
82 FR 44118 - Protecting the Privacy of Customers of Broadband and Other Telecommunications Services

FEDERAL COMMUNICATIONS COMMISSION

Federal Register Volume 82, Issue 182 (September 21, 2017)

Page Range: 44118-44123
FR Document: 2017-20137

[Federal Register Volume 82, Number 182 (Thursday, September 21, 2017)]
[Rules and Regulations]
[Pages 44118-44123]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-20137]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[WC Docket No. 16-106; FCC 16-148]


Protecting the Privacy of Customers of Broadband and Other 
Telecommunications Services

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: Under the Congressional Review Act, Congress has passed, and 
the President has signed, Public Law 115-22, a resolution of 
disapproval of the rule that the Federal Communications Commission 
(FCC) submitted pursuant to such Act relating to ``Protecting the 
Privacy of Customers of Broadband and Other Telecommunications 
Services.'' By operation of the Congressional Review Act, the rule 
submitted by the FCC shall be treated as if it had never taken effect. 
However, because the Congressional Review Act does not direct the 
Office of the Federal Register to remove the voided regulatory text and 
reissue the pre-existing regulatory text, the FCC issues this document 
to effect the removal of any amendments, deletions, or other 
modifications made by the nullified rule, and the reversion to the text 
of the regulations in effect immediately prior to the effect date of 
the Report and Order relating to ``Protecting the Privacy of Customers 
of Broadband and Other Telecommunications Services.''

DATES: This action is effective September 21, 2017.

FOR FURTHER INFORMATION CONTACT: For further information about this 
proceeding, please contact Melissa Kirkel, FCC Wireline Competition 
Bureau, Competition Policy Division, 445 12th St. SW., Washington, DC 
20554, (202) 418-1580.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Report 
and Order, adopted on October 27, 2016 in WC Docket No. 16-106, FCC 16-
148, which amended the rules under 47 CFR part 64, subpart U. It 
published a summary of the Report and Order on December 2, 2016 (81 FR 
87274), and thereafter submitted it to Congress pursuant to the 
Congressional Review Act, 5 U.S.C. 801(a)(1)(A). On March 23, 2017, the 
Senate passed a resolution of disapproval (S.J. Res. 34) of the Report 
and Order under the Congressional Review Act. The House of 
Representatives then passed S.J. Res. 34 on March 28, 2017. President 
Trump signed the resolution into law as Public Law 115-22 on April 3, 
2017. Therefore, under the terms of the Congressional Review Act, the 
Report and Order shall be ``treated as though such a rule had never 
taken effect.'' 5 U.S.C. 801(f).
    However, because the CRA does not include direction regarding the 
removal, by the Office of the Federal Register or otherwise, of the 
voided language from the Code of Federal Regulations, the FCC must 
publish this document to effect the removal of the voided text. This 
document will enable the Office of the Federal Register to effectuate 
congressional intent to remove the voided text of the rules adopted in 
the Report and Order as if it had never taken effect, and to restore 
the previous language in 47 CFR part 64, subpart U and prior state of 
the Code of Federal Regulations.
    This action is not an exercise of the FCC's rulemaking authority 
under the Administrative Procedure Act, because
the Commission is not ``formulating, amending, or repealing a rule'' 
under 5 U.S.C. 551(5). Rather, the FCC is effectuating changes to the 
Code of Federal Regulations to reflect what congressional action has 
already accomplished--namely, the nullification of any changes 
purported to have been made to the CFR by the Report and Order and the 
reversion to the regulatory text in effect immediately prior to 
adoption of the Report and Order. Accordingly, the FCC is not 
soliciting comments on this action. Moreover, this action is not a 
final agency action subject to judicial review.

List of Subjects in 47 CFR Part 64

    Claims, Communications common carriers, Computer technology, 
Credit, Foreign relations, Individuals with disabilities, Political 
candidates, Radio, Reporting and recordkeeping requirements, 
Telecommunications, Telegraph, Telephone.

Federal Communications Commission.
Marlene H. Dortch,
Secretary.

Final Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission amends 47 CFR part 64 as follows:

PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

1. The authority citation for part 64 is revised to read as follows:

    Authority:  47 U.S.C. 154, 254(k), 403(b)(2)(B), (c), Pub. L. 
104-104, 110 Stat. 56. Interpret or apply 47 U.S.C. 201, 218, 222, 
225, 226, 227, 228, 254(k), 276, 616, 620, and the Middle Class Tax 
Relief and Job Creation Act of 2012, Pub. L. 112-96, unless 
otherwise noted.

2. In part 64, revise subpart U to read as follows:
Subpart U--Customer Proprietary Network Information
Sec.
64.2001 Basis and purpose.
64.2003 Definitions.
64.2005 Use of customer proprietary network information without 
customer approval.
64.2007 Approval required for use of customer proprietary network 
information.
64.2008 Notice required for use of customer proprietary network 
information.
64.2009 Safeguards required for use of customer proprietary network 
information.
64.2010 Safeguards on the disclosure of customer proprietary network 
information.
64.2011 Notification of customer proprietary network information 
security breaches.

Subpart U--Customer Proprietary Network Information


Sec.  64.2001  Basis and purpose.

    (a) Basis. The rules in this subpart are issued pursuant to the 
Communications Act of 1934, as amended.
    (b) Purpose. The purpose of the rules in this subpart is to 
implement section 222 of the Communications Act of 1934, as amended, 47 
U.S.C. 222.


Sec.  64.2003   Definitions.

