Advanced Search

Customer Proprietary Network Information


Published: 2007-06-08

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$40 per month.
ACTION:
Final rule.
SUMMARY:
The Commission adopted rules to implement section 222 of the Communications Act of 1934, as amended, which governs carriers' use and disclosure of customer proprietary network information. In this document, the Commission responds to the practice of “pretexting” by strengthening its rules to protect the privacy of customer proprietary network information (CPNI) that is collected and held by providers of communications services.
DATES:
Revised paragraph (o) of § 64.2003, new paragraphs (a), (b), (d), (m), (q), and (r) of § 64.2003, revised paragraph (c)(3) of § 64.2005, revised paragraph (b) of § 64.2007, revised paragraph (e) of 64.2009, and new §§ 64.2010 and 64.2011 contain information collection requirements that have not been approved by the Office of Management and Budget (OMB). The Commission will publish a document in the Federal Register announcing the effective date. Written comment by the public on the modified information collection requirements are due August 7, 2007. Paragraphs (c), (e) through (l), (n), and (p) of § 64.2003 do not contain information collection requirements that have not been approved by OMB and therefore are effective on June 8, 2007.
FOR FURTHER INFORMATION CONTACT:
Adam Kirschenbaum, (202) 418-7280, Wireline Competition Bureau.
For additional information concerning the Paperwork Reduction Act information collection requirements contained in this document, contact Judith B. Herman at (202) 418-0214, or via e-mail at Judith-B.Herman@fcc.gov.
SUPPLEMENTARY INFORMATION:
This is a summary of the Commission's Report and Order (Order) in CC Docket No. 96-115 and WC Docket No. 04-36, FCC 07-22, adopted March 13, 2007, and released April 2, 2007. The complete text of this document is available for inspection and copying during normal business hours in the FCC Reference Information Center, Portals II, 445 12th Street, SW., Room CY-A257, Washington, DC 20554. This document may also be purchased from the Commission's duplicating contractor, Best Copy and Printing, Inc., 445 12th Street, SW., Room CY-B402, Washington, DC 20554, telephone (800) 378-3160 or (202) 863-2893, facsimile (202) 863-2898, or via e-mail at http://www.bcpiweb.com. It is also available on the Commission's Web site at http://www.fcc.gov.
In addition to filing comments with the Office of the Secretary, a copy of any comments on the Paperwork Reduction Act information collection requirements contained herein should be submitted to Judith B. Herman, Federal Communications Commission, Room 1-C804, 445 12th Street, SW., Washington, DC 20554, or via the Internet to Judith-B.Herman@fcc.gov.
Synopsis of the Report and Order
1. On August 30, 2005, the Electronic Privacy Information Center (EPIC) filed a petition with the Commission asking the Commission to investigate telecommunications carriers' current security practices and to initiate a rulemaking proceeding to consider establishing more stringent security standards for telecommunications carriers to govern the disclosure of CPNI. In particular, EPIC proposed that the Commission consider requiring the use of consumer-set passwords, creating audit trails, employing encryption, limiting data retention, and improving notice procedures. On February 14, 2006, the Commission released the EPIC CPNI Notice, 71 FR 13317 (March 15, 2006), in which it sought comment on (a) the nature and scope of the problem identified by EPIC, including pretexting, and (b) what additional steps, if any, the Commission should take to protect further the privacy of CPNI. Specifically, the Commission sought comment on the five EPIC proposals listed above. In addition, the Commission tentatively concluded that it should amend its rules to require carriers annually to file their section 64.2009(e) certifications with the Commission. It also sought comment on whether it should require carriers to obtain a customer's opt-in consent before the carrier shares CPNI with its joint venture partners and independent contractors; whether to impose rules relating to how carriers verify customers' identities; whether to adopt a set of security requirements that could be used as the basis for liability if a carrier failed to implement such requirements, or adopt a set of security requirements that a carrier could implement to exempt itself from liability; whether VoIP service providers or other IP-enabled service providers should be covered by any new rules the Commission adopts in the present rulemaking; and other specific proposals that might increase the protection of CPNI.
2. In this Order, the Commission responds to the practice of “pretexting” by strengthening its rules to protect the privacy of customer proprietary network information (CPNI) that is collected and held by providers of communications services (hereinafter, communications carriers or carriers). Section 222 of the Communications Act requires telecommunications carriers to take specific steps to ensure that CPNI is adequately protected from unauthorized disclosure. In the Order, the Commission strengthens its privacy rules by adopting additional safeguards to protect customers' CPNI against unauthorized access and disclosure.
3. The Order is directly responsive to the actions of data brokers, or pretexters, to obtain unauthorized access to CPNI. As EPIC pointed out in its petition that led to this rulemaking proceeding, numerous Web sites advertise the sale of personal telephone records for a price. These data brokers have been able to obtain private and personal information, including what calls were made to and/or from a particular telephone number and the duration of such calls. In many cases, the data brokers claim to be able to provide this information within fairly quick time frames, ranging from a few hours to a few days. The additional privacy safeguards the Commission adopts in the Order will sharply limit pretexters' ability to obtain unauthorized access to this type of personal customer information from carriers the Commission regulates.
4. The Commission finds that the release of call detail over the telephone presents an immediate risk to privacy and therefore it prohibits carriers from releasing call detail information based on customer-initiated telephone contact except under three circumstances. First, a carrier can release call detail information if the customer provides the carrier with a pre-established password. Second, a carrier may, at the customer's request, send call detail information to the customer's address of record. Third, a carrier may call the telephone number of record and disclose call detail information. A carrier may disclose non-call detail CPNI to a customer after the carrier authenticates the customer.
5. The Commission does not intend for the prohibition on the release of call detail over the telephone for customer-initiated telephone contact to hinder routine carrier-customer relations regarding service/billing disputes and questions. If a customer is able to provide to the carrier, during a customer-initiated telephone call, all of the call detail information necessary to address a customer service issue ( i.e. , the telephone number called, when it was called, and, if applicable, the amount charged for the call), then the carrier is permitted to proceed with its routine customer care procedures. The Commission believes that if a customer is able to provide this information to the carrier, without carrier assistance, then the carrier does not violate the Commission's rules if the carrier takes routine customer service actions related to such information. The Commission additionally clarifies that, under these circumstances, carriers may not disclose to the customer any call detail information about the customer account other than the call detail information that the customer provides without the customer first providing a password. The Commission's rule is intended to prevent pretexter phishing and other pretexter methods for gaining unauthorized access to customer account information.
6. The Commission also requires carriers to password protect online access to CPNI. Although section 222 of the Act imposes a duty on carriers to protect the privacy of CPNI, data brokers and others have been able to access CPNI online without the account holder's knowledge or consent. The Commission agrees with EPIC that the apparent ease with which data brokers have been able to access CPNI online demonstrates the insufficiency of carriers' customer authentication procedures. In particular, the record evidence demonstrates that some carriers permit customers to establish online accounts by providing readily available biographical information. Thus, a data broker may obtain online account access easily without the customer's knowledge. Therefore, the Commission agrees with EPIC and others that use of such identifiers is an insufficient mechanism for preventing data brokers from obtaining unauthorized online access to CPNI.
7. The Commission continues to allow carriers to provide customers with access to CPNI at a carrier's retail location if the customer presents a valid photo ID and the valid photo ID matches the name on the account. The Commission agrees with the Attorneys General and finds that this is a secure authentication practice because it enables the carrier to make a reasonable judgment about the customer's identity.
8. The Commission requires carriers to notify customers immediately of certain account changes, including whenever a password, customer response to a carrier-designed back-up means of authentication, online account, or address of record is created or changed. The Commission agrees with the New Jersey Ratepayer Advocate that this notification is an important tool for customers to monitor their account's security. This notification may be through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record, as to reasonably ensure that the customer receives this notification. The Commission believes this measure is appropriate to protect customers from data brokers that might otherwise manage to circumvent the authentication protections the Commission adopts in this Order, and to take appropriate action in the event of pretexter activity. Further, the Commission finds that this notification requirement will also empower customers to provide carriers with timely information about pretexting activity, which the carriers may not be able to identify easily.
9. The Commission does make an exception to the rules that it adopts for certain business customers. The Commission agrees with commenters who argue that privacy concerns of telecommunications consumers are greatest when using personal telecommunications services. Indeed, the fraudulent practices described by EPIC have mainly targeted individual consumers, and the record indicates that the proprietary information of wireline and wireless business account customers already is subject to stringent safeguards, which are privately negotiated by contract. Therefore, if the carrier's contract with a business customer is serviced by a dedicated account representative as the primary contact, and specifically addresses the carrier's protection of CPNI, the Commission does not extend its carrier authentication rules to cover these business customers, because businesses are typically able to negotiate the appropriate protection of CPNI in their service agreements. However, nothing in the Order exempts carriers serving wireline enterprise and wireless business account customers from section 222 or the remainder of the Commission's CPNI rules.
10. The Commission agrees with EPIC that carriers should be required to notify a customer whenever a security breach results in that customer's CPNI being disclosed to a third party without that customer's authorization. However, the Commission also appreciates law enforcement's concern about delaying customer notification in order to allow law enforcement to investigate crimes. Therefore, the Commission adopts a rule that it believes balances a customer's need to know with law enforcement's ability to undertake an investigation of suspected criminal activity, which itself might advance the goal of consumer protection.
