RealTime IT News

EPIC Petition Catches FCC's Attention

The Federal Communications Commission (FCC) expects to open a proceeding next Friday on imposing stricter security standards for telephone carriers' handling of consumers' personal data.

FCC Commissioner Kevin Martin on Wednesday told the House Energy and Commerce Committee that the FCC will consider approving an Electronic Privacy Information Center (EPIC) petition calling for more stringent regulations on the carriers' handling of the data.

"Several weeks ago, I circulated an item to my fellow commissioners granting EPIC's petition and inviting comment on whether additional commission rules are necessary to strengthen the safeguards for customer records," Martin said.

Martin said the petition, which calls for action to protect consumers, would be considered and acted upon at the FCC's Feb. 10 open meeting.

"Data brokers and private investigators are taking advantage of inadequate security through pretexting, the practice of pretending to have authority to access protected records," EPIC's petition states.

The petition also says unscrupulous operators can crack consumers' online telephone accounts and suggests evidence exists of dishonest insiders at the carriers selling access to information.

EPIC's petition set off a ripple effect that has resulted in investigations by the FCC and the Federal Trade Commission and proposed legislation by Congress.

How well the carriers secure the data has been a subject of intense debate in Washington, as lawmakers probe how consumers' data -- including call logs -- is being obtained for sale on data-broker Web sites.

Telephone carriers are obligated to protect the Customer Proprietary Network Information (CPNI) of consumers under the Telecommunications Act of 1996. However, last August EPIC brought to light the widespread online availability of the information.

Martin said the FCC would seek comment on EPIC's recommendations to address the unlawful and fraudulent release of CPNI data, including consumer-set passwords, audit trails, encryption, limiting data retention and notice procedures to consumers on the release of CPNI.

"Further, the item tentatively concludes that the commission should require all telecommunications carriers to certify on a date certain each year [they] have established operating procedures adequate to ensure compliance with [FCC rules]," Martin told the lawmakers.

Earlier this week, the FCC proposed fining AT&T and Alltel $100,000 each for failing to file paperwork certifying the security of their customers' telephone data.

The FCC is also seeking information from online data brokers, who have so far resisted the agency's efforts to reveal how they are obtaining consumer data.