ground Radiotelephone Service.
531
We will use SBAs small business
size standard applicable to Cellular and Other Wireless Telecommunications, i.e., an entity employing
no more than 1,500 persons.
532
There are approximately 100 licensees in the Air-Ground Radiotelephone
Service, and we estimate that almost all of them qualify as small under the SBA small business size
standard.
197. Offshore Radiotelephone Service. This service operates on several UHF television
broadcast channels that are not used for television broadcasting in the coastal areas of states bordering the
Gulf of Mexico.
533
There are presently approximately 55 licensees in this service. We are unable to
estimate at this time the number of licensees that would qualify as small under the SBAs small business
526
Amendment of the Commissions Rules to Establish New Personal Communications Services, Narrowband PCS,
Docket No. ET 92-100, Docket No. PP 93-253, Second Report and Order and Second Further Notice of Proposed
Rulemaking, 15 FCC Rcd 10456, 65 FR 35875 (June 6, 2000).
527
See SBA Dec. 2, 1998 Letter.
528
The service is defined in section 22.99 of the Commissions Rules, 47 C.F.R. § 22.99.
529
BETRS is defined in sections 22.757 and 22.759 of the Commissions Rules, 47 C.F.R. §§ 22.757 and 22.759.
530
13 C.F.R. § 121.201, NAICS code 517212.
531
The service is defined in section 22.99 of the Commissions Rules, 47 C.F.R. § 22.99.
532
13 C.F.R. § 121.201, NAICS codes 517212.
533
This service is governed by Subpart I of Part 22 of the Commissions rules. See 47 C.F.R. §§ 22.1001-22.1037.
Federal Communications Commission FCC 07-22
90
size standard for Cellular and Other Wireless Telecommunicationsservices.
534
Under that SBA small
business size standard, a business is small if it has 1,500 or fewer employees.
535
2. Cable and OVS Operators
198. Cable and Other Program Distribution. This category includes cable systems operators,
closed circuit television services, direct broadcast satellite services, multipoint distribution systems,
satellite master antenna systems, and subscription television services. The SBA has developed small
business size standard for this census category, which includes all such companies generating $12.5
million or less in revenue annually.
536
According to Census Bureau data for 2002, there were a total of
1,191 firms in this category that operated for the entire year.
537
Of this total, 1,087 firms had annual
receipts of under $10 million, and 43 firms had receipts of $10 million or more but less than $25
million.
538
Consequently, the Commission estimates that the majority of providers in this service
category are small businesses that may be affected by the rules and policies adopted herein.
199. Cable System Operators. The Commission has developed its own small business size
standards for cable system operators, for purposes of rate regulation. Under the Commissions rules, a
small cable companyis one serving fewer than 400,000 subscribers nationwide.
539
In addition, a “small
system” is a system serving 15,000 or fewer subscribers.
540
200. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as
amended, also contains a size standard for small cable system operators, which is a cable operator that,
directly or through an affiliate, serves in the aggregate fewer than 1 percent of all subscribers in the
United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate
exceed $250,000,000.
541
The Commission has determined that there are approximately 67,700,000
subscribers in the United States.
542
Therefore, an operator serving fewer than 677,000 subscribers shall
be deemed a small operator, if its annual revenues, when combined with the total annual revenues of all
its affiliates, do not exceed $250 million in the aggregate.
543
Based on available data, the Commission
estimates that the number of cable operators serving 677,000 subscribers or fewer, totals 1,450. The
Commission neither requests nor collects information on whether cable system operators are affiliated
534
13 C.F.R. § 121.201, NAICS code 513322 (changed to 517212 in October 2002).
535
Id.
536
13 C.F.R. § 121.201, North American Industry Classification System (NAICS) code 513220 (changed to 517510
in October 2002).
537
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information, Table 4, Receipts Size of Firms for the
United States: 2002, NAICS code 517510 (issued November 2005).
538
Id. An additional 61 firms had annual receipts of $25 million or more.
