In mid-March, the House Energy and Commerce Committee held hearings on H.R. 936, the Prevention of Fraudulent Access to Phone Records Act. Although President Bush signed a bill in early January making pretexting illegal, some privacy proponents felt the bill did not go far enough.
Steve Largent, president and chief executive officer of CTIA, testified before the committee and outlined several wireless industry initiatives to better secure phone records. He also expressed concerns about the proposed legislation.
Largent says that CTIA supports giving customers the option of using passcodes and would support a requirement that carriers make passwords available to all customers for account access. He noted that many providers already offer password protection but that CTIA does not support “a blanket obligation” that all accounts be password protected, because some customers don’t want to deal with the frustration. He also notes that passwords are not always effective, because some customers share their passwords with significant others and family members, thus compromising the security of their own accounts.
Largent's main objections to H.R. 936 involve new restrictions on the ability of carriers to share CPNI with joint venture partners or third-party contractors. These restrictions, which he called "burdensome," would include third parties that help to deliver, bill for or market products and services to consumers. The new provisions, he says, would raise billing costs and would likely be problematic for smaller carriers. Although the proposed law appears to permit some sharing of information with third parties to initiate, render, bill and collect for services and to provide customer service, Largent stated that "this exemption is potentially compromised by the sweeping restrictions on disclosures elsewhere in the bill."
H.R. 936 also would require mobile providers to change the opt-out policy to opt-in regarding marketing initiatives. Largent argued that under this provision, wireless providers would not be able to target market to their customer base. For example, carriers would be precluded from informing only a subset of customers who have handsets that can receive a new service such as mobile TV that such services are available. Instead, under the new bill, marketing would have to encompass its entire customer base.
CTIA also opposes the provisions of H.R. 936 that direct the Federal Communications Commission to consider whether it should require carriers to encrypt all stored CPNI data, because the organization says it would increase costs, could delay response to legitimate customer service inquiries, and would needlessly complicate carrier storage and access methods.
Although Largent and others in the industry took issue with several of the bill’s provisions, he is hoping for national uniformity in the guidelines. Currently, he says, at least 34 different pieces of legislation related to call records have been introduced in 17 states this year. In the last legislative session, there were 75 bills in 28 states.
Although state legislation is fairly similar, he says that variances will make them more difficult and costly to implement. The wireless industry does not welcome having to deal with a multitude of varying state-by-state obligations in this area.
H.R. 936 would authorize the Federal Trade Commission to file lawsuits against pretexters and the people who hire them. A similar bill was introduced in Congress last year (H.R. 4943) but did not pass.
One reason the bill didn’t pass was disagreement over an opt-in or opt-out approach to marketing. Currently, subscribers need to opt out if they don’t want their information available for marketing purposes; the bill dropped last year would have changed that policy to an opt-in method. Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), also spoke at the hearing in March and took a strong stand that consumers should have the right to an opt-in approach. One of his top criticisms during his speech was that the FCC has not released new rules regarding CPNI. Those rules have been expected for some time and may be released as early as March 19.
The new rules will most likely address the issues of encryption, passwords, opt-in versus opt-out and sharing of CPNI with third parties. The new rules will also address homeland security issues. The FCC will consider proposed limitations on data retention of phone records as a way to better protect consumer data. The Department of Justice said that policy could hamper investigations involving terrorism. In addition, the DoJ wants to ensure that the FBI and other law enforcement agencies can access records in a timely manner. Another issue concerned a waiting period before a service provider can notify a subscriber that the privacy of their records had been violated. The DoJ wanted seven days before notification was necessary, and it wanted the FBI and Secret Service to be notified before the subscribers so that those agencies could perform their own investigations, if necessary.
According to Communications Daily, the new rules will require a carrier to notify the FBI and Secret Service whenever a pretexter violates CPNI rules. Carriers will not be able to notify customers for seven business days, “notwithstanding any state law to the contrary.” Service providers would also have to maintain a record of breaches for two years. The magazine also reported that the FCC’s order will not address carriers’ sharing of CPNI with vendors that perform billing.
If the FCC does release new CPNI rules as expected, they will still be considered temporary pending H.R. 936.
Among all of the congressional testimony and FCC rule changes, the incident that triggered all of this activity in the first place has quietly faded. Wire fraud and other charges against HP’s Patricia Dunn have been dismissed. As for her three codefendants in the case, once they perform 96 hours of community service, their misdemeanor charges will also be dismissed. Dunn and the others had been charged with four felony counts for their roles in an internal investigation to identify insiders leaking information to the news media.