    (a) Account information. ``Account information'' is information 
that is specifically connected to the customer's service relationship 
with the carrier, including such things as an account number or any 
component thereof, the telephone number associated with the account, or 
the bill's amount.
    (b) Address of record. An ``address of record,'' whether postal or 
electronic, is an address that the carrier has associated with the 
customer's account for at least 30 days.
    (c) Affiliate. The term ``affiliate'' has the same meaning given 
such term in section 3(1) of the Communications Act of 1934, as 
amended, 47 U.S.C. 153(1).
    (d) Call detail information. Any information that pertains to the 
transmission of specific telephone calls, including, for outbound 
calls, the number called, and the time, location, or duration of any 
call and, for inbound calls, the number from which the call was placed, 
and the time, location, or duration of any call.
    (e) Communications-related services. The term ``communications-
related services'' means telecommunications services, information 
services typically provided by telecommunications carriers, and 
services related to the provision or maintenance of customer premises 
equipment.
    (f) Customer. A customer of a telecommunications carrier is a 
person or entity to which the telecommunications carrier is currently 
providing service.
    (g) Customer proprietary network information (CPNI). The term 
``customer proprietary network information (CPNI)'' has the same 
meaning given to such term in section 222(h)(1) of the Communications 
Act of 1934, as amended, 47 U.S.C. 222(h)(1).
    (h) Customer premises equipment (CPE). The term ``customer premises 
equipment (CPE)'' has the same meaning given to such term in section 
3(14) of the Communications Act of 1934, as amended, 47 U.S.C. 153(14).
    (i) Information services typically provided by telecommunications 
carriers. The phrase ``information services typically provided by 
telecommunications carriers'' means only those information services (as 
defined in section 3(20) of the Communications Act of 1934, as amended, 
47 U.S.C. 153(20)) that are typically provided by telecommunications 
carriers, such as Internet access or voice mail services. Such phrase 
``information services typically provided by telecommunications 
carriers,'' as used in this subpart, shall not include retail consumer 
services provided using Internet Web sites (such as travel reservation 
services or mortgage lending services), whether or not such services 
may otherwise be considered to be information services.
    (j) Local exchange carrier (LEC). The term ``local exchange carrier 
(LEC)'' has the same meaning given to such term in section 3(26) of the 
Communications Act of 1934, as amended, 47 U.S.C. 153(26).
    (k) Opt-in approval. The term ``opt-in approval'' refers to a 
method for obtaining customer consent to use, disclose, or permit 
access to the customer's CPNI. This approval method requires that the 
carrier obtain from the customer affirmative, express consent allowing 
the requested CPNI usage, disclosure, or access after the customer is 
provided appropriate notification of the carrier's request consistent 
with the requirements set forth in this subpart.
    (l) Opt-out approval. The term ``opt-out approval'' refers to a 
method for obtaining customer consent to use, disclose, or permit 
access to the customer's CPNI. Under this approval method, a customer 
is deemed to have consented to the use, disclosure, or access to the 
customer's CPNI if the customer has failed to object thereto within the 
waiting period described in Sec.  64.2008(d)(1) after the customer is 
provided appropriate notification of the carrier's request for consent 
consistent with the rules in this subpart.
    (m) Readily available biographical information. ``Readily available 
biographical information'' is information drawn from the customer's 
life history and includes such things as the customer's social security 
number, or the last four digits of that number; mother's maiden name; 
home address; or date of birth.
    (n) Subscriber list information (SLI). The term ``subscriber list 
information (SLI)'' has the same meaning given to such term in section 
222(h)(3) of the Communications Act of 1934, as amended, 47 U.S.C. 
222(h)(3).
    (o) Telecommunications carrier or carrier. The terms 
``telecommunications carrier'' or ``carrier'' shall have the same 
meaning as set forth in section 3(44) of
the Communications Act of 1934, as amended, 47 U.S.C. 153(44). For the 
purposes of this subpart, the term ``telecommunications carrier'' or 
``carrier'' shall include an entity that provides interconnected VoIP 
service, as that term is defined in section 9.3 of these rules.
    (p) Telecommunications service. The term ``telecommunications 
service'' has the same meaning given to such term in section 3(46) of 
the Communications Act of 1934, as amended, 47 U.S.C. 153(46).
    (q) Telephone number of record. The telephone number associated 
with the underlying service, not the telephone number supplied as a 
customer's ``contact information.''
    (r) Valid photo ID. A ``valid photo ID'' is a government-issued 
means of personal identification with a photograph such as a driver's 
license, passport, or comparable ID that is not expired.


Sec.  64.2005   Use of customer proprietary network information without 
customer approval.