539
47 C.F.R. § 76.901(e). The Commission determined that this size standard equates approximately to a size
standard of $100 million or less in annual revenues. Implementation of Sections of the 1992 Cable Act: Rate
Regulation, Sixth Report and Order and Eleventh Order on Reconsideration, 10 FCC Rcd 7393, 7408 (1995).
540
47 C.F.R. § 76.901(c).
541
47 U.S.C. § 543(m)(2); see 47 C.F.R. § 76.901(f) & nn. 1-3.
542
See Public Notice, FCC Announces New Subscriber Count for the Definition of Small Cable Operator, DA
01-158 (Cable Services Bureau, Jan. 24, 2001).
543
47 C.F.R. § 76.901(f).
Federal Communications Commission FCC 07-22
91
with entities whose gross annual revenues exceed $250 million,
544
and therefore is unable, at this time, to
estimate more accurately the number of cable system operators that would qualify as small cable
operators under the size standard contained in the Communications Act of 1934.
201. Open Video Services. Open Video Service (OVS) systems provide subscription
services.
545
The SBA has created a small business size standard for Cable and Other Program
Distribution.
546
This standard provides that a small entity is one with $12.5 million or less in annual
receipts. The Commission has certified approximately 25 OVS operators to serve 75 areas, and some of
these are currently providing service.
547
Affiliates of Residential Communications Network, Inc. (RCN)
received approval to operate OVS systems in New York City, Boston, Washington, D.C., and other areas.
RCN has sufficient revenues to assure that they do not qualify as a small business entity. Little financial
information is available for the other entities that are authorized to provide OVS and are not yet
operational. Given that some entities authorized to provide OVS service have not yet begun to generate
revenues, the Commission concludes that up to 24 OVS operators (those remaining) might qualify as
small businesses that may be affected by the rules and policies adopted herein.
3. Internet Service Providers
202. Internet Service Providers. The SBA has developed a small business size standard for
Internet Service Providers (ISPs). ISPs provide clients access to the Internet and generally provide
related services such as web hosting, web page designing, and hardware or software consulting related to
Internet connectivity.
548
Under the SBA size standard, such a business is small if it has average annual
receipts of $21 million or less.
549
According to Census Bureau data for 2002, there were 2,529 firms in
this category that operated for the entire year.
550
Of these, 2,437 firms had annual receipts of under $10
million, and 47 firms had receipts of $10 million or more but less then $25 million.
551
Consequently, we
estimate that the majority of these firms are small entities that may be affected by our action.
203. All Other Information Services. “This industry comprises establishments primarily
engaged in providing other information services (except new syndicates and libraries and archives).
552
The SBA has developed a small business size standard for this category; that size standard is $6 million
or less in average annual receipts.
553
According to Census Bureau data for 1997, there were 195 firms in
544
The Commission does receive such information on a case-by-case basis if a cable operator appeals a local
franchise authoritys finding that the operator does not qualify as a small cable operator pursuant to § 76.901(f) of
the Commissions rules. See 47 C.F.R. § 76.909(b).
545
See 47 U.S.C. § 573.
546
13 C.F.R. § 121.201, NAICS code 513220 (changed to 517510 in October 2002).
547
See <http://www.fcc.gov/csb/ovs/csovscer.html> (current as of March 2002).
548
U.S. Census Bureau, 2002 NAICS Definitions: 518111 Internet Service Providers(Feb. 2004)
<www.census.gov>.
549
13 C.F.R. § 121.201, NAICS code 518111 (changed from previous code 514191, On-Line Information
Services,in Oct. 2002).
550
U.S. Census Bureau, 2002 Economic Census, Subject Series: Information, Table 4, Receipts Size of Firms for
the United States: 2002, NAICS code 518111 (issued November 2005).
551
Id. An additional 45 firms had annual receipts of $25 million or more.
552
U.S. Census Bureau, 2002 NAICS Definitions: 519190 All Other Information Services(Feb. 2004)
<www.census.gov>.
553
13 C.F.R. § 121.201, NAICS code 519190 (changed from 514199 in Oct. 2002).
Federal Communications Commission FCC 07-22
92
this category that operated for the entire year.
