Photo of Wesley Wright

Tomorrow, March 1, 2019, telecommunications carriers and interconnected VOIP providers (“Filers”) will have filed their annual certification confirming they complied with the FCC’s Customer Proprietary Network Information (“CPNI”) rules.

The FCC’s CPNI rules require Filers to establish and maintain systems designed to ensure they adequately protect their subscribers’ CPNI.   Consumer data protected by the CPNI rules includes account information, call detail information (including what numbers are called and when), and other sensitive information.

In addition to safeguarding this information, the FCC’s rules also require Filers to submit an annual certification – due March 1st of each year – documenting their compliance with the rules and detailing any complaints they received against data brokers.  A template of the CPNI filing is available on the FCC’s website (here).

The CPNI deadline filing kicks off the FCC’s “Spring Filing Season.”  On March 8th, facilities-based broadband providers must file data with the Commission on its Form 477 identifying where they offer Internet access service at speeds exceeding 200 kbps in at least one direction, as of December 31, 2018.  The filing deadline typically is March 1st, but this was recently extended for an additional week by the Commission.

The Form 477 requires fixed broadband providers to identify the census blocks in which “a provider does, or could, without an extraordinary commitment of resources, provide service.”  Mobile broadband providers file maps of their coverage areas for each broadband technology.  The Form 477 reporting portal is available here.

On April 1st, the FCC requires service providers and equipment manufacturers that are subject to the Commission’s rules implementing the 21st Century Communications and Video Accessibility Act (“CVAA”) to file annual recordkeeping certifications.  This certification confirms that the filer has taken steps to ensure its services and products are accessible by people with disabilities and that it maintains records detailing these accessibility considerations.  The Commission’s CVAA filing portal is available here.

Also on April 1st, telecommunications providers and many VoIP providers must file their annual FCC Forms 499-A with USAC, summarizing their 2018 revenues and USF contributions and making adjustments to their 2018 contributions based on the estimates in their 2018 quarterly filings.  Some states have established funds for universal service which  require contributions based on revenues from certain services and impose reporting obligations.

It can be challenging to track these deadlines and determine which obligations apply to your company or the specific services it offers.  Please contact us with questions about these – and other – ongoing compliance requirements.

Photo of Douglas Jarrett

For years, the carriers have rejected commitments related to the security of customers’ voice and data communications traversing their networks.  This entry focuses on how this position undermines the carriers’ interests in offering or partnering in the provision of data center and cloud computing services in which carriers must compete with established players or tech-savvy start-ups that understand data security is central to the value of these non-transport offerings.

Carriers’ Longstanding Positions on Customer Data.  The carriers have systematically rejected responsibility for customer data in connection with their transport services, maintaining customers can address these concerns by encrypting their communications. In regard to toll fraud, the carriers’ persistent position is that toll fraud is the customer’s problem.  On customer proprietary network information, the carriers strive to extract the customer’s consent allowing the carrier to share CPNI with affiliates and agents and require the customer to affirmatively revoke the consent after contract signing, contrary to the spirit and intent of 47 USC § 222. The confidentiality provision in carrier agreements exists principally to limit disclosure of the terms and conditions in the agreement.

The Challenge for Carriers in Non-Transport Services.  This aversion to reasonable commitments regarding the integrity of customer communications is a challenge for carriers looking to upsell firewall, intrusion detection and other network security offerings and data center and cloud computing services for which customer data and network security are paramount concerns.  The carriers’ longstanding position on customer data security is not responsive in the current legal environment in which enterprises find themselves.  Companies must comply with state laws and foreign directives on data privacy and breach notification obligations, industry-specific laws and regulations, such as the HIPPA Privacy, Security and Breach Notification rules, and industry-specific standards, such as the Payment Card Industry standards (collectively referred to as “Data Privacy Laws and Standards”).

The value proposition for data center services requires providers to assume control and responsibility for the integrity and security of their data center operations.  Specific provisions obligating the site operator to deploy fire suppression technologies, electrical power back-up systems, physically diverse paths for connectivity to and from the facility, temperature controls and physical security are standard provisions.  If the operation of the data center implicates customers’ obligations under Data Privacy Laws and Standards, the customer reasonably expects the data center provider to indemnify the customer for the costs, expenses and fines triggered by the services providers’ actions.  Similarly, customers reasonably expect that their data reside in designated data centers and not re-located or transferred to physical facilities in other areas that trigger additional obligations under Data Privacy Laws and Standards.

These and related considerations over the loss of trade secrets and proprietary information are even more compelling in connection with cloud computing services.  Customers reasonably expect that providers of network security services and data center and cloud computing services will conduct SOC 2 and SOC 3 reviews and even share the results of the service organization’s SOC 3 audits.

The major so-called “public cloud providers” may well resist provisions on data privacy and security, maintaining their offerings are highly standardized and available only under standard terms and conditions.  On the other hand, other cloud services providers including those partnering with the major carriers are among those expected to respond in a reasonable fashion to the data security interests of enterprise customers.  Telecommunications carriers would be well-served to abandon their intransience regarding customer expectations on data security and integrity if they expect to compete in the rapidly growing markets for these services.