11. The Commission declines to specify the precise content of the notice that must be provided to customers in the event of a security breach of CPNI. The notice requirement the Commission adopts in this proceeding is general, and the Commission recognizes that numerous types of circumstances—including situations other than pretexting—could result in the unauthorized disclosure of a customer's CPNI to a third party. Thus, the Commission leaves carriers the discretion to tailor the language and method of notification to the circumstances. Finally, the Commission expects carriers to cooperate fully in any law enforcement investigation of such unauthorized release of CPNI or attempted unauthorized access to an account consistent with statutory and Commission requirements.
12. The Commission agrees with commenters that techniques for fraud vary and tend to become more sophisticated over time, and that carriers need leeway to engage emerging threats. The Commission therefore clarifies that carriers are free to bolster their security measures through additional measures to meet their section 222 obligations to protect the privacy of CPNI. The Commission also codifies the existing statutory requirement contained in section 222 of the Act that carriers take reasonable measures to discover and protect against activity that is indicative of pretexting. Adoption of the rules in this Order does not relieve carriers of their fundamental duty to remain vigilant in their protection of CPNI, nor does it necessarily insulate them from enforcement action for unauthorized disclosure of CPNI.
13. The Commission modifies its rules to require telecommunications carriers to obtain opt-in consent from a customer before disclosing that customer's CPNI to a carrier's joint venture partner or independent contractor for the purpose of marketing communications-related services to that customer. While the Commission realizes that this is a change in Commission policy, it finds that new circumstances force it to reassess its existing regulations. As the Commission has found previously, the Commission has a substantial interest in protecting customer privacy. Based on this and in light of new privacy concerns, the Commission now finds that an opt-in framework for the sharing of CPNI with joint venture partners and independent contractors for the purposes of marketing communications-related services to a customer both directly advances its interest in protecting customer privacy and is narrowly tailored to achieve its goal of privacy protection. Specifically, an opt-in regime will more effectively limit the circulation of a customer's CPNI by maintaining it in a carrier's possession unless a customer provides informed consent for its release. Moreover, the Commission finds that an opt-in regime will provide necessary informed customer choice concerning these information sharing relationships with other companies.
14. To the extent that carriers voluntarily obtained opt-in approval from their customers for the disclosure of customers' CPNI to a joint venture partner or independent contractor for the purposes of marketing communications-related services to a customer prior to the adoption of this Order, those carriers can continue to use those approvals.
15. The Commission adopts the Commission's tentative conclusion and amends its rules to require carriers to file their annual CPNI certification with the Commission, including an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. The Commission finds that this amendment to the Commission's rules is an appropriate measure and will ensure that carriers regularly focus their attention on their duty to safeguard CPNI. Additionally, the Commission finds that this modification to its rules will remind carriers of the Commission's oversight and high priority regarding carrier performance in this area. Further, with this filing, the Commission will be better able to monitor the industry's response to CPNI privacy issues and to take any necessary steps to ensure that carriers are managing customer CPNI securely.
16. The Commission extends the application of the Commission's CPNI rules to providers of interconnected VoIP service. In the IP-Enabled Services Notice and the EPIC CPNI Notice, the Commission sought comment on whether to extend the CPNI requirements to VoIP service providers. Since the Commission has not decided whether interconnected VoIP services are telecommunications services or information services as those terms are defined in the Act, nor does it do so in this Order, the Commission analyzes the issues addressed in this Order under its Title I ancillary jurisdiction to encompass both types of service. If the Commission later classifies interconnected VoIP service as a telecommunications service, the providers of interconnected VoIP services would be subject to the requirements of section 222 and the Commission's CPNI rules as telecommunications carriers under Title II.
17. The Commission concludes that it has authority under Title I of the Act to impose CPNI requirements on providers of interconnected VoIP service. Ancillary jurisdiction may be employed, in the Commission's discretion, when Title I of the Act gives the Commission subject matter jurisdiction over the service to be regulated and the assertion of jurisdiction is “reasonably ancillary to the effective performance of [its] various responsibilities.” Both predicates for ancillary jurisdiction are satisfied here. First, as the Commission concluded in the Interim USF Order and VoIP 911 Order, interconnected VoIP services fall within the subject matter jurisdiction granted to it in the Act. Second, the Commission analysis requires it to evaluate whether imposing CPNI obligations is reasonably ancillary to the effective performance of the Commission's various responsibilities. Based on the record in this matter, the Commission finds that sections 222 and 1 of the Act provide the requisite nexus, with additional support from section 706.
18. The Commission takes seriously the protection of customers' private information and commit to remaining vigilant to ensure compliance with applicable privacy laws within its jurisdiction. One way in which the Commission will help protect consumer privacy is through strong enforcement measures. When investigating compliance with the rules and statutory obligations, the Commission will consider whether the carrier has taken reasonable precautions to prevent the unauthorized disclosure of a customer's CPNI. Specifically, the Commission hereby puts carriers on notice that the Commission henceforth will infer from evidence that a pretexter has obtained unauthorized access to a customer's CPNI that the carrier did not sufficiently protect that customer's CPNI. A carrier then must demonstrate that the steps it has taken to protect CPNI from unauthorized disclosure, including the carrier's policies and procedures, are reasonable in light of the threat posed by pretexting and the sensitivity of the customer information at issue. If the Commission finds at the conclusion of its investigation that the carrier indeed has not taken sufficient steps adequately to protect the privacy of CPNI, the Commission may sanction it for this oversight, including through forfeiture.
19. The Commission offers additional guidance regarding the Commission's expectations that will inform its investigations. The Commission fully expects carriers to take every reasonable precaution to protect the confidentiality of proprietary or personal customer information. Of course, the Commission requires carriers to implement the specific minimum requirements set forth in the Commission's rules. The Commission further expects carriers to take additional steps to protect the privacy of CPNI to the extent such additional measures are feasible for a particular carrier. For instance, although the Commission declines to impose audit trail obligations on carriers at this time, the Commission expects carriers through audits or other measures to take reasonable measures to discover and protect against activity that is indicative of pretexting. Similarly, although the Commission does not specifically require carriers to encrypt their customers' CPNI, the Commission expects a carrier to encrypt its CPNI databases if doing so would provide significant additional protection against the unauthorized access to CPNI at a cost that is reasonable given the technology a carrier already has implemented.
Final Paperwork Reduction Act Analysis
20. This Order contains modified information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. It will be submitted to the Office of Management and Budget (OMB) for review under section 3507(d) of the PRA. OMB, the general public, and other Federal agencies are invited to comment on the new information collection requirements contained in this proceeding. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), the Commission previously sought specific comment on how it might “further reduce the information collection burden for small business concerns with fewer than 25 employees.”
21. In the Order, the Commission assessed the burdens placed on small businesses to notify customers of account changes, to notify law enforcement and customers of unauthorized CPNI disclosure; to obtain opt-in consent prior to sharing CPNI with joint venture partners and independent contractors; to file annually a CPNI certification with the Commission, including an explanation of any actions taken against data brokers and a summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI, and to extend the CPNI rules to providers of interconnected VoIP services, and found that these requirements do not place a significant burden on small businesses.
Final Regulatory Flexibility Analysis
22. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was incorporated in the EPIC CPNI Notice in CC Docket No. 96-115 and the IP-Enabled Services Notice in WC Docket 04-36. The Commission sought written public comment on the proposals in both notices, including comment on the IRFA. The Commission received comments specifically directed toward the IRFA from three commenters in CC Docket No. 96-115 and from three commenters in WC Docket No. 04-36. These comments are discussed below. This Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA.
A. Need for, and Objectives of, the Rules
23. The Order strengthens the Commission's rules to protect the privacy of CPNI that is collected and held by providers of communications services. Section 222 of the Communications Act requires telecommunications carriers to take specific steps to ensure that CPNI is adequately protected from unauthorized disclosure. The Order adopts additional safeguards to protect customers' CPNI against unauthorized access and disclosure.
B. Summary of Significant Issues Raised by Public Comments in Response to the IRFA
24. Comments Received in Response to the EPIC CPNI Notice. In this section, the Commission responds to comments filed in response to the IRFA. To the extent the Commission received comments raising general small business concerns during the proceeding, those comments are discussed throughout the Order.
25. The Commission disagrees with Alexicon that small carriers are less vulnerable to unauthorized attempts to access CPNI. In fact, Alexicon itself points out that one of its client companies actually experienced an unauthorized access attempt, and thus the Commission finds the steps it takes in the Order are applicable to all carriers. The Commission does, however, agree with commenters that argue the Commission should not adopt many of EPIC's suggested requirements. The Commission also agrees with commenters that argue for flexible rules to allow carriers to determine proper authentication methods for its customers. Therefore, the Commission does not adopt specific authentication methods, or back-up authentication methods for lost or forgotten passwords and instead adopts rules that provide limits on the types of authentication methods that meet section 222's mandate to protect CPNI. Further, the Commission agrees with commenters that small carriers should be provided additional time to implement the requirements that the Commission does adopt in the Order. Thus, the Commission provides small carriers with an additional six month implementation period for the online carrier authentication requirements adopted in the Order.
26. Comments Received in Response to the IP-Enabled Services Notice. In this section, the Commission responds to comments filed in response to the IRFA. To the extent the Commission received comments raising general small business concerns during the proceeding, those comments are discussed throughout the Order.