554
Of these, 172 had annual receipts of under $5 million,
and an additional nine firms had receipts of between $5 million and $9,999,999. Consequently, we
estimate that the majority of these firms are small entities that may be affected by our action.
4. Equipment Manufacturers
204. Wireless Communications Equipment Manufacturers. The SBA has established a small
business size standard for Radio and Television Broadcasting and Wireless Communications Equipment
Manufacturing. Examples of products in this category include “transmitting and receiving antennas,
cable television equipment, GPS equipment, pagers, cellular phones, mobile communications equipment,
and radio and television studio and broadcasting equipment”
555
and may include other devices that
transmit and receive IP-enabled services, such as personal digital assistants (PDAs). Under the SBA size
standard, firms are considered small if they have 750 or fewer employees.
556
According to Census
Bureau data for 1997, there were 1,215 establishments
557
in this category that operated for the entire
year.
558
Of those, there were 1,150 that had employment of under 500, and an additional 37 that had
employment of 500 to 999. The percentage of wireless equipment manufacturers in this category was
approximately 61.35%,
559
so we estimate that the number of wireless equipment manufacturers with
employment of under 500 was actually closer to 706, with and additional 23 establishments having
employment of between 500 and 999. Consequently, we estimate that the majority of wireless
communications equipment manufacturers are small entities that may be affected by our action.
205. Telephone Apparatus Manufacturing. This category comprises establishments primarily
engaged primarily in manufacturing wire telephone and data communications equipment.”
560
Examples
of pertinent products are “central office switching equipment, cordless telephones (except cellular), PBX
equipment, telephones, telephone answering machines, and data communications equipment, such as
bridges, routers, and gateways.”
561
The SBA has developed a small business size standard for this
category of manufacturing; that size standard is 1,000 or fewer employees.
562
According to Census
554
U.S. Census Bureau, 1997 Economic Census, Subject Series: Information, Establishment and Firm Size
(Including Legal Form of Organization),Table 4, NAICS code 514199 (issued Oct. 2000). This category was
created for the 2002 Economic Census by taking a portion of the superseded 1997 category, All Other Information
Services,NAICS code 514199. The data cited in the text above are derived from the superseded category.
555
Office of Management and Budget, North American Industry Classification System 308-09 (1997) (NAICS code
334220).
556
13 C.F.R. § 121.201, NAICS code 334220.
557
The number of “establishments” is a less helpful indicator of small business prevalence in this context than would
be the number of “firms” or “companies,” because the latter take into account the concept of common ownership or
control. Any single physical location for an entity is an establishment, even though that location may be owned by a
different establishment. Thus, the numbers given may reflect inflated numbers of businesses in this category,
including the numbers of small businesses. In this category, the Census breaks-out data for firms or companies only
to give the total number of such entities for 1997, which were 1,089.
558
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Industry Statistics by
Employment Size,” Table 4, NAICS code 334220 (issued Aug. 1999).
559
Id. Table 5.
560
Office of Management and Budget, North American Industry Classification System 308 (1997) (NAICS code
334210).
561
Id.
562
13 C.F.R. § 121.201, NAICS code 334210.
Federal Communications Commission FCC 07-22
93
Bureau data for 1997, there were 598 establishments in this category that operated for the entire year.
563
Of these, 574 had employment of under 1,000, and an additional 17 establishments had employment of
1,000 to 2,499. Consequently, we estimate that the majority of these establishments are small entities that
may be affected by our action.
206. Semiconductor and Related Device Manufacturing. These establishments manufacture
“computer storage devices that allow the storage and retrieval of data from a phase change, magnetic,
optical, or magnetic/optical media.”
564
The SBA has developed a small business size standard for this
category of manufacturing; that size standard is 500 or fewer employees.
565
According to Census Bureau
data for 1997, there were 1,082 establishments in this category that operated for the entire year.
566
Of
these, 987 had employment of under 500, and 52 establishments had employment of 500 to 999.