    (a) Any telecommunications carrier may use, disclose, or permit 
access to CPNI for the purpose of providing or marketing service 
offerings among the categories of service (i.e., local, interexchange, 
and CMRS) to which the customer already subscribes from the same 
carrier, without customer approval.
    (1) If a telecommunications carrier provides different categories 
of service, and a customer subscribes to more than one category of 
service offered by the carrier, the carrier is permitted to share CPNI 
among the carrier's affiliated entities that provide a service offering 
to the customer.
    (2) If a telecommunications carrier provides different categories 
of service, but a customer does not subscribe to more than one offering 
by the carrier, the carrier is not permitted to share CPNI with its 
affiliates, except as provided in Sec.  64.2007(b).
    (b) A telecommunications carrier may not use, disclose, or permit 
access to CPNI to market to a customer service offerings that are 
within a category of service to which the subscriber does not already 
subscribe from that carrier, unless that carrier has customer approval 
to do so, except as described in paragraph (c) of this section.
    (1) A wireless provider may use, disclose, or permit access to CPNI 
derived from its provision of CMRS, without customer approval, for the 
provision of CPE and information service(s). A wireline carrier may 
use, disclose or permit access to CPNI derived from its provision of 
local exchange service or interexchange service, without customer 
approval, for the provision of CPE and call answering, voice mail or 
messaging, voice storage and retrieval services, fax store and forward, 
and protocol conversion.
    (2) A telecommunications carrier may not use, disclose or permit 
access to CPNI to identify or track customers that call competing 
service providers. For example, a local exchange carrier may not use 
local service CPNI to track all customers that call local service 
competitors.
    (c) A telecommunications carrier may use, disclose, or permit 
access to CPNI, without customer approval, as described in this 
paragraph (c).
    (1) A telecommunications carrier may use, disclose, or permit 
access to CPNI, without customer approval, in its provision of inside 
wiring installation, maintenance, and repair services.
    (2) CMRS providers may use, disclose, or permit access to CPNI for 
the purpose of conducting research on the health effects of CMRS.
    (3) LECs, CMRS providers, and entities that provide interconnected 
VoIP service as that term is defined in Sec.  9.3 of this chapter, may 
use CPNI, without customer approval, to market services formerly known 
as adjunct-to-basic services, such as, but not limited to, speed 
dialing, computer-provided directory assistance, call monitoring, call 
tracing, call blocking, call return, repeat dialing, call tracking, 
call waiting, caller I.D., call forwarding, and certain centrex 
features.
    (d) A telecommunications carrier may use, disclose, or permit 
access to CPNI to protect the rights or property of the carrier, or to 
protect users of those services and other carriers from fraudulent, 
abusive, or unlawful use of, or subscription to, such services.


Sec.  64.2007   Approval required for use of customer proprietary 
network information.

    (a) A telecommunications carrier may obtain approval through 
written, oral or electronic methods.
    (1) A telecommunications carrier relying on oral approval shall 
bear the burden of demonstrating that such approval has been given in 
compliance with the Commission's rules in this part.
    (2) Approval or disapproval to use, disclose, or permit access to a 
customer's CPNI obtained by a telecommunications carrier must remain in 
effect until the customer revokes or limits such approval or 
disapproval.
    (3) A telecommunications carrier must maintain records of approval, 
whether oral, written or electronic, for at least one year.
    (b) Use of opt-out and opt-in approval processes. A 
telecommunications carrier may, subject to opt-out approval or opt-in 
approval, use its customer's individually identifiable CPNI for the 
purpose of marketing communications-related services to that customer. 
A telecommunications carrier may, subject to opt-out approval or opt-in 
approval, disclose its customer's individually identifiable CPNI, for 
the purpose of marketing communications-related services to that 
customer, to its agents and its affiliates that provide communications-
related services. A telecommunications carrier may also permit such 
persons or entities to obtain access to such CPNI for such purposes. 
Except for use and disclosure of CPNI that is permitted without 
customer approval under Sec.  64.2005, or that is described in this 
paragraph, or as otherwise provided in section 222 of the 
Communications Act of 1934, as amended, a telecommunications carrier 
may only use, disclose, or permit access to its customer's individually 
identifiable CPNI subject to opt-in approval.


Sec.  64.2008   Notice required for use of customer proprietary network 
information.

