FCC Imposes 20M CPNI Fine, New Deadlines for Video Providers, and Robocalls Effective Date Announced
FCC Reminds Companies to Comply with CPNI Rules by Imposing a $20 Million Penalty for Violating Authentication Requirements
The FCC recently issued a Notice of Apparent Liability for Forfeiture (NAL) proposing to impose a $20 million penalty on two companies for failing to comply with Customer Propriety Network Information (CPNI) authentication rules. In the NAL and related News Release, the FCC warned that “protecting customers’ data should be their highest priority” and that they “will use our authorities to ensure that they comply with their obligations to do so.”
Under the CPNI authentication requirements, providers of voice services must ensure they do not disclose sensitive customer data to unauthorized third parties by “authenticating” that the individual is indeed the customer before disclosing call detail information. When customer data is accessible online, providers must establish authentication processes that require the customer to enter a password. Also, any “backup” questions that can be used in case the customer forgets or loses the password cannot use account or biographical information.
In imposing the hefty fine, the FCC explained that the agency began investigating whether the companies violated CPNI rules when it was reported that confidential customer information may have been made public due to a security flaw the companies’ app that customers use to access their account information. As a result of this investigation, the FCC found that the companies violated CPNI rules by failing to take “reasonable measures” to discover and protect against attempts to gain unauthorized access to CPNI.” The FCC noted that this responsibility to protect customer data is “an overarching responsibility that applies to each carrier and that is separate and independent from the more specific requirements in the CPNI rules regarding customer authentication.”
The FCC then used the fine to remind all voice providers of the consequences of failing to protect customer data by issuing a News Release in which FCC Chairwoman Jessica Rosenworcel announced the creation of a newly established Privacy and Data Protection Task Force. In the release, Chairwoman Rosenworcel emphasized the importance of the task force as an “important step in our commitment to protect the privacy and security of consumer information” and highlighted that “consumers rely on their carriers to keep their personal information secure, and the Commission must effectively use our tools for enforcing privacy protections.”
Accordingly, we remind clients of their obligation to ensure that they secure customer data, including data available online, maintain regularly updated Privacy and CPNI policies and procedures, and train staff who strictly adhere to CPNI and other policies and rules protecting confidential customer information.
JSI’s team is here to help including assistance in crafting CPNI and Privacy policies and procedures, conducting CPNI and Red Flag Rule training session, and consult on authentication requirements and breach notifications. JSI also offers assistance in filing your annual CPNI certification.
If you have any questions or would like assistance, please contact Leslie Ellis or by calling 301-459-7590.
New Deadlines for Video Providers – EEO Form 396-C Filing Now Due Oct 2
EEO Filing – The FCC’s Media Bureau has extended the 2023 deadline for video/cable TV providers to file FCC Form 396-C, Cable Equal Employment Opportunity (EEO) Annual Report, to October 2. The Form must be filed via the EEO filing portal in the Cable Operations and Licensing System (COALS). The FCC also released the names of those cable operators selected to complete the Supplemental Investigation Sheet (SIS), which requires additional information.
If you have six or more full-time cable employees (those who spend at least 30 hours per week on cable operations), you must file the Form 396-C by the October 2 deadline.
If you have fewer than six full-time cable employees and have in the past filed a Form 396-C to indicate you are under that threshold, no further filing is needed. If you have initiated cable service within the last year and have never filed this form, JSI recommends that you file the form once to establish that you have fewer than six full-time cable employees.
For additional information or questions concerning the FCC Form 396-C, please contact Kim Waldvogel or call 301-459-7590.
Emergency Alert System (EAS) Nationwide Tests Scheduled for Oct 4
On August 3, 2023, the FCC released a Public Notice announcing Nationwide Tests of the EAS and Wireless Emergency Alerts (WEA) systems. The Federal Emergency Management Agency (FEMA) in conjunction with the FCC scheduled the WEA test for October 4, 2023 at 2:18 pm (EDT). FEMA will then transmit the nationwide EAS test at 2:20 pm (ETD), using the Integrated Public Alert and Warning System (IPAWS). If testing cannot be completed at that time, an alternate date has been scheduled for October 11, 2023.
After the tests are performed, all EAS participants must file Form Two reflecting “day of test” data in the FCC’s EAS Test Reporting System (ETRS), on or before October 5, 2023. EAS participants must then also complete Form Three with the detailed post-test data within ETRS which is due by November 20, 2023. By now, all EAS participants should have completed their Form One filing reflecting carrier EAS demographics that was due on February 28, 2023 in the ETRS.
For additional information or questions concerning the EAS and WEA Nationwide Tests, please contact Kim Waldvogel or call 301-459-7590.
New Robocall Rule Takes Effect December 31, 2023
In the FCC’s Sixth Report and Order, the FCC mandated a new obligation for unauthenticated Session Initiated Protocol (SIP) calls. Effective December 31, 2023, the first non-gateway intermediate provider (e.g., tandem switch providers, transit providers, and wholesale carriers) in the call path must authenticate any unauthenticated SIP call received directly from an originating provider.
The FCC defines an intermediate provider as any entity that carries or processes traffic that traverses or will traverse the public switched telephone network at any point and that entity neither originates nor terminates that traffic. Non-gateway traffic refers to traffic that is only routed over networks within the United States.
The December 31, 2023, deadline allows non-gateway intermediate providers time to comply with the new requirements by:
- Deploying any technical capabilities necessary to authenticate calls not authenticated by the upstream carrier. or
- Amend contracts with upstream providers, or the carriers from which they receive traffic, to state that their network will only accept and route authenticated SIP calls.
Contact Bridget Alexander White or call 301-459-7590 with any questions regarding the new rules or if your company needs help amending its contracts or agreements.