207. Computer Storage Device Manufacturing. These establishments manufacture “computer
storage devices that allow the storage and retrieval of data from a phase change, magnetic, optical, or
magnetic/optical media.”
567
The SBA has developed a small business size standard for this category of
manufacturing; that size standard is 1,000 or fewer employees.
568
According to Census Bureau data for
1997, there were 209 establishments in this category that operated for the entire year.
569
Of these, 197
had employment of under 500, and eight establishments had employment of 500 to 999.
D. Description of Projected Reporting, Recordkeeping and Other Compliance
Requirements
208. Should the Commission decide to adopt any further regulations to ensure that all
providers of telecommunication services meet consumer protection needs in regard to CPNI, including the
security of the privacy of customer information stored in mobile communications devices, the associated
rules potentially could modify the reporting and recordkeeping requirements of certain
telecommunications providers. We could, for instance, require that telecommunications providers require
further customer password-related security procedures to access CPNI data.
570
We could also require
telecommunications providers to track customer contact through the use of audit trails or to limit their
retention of data related to CPNI.
571
Additionally, we could require additional physical safeguards be
implemented to protect the transfer of CPNI.
572
Further, we could require telecommunications providers
and/or manufacturers to configure wireless devices so consumers can easily and permanently delete
563
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Telephone Apparatus
Manufacturing,” Table 4, NAICS code 334210 (issued Sept. 1999).
564
U.S. Census Bureau, “2002 NAICS Definitions: 334413 Semiconductor and Related Device Manufacturing”
(Feb. 2004) <www.census.gov>.
565
13 C.F.R. § 121.201, NAICS code 334413.
566
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Semiconductor and Related
Device Manufacturing ,” Table 4, NAICS code 334413 (issued July 1999).
567
U.S. Census Bureau, “2002 NAICS Definitions: 334112 Computer Storage Device Manufacturing” (Feb. 2004)
<www.census.gov>.
568
13 C.F.R. § 121.201, NAICS code 334112.
569
U.S. Census Bureau, 1997 Economic Census, Industry Series: Manufacturing, “Computer Storage Device
Manufacturing,” Table 4, NAICS code 334112 (issued July 1999).
570
See Further Notice at para. 68.
571
See Further Notice at paras. 69, 71.
572
See Further Notice at para. 70.
Federal Communications Commission FCC 07-22
94
personal information from mobile communications devices.
573
These proposals may impose additional
reporting and recordkeeping requirements on entities. Also, we seek comment on whether any of these
proposals places burdens on small entities.
574
Entities, especially small businesses, are encouraged to
quantify the costs and benefits or any reporting requirement that may be established in this proceeding.
E. Steps Taken to Minimize Significant Economic Impact on Small Entities, and
Significant Alternatives Considered
209. The RFA requires an agency to describe any significant alternatives that it has considered
in reaching its proposed approach, which may include (among others) the following four alternatives:
(1) the establishment of differing compliance or reporting requirements or timetables that take into
account the resources available to small entities; (2) the clarification, consolidation, or simplification of
compliance or reporting requirements under the rule for small entities; (3) the use of performance, rather
than design, standards; and (4) an exemption from coverage of the rule, or any part thereof, for small
entities.
575
210. The Commission’s primary objective is to secure the privacy of customer information
collected by telecommunications carriers and stored in mobile communications devices. We seek
comment on the burdens, including those placed on small carriers, associated with related Commission
rules and whether the Commission should adopt different requirements for small businesses.
576
F. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules
211. None.
573
See Further Notice at para. 72.
574
See Further Notice at paras. 68-72.
575
5 U.S.C. § 603(c).
576
See Further Notice at paras. 68-72.
Federal Communications Commission FCC 07-22
95
STATEMENT OF
CHAIRMAN KEVIN J. MARTIN
Re: Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of
Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services,
Report and Order and Further Notice of Proposed Rulemaking, CC Docket No. 96-115 and WC Docket
No. 04-36
The unauthorized disclosure of consumers’ private calling records is a significant privacy
invasion. Today, the Commission significantly strengthens the Commission’s existing safeguards and
takes a strong approach to protecting consumer privacy.