27. The Commission disagrees with the SBA and Francois D. Menard (Menard) that the Commission should postpone acting in this proceeding—thereby postponing extending the application of the CPNI rules to interconnected VoIP service providers—and instead should reevaluate the economic impact and the compliance burdens on small entities and issue a further notice of proposed rulemaking in conjunction with a supplemental IRFA identifying and analyzing the economic impacts on small entities and less burdensome alternatives. The Commission believes the additional steps suggested by SBA and Menard are unnecessary because small entities already have received sufficient notice of the issues addressed in the Order and because the Commission has considered the economic impact on small entities and what ways are feasible to minimize the burdens imposed on those entities, and, to the extent feasible, has implemented those less burdensome alternatives.
C. Description and Estimate of the Number of Small Entities to Which Rules Will Apply
28. The RFA directs agencies to provide a description of and, where feasible, an estimate of the number of small entities that may be affected by the rules adopted herein. The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act. A small business concern is one which: (1) Is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA).
29. Small Businesses. Nationwide, there are a total of approximately 22.4 million small businesses, according to SBA data.
30. Small Organizations. Nationwide, there are approximately 1.6 million small organizations.
31. Small Governmental Jurisdictions. The term “small governmental jurisdiction” is defined generally as “governments of cities, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.” Census Bureau data for 2002 indicate that there were 87,525 local governmental jurisdictions in the United States. The Commission estimates that, of this total, 84,377 entities were “small governmental jurisdictions.” Thus, the Commission estimates that most governmental jurisdictions are small.
1. Telecommunications Service Entities
a. Wireline Carriers and Service Providers
32. The Commission has included small incumbent local exchange carriers in the present RFA analysis. As noted above, a “small business” under the RFA is one that, inter alia, meets the pertinent small business size standard ( e.g. , a telephone communications business having 1,500 or fewer employees), and “is not dominant in its field of operation.” The SBA's Office of Advocacy contends that, for RFA purposes, small incumbent local exchange carriers are not dominant in their field of operation because any such dominance is not “national” in scope. The Commission has therefore included small incumbent local exchange carriers in this RFA analysis, although the Commission emphasizes that this RFA action has no effect on Commission analyses and determinations in other, non-RFA contexts.
33. Incumbent Local Exchange Carriers (LECs) . Neither the Commission nor the SBA has developed a small business size standard specifically for incumbent local exchange services. The appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 1,303 carriers have reported that they are engaged in the provision of incumbent local exchange services. Of these 1,303 carriers, an estimated 1,020 have 1,500 or fewer employees and 283 have more than 1,500 employees. Consequently, the Commission estimates that most providers of incumbent local exchange service are small businesses that may be affected by its action.
34. Competitive Local Exchange Carriers, Competitive Access Providers (CAPs), “Shared-Tenant Service Providers,” and “Other Local Service Providers. ” Neither the Commission nor the SBA has developed a small business size standard specifically for these service providers. The appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 769 carriers have reported that they are engaged in the provision of either competitive access provider services or competitive local exchange carrier services. Of these 769 carriers, an estimated 676 have 1,500 or fewer employees and 93 have more than 1,500 employees. In addition, 12 carriers have reported that they are “Shared-Tenant Service Providers,” and all 12 are estimated to have 1,500 or fewer employees. In addition, 39 carriers have reported that they are “Other Local Service Providers.” Of the 39, an estimated 38 have 1,500 or fewer employees and one has more than 1,500 employees. Consequently, the Commission estimates that most providers of competitive local exchange service, competitive access providers, “Shared-Tenant Service Providers,” and “Other Local Service Providers” are small entities that may be affected by its action.
35. Local Resellers . The SBA has developed a small business size standard for the category of Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 143 carriers have reported that they are engaged in the provision of local resale services. Of these, an estimated 141 have 1,500 or fewer employees and two have more than 1,500 employees. Consequently, the Commission estimates that the majority of local resellers are small entities that may be affected by its action.
36. Toll Resellers . The SBA has developed a small business size standard for the category of Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 770 carriers have reported that they are engaged in the provision of toll resale services. Of these, an estimated 747 have 1,500 or fewer employees and 23 have more than 1,500 employees. Consequently, the Commission estimates that the majority of toll resellers are small entities that may be affected by its action.
37. Payphone Service Providers (PSPs) . Neither the Commission nor the SBA has developed a small business size standard specifically for payphone services providers. The appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 613 carriers have reported that they are engaged in the provision of payphone services. Of these, an estimated 609 have 1,500 or fewer employees and four have more than 1,500 employees. Consequently, the Commission estimates that the majority of payphone service providers are small entities that may be affected by its action.
38. Interexchange Carriers (IXCs) . Neither the Commission nor the SBA has developed a small business size standard specifically for providers of interexchange services. The appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 316 carriers have reported that they are engaged in the provision of interexchange service. Of these, an estimated 292 have 1,500 or fewer employees and 24 have more than 1,500 employees. Consequently, the Commission estimates that the majority of IXCs are small entities that may be affected by its action.
39. Operator Service Providers (OSPs) . Neither the Commission nor the SBA has developed a small business size standard specifically for operator service providers. The appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 23 carriers have reported that they are engaged in the provision of operator services. Of these, an estimated 20 have 1,500 or fewer employees and three have more than 1,500 employees. Consequently, the Commission estimates that the majority of OSPs are small entities that may be affected by its action.
40. Prepaid Calling Card Providers . Neither the Commission nor the SBA has developed a small business size standard specifically for prepaid calling card providers. The appropriate size standard under SBA rules is for the category Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 89 carriers have reported that they are engaged in the provision of prepaid calling cards. Of these, 88 are estimated to have 1,500 or fewer employees and one has more than 1,500 employees. Consequently, the Commission estimates that all or the majority of prepaid calling card providers are small entities that may be affected by its action.
41. 800 and 800-Like Service Subscribers . Neither the Commission nor the SBA has developed a small business size standard specifically for 800 and 800-like service (“toll free”) subscribers. The appropriate size standard under SBA rules is for the category Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees. The most reliable source of information regarding the number of these service subscribers appears to be data the Commission collects on the 800, 888, and 877 numbers in use. According to the Commission's data, at the end of January, 1999, the number of 800 numbers assigned was 7,692,955; the number of 888 numbers assigned was 7,706,393; and the number of 877 numbers assigned was 1,946,538. The Commission does not have data specifying the number of these subscribers that are not independently owned and operated or have more than 1,500 employees, and thus is unable at this time to estimate with greater precision the number of toll free subscribers that would qualify as small businesses under the SBA size standard. Consequently, the Commission estimates that there are 7,692,955 or fewer small entity 800 subscribers; 7,706,393 or fewer small entity 888 subscribers; and 1,946,538 or fewer small entity 877 subscribers.
b. International Service Providers
42. The Commission has not developed a small business size standard specifically for providers of international service. The appropriate size standards under SBA rules are for the two broad census categories of “Satellite Telecommunications” and “Other Telecommunications.” Under both categories, such a business is small if it has $12.5 million or less in average annual receipts.
43. The first category of Satellite Telecommunications “comprises establishments primarily engaged in providing point-to-point telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” For this category, Census Bureau data for 2002 show that there were a total of 371 firms that operated for the entire year. Of this total, 307 firms had annual receipts of under $10 million, and 26 firms had receipts of $10 million to $24,999,999. Consequently, the Commission estimates that the majority of Satellite Telecommunications firms are small entities that might be affected by its action.
44. The second category of Other Telecommunications “comprises establishments primarily engaged in (1) providing specialized telecommunications applications, such as satellite tracking, communications telemetry, and radar station operations; or (2) providing satellite terminal stations and associated facilities operationally connected with one or more terrestrial communications systems and capable of transmitting telecommunications to or receiving telecommunications from satellite systems.” For this category, Census Bureau data for 2002 show that there were a total of 332 firms that operated for the entire year. Of this total, 259 firms had annual receipts of under $10 million and 15 firms had annual receipts of $10 million to $24,999,999. Consequently, the Commission estimates that the majority of Other Telecommunications firms are small entities that might be affected by its action.
c. Wireless Telecommunications Service Providers
45. Below, for those services subject to auctions, the Commission notes that, as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Also, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated.
46. Wireless Service Providers . The SBA has developed a small business size standard for wireless firms within the two broad economic census categories of “Paging” and “Cellular and Other Wireless Telecommunications.” Under both SBA categories, a wireless business is small if it has 1,500 or fewer employees. For the census category of Paging, Census Bureau data for 2002 show that there were 807 firms in this category that operated for the entire year. Of this total, 804 firms had employment of 999 or fewer employees, and three firms had employment of 1,000 employees or more. Thus, under this category and associated small business size standard, the majority of firms can be considered small. For the census category of Cellular and Other Wireless Telecommunications, Census Bureau data for 2002 show that there were 1,397 firms in this category that operated for the entire year. Of this total, 1,378 firms had employment of 999 or fewer employees, and 19 firms had employment of 1,000 employees or more. Thus, under this second category and size standard, the majority of firms can, again, be considered small.
47. Cellular Licensees . The SBA has developed a small business size standard for wireless firms within the broad economic census category “Cellular and Other Wireless Telecommunications.” Under this SBA category, a wireless business is small if it has 1,500 or fewer employees. For the census category of Cellular and Other Wireless Telecommunications, Census Bureau data for 2002 show that there were 1,397 firms in this category that operated for the entire year. Of this total, 1,378 firms had employment of 999 or fewer employees, and 19 firms had employment of 1,000 employees or more. Thus, under this category and size standard, the great majority of firms can be considered small. Also, according to Commission data, 437 carriers reported that they were engaged in the provision of cellular service, Personal Communications Service (PCS), or Specialized Mobile Radio (SMR) Telephony services, which are placed together in the data. The Commission has estimated that 260 of these are small, under the SBA small business size standard.
