RealTime IT News

FCC: Fines For AT&T, Alltel

Oh, that pesky paperwork.

The Federal Communications Commission (FCC) Monday proposed fining AT&T and Alltel $100,000 each for failing to file paperwork certifying the security of their customers' telephone data.

The FCC did not claim that either company's data was not secure, only that the two companies did not file a required certification in a timely manner. Both companies have 30 days to pay the fine or file a written statement for a reduction or cancellation of the fines.

"AT&T has the systems and procedures in place to protect customer data. However, a copy of the officer's certificate attesting to those procedures hasn't been located," Michael Balmoris, an AT&T spokesman, said. "The company is rectifying the mistake and is working with the FCC to ensure full compliance."

Alltel was unavailable for comment.

The proposed fines come at a time when both the FCC and Congress are investigating how black market online data brokers are obtaining people's call records for sale.

As part of its investigation, the FCC directed carriers to submit their most recent certification attesting to their compliance with Commission rules governing the protection and use of Customer Proprietary Network Information (CPNI).

Under the Telecommunications Act of 1996, telephone carriers are obligated to protect the CPNI of all customers. The CPNI is considered sensitive personal data since it includes logs of calls that individuals or businesses initiate and receive on their phones.

According to the FCC, the new AT&T, which was formed through a merger with SBC last year, filed the proper certification for SBC but not for the pre-merger AT&T.

"We conclude that AT&T has apparently failed to comply with the requirement that it have an officer certify on an annual basis that the officer has personal knowledge that AT&T has established operating procedures adequate to ensure compliance with the Commission's CPNI rules," the FCC complaint stated. "For this apparent violation, we propose a forfeiture."

Alltel sent the FCC a statement about how it secures customers' data, but did not submit the required certification statement.

"Alltel provided a two-page document [that] describes generally how Alltel uses CPNI," the FCC stated. The document, however, does not contain a statement by an officer 'that the officer has personal knowledge that [Alltel] has established operating procedures that are adequate to ensure compliance with the [CPNI].'"

The FCC further contends that Alltel has not provided any additional information demonstrating that it has otherwise complied with Commission rules by preparing and maintaining a compliant certificate.

The data the online brokers are apparently obtaining from carriers includes numbers dialed, calls received and the location of callers. The privacy watchdog Electronic Privacy Information Center (EPIC) estimates at least 40 Web sites are selling the information.

Two online data brokers -- Data Find Solutions and 1st Source Information Specialists -- have been cited by the FCC for failing to cooperate with the Commission's investigation.

In Congress, Sen. Charles Schumer (D-N.Y.) introduced the Consumer Telephone Records Protection Act of 2006, criminalizing the practice of both stealing and selling the personal records for cell phone, landline and voice over IP subscribers.

The House Energy and Commerce Commission has scheduled a hearing on the matter for Wednesday and Committee Chairman Joe Barton (D-Texas) has promised he will introduce legislation similar to Schumer's.