The Commission has taken numerous steps to combat these alarming breaches of the privacy of
consumers’ telephone records. We investigated so-called “data brokers” to determine how they are
obtaining this information, and levied forfeitures against companies that failed to respond to our
subpoenas and requests for information. We also investigated telecommunications carriers to determine
whether they had implemented appropriate safeguards, and issued Notices of Apparent Liability against
carriers that failed to comply with the Commission’s rules.
The Order we adopt prohibits carriers from releasing over the phone sensitive personal data, call
detail records, unless the customer provides a password, requires providers to notify customers
immediately when changes are made to a customers account and requires providers to notify their
customers in the event of a breach of confidentiality. Service providers also must annually certify their
compliance with these regulations, inform the Commission of any actions they have taken against data
brokers, and provide a summary of the complaints they receive regarding the unauthorized release of
CPNI. Today’s action also ensures that law enforcement will have necessary tools to investigate and
enforce illegal access to customer records.
While we work to create an environment in which market forces can thrive, the Commission must
also act to protect consumers. With its strong approach to safeguarding consumer privacy, this item does
just that. In particular, this item requires express consumer consent before a carrier may disclose a
customer’s phone records to joint venture partners or independent contractors for the purposes of
marketing communications services. The former “opt-out” approach to customer consent, whereby a
carrier may disclose a customer’s phone records provided that a customer does not expressly withhold
consent to such use, shifted too much of the burden to consumers, and has resulted in a much broader
dissemination of consumer phone records. The “opt-in” approach adopted in this Order clearly is
supported by the record, is consistent with applicable law, and directly advances our interest in protecting
customer privacy.
Compliance with our consumer protection regulations is not optional for any telephone service
provider. We need to take whatever actions are necessary to enforce these requirements to secure the
privacy of personal and confidential information of American customers.
Federal Communications Commission FCC 07-22
96
STATEMENT OF
COMMISSIONER MICHAEL J. COPPS
APPROVING IN PART, DISSENTING IN PART
Re: Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of
Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services,
Report and Order and Further Notice of Proposed Rulemaking, CC Docket No. 96-115 and WC Docket
No. 04-36
Few rights are as fundamental as the right to privacy in our daily lives, but this cherished right
seems under almost constant attack. As recent abuses by unscrupulous data brokers and others illustrate,
the Commission’s existing customer proprietary network information (CPNI) rules have not adequately
protected individual privacy. Recognizing the seriousness of the threat, Congress recently made
pretexting a federal crime. Now it is time for the Commission to step up to the plate and update its rules
to protect consumers from the dangers that portend when personal information is turned over to telephone
carriers.
Today we take action to protect the privacy of American consumers by imposing additional
safeguards on how telephone carriers handle the vast amount of customers’ personal information that they
collect and hold. We require passwords before call detail information is released over the phone. We
require carriers to provide notice to customers when changes occur to their accounts. Very importantly,
we require carriers to obtain prior consent from their customers before providing personal information to
their joint venture partners and independent contractors. My personal preference remains that a
customer’s private information should never be shared by a carrier with any entity for marketing purposes
without a customer opting-in to the use of his or her personal information. But today’s order strikes an
acceptable balance a balance that will give consumers more confidence that their personal data will not
be shared with certain third parties with whom the carriers have attenuated oversight. In 2002 I disagreed
with the Commission’s decision not to implement opt-in requirements for the use of consumers’ personal
information. In light of recent and well-documented abuses of consumer privacy, this recalibration of our
rules is the least that we should do, and I very much appreciate the Chairman’s willingness to take these
important steps.
There is one aspect of this order, however, from which I must respectfully dissent. The
Commission adopts a process by which customers could be left totally uninformed of unauthorized access
to their CPNI for 14 days after a carrier reasonably determines there has been a records breach. Worse,
the FBI and the U.S. Secret Service would have the ability to keep victims of these unauthorized
disclosures in the dark even longer, perhaps indefinitely. As some have described it, it is akin to not
telling victims of a burglary that their home has been broken into because law enforcement needs to
continue dusting for fingerprints.