48. Common Carrier Paging . The SBA has developed a small business size standard for wireless firms within the broad economic census category, “Cellular and Other Wireless Telecommunications.” Under this SBA category, a wireless business is small if it has 1,500 or fewer employees. For the census category of Paging, Census Bureau data for 2002 show that there were 807 firms in this category that operated for the entire year. Of this total, 804 firms had employment of 999 or fewer employees, and three firms had employment of 1,000 employees or more. Thus, under this category and associated small business size standard, the majority of firms can be considered small. In the Paging Third Report and Order , the Commission developed a small business size standard for “small businesses” and “very small businesses” for purposes of determining their eligibility for special provisions such as bidding credits and installment payments. A “small business” is an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $15 million for the preceding three years. Additionally, a “very small business” is an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $3 million for the preceding three years. The SBA has approved these small business size standards. An auction of Metropolitan Economic Area licenses commenced on February 24, 2000, and closed on March 2, 2000. Of the 985 licenses auctioned, 440 were sold. Fifty-seven companies claiming small business status won. Also, according to Commission data, 375 carriers reported that they were engaged in the provision of paging and messaging services. Of those, the Commission estimates that 370 are small, under the SBA-approved small business size standard.
49. Wireless Communications Services . This service can be used for fixed, mobile, radiolocation, and digital audio broadcasting satellite uses. The Commission established small business size standards for the wireless communications services (WCS) auction. A “small business” is an entity with average gross revenues of $40 million for each of the three preceding years, and a “very small business” is an entity with average gross revenues of $15 million for each of the three preceding years. The SBA has approved these small business size standards. The Commission auctioned geographic area licenses in the WCS service. In the auction, there were seven winning bidders that qualified as “very small business” entities, and one that qualified as a “small business” entity.
50. Wireless Telephony . Wireless telephony includes cellular, personal communications services (PCS), and specialized mobile radio (SMR) telephony carriers. As noted earlier, the SBA has developed a small business size standard for “Cellular and Other Wireless Telecommunications” services. Under that SBA small business size standard, a business is small if it has 1,500 or fewer employees. According to Commission data, 445 carriers reported that they were engaged in the provision of wireless telephony. The Commission has estimated that 245 of these are small under the SBA small business size standard.
51. Broadband Personal Communications Service . The broadband Personal Communications Service (PCS) spectrum is divided into six frequency blocks designated A through F, and the Commission has held auctions for each block. The Commission defined “small entity” for Blocks C and F as an entity that has average gross revenues of $40 million or less in the three previous calendar years. For Block F, an additional classification for “very small business” was added and is defined as an entity that, together with its affiliates, has average gross revenues of not more than $15 million for the preceding three calendar years.” These standards defining “small entity” in the context of broadband PCS auctions have been approved by the SBA. No small businesses, within the SBA-approved small business size standards bid successfully for licenses in Blocks A and B. There were 90 winning bidders that qualified as small entities in the Block C auctions. A total of 93 small and very small business bidders won approximately 40 percent of the 1,479 licenses for Blocks D, E, and F. On March 23, 1999, the Commission re-auctioned 347 C, D, E, and F Block licenses. There were 48 small business winning bidders. On January 26, 2001, the Commission completed the auction of 422 C and F Broadband PCS licenses in Auction No. 35. Of the 35 winning bidders in this auction, 29 qualified as “small” or “very small” businesses. Subsequent events, concerning Auction 35, including judicial and agency determinations, resulted in a total of 163 C and F Block licenses being available for grant.
52. Narrowband Personal Communications Services . To date, two auctions of narrowband personal communications services (PCS) licenses have been conducted. For purposes of the two auctions that have already been held, “small businesses” were entities with average gross revenues for the prior three calendar years of $40 million or less. Through these auctions, the Commission has awarded a total of 41 licenses, out of which 11 were obtained by small businesses. To ensure meaningful participation of small business entities in future auctions, the Commission has adopted a two-tiered small business size standard in the Narrowband PCS Second Report and Order . A “small business” is an entity that, together with affiliates and controlling interests, has average gross revenues for the three preceding years of not more than $40 million. A “very small business” is an entity that, together with affiliates and controlling interests, has average gross revenues for the three preceding years of not more than $15 million. The SBA has approved these small business size standards. In the future, the Commission will auction 459 licenses to serve Metropolitan Trading Areas (MTAs) and 408 response channel licenses. There is also one megahertz of narrowband PCS spectrum that has been held in reserve and that the Commission has not yet decided to release for licensing. The Commission cannot predict accurately the number of licenses that will be awarded to small entities in future auctions. However, four of the 16 winning bidders in the two previous narrowband PCS auctions were small businesses, as that term was defined. The Commission assumes, for purposes of this analysis that a large portion of the remaining narrowband PCS licenses will be awarded to small entities. The Commission also assumes that at least some small businesses will acquire narrowband PCS licenses by means of the Commission's partitioning and disaggregation rules.
53. 220 MHz Radio Service—Phase I Licensees . The 220 MHz service has both Phase I and Phase II licenses. Phase I licensing was conducted by lotteries in 1992 and 1993. There are approximately 1,515 such non-nationwide licensees and four nationwide licensees currently authorized to operate in the 220 MHz band. The Commission has not developed a small business size standard for small entities specifically applicable to such incumbent 220 MHz Phase I licensees. To estimate the number of such licensees that are small businesses, the Commission applies the small business size standard under the SBA rules applicable to “Cellular and Other Wireless Telecommunications” companies. This category provides that a small business is a wireless company employing no more than 1,500 persons. For the census category Cellular and Other Wireless Telecommunications, Census Bureau data for 1997 show that there were 977 firms in this category, total, that operated for the entire year. Of this total, 965 firms had employment of 999 or fewer employees, and an additional 12 firms had employment of 1,000 employees or more. Thus, under this second category and size standard, the majority of firms can, again, be considered small. Assuming this general ratio continues in the context of Phase I 220 MHz licensees, the Commission estimates that nearly all such licensees are small businesses under the SBA's small business size standard. In addition, limited preliminary census data for 2002 indicate that the total number of cellular and other wireless telecommunications carriers increased approximately 321 percent from 1997 to 2002.
54. 220 MHz Radio Service—Phase II Licensees . The 220 MHz service has both Phase I and Phase II licenses. The Phase II 220 MHz service is a new service, and is subject to spectrum auctions. In the 220 MHz Third Report and Order , the Commission adopted a small business size standard for “small” and “very small” businesses for purposes of determining their eligibility for special provisions such as bidding credits and installment payments. This small business size standard indicates that a “small business” is an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $15 million for the preceding three years. A “very small business” is an entity that, together with its affiliates and controlling principals, has average gross revenues that do not exceed $3 million for the preceding three years. The SBA has approved these small business size standards. Auctions of Phase II licenses commenced on September 15, 1998, and closed on October 22, 1998. In the first auction, 908 licenses were auctioned in three different-sized geographic areas: three nationwide licenses, 30 Regional Economic Area Group (EAG) Licenses, and 875 Economic Area (EA) Licenses. Of the 908 licenses auctioned, 693 were sold. Thirty-nine small businesses won licenses in the first 220 MHz auction. The second auction included 225 licenses: 216 EA licenses and 9 EAG licenses. Fourteen companies claiming small business status won 158 licenses.
55. 800 MHz and 900 MHz Specialized Mobile Radio Licenses . The Commission awards “small entity” and “very small entity” bidding credits in auctions for Specialized Mobile Radio (SMR) geographic area licenses in the 800 MHz and 900 MHz bands to firms that had revenues of no more than $15 million in each of the three previous calendar years, or that had revenues of no more than $3 million in each of the previous calendar years, respectively. These bidding credits apply to SMR providers in the 800 MHz and 900 MHz bands that either hold geographic area licenses or have obtained extended implementation authorizations. The Commission does not know how many firms provide 800 MHz or 900 MHz geographic area SMR service pursuant to extended implementation authorizations, nor how many of these providers have annual revenues of no more than $15 million. One firm has over $15 million in revenues. The Commission assumes, for purposes here, that all of the remaining existing extended implementation authorizations are held by small entities, as that term is defined by the SBA. The Commission has held auctions for geographic area licenses in the 800 MHz and 900 MHz SMR bands. There were 60 winning bidders that qualified as small or very small entities in the 900 MHz SMR auctions. Of the 1,020 licenses won in the 900 MHz auction, bidders qualifying as small or very small entities won 263 licenses. In the 800 MHz auction, 38 of the 524 licenses won were won by small and very small entities.
56. 700 MHz Guard Band Licensees . In the 700 MHz Guard Band Order , the Commission adopted a small business size standard for “small businesses” and “very small businesses” for purposes of determining their eligibility for special provisions such as bidding credits and installment payments. A “small business” as an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $15 million for the preceding three years. Additionally, a “very small business” is an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $3 million for the preceding three years. An auction of 52 Major Economic Area (MEA) licenses commenced on September 6, 2000, and closed on September 21, 2000. Of the 104 licenses auctioned, 96 licenses were sold to nine bidders. Five of these bidders were small businesses that won a total of 26 licenses. A second auction of 700 MHz Guard Band licenses commenced on February 13, 2001 and closed on February 21, 2001. All eight of the licenses auctioned were sold to three bidders. One of these bidders was a small business that won a total of two licenses.