    (a) Notification, generally. (1) Prior to any solicitation for 
customer approval, a telecommunications carrier must provide 
notification to the customer of the customer's right to restrict use 
of, disclosure of, and access to that customer's CPNI.
    (2) A telecommunications carrier must maintain records of 
notification, whether oral, written or electronic, for at least one 
year.
    (b) Individual notice to customers must be provided when soliciting 
approval to use, disclose, or permit access to customers' CPNI.
    (c) Content of notice. Customer notification must provide 
sufficient information to enable the customer to make an informed 
decision as to whether to permit a carrier to use, disclose, or permit 
access to, the customer's CPNI.
    (1) The notification must state that the customer has a right, and 
the carrier has a duty, under federal law, to protect the 
confidentiality of CPNI.
    (2) The notification must specify the types of information that 
constitute CPNI and the specific entities that will receive the CPNI, 
describe the purposes for which CPNI will be used, and inform the 
customer of his or her right to disapprove those uses, and deny or 
withdraw access to CPNI at any time.
    (3) The notification must advise the customer of the precise steps 
the customer must take in order to grant or deny access to CPNI, and 
must clearly state that a denial of approval will not affect the 
provision of any services to which the customer subscribes. However, 
carriers may provide a brief statement, in clear and neutral language, 
describing consequences directly resulting from the lack of access to 
CPNI.
    (4) The notification must be comprehensible and must not be 
misleading.
    (5) If written notification is provided, the notice must be clearly 
legible, use sufficiently large type, and be placed in an area so as to 
be readily apparent to a customer.
    (6) If any portion of a notification is translated into another 
language, then all portions of the notification must be translated into 
that language.
    (7) A carrier may state in the notification that the customer's 
approval to use CPNI may enhance the carrier's ability to offer 
products and services tailored to the customer's needs. A carrier also 
may state in the notification that it may be compelled to disclose CPNI 
to any person upon affirmative written request by the customer.
    (8) A carrier may not include in the notification any statement 
attempting to encourage a customer to freeze third-party access to 
CPNI.
    (9) The notification must state that any approval, or denial of 
approval for the use of CPNI outside of the service to which the 
customer already subscribes from that carrier is valid until the 
customer affirmatively revokes or limits such approval or denial.
    (10) A telecommunications carrier's solicitation for approval must 
be proximate to the notification of a customer's CPNI rights.
    (d) Notice requirements specific to opt-out. A telecommunications 
carrier must provide notification to obtain opt out approval through 
electronic or written methods, but not by oral communication (except as 
provided in paragraph (f) of this section). The contents of any such 
notification must comply with the requirements of paragraph (c) of this 
section.
    (1) Carriers must wait a 30-day minimum period of time after giving 
customers notice and an opportunity to opt-out before assuming customer 
approval to use, disclose, or permit access to CPNI. A carrier may, in 
its discretion, provide for a longer period. Carriers must notify 
customers as to the applicable waiting period for a response before 
approval is assumed.
    (i) In the case of an electronic form of notification, the waiting 
period shall begin to run from the date on which the notification was 
sent; and
    (ii) In the case of notification by mail, the waiting period shall 
begin to run on the third day following the date that the notification 
was mailed.
    (2) Carriers using the opt-out mechanism must provide notices to 
their customers every two years.
    (3) Telecommunications carriers that use email to provide opt-out 
notices must comply with the following requirements in addition to the 
requirements generally applicable to notification:
    (i) Carriers must obtain express, verifiable, prior approval from 
consumers to send notices via email regarding their service in general, 
or CPNI in particular;
    (ii) Carriers must allow customers to reply directly to emails 
containing CPNI notices in order to opt-out;
    (iii) Opt-out email notices that are returned to the carrier as 
undeliverable must be sent to the customer in another form before 
carriers may consider the customer to have received notice;
    (iv) Carriers that use email to send CPNI notices must ensure that 
the subject line of the message clearly and accurately identifies the 
subject matter of the email; and
    (v) Telecommunications carriers must make available to every 
customer a method to opt-out that is of no additional cost to the 
customer and that is available 24 hours a day, seven days a week. 
Carriers may satisfy this requirement through a combination of methods, 
so long as all customers have the ability to opt-out at no cost and are 
able to effectuate that choice whenever they choose.
    (e) Notice requirements specific to opt-in. A telecommunications 
carrier may provide notification to obtain opt-in approval through 
oral, written, or electronic methods. The contents of any such 
notification must comply with the requirements of paragraph (c) of this 
section.
    (f) Notice requirements specific to one-time use of CPNI. (1) 
Carriers may use oral notice to obtain limited, one-time use of CPNI 
for inbound and outbound customer telephone contacts for the duration 
of the call, regardless of whether carriers use opt-out or opt-in 
approval based on the nature of the contact.
    (2) The contents of any such notification must comply with the 
requirements of paragraph (c) of this section, except that 
telecommunications carriers may omit any of the following notice 
provisions if not relevant to the limited use for which the carrier 
seeks CPNI:
    (i) Carriers need not advise customers that if they have opted-out 
previously, no action is needed to maintain the opt-out election;
    (ii) Carriers need not advise customers that they may share CPNI 
with their affiliates or third parties and need not name those 
entities, if the limited CPNI usage will not result in use by, or 
disclosure to, an affiliate or third party;
    (iii) Carriers need not disclose the means by which a customer can 
deny or withdraw future access to CPNI, so long as carriers explain to 
customers that the scope of the approval the carrier seeks is limited 
to one-time use; and
    (iv) Carriers may omit disclosure of the precise steps a customer 
must take in order to grant or deny access to CPNI, as long as the 
carrier clearly communicates that the customer can deny access to his 
CPNI for the call.


Sec.  64.2009   Safeguards required for use of customer proprietary 
network information.

    (a) Telecommunications carriers must implement a system by which 
the status of a customer's CPNI approval can be clearly established 
prior to the use of CPNI.
    (b) Telecommunications carriers must train their personnel as to 
when they are and are not authorized to use CPNI, and carriers must 
have an express disciplinary process in place.
    (c) All carriers shall maintain a record, electronically or in some 
other manner, of their own and their affiliates' sales and marketing 
campaigns that use their customers' CPNI. All carriers shall maintain a 
record of all instances where CPNI was disclosed or provided to third 
parties, or where third parties were allowed access to CPNI. The record 
must include a description of each campaign, the specific CPNI that was 
used in the campaign, and what products and services were offered as a 
part of the campaign. Carriers shall retain the record for a minimum of 
one year.
    (d) Telecommunications carriers must establish a supervisory review 
process regarding carrier compliance with the rules in this subpart for 
outbound marketing situations and maintain records of carrier 
compliance for a minimum period of one year. Specifically, sales 
personnel must obtain supervisory approval of any proposed outbound 
marketing request for customer approval.
    (e) A telecommunications carrier must have an officer, as an agent 
of the carrier, sign and file with the Commission a compliance 
certificate on an annual basis. The officer must state
in the certification that he or she has personal knowledge that the 
company has established operating procedures that are adequate to 
ensure compliance with the rules in this subpart. The carrier must 
provide a statement accompanying the certificate explaining how its 
operating procedures ensure that it is or is not in compliance with the 
rules in this subpart. In addition, the carrier must include an 
explanation of any actions taken against data brokers and a summary of 
all customer complaints received in the past year concerning the 
unauthorized release of CPNI. This filing must be made annually with 
the Enforcement Bureau on or before March 1 in EB Docket No. 06-36, for 
data pertaining to the previous calendar year.
    (f) Carriers must provide written notice within five business days 
to the Commission of any instance where the opt-out mechanisms do not 
work properly, to such a degree that consumers' inability to opt-out is 
more than an anomaly.
    (1) The notice shall be in the form of a letter, and shall include 
the carrier's name, a description of the opt-out mechanism(s) used, the 
problem(s) experienced, the remedy proposed and when it will be/was 
implemented, whether the relevant state commission(s) has been notified 
and whether it has taken any action, a copy of the notice provided to 
customers, and contact information.
    (2) Such notice must be submitted even if the carrier offers other 
methods by which consumers may opt-out.


Sec.  64.2010   Safeguards on the disclosure of customer proprietary 
network information.