While I have always recognized the legitimate interests of law enforcement to be notified when
there has been unauthorized access to a customer’s CPNI, I also believe that consumers need to know
when their private information has been accessed. There may be circumstances in which a delayed
notification regime would be reasonable, for example, when an investigation of a large-scale breach of a
database might be compromised because mass notification via the media is required. The Commission,
however, adopts a rule that, in my opinion, is needlessly overbroad. It fails to distinguish those exigent
circumstances in which delayed notification is necessary from what I believe to be the majority of cases
in which immediate notification to a victim is appropriate. I continue to believe that notification to the
victim of unauthorized access to their personal information will often actually aid law enforcement
because the violator is frequently someone well known to the victim. If an unauthorized individual has
gained access to personal telephone records involving victims of stalking or spousal violence, it won’t be
Federal Communications Commission FCC 07-22
97
the carrier or the law enforcement agency but the victims who are in the best position to know when
and how harm may be heading toward them.
Given the scope of the procedures adopted here procedures which pre-empt state consumer
privacy protections to the extent that they require immediate notification to consumers when their privacy
has been violated the delayed notification proposal would have benefited from greater scrutiny and
analysis, particularly with respect to law enforcement’s apparent unfettered ability to extend the period of
non-notification. This seems especially important given the recent and troubling report by the Justice
Department’s own Inspector General raising serious questions as to whether the FBI properly followed
the law in obtaining access to the telephone records of thousands of consumers. Our approach here
requires more balance than the instant item provides.
Finally, while we make positive strides today, I look forward to taking prompt action on the
proposals in the Further Notice regarding additional passwords, audit trails and data retention limits.
When the stakes for misuse of our personal information are so high, the Commission must continue to be
extraordinarily vigilant to ensure that the privacy of consumers is protected.
Federal Communications Commission FCC 07-22
98
STATEMENT OF
COMMISSIONER JONATHAN S. ADELSTEIN
APPROVING IN PART, DISSENTING IN PART
Re: Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of
Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services,
Report and Order and Further Notice of Proposed Rulemaking, CC Docket No. 96-115 and WC Docket
No. 04-36
Through this proceeding, we address an issue of immediate personal importance to American
consumers, the protection of sensitive information that telephone companies collect about their customers.
This information can include some of the most private personal information about an individual, and
failure to safeguard it can result in highly invasive intrusions into both the personal and professional lives
of consumers. When someone gets hold of who you are calling, and for how long, it is like letting
strangers pick your brain about your friends, plans or business dealings. So, I am pleased to support
much of this Order, which takes meaningful steps to shut off the information drain that has left so many
customers exasperated.
Congress recognized the sensitivity of this information in the Telecommunications Act of 1996
when it prohibited phone companies from using or disclosing customer proprietary network information
without the customer’s approval. It charged the Commission with enforcing this privacy protection and
the Commission previously adopted a set of rules designed to ensure that telephone companies have
effective safeguards in place.
Today’s action comes in response to the chorus of evidence detailing the need for greater privacy
measures. Indeed, this proceeding flows from a petition filed by a watchful public interest group, the
Electronic Privacy Information Center (EPIC), which alerted the FCC during the summer of 2005 to the
troubling trend of telephone call records being made available on the Internet without customers’
knowledge or consent. As EPIC then made clear to the Commission and as the record to this proceeding
has borne out, disclosure of these records is far more than a mere annoyance; indeed, it can lead to tragic
consequences.
So, our efforts here to strengthen our rules are critical and time sensitive. This Order takes
several important steps tighten our rules and provide greater security for sensitive consumer records.
Requiring more rigorous customer authentication, giving customers notice of account changes, and
applying a more consumer-friendly approach to sharing of customer data should all serve to improve
customers control over their private data. As documented by EPIC, the sheer volume of customer
information illegally available for public consumption made clear just how porous the existing firewalls
and safeguards have been. At the same time, the Commission strikes a balanced approach in this Order,
giving consumers greater ability to control their own information while also giving companies a degree of
flexibility in how they implement safeguards. In this regard, I would like to thank Chairman Martin and
the Wireline Competition Bureau for their attention to this item. Their extra work to fine tune the rules
we adopt here will surely improve their functioning for consumers and providers alike.