57. Rural Radiotelephone Service . The Commission has not adopted a size standard for small businesses specific to the Rural Radiotelephone Service. A significant subset of the Rural Radiotelephone Service is the Basic Exchange Telephone Radio System (BETRS). The Commission uses the SBA's small business size standard applicable to “Cellular and Other Wireless Telecommunications,” i.e. , an entity employing no more than 1,500 persons. There are approximately 1,000 licensees in the Rural Radiotelephone Service, and the Commission estimates that there are 1,000 or fewer small entity licensees in the Rural Radiotelephone Service that may be affected by the rules and policies adopted herein.
58. Air-Ground Radiotelephone Service . The Commission has not adopted a small business size standard specific to the Air-Ground Radiotelephone Service. The Commission will use SBA's small business size standard applicable to “Cellular and Other Wireless Telecommunications,” i.e. , an entity employing no more than 1,500 persons. There are approximately 100 licensees in the Air-Ground Radiotelephone Service, and the Commission estimates that almost all of them qualify as small under the SBA small business size standard.
59. Aviation and Marine Radio Services . Small businesses in the aviation and marine radio services use a very high frequency (VHF) marine or aircraft radio and, as appropriate, an emergency position-indicating radio beacon (and/or radar) or an emergency locator transmitter. The Commission has not developed a small business size standard specifically applicable to these small businesses. For purposes of this analysis, the Commission uses the SBA small business size standard for the category “Cellular and Other Telecommunications,” which is 1,500 or fewer employees. Most applicants for recreational licenses are individuals. Approximately 581,000 ship station licensees and 131,000 aircraft station licensees operate domestically and are not subject to the radio carriage requirements of any statute or treaty. For purposes of the Commission's evaluations in this analysis, the Commission estimates that there are up to approximately 712,000 licensees that are small businesses (or individuals) under the SBA standard. In addition, between December 3, 1998 and December 14, 1998, the Commission held an auction of 42 VHF Public Coast licenses in the 157.1875-157.4500 MHz (ship transmit) and 161.775-162.0125 MHz (coast transmit) bands. For purposes of the auction, the Commission defined a “small” business as an entity that, together with controlling interests and affiliates, has average gross revenues for the preceding three years not to exceed $15 million dollars. In addition, a “very small” business is one that, together with controlling interests and affiliates, has average gross revenues for the preceding three years not to exceed $3 million dollars. There are approximately 10,672 licensees in the Marine Coast Service, and the Commission estimates that almost all of them qualify as “small” businesses under the above special small business size standards.
60. Offshore Radiotelephone Service . This service operates on several UHF television broadcast channels that are not used for television broadcasting in the coastal areas of states bordering the Gulf of Mexico. There are presently approximately 55 licensees in this service. The Commission is unable to estimate at this time the number of licensees that would qualify as small under the SBA's small business size standard for “Cellular and Other Wireless Telecommunications” services. Under that SBA small business size standard, a business is small if it has 1,500 or fewer employees.
61. 39 GHz Service . The Commission created a special small business size standard for 39 GHz licenses—an entity that has average gross revenues of $40 million or less in the three previous calendar years. An additional size standard for “very small business” is: an entity that, together with affiliates, has average gross revenues of not more than $15 million for the preceding three calendar years. The SBA has approved these small business size standards. The auction of the 2,173 39 GHz licenses began on April 12, 2000 and closed on May 8, 2000. The 18 bidders who claimed small business status won 849 licenses. Consequently, the Commission estimates that 18 or fewer 39 GHz licensees are small entities that may be affected by the rules and polices adopted herein.
62. Multipoint Distribution Service, Multichannel Multipoint Distribution Service, and ITFS . Multichannel Multipoint Distribution Service (MMDS) systems, often referred to as “wireless cable,” transmit video programming to subscribers using the microwave frequencies of the Multipoint Distribution Service (MDS) and Instructional Television Fixed Service (ITFS). In connection with the 1996 MDS auction, the Commission established a small business size standard as an entity that had annual average gross revenues of less than $40 million in the previous three calendar years. The MDS auctions resulted in 67 successful bidders obtaining licensing opportunities for 493 Basic Trading Areas (BTAs). Of the 67 auction winners, 61 met the definition of a small business. MDS also includes licensees of stations authorized prior to the auction. In addition, the SBA has developed a small business size standard for Cable and Other Program Distribution, which includes all such companies generating $12.5 million or less in annual receipts. According to Census Bureau data for 1997, there were a total of 1,311 firms in this category, total, that had operated for the entire year. Of this total, 1,180 firms had annual receipts of under $10 million and an additional 52 firms had receipts of $10 million or more but less than $25 million. Consequently, the Commission estimates that the majority of providers in this service category are small businesses that may be affected by the rules and policies adopted herein. This SBA small business size standard also appears applicable to ITFS. There are presently 2,032 ITFS licensees. All but 100 of these licenses are held by educational institutions. Educational institutions are included in this analysis as small entities. Thus, the Commission tentatively conclude that at least 1,932 licensees are small businesses.
63. Local Multipoint Distribution Service . Local Multipoint Distribution Service (LMDS) is a fixed broadband point-to-multipoint microwave service that provides for two-way video telecommunications. The auction of the 1,030 Local Multipoint Distribution Service (LMDS) licenses began on February 18, 1998 and closed on March 25, 1998. The Commission established a small business size standard for LMDS licenses as an entity that has average gross revenues of less than $40 million in the three previous calendar years. An additional small business size standard for “very small business” was added as an entity that, together with its affiliates, has average gross revenues of not more than $15 million for the preceding three calendar years. The SBA has approved these small business size standards in the context of LMDS auctions. There were 93 winning bidders that qualified as small entities in the LMDS auctions. A total of 93 small and very small business bidders won approximately 277 A Block licenses and 387 B Block licenses. On March 27, 1999, the Commission re-auctioned 161 licenses; there were 40 winning bidders. Based on this information, the Commission concludes that the number of small LMDS licenses consists of the 93 winning bidders in the first auction and the 40 winning bidders in the re-auction, for a total of 133 small entity LMDS providers.
64. 218-219 MHz Service. The first auction of 218-219 MHz spectrum resulted in 170 entities winning licenses for 594 Metropolitan Statistical Area (MSA) licenses. Of the 594 licenses, 557 were won by entities qualifying as a small business. For that auction, the small business size standard was an entity that, together with its affiliates, has no more than a $6 million net worth and, after federal income taxes (excluding any carry over losses), has no more than $2 million in annual profits each year for the previous two years. In the 218-219 MHz Report and Order and Memorandum Opinion and Order, the Commission established a small business size standard for a “small business” as an entity that, together with its affiliates and persons or entities that hold interests in such an entity and their affiliates, has average annual gross revenues not to exceed $15 million for the preceding three years. A “very small business” is defined as an entity that, together with its affiliates and persons or entities that hold interests in such an entity and its affiliates, has average annual gross revenues not to exceed $3 million for the preceding three years. The Commission cannot estimate, however, the number of licenses that will be won by entities qualifying as small or very small businesses under its rules in future auctions of 218-219 MHz spectrum.
65. 24 GHz—Incumbent Licensees. This analysis may affect incumbent licensees who were relocated to the 24 GHz band from the 18 GHz band, and applicants who wish to provide services in the 24 GHz band. The applicable SBA small business size standard is that of “Cellular and Other Wireless Telecommunications” companies. This category provides that such a company is small if it employs no more than 1,500 persons. According to Census Bureau data for 1997, there were 977 firms in this category, total, that operated for the entire year. Of this total, 965 firms had employment of 999 or fewer employees, and an additional 12 firms had employment of 1,000 employees or more. Thus, under this size standard, the great majority of firms can be considered small. These broader census data notwithstanding, the Commission believes that there are only two licensees in the 24 GHz band that were relocated from the 18 GHz band, Teligent and TRW, Inc. It is the Commisson's understanding that Teligent and its related companies have less than 1,500 employees, though this may change in the future. TRW is not a small entity. Thus, only one incumbent licensee in the 24 GHz band is a small business entity.
66. 24 GHz—Future Licensees. With respect to new applicants in the 24 GHz band, the small business size standard for “small business” is an entity that, together with controlling interests and affiliates, has average annual gross revenues for the three preceding years not in excess of $15 million. “Very small business” in the 24 GHz band is an entity that, together with controlling interests and affiliates, has average gross revenues not exceeding $3 million for the preceding three years. The SBA has approved these small business size standards. These size standards will apply to the future auction, if held.
2. Cable and OVS Operators
67. Cable and Other Program Distribution. This category includes cable systems operators, closed circuit television services, direct broadcast satellite services, multipoint distribution systems, satellite master antenna systems, and subscription television services. The SBA has developed small business size standard for this census category, which includes all such companies generating $12.5 million or less in revenue annually. According to Census Bureau data for 2002, there were a total of 1,191 firms in this category that operated for the entire year. Of this total, 1,087 firms had annual receipts of under $10 million, and 43 firms had receipts of $10 million or more but less than $25 million. Consequently, the Commission estimates that the majority of providers in this service category are small businesses that may be affected by the rules and policies adopted herein.
68. Cable System Operators. The Commission has developed its own small business size standards for cable system operators, for purposes of rate regulation. Under the Commission's rules, a “small cable company” is one serving fewer than 400,000 subscribers nationwide. In addition, a “small system” is a system serving 15,000 or fewer subscribers.
69. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended, also contains a size standard for small cable system operators, which is “a cable operator that, directly or through an affiliate, serves in the aggregate fewer than 1 percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000.” The Commission has determined that there are approximately 67,700,000 subscribers in the United States. Therefore, an operator serving fewer than 677,000 subscribers shall be deemed a small operator, if its annual revenues, when combined with the total annual revenues of all its affiliates, do not exceed $250 million in the aggregate. Based on available data, the Commission estimates that the number of cable operators serving 677,000 subscribers or fewer, totals 1,450. The Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million, and therefore is unable, at this time, to estimate more accurately the number of cable system operators that would qualify as small cable operators under the size standard contained in the Communications Act of 1934.
70. Open Video Services. Open Video Service (OVS) systems provide subscription services. The SBA has created a small business size standard for Cable and Other Program Distribution. This standard provides that a small entity is one with $12.5 million or less in annual receipts. The Commission has certified approximately 25 OVS operators to serve 75 areas, and some of these are currently providing service. Affiliates of Residential Communications Network, Inc. (RCN) received approval to operate OVS systems in New York City, Boston, Washington, DC, and other areas. RCN has sufficient revenues to assure that they do not qualify as a small business entity. Little financial information is available for the other entities that are authorized to provide OVS and are not yet operational. Given that some entities authorized to provide OVS service have not yet begun to generate revenues, the Commission concludes that up to 24 OVS operators (those remaining) might qualify as small businesses that may be affected by the rules and policies adopted herein.
3. Internet Service Providers
71. Internet Service Providers. The SBA has developed a small business size standard for Internet Service Providers (ISPs). ISPs “provide clients access to the Internet and generally provide related services such as Web hosting, Web page designing, and hardware or software consulting related to Internet connectivity.” Under the SBA size standard, such a business is small if it has average annual receipts of $21 million or less. According to Census Bureau data for 2002, there were 2,529 firms in this category that operated for the entire year. Of these, 2,437 firms had annual receipts of under $10 million, and 47 firms had receipts of $10 million or more but less then $25 million. Consequently, the Commission estimates that the majority of these firms are small entities that may be affected by its action.
4. Other Internet-Related Entities
72. Web Search Portals. The Commission's action pertains to interconnected VoIP services, which could be provided by entities that provide other services such as e-mail, online gaming, Web browsing, video conferencing, instant messaging, and other, similar IP-enabled services. The Commission has not adopted a size standard for entities that create or provide these types of services or applications. However, the census bureau has identified firms that “operate Web sites that use a search engine to generate and maintain extensive databases of Internet addresses and content in an easily searchable format. Web search portals often provide additional Internet services, such as e-mail, connections to other Web sites, auctions, news, and other limited content, and serve as a home base for Internet users.” The SBA has developed a small business size standard for this category; that size standard is $6 million or less in average annual receipts. According to Census Bureau data for 1997, there were 195 firms in this category that operated for the entire year. Of these, 172 had annual receipts of under $5 million, and an additional nine firms had receipts of between $5 million and $9,999,999. Consequently, the Commission estimates that the majority of these firms are small entities that may be affected by its action.
73. Data Processing, Hosting, and Related Services. Entities in this category “primarily * * * provid[e] infrastructure for hosting or data processing services.” The SBA has developed a small business size standard for this category; that size standard is $21 million or less in average annual receipts. According to Census Bureau data for 1997, there were 3,700 firms in this category that operated for the entire year. Of these, 3,477 had annual receipts of under $10 million, and an additional 108 firms had receipts of between $10 million and $24,999,999. Consequently, the Commission estimates that the majority of these firms are small entities that may be affected by its action.
74. All Other Information Services. “This industry comprises establishments primarily engaged in providing other information services (except new syndicates and libraries and archives).” The Commission's action pertains to interconnected VoIP services, which could be provided by entities that provide other services such as email, online gaming, web browsing, video conferencing, instant messaging, and other, similar IP-enabled services. The SBA has developed a small business size standard for this category; that size standard is $6 million or less in average annual receipts. According to Census Bureau data for 1997, there were 195 firms in this category that operated for the entire year. Of these, 172 had annual receipts of under $5 million, and an additional nine firms had receipts of between $5 million and $9,999,999. Consequently, the Commission estimates that the majority of these firms are small entities that may be affected by its action.
75. Internet Publishing and Broadcasting. “This industry comprises establishments engaged in publishing and/or broadcasting content on the Internet exclusively. These establishments do not provide traditional (non-Internet) versions of the content that they publish or broadcast.” The SBA has developed a small business size standard for this new (2002) census category; that size standard is 500 or fewer employees. To assess the prevalence of small entities in this category, the Commission will use 1997 Census Bureau data for a relevant, now-superseded census category, “All Other Information Services.” The SBA small business size standard for that prior category was $6 million or less in average annual receipts. According to Census Bureau data for 1997, there were 195 firms in the prior category that operated for the entire year. Of these, 172 had annual receipts of under $5 million, and an additional nine firms had receipts of between $5 million and $9,999,999. Consequently, the Commission estimates that the majority of the firms in this current category are small entities that may be affected by its action.
76. Software Publishers. These companies may design, develop or publish software and may provide other support services to software purchasers, such as providing documentation or assisting in installation. The companies may also design software to meet the needs of specific users. The SBA has developed a small business size standard of $21 million or less in average annual receipts for all of the following pertinent categories: Software Publishers, Custom Computer Programming Services, and Other Computer Related Services. For Software Publishers, Census Bureau data for 1997 indicate that there were 8,188 firms in the category that operated for the entire year. Of these, 7,633 had annual receipts under $10 million, and an additional 289 firms had receipts of between $10 million and $24, 999,999. For providers of Custom Computer Programming Services, the Census Bureau data indicate that there were 19,334 firms that operated for the entire year. Of these, 18,786 had annual receipts of under $10 million, and an additional 352 firms had receipts of between $10 million and $24,999,999. For providers of Other Computer Related Services, the Census Bureau data indicate that there were 5,524 firms that operated for the entire year. Of these, 5,484 had annual receipts of under $10 million, and an additional 28 firms had receipts of between $10 million and $24,999,999. Consequently, the Commission estimates that the majority of the firms in each of these three categories are small entities that may be affected by its action.
5. Equipment Manufacturers
77. The equipment manufacturers described in this section are merely indirectly affected by the Commission's current action, and therefore are not formally a part of this RFA analysis. The Commission has included them, however, to broaden the record in this proceeding and to alert them to its decisions.
78. Wireless Communications Equipment Manufacturers. The SBA has established a small business size standard for Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing. Examples of products in this category include “transmitting and receiving antennas, cable television equipment, GPS equipment, pagers, cellular phones, mobile communications equipment, and radio and television studio and broadcasting equipment” and may include other devices that transmit and receive IP-enabled services, such as personal digital assistants (PDAs). Under the SBA size standard, firms are considered small if they have 750 or fewer employees. According to Census Bureau data for 1997, there were 1,215 establishments in this category that operated for the entire year. Of those, there were 1,150 that had employment of under 500, and an additional 37 that had employment of 500 to 999. The percentage of wireless equipment manufacturers in this category was approximately 61.35%, so the Commission estimates that the number of wireless equipment manufacturers with employment of under 500 was actually closer to 706, with an additional 23 establishments having employment of between 500 and 999. Consequently, the Commission estimates that the majority of wireless communications equipment manufacturers are small entities that may be affected by its action.
79. Telephone Apparatus Manufacturing. This category “comprises establishments primarily engaged primarily in manufacturing wire telephone and data communications equipment.” Examples of pertinent products are “central office switching equipment, cordless telephones (except cellular), PBX equipment, telephones, telephone answering machines, and data communications equipment, such as bridges, routers, and gateways.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 598 establishments in this category that operated for the entire year. Of these, 574 had employment of under 1,000, and an additional 17 establishments had employment of 1,000 to 2,499. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action.
80. Electronic Computer Manufacturing. This category “comprises establishments primarily engaged in manufacturing and/or assembling electronic computers, such as mainframes, personal computers, workstations, laptops, and computer servers.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 563 establishments in this category that operated for the entire year. Of these, 544 had employment of under 1,000, and an additional 11 establishments had employment of 1,000 to 2,499. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action.
81. Computer Terminal Manufacturing. “Computer terminals are input/output devices that connect with a central computer for processing.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 142 establishments in this category that operated for the entire year, and all of the establishments had employment of under 1,000. Consequently, the Commission estimates that the majority or all of these establishments are small entities that may be affected by it action.
82. Other Computer Peripheral Equipment Manufacturing. Examples of peripheral equipment in this category include keyboards, mouse devices, monitors, and scanners. The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 1061 establishments in this category that operated for the entire year. Of these, 1,046 had employment of under 1,000, and an additional six establishments had employment of 1,000 to 2,499. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action.
83. Fiber Optic Cable Manufacturing. These establishments manufacture “insulated fiber-optic cable from purchased fiber-optic strand.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 38 establishments in this category that operated for the entire year. Of these, 37 had employment of under 1,000, and one establishment had employment of 1,000 to 2,499. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action.
84. Other Communication and Energy Wire Manufacturing. These establishments manufacture “insulated wire and cable of nonferrous metals from purchased wire.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 275 establishments in this category that operated for the entire year. Of these, 271 had employment of under 1,000, and four establishments had employment of 1,000 to 2,499. Consequently, the Commission estimates that the majority or all of these establishments are small entities that may be affected by its action.