    (a) Safeguarding CPNI. Telecommunications carriers must take 
reasonable measures to discover and protect against attempts to gain 
unauthorized access to CPNI. Telecommunications carriers must properly 
authenticate a customer prior to disclosing CPNI based on customer-
initiated telephone contact, online account access, or an in-store 
visit.
    (b) Telephone access to CPNI. Telecommunications carriers may only 
disclose call detail information over the telephone, based on customer-
initiated telephone contact, if the customer first provides the carrier 
with a password, as described in paragraph (e) of this section, that is 
not prompted by the carrier asking for readily available biographical 
information, or account information. If the customer does not provide a 
password, the telecommunications carrier may only disclose call detail 
information by sending it to the customer's address of record, or by 
calling the customer at the telephone number of record. If the customer 
is able to provide call detail information to the telecommunications 
carrier during a customer-initiated call without the telecommunications 
carrier's assistance, then the telecommunications carrier is permitted 
to discuss the call detail information provided by the customer.
    (c) Online access to CPNI. A telecommunications carrier must 
authenticate a customer without the use of readily available 
biographical information, or account information, prior to allowing the 
customer online access to CPNI related to a telecommunications service 
account. Once authenticated, the customer may only obtain online access 
to CPNI related to a telecommunications service account through a 
password, as described in paragraph (e) of this section, that is not 
prompted by the carrier asking for readily available biographical 
information, or account information.
    (d) In-store access to CPNI. A telecommunications carrier may 
disclose CPNI to a customer who, at a carrier's retail location, first 
presents to the telecommunications carrier or its agent a valid photo 
ID matching the customer's account information.
    (e) Establishment of a password and back-up authentication methods 
for lost or forgotten passwords. To establish a password, a 
telecommunications carrier must authenticate the customer without the 
use of readily available biographical information, or account 
information. Telecommunications carriers may create a back-up customer 
authentication method in the event of a lost or forgotten password, but 
such back-up customer authentication method may not prompt the customer 
for readily available biographical information, or account information. 
If a customer cannot provide the correct password or the correct 
response for the back-up customer authentication method, the customer 
must establish a new password as described in this paragraph.
    (f) Notification of account changes. Telecommunications carriers 
must notify customers immediately whenever a password, customer 
response to a back-up means of authentication for lost or forgotten 
passwords, online account, or address of record is created or changed. 
This notification is not required when the customer initiates service, 
including the selection of a password at service initiation. This 
notification may be through a carrier-originated voicemail or text 
message to the telephone number of record, or by mail to the address of 
record, and must not reveal the changed information or be sent to the 
new account information.
    (g) Business customer exemption. Telecommunications carriers may 
bind themselves contractually to authentication regimes other than 
those described in this section for services they provide to their 
business customers that have both a dedicated account representative 
and a contract that specifically addresses the carriers' protection of 
CPNI.


Sec.  64.2011   Notification of customer proprietary network 
information security breaches.

    (a) A telecommunications carrier shall notify law enforcement of a 
breach of its customers' CPNI as provided in this section. The carrier 
shall not notify its customers or disclose the breach publicly, whether 
voluntarily or under state or local law or these rules, until it has 
completed the process of notifying law enforcement pursuant to 
paragraph (b) of this section.
    (b) As soon as practicable, and in no event later than seven (7) 
business days, after reasonable determination of the breach, the 
telecommunications carrier shall electronically notify the United 
States Secret Service (USSS) and the Federal Bureau of Investigation 
(FBI) through a central reporting facility. The Commission will 
maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.
    (1) Notwithstanding any state law to the contrary, the carrier 
shall not notify customers or disclose the breach to the public until 7 
full business days have passed after notification to the USSS and the 
FBI except as provided in paragraphs (b)(2) and (b)(3) of this section.
    (2) If the carrier believes that there is an extraordinarily urgent 
need to notify any class of affected customers sooner than otherwise 
allowed under paragraph (b)(1) of this section, in order to avoid 
immediate and irreparable harm, it shall so indicate in its 
notification and may proceed to immediately notify its affected 
customers only after consultation with the relevant investigating 
agency. The carrier shall cooperate with the relevant investigating 
agency's request to minimize any adverse effects of such customer 
notification.
    (3) If the relevant investigating agency determines that public 
disclosure or notice to customers would impede or compromise an ongoing 
or potential criminal investigation or national security, such agency 
may direct the carrier not to so disclose or notify for an initial 
period of up to 30 days. Such 
period may be extended by the agency as reasonably necessary in the 
judgment of the agency. If such direction is given, the agency shall 
notify the carrier when it appears that public disclosure or notice to 
affected customers will no longer impede or compromise a criminal 
investigation or national security. The agency shall provide in writing 
its initial direction to the carrier, any subsequent extension, and any 
notification that notice will no longer impede or compromise a criminal 
investigation or national security and such writings shall be 
contemporaneously logged on the same reporting facility that contains 
records of notifications filed by carriers.
    (c) Customer notification. After a telecommunications carrier has 
completed the process of notifying law enforcement pursuant to 
paragraph (b) of this section, it shall notify its customers of a 
breach of those customers' CPNI.
    (d) Recordkeeping. All carriers shall maintain a record, 
electronically or in some other manner, of any breaches discovered, 
notifications made to the USSS and the FBI pursuant to paragraph (b) of 
this section, and notifications made to customers. The record must 
include, if available, dates of discovery and notification, a detailed 
description of the CPNI that was the subject of the breach, and the 
circumstances of the breach. Carriers shall retain the record for a 
minimum of 2 years.
    (e) Definitions. As used in this section, a ``breach'' has occurred 
when a person, without authorization or exceeding authorization, has 
intentionally gained access to, used, or disclosed CPNI.
    (f) This section does not supersede any statute, regulation, order, 
or interpretation in any State, except to the extent that such statute, 
regulation, order, or interpretation is inconsistent with the 
provisions of this section, and then only to the extent of the 
inconsistency.