Although much of this Order does exactly what Congress contemplated putting the customer in
control there is one critical aspect where this Order falls short. Despite the Order’s conclusion that
customers should have notice of unauthorized disclosure of customer information, this Order set up a
process which can result in the unnecessary and even indefinite delay of consumer notification without
any accountability. Under these rules, the Commission gives the Federal Bureau of Investigation a
potentially open-ended ability to delay customer notification of security breaches. While I expect that the
FBI will work as quickly as possible to identify any investigative issues, I find no statutory basis in the
Act for granting the FBI a blank check to delay notice to customers. I can understand the need for delay
Federal Communications Commission FCC 07-22
99
in extraordinary circumstances identified by law enforcement, but automatic delays coupled with
unlimited and unchecked extensions are not appropriate. Particularly given that timely notice to
consumers may be essential for those customers to take protective action, I must dissent from this portion
of the Order.
Finally, even as we work here to improve our rules and as Congress considers additional
safeguards, we must also re-double our efforts to address abuses of this private information. Swift
enforcement action against companies that are violating our rules will be essential if we are to live up to
our duty under the Act to protect customers’ sensitive and private information.
Federal Communications Commission FCC 07-22
100
STATEMENT OF
COMMISSIONER DEBORAH TAYLOR TATE
Re: Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of
Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services,
Report and Order and Further Notice of Proposed Rulemaking, CC Docket No. 96-115 and WC Docket
No. 04-36
I have said time and again that the brokerage of personal information whether it be personal
identity, financial records, or a list of phone calls is intolerable. “Pretexting” is nothing more than
stealing; robbing consumers in a variety of slick ways of their most personal information. Indeed the law
places a duty on telecommunications providers to protect this information and today, we take important
steps to better secure private customer telephone records.
While I generally prefer market-based solutions to government intervention, I agree with my
colleagues that the widespread actions of pretexters to obtain this type of personal customer information
from carriers, required this action on our part.
I fully support strict requirements governing treatment of this sensitive data. However, I hope
that the broad scope of our actions will not impact the ability of both companies and consumers to benefit
from marketing information which may lead to lower prices or competitive bundled packages. An
approach limiting the very strict “opt-in” obligations only to call detail records may have cured the
problem at hand in a less burdensome manner.
In the end, however, customer privacy must take precedence. I am pleased that the rules we
adopt today will go a long way towards closing off the avenues that information snatchers have
repeatedly used to violate the privacy of consumer phone records.
Federal Communications Commission FCC 07-22
101
STATEMENT OF
COMMISSIONER ROBERT M. McDOWELL
Re: Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of
Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services,
Report and Order and Further Notice of Proposed Rulemaking, CC Docket No. 96-115 and WC Docket
No. 04-36
Pretexting has become the biggest threat to consumer security in the Information Age. Today’s
action further enhances the Commission’s ability to protect consumers from these advanced fraudulent
practices by strengthening our existing rules. Among the new requirements imposed on carriers, the
decision prohibits carriers from releasing call detail information during customer-initiated telephone calls
except when the customer provides a password. It also precludes carriers from disclosing CPNI to
independent contractors and joint venture partners without the customer’s specific consent, and requires
carriers to notify customers of all account changes and unauthorized disclosures of CPNI.
We must take all necessary steps to protect unauthorized disclosure of this sensitive data, keeping
in mind that pretexters are constantly trying new techniques to defraud consumers. In view of the
pretexters’ malevolent intent, the Commission will vigilantly pressure carriers to take precautions to stay
ahead of the pretexters. However, our rules should strike a careful balance and should also guard against
imposing over-reaching and unnecessary requirements that could cause unjustified burdens and costs on
carriers. In the spirit of finding that balance, the Further Notice seeks comment on possible additional
protections against unauthorized disclosure of CPNI. I look forward to reviewing the comments on those
proposals.