85. Audio and Video Equipment Manufacturing. These establishments manufacture “electronic audio and video equipment for home entertainment, motor vehicle, public address and musical instrument amplifications.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 750 or fewer employees. According to Census Bureau data for 1997, there were 554 establishments in this category that operated for the entire year. Of these, 542 had employment of under 500, and nine establishments had employment of 500 to 999. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action.
86. Electron Tube Manufacturing. These establishments are “primarily engaged in manufacturing electron tubes and parts (except glass blanks).” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 750 or fewer employees. According to Census Bureau data for 1997, there were 158 establishments in this category that operated for the entire year. Of these, 148 had employment of under 500, and three establishments had employment of 500 to 999. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action.
87. Bare Printed Circuit Board Manufacturing. These establishments are “primarily engaged in manufacturing bare (i.e., rigid or flexible) printed circuit boards without mounted electronic components.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 1,389 establishments in this category that operated for the entire year. Of these, 1,369 had employment of under 500, and 16 establishments had employment of 500 to 999. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action.
88. Semiconductor and Related Device Manufacturing. These establishments manufacture “computer storage devices that allow the storage and retrieval of data from a phase change, magnetic, optical, or magnetic/optical media.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 1,082 establishments in this category that operated for the entire year. Of these, 987 had employment of under 500, and 52 establishments had employment of 500 to 999.
89. Electronic Capacitor Manufacturing. These establishments manufacture “electronic fixed and variable capacitors and condensers.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 128 establishments in this category that operated for the entire year. Of these, 121 had employment of under 500, and four establishments had employment of 500 to 999.
90. Electronic Resistor Manufacturing. These establishments manufacture “electronic resistors, such as fixed and variable resistors, resistor networks, thermistors, and varistors.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 118 establishments in this category that operated for the entire year. Of these, 113 had employment of under 500, and 5 establishments had employment of 500 to 999.
91. Electronic Coil, Transformer, and Other Inductor Manufacturing. These establishments manufacture “electronic inductors, such as coils and transformers.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 448 establishments in this category that operated for the entire year. Of these, 446 had employment of under 500, and two establishments had employment of 500 to 999.
92. Electronic Connector Manufacturing . These establishments manufacture “electronic connectors, such as coaxial, cylindrical, rack and panel, pin and sleeve, printed circuit and fiber optic.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 347 establishments in this category that operated for the entire year. Of these, 332 had employment of under 500, and 12 establishments had employment of 500 to 999.
93. Printed Circuit Assembly (Electronic Assembly) Manufacturing . These are establishments “primarily engaged in loading components onto printed circuit boards or who manufacture and ship loaded printed circuit boards.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 714 establishments in this category that operated for the entire year. Of these, 673 had employment of under 500, and 24 establishments had employment of 500 to 999.
94. Other Electronic Component Manufacturing . These are establishments “primarily engaged in loading components onto printed circuit boards or who manufacture and ship loaded printed circuit boards.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 1,835 establishments in this category that operated for the entire year. Of these, 1,814 had employment of under 500, and 18 establishments had employment of 500 to 999.
95. Computer Storage Device Manufacturing . These establishments manufacture “computer storage devices that allow the storage and retrieval of data from a phase change, magnetic, optical, or magnetic/optical media.” The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 209 establishments in this category that operated for the entire year. Of these, 197 had employment of under 500, and eight establishments had employment of 500 to 999.
D. Description of Projected Reporting, Recordkeeping and Other Compliance Requirements
96. The Commission is requiring telecommunications carriers and providers of interconnected VoIP service to collect certain information and take other actions to comply with its rules regarding the use of CPNI. For example, carriers must have an officer, as an agent of the carrier, sign and file with the Commission a compliance certificate on an annual basis stating that the officer has personal knowledge that the carrier has established procedures that are adequate to ensure compliance with the CPNI rules. The carrier must also provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the CPNI rules. Further, the carrier must include an explanation of any actions taken against data brokers and a summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI. Additionally, carriers must obtain opt-in approval before sharing CPNI with their joint venture partners or independent contractors for the purposes of marketing communications-related services to customers. Also, carriers are required to maintain a record of any discovered breaches, notifications to the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) regarding those breaches, as well as the USSS and FBI response to those notifications for a period of at least two years.
97. The Commission also imposes other requirements on telecommunications carriers and providers of interconnected VoIP service. Specifically, the Order prohibits carriers from releasing call detail information over the phone during customer-initiated telephone calls except by those methods provided for in the Order. The Order also requires that a carrier not permit customers to gain access to an online account without first properly authenticating the customer and, for subsequent access, without a customer password or response to a back-up authentication method for lost or forgotten passwords, neither of which may be based on a carrier prompt for readily available biographical information, or account information. For the rules pertaining to online carrier authentication, the Commission provides carriers that satisfy the definition of a “small entity” or a “small business concern” under the RFA or SBA an additional six months to implement these rules.
98. The Order also requires that carriers notify customers through a carrier-originated voicemail or text message to the telephone number of record, or by mail or email to the address of record whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. Further, the Order requires that carriers notify the USSS and the FBI no later than seven days after a reasonable determination of a CPNI breach.
E. Steps Taken to Minimize Significant Economic Impact on Small Entities, and Significant Alternatives Considered
99. The RFA requires an agency to describe any significant alternatives that it has considered in reaching its proposed approach, which may include (among others) the following four alternatives: (1) The establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance or reporting requirements under the rule for small entities; (3) the use of performance, rather than design, standards; and (4) an exemption from coverage of the rule, or any part thereof, for small entities.
100. The notices invited comment on a number of issues related to small entities. For example, the Commission sought comment on the effect the various proposals described in the EPIC CPNI Notice will have on small entities, and on what effect alternative rules would have on those entities. Additionally, the Commission invited comment on ways in which the Commission can achieve its goal of protecting consumers while at the same time imposing minimal burdens on small telecommunications service providers. With respect to any of the Commission consumer protection regulations already in place, the Commission sought comment on whether it has adopted any provisions for small entities that the Commission should similarly consider in this proceeding? The Commission also invited comment on whether the problems identified by EPIC were better or worse at smaller carriers. The Commission invited comment on whether small carriers should be exempt from password-related security procedures to protect CPNI. The Commission invited comment on the benefits and burdens of recording audit trails for the disclosure of CPNI on small carriers. The Commission invited comment on whether requiring a small carrier to encrypt its stored data would be unduly burdensome. The Commission solicited comment on the cost to a small carrier of notifying a customer upon release of CPNI. The Commission sought comment on whether the Commission should amend its rules to require carriers to file annual certifications concerning CPNI and whether this requirement should extend to only telecommunications carriers that are not small telephone companies as defined by the Small Business Administration, and whether small carriers should be subject to different CPNI-related obligations.
101. The Commission has considered each of the alternatives described above, and in this Order, imposes minimal regulation on small entities to the extent consistent with its goal of ensuring that carriers and providers of interconnected VoIP service protect against the unauthorized release of CPNI. Specifically, the Commission extended the implementation date for the rules pertaining to online authentication by six months so that small businesses will have additional time to come into compliance with the Order's rules.
102. As stated above, the Commission must assess the interests of small businesses in light of the overriding public interest of protecting against the unlawful release of CPNI. The Order discusses that CPNI is made up of very personal data. Therefore, the Commission concluded that it was important for all telecommunications carriers and providers of interconnected VoIP service, including small businesses, to comply with the rules the Commission adopts in this Order six months after the Order's effective date or on receipt of OMB approval, as required by the Paperwork Reduction Act, whichever is later. For example, the Commission concluded that carriers and providers of interconnected VoIP service must stop releasing call detail information based on customer-initiated telephone calls except by those methods provided for in the Order. Additionally, the Commission concluded that it was important for all telecommunications carriers and providers of interconnected VoIP service to report breaches of CPNI data to law enforcement. The Commission therefore rejected solutions that would exempt small businesses. The record indicated that exempting small carriers from these regulations would compromise the Commission's goal of protecting all Americans from the unauthorized release of CPNI.
103. Report to Congress: The Commission will send a copy of the Order, including this FRFA, in a report to be sent to Congress and the Government Accountability Office pursuant to the Congressional Review Act. In addition, the Commission will send a copy of the Order, including this FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the Order and FRFA (or summaries thereof) will also be published in the Federal Register .
Ordering Clauses
104. Accordingly, It is ordered that pursuant to sections 1, 4(i), 4(j), 222, and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C. 151, 154(i)-(j), 222, 303(r), this Report and Order and Further Notice of Proposed Rulemaking in CC Docket No. 96-115 and WC Docket No. 04-36 is adopted, and that Part 64 of the Commission's rules, 47 CFR Part 64, is amended as set forth in Appendix B. The Order shall become effective upon publication in the Federal Register subject to OMB approval for new information collection requirements or six months after the Order's effective date, whichever is later.
105. It Is Further Ordered that the Commission's Consumer and Governmental Affairs Bureau, Reference Information Center, shall send a copy of this Report and Order and Further Notice of Proposed Rulemaking, including the Final Regulatory Flexibility Analysis and the Initial Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration.
List of Subjects in 47 CFR Part 64
Customer proprietary network information, Reporting and recordkeeping requirements, Telecommunications.
Federal Communications Commission.
Marlene H. Dortch,
Secretary.
Final Rules
For the reasons discussed in the preamble, the FCC amends 47 CFR part 64 as follows:
PART 64—MISCELLANEOUS RULES RELATING TO COMMON CARRIERS
1. The authority citation for part 64 continues to read as follows:
Authority:
47 U.S.C. 154, 254(k); secs. 403(b)(2)(B),(c), Pub. L. 104-104, 110 Stat. 56. Interpret or apply 47 U.S.C. 201, 218, 222, 225, 226, 228, and 254(k) unless otherwise noted.