[FR Doc. 2017-20137 Filed 9-20-17; 8:45 am]
 BILLING CODE 6712-01-P






                                             VerDate Sep<11>2014    16:39 Sep 20, 2017   Jkt 241001   PO 00000   Frm 00067   Fmt 4700   Sfmt 4700   E:\FR\FM\21SER1.SGM   21SER1


                                                  44120            Federal Register / Vol. 82, No. 182 / Thursday, September 21, 2017 / Rules and Regulations

the Communications Act of 1934, as amended, 47 U.S.C. 153(44). For the purposes of this subpart, the term “telecommunications carrier” or “carrier” shall include an entity that provides interconnected VoIP service, as that term is defined in section 9.3 of these rules.

(p) Telecommunications service. The term “telecommunications service” has the same meaning given to such term in section 3(46) of the Communications Act of 1934, as amended, 47 U.S.C. 153(46).

(q) Telephone number of record. The telephone number associated with the underlying service, not the telephone number supplied as a customer’s “contact information.”

(r) Valid photo ID. A “valid photo ID” is a government-issued means of personal identification with a photograph such as a driver’s license, passport, or comparable ID that is not expired.

§ 64.2005 Use of customer proprietary network information without customer approval.

(a) Any telecommunications carrier may use, disclose, or permit access to CPNI for the purpose of providing or marketing service offerings among the categories of service (i.e., local, interexchange, and CMRS) to which the customer already subscribes from the same carrier, without customer approval.

(1) If a telecommunications carrier provides different categories of service, and a customer subscribes to more than one category of service offered by the carrier, the carrier is permitted to share CPNI among the carrier’s affiliated entities that provide a service offering to the customer.

(2) If a telecommunications carrier provides different categories of service, but a customer does not subscribe to more than one offering by the carrier, the carrier is not permitted to share CPNI with its affiliates, except as provided in § 64.2007(b).

(b) A telecommunications carrier may not use, disclose, or permit access to CPNI to market to a customer service offerings that are within a category of service to which the subscriber does not already subscribe from that carrier, unless that carrier has customer approval to do so, except as described in paragraph (c) of this section.

(1) A wireless provider may use, disclose, or permit access to CPNI derived from its provision of CMRS, without customer approval, for the provision of CPE and information service(s). A wireline carrier may use, disclose or permit access to CPNI derived from its provision of local exchange service or interexchange service, without customer approval, for the provision of CPE and call answering, voice mail or messaging, voice storage and retrieval services, fax store and forward, and protocol conversion.

(2) A telecommunications carrier may not use, disclose or permit access to CPNI to identify or track customers that call competing service providers. For example, a local exchange carrier may not use local service CPNI to track all customers that call local service competitors.

(c) A telecommunications carrier may use, disclose, or permit access to CPNI, without customer approval, as described in this paragraph (c).

(1) A telecommunications carrier may use, disclose, or permit access to CPNI, without customer approval, in its provision of inside wiring installation, maintenance, and repair services.

(2) CMRS providers may use, disclose, or permit access to CPNI for the purpose of conducting research on the health effects of CMRS.

(3) LECs, CMRS providers, and entities that provide interconnected VoIP service as that term is defined in § 9.3 of this chapter, may use CPNI, without customer approval, to market services formerly known as adjunct-to-basic services, such as, but not limited to, speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain centrex features.

(d) A telecommunications carrier may use, disclose, or permit access to CPNI to protect the rights or property of the carrier, or to protect users of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services.

§ 64.2007 Approval required for use of customer proprietary network information.

(a) A telecommunications carrier may obtain approval through written, oral or electronic methods.

(1) A telecommunications carrier relying on oral approval shall bear the burden of demonstrating that such approval has been given in compliance with the Commission’s rules in this part.

(2) Approval or disapproval to use, disclose, or permit access to a customer’s CPNI obtained by a telecommunications carrier must remain in effect until the customer revokes or limits such approval or disapproval.

(3) A telecommunications carrier must maintain records of approval, whether oral, written or electronic, for at least one year.

(b) Use of opt-out and opt-in approval processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer’s individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer’s individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services. A telecommunications carrier may also permit such persons or entities to obtain access to such CPNI for such purposes. Except for use and disclosure of CPNI that is permitted without customer approval under § 64.2005, or that is described in this paragraph, or as otherwise provided in section 222 of the Communications Act of 1934, as amended, a telecommunications carrier may only use, disclose, or permit access to its customer’s individually identifiable CPNI subject to opt-in approval.

§ 64.2008 Notice required for use of customer proprietary network information.

(a) Notification, generally. (1) Prior to any solicitation for customer approval, a telecommunications carrier must provide notification to the customer of the customer’s right to restrict use of, disclosure of, and access to that customer’s CPNI.

(2) A telecommunications carrier must maintain records of notification, whether oral, written or electronic, for at least one year.

(b) Individual notice to customers must be provided when soliciting approval to use, disclose, or permit access to customers’ CPNI.

(c) Content of notice. Customer notification must provide sufficient information to enable the customer to make an informed decision as to whether to permit a carrier to use, disclose, or permit access to, the customer’s CPNI.

(1) The notification must state that the customer has a right, and the carrier has a duty, under federal law, to protect the confidentiality of CPNI.

(2) The notification must specify the types of information that constitute CPNI and the specific entities that will receive the CPNI, describe the purposes for which CPNI will be used, and inform the customer of his or her right to disapprove those uses, and deny or withdraw access to CPNI at any time.

