82 FR 44118 - Protecting the Privacy of Customers of Broadband and Other Telecommunications Services

FEDERAL COMMUNICATIONS COMMISSION

Federal Register Volume 82, Issue 182 (September 21, 2017)

Page Range: 44118-44123
FR Document: 2017-20137

[Federal Register Volume 82, Number 182 (Thursday, September 21, 2017)]
[Rules and Regulations]
[Pages 44118-44123]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-20137]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[WC Docket No. 16-106; FCC 16-148]


Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: Under the Congressional Review Act, Congress has passed, and 
the President has signed, Public Law 115-22, a resolution of 
disapproval of the rule that the Federal Communications Commission 
(FCC) submitted pursuant to such Act relating to ``Protecting the 
Privacy of Customers of Broadband and Other Telecommunications 
Services.'' By operation of the Congressional Review Act, the rule 
submitted by the FCC shall be treated as if it had never taken effect. 
However, because the Congressional Review Act does not direct the 
Office of the Federal Register to remove the voided regulatory text and 
reissue the pre-existing regulatory text, the FCC issues this document 
to effect the removal of any amendments, deletions, or other 
modifications made by the nullified rule, and the reversion to the text 
of the regulations in effect immediately prior to the effect date of 
the Report and Order relating to ``Protecting the Privacy of Customers 
of Broadband and Other Telecommunications Services.''

DATES: This action is effective September 21, 2017.

FOR FURTHER INFORMATION CONTACT: For further information about this 
proceeding, please contact Melissa Kirkel, FCC Wireline Competition 
Bureau, Competition Policy Division, 445 12th St. SW., Washington, DC 
20554, (202) 418-1580.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Report 
and Order, adopted on October 27, 2016 in WC Docket No. 16-106, FCC 16-148, 
which amended the rules under 47 CFR part 64, subpart U. It 
published a summary of the Report and Order on December 2, 2016 (81 FR 
87274), and thereafter submitted it to Congress pursuant to the 
Congressional Review Act, 5 U.S.C. 801(a)(1)(A). On March 23, 2017, the 
Senate passed a resolution of disapproval (S.J. Res. 34) of the Report 
and Order under the Congressional Review Act. The House of 
Representatives then passed S.J. Res. 34 on March 28, 2017. President 
Trump signed the resolution into law as Public Law 115-22 on April 3, 
2017. Therefore, under the terms of the Congressional Review Act, the 
Report and Order shall be ``treated as though such a rule had never 
taken effect.'' 5 U.S.C. 801(f).
    However, because the CRA does not include direction regarding the 
removal, by the Office of the Federal Register or otherwise, of the 
voided language from the Code of Federal Regulations, the FCC must 
publish this document to effect the removal of the voided text. This 
document will enable the Office of the Federal Register to effectuate 
congressional intent to remove the voided text of the rules adopted in 
the Report and Order as if it had never taken effect, and to restore 
the previous language in 47 CFR part 64, subpart U and prior state of 
the Code of Federal Regulations.
    This action is not an exercise of the FCC's rulemaking authority 
under the Administrative Procedure Act, because
the Commission is not ``formulating, amending, or repealing a rule'' 
under 5 U.S.C. 551(5). Rather, the FCC is effectuating changes to the 
Code of Federal Regulations to reflect what congressional action has 
already accomplished--namely, the nullification of any changes 
purported to have been made to the CFR by the Report and Order and the 
reversion to the regulatory text in effect immediately prior to 
adoption of the Report and Order. Accordingly, the FCC is not 
soliciting comments on this action. Moreover, this action is not a 
final agency action subject to judicial review.

List of Subjects in 47 CFR Part 64

    Claims, Communications common carriers, Computer technology, 
Credit, Foreign relations, Individuals with disabilities, Political 
candidates, Radio, Reporting and recordkeeping requirements, 
Telecommunications, Telegraph, Telephone.

Federal Communications Commission.
Marlene H. Dortch,
Secretary.

Final Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission amends 47 CFR part 64 as follows:

PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

1. The authority citation for part 64 is revised to read as follows:

    Authority:  47 U.S.C. 154, 254(k), 403(b)(2)(B), (c), Pub. L. 
104-104, 110 Stat. 56. Interpret or apply 47 U.S.C. 201, 218, 222, 
225, 226, 227, 228, 254(k), 276, 616, 620, and the Middle Class Tax 
Relief and Job Creation Act of 2012, Pub. L. 112-96, unless 
otherwise noted.

2. In part 64, revise subpart U to read as follows:

Subpart U--Customer Proprietary Network Information
Sec.
64.2001 Basis and purpose.
64.2003 Definitions.
64.2005 Use of customer proprietary network information without 
customer approval.
64.2007 Approval required for use of customer proprietary network 
information.
64.2008 Notice required for use of customer proprietary network 
information.
64.2009 Safeguards required for use of customer proprietary network 
information.
64.2010 Safeguards on the disclosure of customer proprietary network 
information.
64.2011 Notification of customer proprietary network information 
security breaches.

Subpart U--Customer Proprietary Network Information


Sec.  64.2001  Basis and purpose.

    (a) Basis. The rules in this subpart are issued pursuant to the 
Communications Act of 1934, as amended.
    (b) Purpose. The purpose of the rules in this subpart is to 
implement section 222 of the Communications Act of 1934, as amended, 47 
U.S.C. 222.


Sec.  64.2003   Definitions.

    (a) Account information. ``Account information'' is information 
that is specifically connected to the customer's service relationship 
with the carrier, including such things as an account number or any 
component thereof, the telephone number associated with the account, or 
the bill's amount.
    (b) Address of record. An ``address of record,'' whether postal or 
electronic, is an address that the carrier has associated with the 
customer's account for at least 30 days.
    (c) Affiliate. The term ``affiliate'' has the same meaning given 
such term in section 3(1) of the Communications Act of 1934, as 
amended, 47 U.S.C. 153(1).
    (d) Call detail information. Any information that pertains to the 
transmission of specific telephone calls, including, for outbound 
calls, the number called, and the time, location, or duration of any 
call and, for inbound calls, the number from which the call was placed, 
and the time, location, or duration of any call.
    (e) Communications-related services. The term ``communications-
related services'' means telecommunications services, information 
services typically provided by telecommunications carriers, and 
services related to the provision or maintenance of customer premises 
equipment.
    (f) Customer. A customer of a telecommunications carrier is a 
person or entity to which the telecommunications carrier is currently 
providing service.
    (g) Customer proprietary network information (CPNI). The term 
``customer proprietary network information (CPNI)'' has the same 
meaning given to such term in section 222(h)(1) of the Communications 
Act of 1934, as amended, 47 U.S.C. 222(h)(1).
    (h) Customer premises equipment (CPE). The term ``customer premises 
equipment (CPE)'' has the same meaning given to such term in section 
3(14) of the Communications Act of 1934, as amended, 47 U.S.C. 153(14).
    (i) Information services typically provided by telecommunications 
carriers. The phrase ``information services typically provided by 
telecommunications carriers'' means only those information services (as 
defined in section 3(20) of the Communications Act of 1934, as amended, 
47 U.S.C. 153(20)) that are typically provided by telecommunications 
carriers, such as Internet access or voice mail services. Such phrase 
``information services typically provided by telecommunications 
carriers,'' as used in this subpart, shall not include retail consumer 
services provided using Internet Web sites (such as travel reservation 
services or mortgage lending services), whether or not such services 
may otherwise be considered to be information services.
    (j) Local exchange carrier (LEC). The term ``local exchange carrier 
(LEC)'' has the same meaning given to such term in section 3(26) of the 
Communications Act of 1934, as amended, 47 U.S.C. 153(26).
    (k) Opt-in approval. The term ``opt-in approval'' refers to a 
method for obtaining customer consent to use, disclose, or permit 
access to the customer's CPNI. This approval method requires that the 
carrier obtain from the customer affirmative, express consent allowing 
the requested CPNI usage, disclosure, or access after the customer is 
provided appropriate notification of the carrier's request consistent 
with the requirements set forth in this subpart.
    (l) Opt-out approval. The term ``opt-out approval'' refers to a 
method for obtaining customer consent to use, disclose, or permit 
access to the customer's CPNI. Under this approval method, a customer 
is deemed to have consented to the use, disclosure, or access to the 
customer's CPNI if the customer has failed to object thereto within the 
waiting period described in Sec.  64.2008(d)(1) after the customer is 
provided appropriate notification of the carrier's request for consent 
consistent with the rules in this subpart.
    (m) Readily available biographical information. ``Readily available 
biographical information'' is information drawn from the customer's 
life history and includes such things as the customer's social security 
number, or the last four digits of that number; mother's maiden name; 
home address; or date of birth.
    (n) Subscriber list information (SLI). The term ``subscriber list 
information (SLI)'' has the same meaning given to such term in section 
222(h)(3) of the Communications Act of 1934, as amended, 47 U.S.C. 
222(h)(3).
    (o) Telecommunications carrier or carrier. The terms 
``telecommunications carrier'' or ``carrier'' shall have the same 
meaning as set forth in section 3(44) of
the Communications Act of 1934, as amended, 47 U.S.C. 153(44). For the 
purposes of this subpart, the term ``telecommunications carrier'' or 
``carrier'' shall include an entity that provides interconnected VoIP 
service, as that term is defined in section 9.3 of these rules.
    (p) Telecommunications service. The term ``telecommunications 
service'' has the same meaning given to such term in section 3(46) of 
the Communications Act of 1934, as amended, 47 U.S.C. 153(46).
    (q) Telephone number of record. The telephone number associated 
with the underlying service, not the telephone number supplied as a 
customer's ``contact information.''
    (r) Valid photo ID. A ``valid photo ID'' is a government-issued 
means of personal identification with a photograph such as a driver's 
license, passport, or comparable ID that is not expired.


Sec.  64.2005   Use of customer proprietary network information without 
customer approval.

    (a) Any telecommunications carrier may use, disclose, or permit 
access to CPNI for the purpose of providing or marketing service 
offerings among the categories of service (i.e., local, interexchange, 
and CMRS) to which the customer already subscribes from the same 
carrier, without customer approval.
    (1) If a telecommunications carrier provides different categories 
of service, and a customer subscribes to more than one category of 
service offered by the carrier, the carrier is permitted to share CPNI 
among the carrier's affiliated entities that provide a service offering 
to the customer.
    (2) If a telecommunications carrier provides different categories 
of service, but a customer does not subscribe to more than one offering 
by the carrier, the carrier is not permitted to share CPNI with its 
affiliates, except as provided in Sec.  64.2007(b).
    (b) A telecommunications carrier may not use, disclose, or permit 
access to CPNI to market to a customer service offerings that are 
within a category of service to which the subscriber does not already 
subscribe from that carrier, unless that carrier has customer approval 
to do so, except as described in paragraph (c) of this section.
    (1) A wireless provider may use, disclose, or permit access to CPNI 
derived from its provision of CMRS, without customer approval, for the 
provision of CPE and information service(s). A wireline carrier may 
use, disclose or permit access to CPNI derived from its provision of 
local exchange service or interexchange service, without customer 
approval, for the provision of CPE and call answering, voice mail or 
messaging, voice storage and retrieval services, fax store and forward, 
and protocol conversion.
    (2) A telecommunications carrier may not use, disclose or permit 
access to CPNI to identify or track customers that call competing 
service providers. For example, a local exchange carrier may not use 
local service CPNI to track all customers that call local service 
competitors.
    (c) A telecommunications carrier may use, disclose, or permit 
access to CPNI, without customer approval, as described in this 
paragraph (c).
    (1) A telecommunications carrier may use, disclose, or permit 
access to CPNI, without customer approval, in its provision of inside 
wiring installation, maintenance, and repair services.
    (2) CMRS providers may use, disclose, or permit access to CPNI for 
the purpose of conducting research on the health effects of CMRS.
    (3) LECs, CMRS providers, and entities that provide interconnected 
VoIP service as that term is defined in Sec.  9.3 of this chapter, may 
use CPNI, without customer approval, to market services formerly known 
as adjunct-to-basic services, such as, but not limited to, speed 
dialing, computer-provided directory assistance, call monitoring, call 
tracing, call blocking, call return, repeat dialing, call tracking, 
call waiting, caller I.D., call forwarding, and certain centrex 
features.
    (d) A telecommunications carrier may use, disclose, or permit 
access to CPNI to protect the rights or property of the carrier, or to 
protect users of those services and other carriers from fraudulent, 
abusive, or unlawful use of, or subscription to, such services.


Sec.  64.2007   Approval required for use of customer proprietary 
network information.

    (a) A telecommunications carrier may obtain approval through 
written, oral or electronic methods.
    (1) A telecommunications carrier relying on oral approval shall 
bear the burden of demonstrating that such approval has been given in 
compliance with the Commission's rules in this part.
    (2) Approval or disapproval to use, disclose, or permit access to a 
customer's CPNI obtained by a telecommunications carrier must remain in 
effect until the customer revokes or limits such approval or 
disapproval.
    (3) A telecommunications carrier must maintain records of approval, 
whether oral, written or electronic, for at least one year.
    (b) Use of opt-out and opt-in approval processes. A 
telecommunications carrier may, subject to opt-out approval or opt-in 
approval, use its customer's individually identifiable CPNI for the 
purpose of marketing communications-related services to that customer. 
A telecommunications carrier may, subject to opt-out approval or opt-in 
approval, disclose its customer's individually identifiable CPNI, for 
the purpose of marketing communications-related services to that 
customer, to its agents and its affiliates that provide communications-
related services. A telecommunications carrier may also permit such 
persons or entities to obtain access to such CPNI for such purposes. 
Except for use and disclosure of CPNI that is permitted without 
customer approval under Sec.  64.2005, or that is described in this 
paragraph, or as otherwise provided in section 222 of the 
Communications Act of 1934, as amended, a telecommunications carrier 
may only use, disclose, or permit access to its customer's individually 
identifiable CPNI subject to opt-in approval.


Sec.  64.2008   Notice required for use of customer proprietary network 
information.

    (a) Notification, generally. (1) Prior to any solicitation for 
customer approval, a telecommunications carrier must provide 
notification to the customer of the customer's right to restrict use 
of, disclosure of, and access to that customer's CPNI.
    (2) A telecommunications carrier must maintain records of 
notification, whether oral, written or electronic, for at least one 
year.
    (b) Individual notice to customers must be provided when soliciting 
approval to use, disclose, or permit access to customers' CPNI.
    (c) Content of notice. Customer notification must provide 
sufficient information to enable the customer to make an informed 
decision as to whether to permit a carrier to use, disclose, or permit 
access to, the customer's CPNI.
    (1) The notification must state that the customer has a right, and 
the carrier has a duty, under federal law, to protect the 
confidentiality of CPNI.
    (2) The notification must specify the types of information that 
constitute CPNI and the specific entities that will receive the CPNI, 
describe the purposes for which CPNI will be used, and inform the 
customer of his or her right to disapprove those uses, and deny or 
withdraw access to CPNI at any time.

    (3) The notification must advise the customer of the precise steps 
the customer must take in order to grant or deny access to CPNI, and 
must clearly state that a denial of approval will not affect the 
provision of any services to which the customer subscribes. However, 
carriers may provide a brief statement, in clear and neutral language, 
describing consequences directly resulting from the lack of access to 
CPNI.
    (4) The notification must be comprehensible and must not be 
misleading.
    (5) If written notification is provided, the notice must be clearly 
legible, use sufficiently large type, and be placed in an area so as to 
be readily apparent to a customer.
    (6) If any portion of a notification is translated into another 
language, then all portions of the notification must be translated into 
that language.
    (7) A carrier may state in the notification that the customer's 
approval to use CPNI may enhance the carrier's ability to offer 
products and services tailored to the customer's needs. A carrier also 
may state in the notification that it may be compelled to disclose CPNI 
to any person upon affirmative written request by the customer.
    (8) A carrier may not include in the notification any statement 
attempting to encourage a customer to freeze third-party access to 
CPNI.
    (9) The notification must state that any approval, or denial of 
approval for the use of CPNI outside of the service to which the 
customer already subscribes from that carrier is valid until the 
customer affirmatively revokes or limits such approval or denial.
    (10) A telecommunications carrier's solicitation for approval must 
be proximate to the notification of a customer's CPNI rights.
    (d) Notice requirements specific to opt-out. A telecommunications 
carrier must provide notification to obtain opt-out approval through 
electronic or written methods, but not by oral communication (except as 
provided in paragraph (f) of this section). The contents of any such 
notification must comply with the requirements of paragraph (c) of this 
section.
    (1) Carriers must wait a 30-day minimum period of time after giving 
customers notice and an opportunity to opt-out before assuming customer 
approval to use, disclose, or permit access to CPNI. A carrier may, in 
its discretion, provide for a longer period. Carriers must notify 
customers as to the applicable waiting period for a response before 
approval is assumed.
    (i) In the case of an electronic form of notification, the waiting 
period shall begin to run from the date on which the notification was 
sent; and
    (ii) In the case of notification by mail, the waiting period shall 
begin to run on the third day following the date that the notification 
was mailed.
    (2) Carriers using the opt-out mechanism must provide notices to 
their customers every two years.
    (3) Telecommunications carriers that use email to provide opt-out 
notices must comply with the following requirements in addition to the 
requirements generally applicable to notification:
    (i) Carriers must obtain express, verifiable, prior approval from 
consumers to send notices via email regarding their service in general, 
or CPNI in particular;
    (ii) Carriers must allow customers to reply directly to emails 
containing CPNI notices in order to opt-out;
    (iii) Opt-out email notices that are returned to the carrier as 
undeliverable must be sent to the customer in another form before 
carriers may consider the customer to have received notice;
    (iv) Carriers that use email to send CPNI notices must ensure that 
the subject line of the message clearly and accurately identifies the 
subject matter of the email; and
    (v) Telecommunications carriers must make available to every 
customer a method to opt-out that is of no additional cost to the 
customer and that is available 24 hours a day, seven days a week. 
Carriers may satisfy this requirement through a combination of methods, 
so long as all customers have the ability to opt-out at no cost and are 
able to effectuate that choice whenever they choose.
    (e) Notice requirements specific to opt-in. A telecommunications 
carrier may provide notification to obtain opt-in approval through 
oral, written, or electronic methods. The contents of any such 
notification must comply with the requirements of paragraph (c) of this 
section.
    (f) Notice requirements specific to one-time use of CPNI. (1) 
Carriers may use oral notice to obtain limited, one-time use of CPNI 
for inbound and outbound customer telephone contacts for the duration 
of the call, regardless of whether carriers use opt-out or opt-in 
approval based on the nature of the contact.
    (2) The contents of any such notification must comply with the 
requirements of paragraph (c) of this section, except that 
telecommunications carriers may omit any of the following notice 
provisions if not relevant to the limited use for which the carrier 
seeks CPNI:
    (i) Carriers need not advise customers that if they have opted-out 
previously, no action is needed to maintain the opt-out election;
    (ii) Carriers need not advise customers that they may share CPNI 
with their affiliates or third parties and need not name those 
entities, if the limited CPNI usage will not result in use by, or 
disclosure to, an affiliate or third party;
    (iii) Carriers need not disclose the means by which a customer can 
deny or withdraw future access to CPNI, so long as carriers explain to 
customers that the scope of the approval the carrier seeks is limited 
to one-time use; and
    (iv) Carriers may omit disclosure of the precise steps a customer 
must take in order to grant or deny access to CPNI, as long as the 
carrier clearly communicates that the customer can deny access to his 
CPNI for the call.
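The opt-out waiting period in Sec. 64.2008(d)(1) starts on different days for electronic and mailed notices, a bounced email never counts as notice ((d)(3)(iii)), and the notice must be repeated every two years ((d)(2)). The following is an added illustration, not text or code from the Federal Register document; the function names, the whole-day counting convention, and the calendar-date reading of "every two years" are this example's own assumptions.

```python
# Added example (not part of the Federal Register document): the opt-out
# waiting-period arithmetic of 47 CFR 64.2008(d)(1), the email-bounce rule of
# (d)(3)(iii) and the two-year renotice rule of (d)(2) as a small policy helper.
# All function names and the day-counting convention are assumptions.
from datetime import date, timedelta

MIN_WAITING_DAYS = 30   # 64.2008(d)(1): 30-day minimum before approval is assumed
MAIL_START_OFFSET = 3   # 64.2008(d)(1)(ii): period runs from the third day after mailing
RENOTICE_YEARS = 2      # 64.2008(d)(2): opt-out notices must be repeated every two years


def waiting_period_start(channel: str, sent_on: date) -> date:
    """Day on which the waiting period begins to run for an opt-out notice.

    channel is "electronic" or "mail"; oral notice cannot be used to obtain
    opt-out approval (64.2008(d)), so any other channel is rejected.
    """
    if channel == "electronic":
        return sent_on                                      # (d)(1)(i): date sent
    if channel == "mail":
        return sent_on + timedelta(days=MAIL_START_OFFSET)  # (d)(1)(ii)
    raise ValueError(f"opt-out notice may not be given by {channel!r}")


def earliest_assumed_approval(channel: str, sent_on: date,
                              carrier_period_days: int = MIN_WAITING_DAYS) -> date:
    """First day on which the carrier may treat customer silence as approval.

    Assumption: the period is counted in whole days from the start day, so the
    earliest permissible day is start + period. A carrier may choose a longer
    period but never a shorter one.
    """
    if carrier_period_days < MIN_WAITING_DAYS:
        raise ValueError("carrier waiting period is below the 30-day minimum")
    return waiting_period_start(channel, sent_on) + timedelta(days=carrier_period_days)


def may_assume_approval(channel: str, sent_on: date, today: date, *,
                        customer_objected: bool = False,
                        undeliverable: bool = False,
                        carrier_period_days: int = MIN_WAITING_DAYS) -> bool:
    """Decide whether CPNI use under opt-out approval may begin on `today`."""
    if customer_objected:
        return False
    if channel == "electronic" and undeliverable:
        # (d)(3)(iii): a bounced email is not notice. The carrier must re-send the
        # notice in another form and compute the period afresh from that notice.
        return False
    return today >= earliest_assumed_approval(channel, sent_on, carrier_period_days)


def renotice_due(last_notice: date, today: date) -> bool:
    """64.2008(d)(2): the opt-out notice must be given again every two years.

    Assumption: the two years run from the calendar date of the last notice.
    """
    try:
        due = last_notice.replace(year=last_notice.year + RENOTICE_YEARS)
    except ValueError:  # last notice fell on 29 February
        due = last_notice.replace(year=last_notice.year + RENOTICE_YEARS, day=28)
    return today >= due


if __name__ == "__main__":
    sent = date(2017, 9, 21)  # constructed example date
    print("mailed notice, approval assumable from:", earliest_assumed_approval("mail", sent))
    print("emailed notice, approval assumable from:", earliest_assumed_approval("electronic", sent))
```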


Sec.  64.2009   Safeguards required for use of customer proprietary 
network information.

    (a) Telecommunications carriers must implement a system by which 
the status of a customer's CPNI approval can be clearly established 
prior to the use of CPNI.
    (b) Telecommunications carriers must train their personnel as to 
when they are and are not authorized to use CPNI, and carriers must 
have an express disciplinary process in place.
    (c) All carriers shall maintain a record, electronically or in some 
other manner, of their own and their affiliates' sales and marketing 
campaigns that use their customers' CPNI. All carriers shall maintain a 
record of all instances where CPNI was disclosed or provided to third 
parties, or where third parties were allowed access to CPNI. The record 
must include a description of each campaign, the specific CPNI that was 
used in the campaign, and what products and services were offered as a 
part of the campaign. Carriers shall retain the record for a minimum of 
one year.
    (d) Telecommunications carriers must establish a supervisory review 
process regarding carrier compliance with the rules in this subpart for 
outbound marketing situations and maintain records of carrier 
compliance for a minimum period of one year. Specifically, sales 
personnel must obtain supervisory approval of any proposed outbound 
marketing request for customer approval.
    (e) A telecommunications carrier must have an officer, as an agent 
of the carrier, sign and file with the Commission a compliance 
certificate on an annual basis. The officer must state
in the certification that he or she has personal knowledge that the 
company has established operating procedures that are adequate to 
ensure compliance with the rules in this subpart. The carrier must 
provide a statement accompanying the certificate explaining how its 
operating procedures ensure that it is or is not in compliance with the 
rules in this subpart. In addition, the carrier must include an 
explanation of any actions taken against data brokers and a summary of 
all customer complaints received in the past year concerning the 
unauthorized release of CPNI. This filing must be made annually with 
the Enforcement Bureau on or before March 1 in EB Docket No. 06-36, for 
data pertaining to the previous calendar year.
    (f) Carriers must provide written notice within five business days 
to the Commission of any instance where the opt-out mechanisms do not 
work properly, to such a degree that consumers' inability to opt-out is 
more than an anomaly.
    (1) The notice shall be in the form of a letter, and shall include 
the carrier's name, a description of the opt-out mechanism(s) used, the 
problem(s) experienced, the remedy proposed and when it will be/was 
implemented, whether the relevant state commission(s) has been notified 
and whether it has taken any action, a copy of the notice provided to 
customers, and contact information.
    (2) Such notice must be submitted even if the carrier offers other 
methods by which consumers may opt-out.


Sec.  64.2010   Safeguards on the disclosure of customer proprietary 
network information.

    (a) Safeguarding CPNI. Telecommunications carriers must take 
reasonable measures to discover and protect against attempts to gain 
unauthorized access to CPNI. Telecommunications carriers must properly 
authenticate a customer prior to disclosing CPNI based on customer-
initiated telephone contact, online account access, or an in-store 
visit.
    (b) Telephone access to CPNI. Telecommunications carriers may only 
disclose call detail information over the telephone, based on customer-
initiated telephone contact, if the customer first provides the carrier 
with a password, as described in paragraph (e) of this section, that is 
not prompted by the carrier asking for readily available biographical 
information, or account information. If the customer does not provide a 
password, the telecommunications carrier may only disclose call detail 
information by sending it to the customer's address of record, or by 
calling the customer at the telephone number of record. If the customer 
is able to provide call detail information to the telecommunications 
carrier during a customer-initiated call without the telecommunications 
carrier's assistance, then the telecommunications carrier is permitted 
to discuss the call detail information provided by the customer.
    (c) Online access to CPNI. A telecommunications carrier must 
authenticate a customer without the use of readily available 
biographical information, or account information, prior to allowing the 
customer online access to CPNI related to a telecommunications service 
account. Once authenticated, the customer may only obtain online access 
to CPNI related to a telecommunications service account through a 
password, as described in paragraph (e) of this section, that is not 
prompted by the carrier asking for readily available biographical 
information, or account information.
    (d) In-store access to CPNI. A telecommunications carrier may 
disclose CPNI to a customer who, at a carrier's retail location, first 
presents to the telecommunications carrier or its agent a valid photo 
ID matching the customer's account information.
    (e) Establishment of a password and back-up authentication methods 
for lost or forgotten passwords. To establish a password, a 
telecommunications carrier must authenticate the customer without the 
use of readily available biographical information, or account 
information. Telecommunications carriers may create a back-up customer 
authentication method in the event of a lost or forgotten password, but 
such back-up customer authentication method may not prompt the customer 
for readily available biographical information, or account information. 
If a customer cannot provide the correct password or the correct 
response for the back-up customer authentication method, the customer 
must establish a new password as described in this paragraph.
    (f) Notification of account changes. Telecommunications carriers 
must notify customers immediately whenever a password, customer 
response to a back-up means of authentication for lost or forgotten 
passwords, online account, or address of record is created or changed. 
This notification is not required when the customer initiates service, 
including the selection of a password at service initiation. This 
notification may be through a carrier-originated voicemail or text 
message to the telephone number of record, or by mail to the address of 
record, and must not reveal the changed information or be sent to the 
new account information.
    (g) Business customer exemption. Telecommunications carriers may 
bind themselves contractually to authentication regimes other than 
those described in this section for services they provide to their 
business customers that have both a dedicated account representative 
and a contract that specifically addresses the carriers' protection of 
CPNI.


Sec.  64.2011   Notification of customer proprietary network 
information security breaches.

    (a) A telecommunications carrier shall notify law enforcement of a 
breach of its customers' CPNI as provided in this section. The carrier 
shall not notify its customers or disclose the breach publicly, whether 
voluntarily or under state or local law or these rules, until it has 
completed the process of notifying law enforcement pursuant to 
paragraph (b) of this section.
    (b) As soon as practicable, and in no event later than seven (7) 
business days, after reasonable determination of the breach, the 
telecommunications carrier shall electronically notify the United 
States Secret Service (USSS) and the Federal Bureau of Investigation 
(FBI) through a central reporting facility. The Commission will 
maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.
    (1) Notwithstanding any state law to the contrary, the carrier 
shall not notify customers or disclose the breach to the public until 7 
full business days have passed after notification to the USSS and the 
FBI except as provided in paragraphs (b)(2) and (b)(3) of this section.
    (2) If the carrier believes that there is an extraordinarily urgent 
need to notify any class of affected customers sooner than otherwise 
allowed under paragraph (b)(1) of this section, in order to avoid 
immediate and irreparable harm, it shall so indicate in its 
notification and may proceed to immediately notify its affected 
customers only after consultation with the relevant investigating 
agency. The carrier shall cooperate with the relevant investigating 
agency's request to minimize any adverse effects of such customer 
notification.
    (3) If the relevant investigating agency determines that public 
disclosure or notice to customers would impede or compromise an ongoing 
or potential criminal investigation or national security, such agency 
may direct the carrier not to so disclose or notify for an initial 
period of up to 30 days. Such
period may be extended by the agency as reasonably necessary in the 
judgment of the agency. If such direction is given, the agency shall 
notify the carrier when it appears that public disclosure or notice to 
affected customers will no longer impede or compromise a criminal 
investigation or national security. The agency shall provide in writing 
its initial direction to the carrier, any subsequent extension, and any 
notification that notice will no longer impede or compromise a criminal 
investigation or national security and such writings shall be 
contemporaneously logged on the same reporting facility that contains 
records of notifications filed by carriers.
    (c) Customer notification. After a telecommunications carrier has 
completed the process of notifying law enforcement pursuant to 
paragraph (b) of this section, it shall notify its customers of a 
breach of those customers' CPNI.
    (d) Recordkeeping. All carriers shall maintain a record, 
electronically or in some other manner, of any breaches discovered, 
notifications made to the USSS and the FBI pursuant to paragraph (b) of 
this section, and notifications made to customers. The record must 
include, if available, dates of discovery and notification, a detailed 
description of the CPNI that was the subject of the breach, and the 
circumstances of the breach. Carriers shall retain the record for a 
minimum of 2 years.
    (e) Definitions. As used in this section, a ``breach'' has occurred 
when a person, without authorization or exceeding authorization, has 
intentionally gained access to, used, or disclosed CPNI.
    (f) This section does not supersede any statute, regulation, order, 
or interpretation in any State, except to the extent that such statute, 
regulation, order, or interpretation is inconsistent with the 
provisions of this section, and then only to the extent of the 
inconsistency.

[FR Doc. 2017-20137 Filed 9-20-17; 8:45 am]
 BILLING CODE 6712-01-P


Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Final rule.
Dates: This action is effective September 21, 2017.
Contact: For further information about this proceeding, please contact Melissa Kirkel, FCC Wireline Competition Bureau, Competition Policy Division, 445 12th St. SW., Washington, DC 20554, (202) 418-1580.
FR Citation: 82 FR 44118
CFR Associated: Claims; Communications Common Carriers; Computer Technology; Credit; Foreign Relations; Individuals with Disabilities; Political Candidates; Radio; Reporting and Recordkeeping Requirements; Telecommunications; Telegraph and Telephone
