FCC Will Update CPNI Rules to Stop Data Breaches

By: Andrew Regitsky

Section 222(a) of the Telecommunications Act requires every telecommunications carrier to protect the confidentiality of customer proprietary network information (CPNI) of, and relating to, other telecommunication carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier.

Specifically, section 222(c) states:

Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.

Unfortunately, there have been several recent breaches of customer data, and apparently, the current rules are not sufficiently alerting affected customers on a timely basis. Therefore, FCC Chairwoman Jessica Rosenworcel recently circulated a Notice of Proposed Rulemaking (NPRM) that would “begin the process of strengthening the Commission’s rules for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI).” Rosenworcel stated that,

Current law already requires telecommunications carriers to protect the privacy and security of sensitive customer information. But these rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected consumers. Customers deserve to be protected against the increase in frequency, sophistication, and scale of these data leaks, and the consequences that can last years after an exposure of personal information. (FCC January 12, 2022, News Release).

Although the NPRM has not yet been released, we know it will contain the following proposals to stop data breaches:

Eliminating the current seven-business-day mandatory waiting period for notifying customers of a breach;

Expanding customer protection by requiring notification of inadvertent breaches; and

Requiring carriers to notify the Commission of all reportable breaches, in addition to the FBI and U.S. Secret Service.

The Commission views this Rulemaking as a logical follow-up to the actions it took last September to stop SIM swapping scams and port-out fraud. These schemes work as follows:

Subscriber Identity Module (SIM) Swapping – A bad actor convinces a victim’s wireless carrier to transfer the victim’s service from the victim’s cell phone to a cell phone in the bad actor’s possession. This is called “SIM swapping” because it involves an account being fraudulently transferred (or swapped) from a device associated with one SIM to a device associated with a different SIM.

Port-Out Fraud – A bad actor, posing as the victim, opens an account with a carrier other than the victim’s current carrier. The bad actor then arranges for the victim’s phone number to be transferred (or “ported out”) to the account with the new carrier controlled by the bad actor.

In an NPRM in Docket 21-341, the agency proposed modifying section 222 to require carriers to adopt secure methods of authenticating a customer before redirecting that customer’s phone number to a new device or carrier. It also proposed requiring providers to immediately notify customers whenever a SIM change or port request is made on their accounts. Specifically, the FCC proposed that each of the following would constitute a secure method of authenticating a customer prior to a SIM change: (1) a pre-established password; (2) a one-time passcode sent via text message to the account phone number or a pre-registered backup number; (3) a one-time passcode sent via e-mail to the e-mail address associated with the account; or (4) a passcode sent using a voice call to the account phone number or a pre-registered backup telephone number.

To stop port-out fraud, the Commission proposed to strengthen its Local Number Portability rules in section 251 by requiring wireless carriers to provide notification to customers through text message or other push notification to the customer’s device whenever a port-out request is made, to ensure that customers respond in the event of an unauthorized port request.

The “Data Breach” NPRM should be released in the next few weeks. Every carrier ought to follow it closely since it impacts all of us.