(3) The notification must advise the customer of the precise steps the customer must take in order to grant or deny access to CPNI, and must clearly state that a denial of approval will not affect the provision of any services to which the customer subscribes. However, carriers may provide a brief statement, in clear and neutral language, describing consequences directly resulting from the lack of access to CPNI.

(4) The notification must be comprehensible and must not be misleading.

(5) If written notification is provided, the notice must be clearly legible, use sufficiently large type, and be placed in an area so as to be readily apparent to a customer.

(6) If any portion of a notification is translated into another language, then all portions of the notification must be translated into that language.

(7) A carrier may state in the notification that the customer’s approval to use CPNI may enhance the carrier’s ability to offer products and services tailored to the customer’s needs. A carrier also may state in the notification that it may be compelled to disclose CPNI to any person upon affirmative written request by the customer.

(8) A carrier may not include in the notification any statement attempting to encourage a customer to freeze third-party access to CPNI.

(9) The notification must state that any approval, or denial of approval for the use of CPNI outside of the service to which the customer already subscribes from that carrier is valid until the customer affirmatively revokes or limits such approval or denial.

(10) A telecommunications carrier’s solicitation for approval must be proximate to the notification of a customer’s CPNI rights.

(d) Notice requirements specific to opt-out. A telecommunications carrier must provide notification to obtain opt-out approval through electronic or written methods, but not by oral communication (except as provided in paragraph (f) of this section). The contents of any such notification must comply with the requirements of paragraph (c) of this section.

(1) Carriers must wait a 30-day minimum period of time after giving customers notice and an opportunity to opt-out before assuming customer approval to use, disclose, or permit access to CPNI. A carrier may, in its discretion, provide for a longer period. Carriers must notify customers as to the applicable waiting period for a response before approval is assumed.

(i) In the case of an electronic form of notification, the waiting period shall begin to run from the date on which the notification was sent; and

(ii) In the case of notification by mail, the waiting period shall begin to run on the third day following the date that the notification was mailed.

(2) Carriers using the opt-out mechanism must provide notices to their customers every two years.

(3) Telecommunications carriers that use email to provide opt-out notices must comply with the following requirements in addition to the requirements generally applicable to notification:

(i) Carriers must obtain express, verifiable, prior approval from consumers to send notices via email regarding their service in general, or CPNI in particular;

(ii) Carriers must allow customers to reply directly to emails containing CPNI notices in order to opt-out;

(iii) Opt-out email notices that are returned to the carrier as undeliverable must be sent to the customer in another form before carriers may consider the customer to have received notice;

(iv) Carriers that use email to send CPNI notices must ensure that the subject line of the message clearly and accurately identifies the subject matter of the email; and

(v) Telecommunications carriers must make available to every customer a method to opt-out that is of no additional cost to the customer and that is available 24 hours a day, seven days a week. Carriers may satisfy this requirement through a combination of methods, so long as all customers have the ability to opt-out at no cost and are able to effectuate that choice whenever they choose.

(e) Notice requirements specific to opt-in. A telecommunications carrier may provide notification to obtain opt-in approval through oral, written, or electronic methods. The contents of any such notification must comply with the requirements of paragraph (c) of this section.

(f) Notice requirements specific to one-time use of CPNI. (1) Carriers may use oral notice to obtain limited, one-time use of CPNI for inbound and outbound customer telephone contacts for the duration of the call, regardless of whether carriers use opt-out or opt-in approval based on the nature of the contact.

(2) The contents of any such notification must comply with the requirements of paragraph (c) of this section, except that telecommunications carriers may omit any of the following notice provisions if not relevant to the limited use for which the carrier seeks CPNI:

(i) Carriers need not advise customers that if they have opted-out previously, no action is needed to maintain the opt-out election;

(ii) Carriers need not advise customers that they may share CPNI with their affiliates or third parties and need not name those entities, if the limited CPNI usage will not result in use by, or disclosure to, an affiliate or third party;

(iii) Carriers need not disclose the means by which a customer can deny or withdraw future access to CPNI, so long as carriers explain to customers that the scope of the approval the carrier seeks is limited to one-time use; and

(iv) Carriers may omit disclosure of the precise steps a customer must take in order to grant or deny access to CPNI, as long as the carrier clearly communicates that the customer can deny access to his CPNI for the call.

§ 64.2009 Safeguards required for use of customer proprietary network information.

(a) Telecommunications carriers must implement a system by which the status of a customer’s CPNI approval can be clearly established prior to the use of CPNI.

(b) Telecommunications carriers must train their personnel as to when they are and are not authorized to use CPNI, and carriers must have an express disciplinary process in place.

(c) All carriers shall maintain a record, electronically or in some other manner, of their own and their affiliates’ sales and marketing campaigns that use their customers’ CPNI. All carriers shall maintain a record of all instances where CPNI was disclosed or provided to third parties, or where third parties were allowed access to CPNI. The record must include a description of each campaign, the specific CPNI that was used in the campaign, and what products and services were offered as a part of the campaign. Carriers shall retain the record for a minimum of one year.

(d) Telecommunications carriers must establish a supervisory review process regarding carrier compliance with the rules in this subpart for outbound marketing situations and maintain records of carrier compliance for a minimum period of one year. Specifically, sales personnel must obtain supervisory approval of any proposed outbound marketing request for customer approval.

(e) A telecommunications carrier must have an officer, as an agent of the carrier, sign and file with the Commission a compliance certificate on an annual basis. The officer must state
in the certification that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart. In addition, the carrier must include an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. This filing must be made annually with the Enforcement Bureau on or before March 1 in EB Docket No. 06–36, for data pertaining to the previous calendar year.

