The Federal Communications Commission has issued its 2014 Enforcement Advisory reminding telecommunications carriers and interconnected VoIP providers that they must file their annual CPNI certifications by March 1st. The Advisory notes that in prior years many companies failed to file or filed certificates that violated the FCC’s rules in material respects. Accordingly, providers are reminded that failure to comply with the CPNI rules, including the annual certification requirement, may subject them to enforcement action, including monetary forfeitures of up to $160,000 for each violation or each day of a continuing violation, up to a maximum of $1,575,000. Additionally, false statements or misrepresentations to the Commission may be punishable by fine or imprisonment under Title 18 of the U.S. Code.
The FCC requires that all telecommunications carriers and interconnected VoIP providers file an individualized CPNI compliance certificate and statement on an annual basis. The certification must: (1) be signed by an officer with personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the FCC's CPNI rules; (2) be accompanied by a statement explaining how the carrier's operating procedures ensure that it is or is not in compliance with the rules; (3) include an explanation of any actions taken against data brokers; and (4) include a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. The data in the certificate must pertain to the previous calendar year.
The FCC’s CPNI rules cover areas such as use of CPNI for marketing purposes, access to call detail over the telephone, online access to CPNI, in-store (retail) access to CPNI, customer notification of certain changes to their account, and notification of CPNI breaches. The rules require carriers to adopt safeguards against the unauthorized use of CPNI and to implement employee training and other measures to protect against unauthorized disclosure of CPNI.
The content of the annual statement will depend upon the choices each company makes regarding use of CPNI for marketing purposes, and the circumstances, if any, under which it will provide customer access to call detail and CPNI either over the telephone or online. In addition, each carrier must describe the internal safeguards and employee training programs in place to prevent unauthorized disclosure of CPNI.
The FCC has set a base forfeiture amount of $20,000 for the failure to comply with the with the annual CPNI certification filing requirement. In the past, the FCC has assessed penalties as high as $100,000 for failure to file, or for filing incomplete, CPNI certifications.
 Section 222 of the Communications Act defines CPNI as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.” CPNI includes personal information such as the phone numbers of calls made and received, the frequency, duration, and timing of such calls, and any services purchased by the consumer, such as call waiting and voice mail.