CTIA urges caution in protecting customer info

The mobile-phone industry challenged a Federal Communications Commission decision to better safeguard consumer phone records, citing provisions that it claims run contrary to applicable legal standards and to the agency’s enforcement regime.
The FCC in April beefed up rules governing access to customer proprietary network information, or CPNI. The agency, the Federal Trade Commission and Congress want to stem the tide on the growing practice of “pretexting,” whereby individual data brokers get a hold of customers’ phone records by impersonating subscribers. Congress last year criminalized pretexting. Lawmakers want mobile-phone carriers to take additional steps to shield subscribers from privacy invasion, but the wireless industry opposes any additional laws.
Under new FCC guidelines, telecom carriers cannot release phone records when a customer calls unless a password is provided. If a customer does not provide a password, carriers can mail it or call the customer. Moreover, telecom operators must provide mandatory password protection for online account access. Carriers can provide all CPNI, including phone call records, to subscribers based on in-store contact with a valid photo identification.
When there are changes involving a password, a backup for forgotten passwords, online accounts or an address of record, carriers must notify customers promptly. In addition, the FCC now requires wireless and wireline carriers to obtain explicit consent from a customer before disclosing a customer’s CPNI to a carrier’s joint-venture partners or independent contractors who would use that information to market communications-related services to that customer. As such, new guidelines represent a shift from an opt-out to an opt-in regime.
A controversial provision opposed by Democratic Commissioners Michael Copps and Jonathan Adelstein allows delays in notifying customers of some phone-record privacy breaches until after investigation by the FBI and Secret Service.
CTIA, the cellular industry association, said it agreed wireless carriers should take reasonable measures to safeguard customer privacy, such as using password protections and notifying federal authorities when subscriber phone records have been fraudulently obtained. But there are other aspects of the FCC decision that the trade group believes run astray of good public policy.
“There is no basis to presume that a carrier has acted unreasonably or violated [CPNI rules] based on the sole fact that there has been a breach,” CTIA stated. “A presumption would unfairly predetermine and lead to a legal conclusion based of a fact (the disclosure) that tells little about the appropriateness of the carrier’s efforts to protect customer information.”
CTIA recommended the FCC provide greater guidance on the reasonable measure standard, perhaps drawing on the Federal Trade Commission’s implementation of 1999 legislation designed to protect consumers’ personal financial information held by financial institutions. The cellular association also urged the FCC to revise its definition of ‘address of record’ to enable wireless carriers to provide customer service within the first month after establishing an account. “Unless modified, the new definition would forbid carriers from contacting customers within the first 30 days regarding their account. This modest change would not undermine any new protection afforded against pretexters by the [FCC]order,” CTIA stated.