(f) Carriers must provide written notice within five business days to the Commission of any instance where the opt-out mechanisms do not work properly, to such a degree that consumers’ inability to opt-out is more than an anomaly.

(1) The notice shall be in the form of a letter, and shall include the carrier’s name, a description of the opt-out mechanism(s) used, the problem(s) experienced, the remedy proposed and when it will be/was implemented, whether the relevant state commission(s) has been notified and whether it has taken any action, a copy of the notice provided to customers, and contact information.

(2) Such notice must be submitted even if the carrier offers other methods by which consumers may opt-out.

§ 64.2010 Safeguards on the disclosure of customer proprietary network information.

(a) Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an in-store visit.

(b) Telephone access to CPNI. Telecommunications carriers may only disclose call detail information over the telephone, based on customer-initiated telephone contact, if the customer first provides the carrier with a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information. If the customer does not provide a password, the telecommunications carrier may only disclose call detail information by sending it to the customer’s address of record, or by calling the customer at the telephone number of record. If the customer is able to provide call detail information to the telecommunications carrier during a customer-initiated call without the telecommunications carrier’s assistance, then the telecommunications carrier is permitted to discuss the call detail information provided by the customer.

(c) Online access to CPNI. A telecommunications carrier must authenticate a customer without the use of readily available biographical information, or account information, prior to allowing the customer online access to CPNI related to a telecommunications service account. Once authenticated, the customer may only obtain online access to CPNI related to a telecommunications service account through a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information.

(d) In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier’s retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer’s account information.

(e) Establishment of a password and back-up authentication methods for lost or forgotten passwords. To establish a password, a telecommunications carrier must authenticate the customer without the use of readily available biographical information, or account information. Telecommunications carriers may create a back-up customer authentication method in the event of a lost or forgotten password, but such back-up customer authentication method may not prompt the customer for readily available biographical information, or account information. If a customer cannot provide the correct password or the correct response for the back-up customer authentication method, the customer must establish a new password as described in this paragraph.

(f) Notification of account changes. Telecommunications carriers must notify customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. This notification is not required when the customer initiates service, including the selection of a password at service initiation. This notification may be through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record, and must not reveal the changed information or be sent to the new account information.

(g) Business customer exemption. Telecommunications carriers may bind themselves contractually to authentication regimes other than those described in this section for services they provide to their business customers that have both a dedicated account representative and a contract that specifically addresses the carriers’ protection of CPNI.

§ 64.2011 Notification of customer proprietary network information security breaches.

(a) A telecommunications carrier shall notify law enforcement of a breach of its customers’ CPNI as provided in this section. The carrier shall not notify its customers or disclose the breach publicly, whether voluntarily or under state or local law or these rules, until it has completed the process of notifying law enforcement pursuant to paragraph (b) of this section.

(b) As soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach, the telecommunications carrier shall electronically notify the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) through a central reporting facility. The Commission will maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.

(1) Notwithstanding any state law to the contrary, the carrier shall not notify customers or disclose the breach to the public until 7 full business days have passed after notification to the USSS and the FBI except as provided in paragraphs (b)(2) and (b)(3) of this section.

(2) If the carrier believes that there is an extraordinarily urgent need to notify any class of affected customers sooner than otherwise allowed under paragraph (b)(1) of this section, in order to avoid immediate and irreparable harm, it shall so indicate in its notification and may proceed to immediately notify its affected customers only after consultation with the relevant investigating agency. The carrier shall cooperate with the relevant investigating agency’s request to minimize any adverse effects of such customer notification.

(3) If the relevant investigating agency determines that public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security, such agency may direct the carrier not to so disclose or notify for an initial period of up to 30 days. Such period may be extended by the agency as reasonably necessary in the judgment of the agency. If such direction is given, the agency shall notify the carrier when it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security. The agency shall provide in writing its initial direction to the carrier, any subsequent extension, and any notification that notice will no longer impede or compromise a criminal investigation or national security and such writings shall be contemporaneously logged on the same reporting facility that contains records of notifications filed by carriers.

(c) Customer notification. After a telecommunications carrier has completed the process of notifying law enforcement pursuant to paragraph (b) of this section, it shall notify its customers of a breach of those customers’ CPNI.

(d) Recordkeeping. All carriers shall maintain a record, electronically or in some other manner, of any breaches discovered, notifications made to the USSS and the FBI pursuant to paragraph (b) of this section, and notifications made to customers. The record must include, if available, dates of discovery and notification, a detailed description of the CPNI that was the subject of the breach, and the circumstances of the breach. Carriers shall retain the record for a minimum of 2 years.

(e) Definitions. As used in this section, a “breach” has occurred when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.

(f) This section does not supersede any statute, regulation, order, or interpretation in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this section, and then only to the extent of the inconsistency.

[FR Doc. 2017–20137 Filed 9–20–17; 8:45 am]
BILLING CODE 6712–01–P

Document Created: 2018-10-24 14:35:57
Document Modified: 2018-10-24 14:35:57
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:
GS 4.107:
AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Final rule.
Dates: This action is effective September 21, 2017.
Contact: For further information about this proceeding, please contact Melissa Kirkel, FCC Wireline Competition Bureau, Competition Policy Division, 445 12th St. SW., Washington, DC 20554, (202) 418-1580.
FR Citation: 82 FR 44118
CFR Associated: Claims; Communications Common Carriers; Computer Technology; Credit; Foreign Relations; Individuals with Disabilities; Political Candidates; Radio; Reporting and Recordkeeping Requirements; Telecommunications; Telegraph and Telephone