2. Revise § 64.2003 to read as follows:
§ 64.2003
(a) Account information . “Account information” is information that is specifically connected to the customer's service relationship with the carrier, including such things as an account number or any component thereof, the telephone number associated with the account, or the bill's amount.
(b) Address of record . An “address of record,” whether postal or electronic, is an address that the carrier has associated with the customer's account for at least 30 days.
(c) Affiliate . The term “affiliate” has the same meaning given such term in section 3(1) of the Communications Act of 1934, as amended, 47 U.S.C. 153(1).
(d) Call detail information . Any information that pertains to the transmission of specific telephone calls, including, for outbound calls, the number called, and the time, location, or duration of any call and, for inbound calls, the number from which the call was placed, and the time, location, or duration of any call.
(e) Communications-related services . The term “communications-related services” means telecommunications services, information services typically provided by telecommunications carriers, and services related to the provision or maintenance of customer premises equipment.
(f) Customer . A customer of a telecommunications carrier is a person or entity to which the telecommunications carrier is currently providing service.
(g) Customer proprietary network information (CPNI) . The term “customer proprietary network information (CPNI)” has the same meaning given to such term in section 222(h)(1) of the Communications Act of 1934, as amended, 47 U.S.C. 222(h)(1).
(h) Customer premises equipment (CPE) . The term “customer premises equipment (CPE)” has the same meaning given to such term in section 3(14) of the Communications Act of 1934, as amended, 47 U.S.C. 153(14).
(i) Information services typically provided by telecommunications carriers . The phrase “information services typically provided by telecommunications carriers” means only those information services (as defined in section 3(20) of the Communication Act of 1934, as amended, 47 U.S.C. 153(20)) that are typically provided by telecommunications carriers, such as Internet access or voice mail services. Such phrase “information services typically provided by telecommunications carriers,” as used in this subpart, shall not include retail consumer services provided using Internet Web sites (such as travel reservation services or mortgage lending services), whether or not such services may otherwise be considered to be information services.
(j) Local exchange carrier (LEC). The term “local exchange carrier (LEC)” has the same meaning given to such term in section 3(26) of the Communications Act of 1934, as amended, 47 U.S.C. 153(26).
(k) Opt-in approval. The term “opt-in approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. This approval method requires that the carrier obtain from the customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the carrier's request consistent with the requirements set forth in this subpart.
(l) Opt-out approval. The term “opt-out approval” refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. Under this approval method, a customer is deemed to have consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto within the waiting period described in § 64.2008(d)(1) after the customer is provided appropriate notification of the carrier's request for consent consistent with the rules in this subpart.
(m) Readily available biographical information. “Readily available biographical information” is information drawn from the customer's life history and includes such things as the customer's social security number, or the last four digits of that number; mother's maiden name; home address; or date of birth.
(n) Subscriber list information (SLI). The term “subscriber list information (SLI)” has the same meaning given to such term in section 222(h)(3) of the Communications Act of 1934, as amended, 47 U.S.C. 222(h)(3).
(o) Telecommunications carrier or carrier. The terms “telecommunications carrier” or “carrier” shall have the same meaning as set forth in section 3(44) of the Communications Act of 1934, as amended, 47 U.S.C. 153(44). For the purposes of this subpart, the term “telecommunications carrier” or “carrier” shall include an entity that provides interconnected VoIP service, as that term is defined in section 9.3 of these rules.
(p) Telecommunications service. The term “telecommunications service” has the same meaning given to such term in section 3(46) of the Communications Act of 1934, as amended, 47 U.S.C. 153(46).
(q) Telephone number of record. The telephone number associated with the underlying service, not the telephone number supplied as a customer's “contact information.”
(r) Valid photo ID. A “valid photo ID” is a government-issued means of personal identification with a photograph such as a driver's license, passport, or comparable ID that is not expired.
3. Section 64.2005 is amended by revising paragraph (c)(3) to read as follows:
§ 64.2005
(c) * * *
(3) LECs, CMRS providers, and entities that provide interconnected VoIP service as that term is defined in § 9.3 of this chapter, may use CPNI, without customer approval, to market services formerly known as adjunct-to-basic services, such as, but not limited to, speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain centrex features.
4. Section 64.2007 is amended by revising paragraph (b) to read as follows:
§ 64.2007
(b) Use of Opt-Out and Opt-In Approval Processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services. A telecommunications carrier may also permit such persons or entities to obtain access to such CPNI for such purposes. Except for use and disclosure of CPNI that is permitted without customer approval under section § 64.2005, or that is described in this paragraph, or as otherwise provided in section 222 of the Communications Act of 1934, as amended, a telecommunications carrier may only use, disclose, or permit access to its customer's individually identifiable CPNI subject to opt-in approval.
5. Section 64.2009 is amended by revising paragraph (e) to read as follows:
§ 64.2009
(e) A telecommunications carrier must have an officer, as an agent of the carrier, sign and file with the Commission a compliance certificate on an annual basis. The officer must state in the certification that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart. In addition, the carrier must include an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. This filing must be made annually with the Enforcement Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining to the previous calendar year.
6. Section 64.2010 is added to subpart U to read as follows:
§ 64.2010
(a) Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an in-store visit.
(b) Telephone access to CPNI. Telecommunications carriers may only disclose call detail information over the telephone, based on customer-initiated telephone contact, if the customer first provides the carrier with a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information. If the customer does not provide a password, the telecommunications carrier may only disclose call detail information by sending it to the customer's address of record, or by calling the customer at the telephone number of record. If the customer is able to provide call detail information to the telecommunications carrier during a customer-initiated call without the telecommunications carrier's assistance, then the telecommunications carrier is permitted to discuss the call detail information provided by the customer.
(c) Online access to CPNI. A telecommunications carrier must authenticate a customer without the use of readily available biographical information, or account information, prior to allowing the customer online access to CPNI related to a telecommunications service account. Once authenticated, the customer may only obtain online access to CPNI related to a telecommunications service account through a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information.
(d) In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier's retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer's account information.
(e) Establishment of a Password and Back-up Authentication Methods for Lost or Forgotten Passwords. To establish a password, a telecommunications carrier must authenticate the customer without the use of readily available biographical information, or account information. Telecommunications carriers may create a back-up customer authentication method in the event of a lost or forgotten password, but such back-up customer authentication method may not prompt the customer for readily available biographical information, or account information. If a customer cannot provide the correct password or the correct response for the back-up customer authentication method, the customer must establish a new password as described in this paragraph.
(f) Notification of account changes. Telecommunications carriers must notify customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. This notification is not required when the customer initiates service, including the selection of a password at service initiation. This notification may be through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record, and must not reveal the changed information or be sent to the new account information.
(g) Business customer exemption. Telecommunications carriers may bind themselves contractually to authentication regimes other than those described in this section for services they provide to their business customers that have both a dedicated account representative and a contract that specifically addresses the carriers' protection of CPNI.
7. Section 64.2011 is added to subpart U to read as follows:
§ 64.2011
(a) A telecommunications carrier shall notify law enforcement of a breach of its customers' CPNI as provided in this section. The carrier shall not notify its customers or disclose the breach publicly, whether voluntarily or under state or local law or these rules, until it has completed the process of notifying law enforcement pursuant to paragraph (b) of this section.
(b) As soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach, the telecommunications carrier shall electronically notify the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) through a central reporting facility. The Commission will maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.
(1) Notwithstanding any state law to the contrary, the carrier shall not notify customers or disclose the breach to the public until 7 full business days have passed after notification to the USSS and the FBI except as provided in paragraphs (b)(2) and (b)(3) of this section.
(2) If the carrier believes that there is an extraordinarily urgent need to notify any class of affected customers sooner than otherwise allowed under paragraph (b)(1) of this section, in order to avoid immediate and irreparable harm, it shall so indicate in its notification and may proceed to immediately notify its affected customers only after consultation with the relevant investigating agency. The carrier shall cooperate with the relevant investigating agency's request to minimize any adverse effects of such customer notification.
(3) If the relevant investigating agency determines that public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security, such agency may direct the carrier not to so disclose or notify for an initial period of up to 30 days. Such period may be extended by the agency as reasonably necessary in the judgment of the agency. If such direction is given, the agency shall notify the carrier when it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security. The agency shall provide in writing its initial direction to the carrier, any subsequent extension, and any notification that notice will no longer impede or compromise a criminal investigation or national security and such writings shall be contemporaneously logged on the same reporting facility that contains records of notifications filed by carriers.
(c) Customer notification. After a telecommunications carrier has completed the process of notifying law enforcement pursuant to paragraph (b) of this section, it shall notify its customers of a breach of those customers' CPNI.
(d) Recordkeeping. All carriers shall maintain a record, electronically or in some other manner, of any breaches discovered, notifications made to the USSS and the FBI pursuant to paragraph (b) of this section, and notifications made to customers. The record must include, if available, dates of discovery and notification, a detailed description of the CPNI that was the subject of the breach, and the circumstances of the breach. Carriers shall retain the record for a minimum of 2 years.
(e) Definitions. As used in this section, a “breach” has occurred when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.
(f) This section does not supersede any statute, regulation, order, or interpretation in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this section, and then only to the extent of the inconsistency.
[FR Doc. E7-10732 Filed 6-7-07; 8:45 am]
BILLING CODE 6712-01-P