Oh, that pesky paperwork.
The Federal Communications Commission (FCC) Monday proposed fining AT&T and
Alltel $100,000 each for failing to file paperwork certifying the security
of their customers’ telephone data.
The FCC did not claim that either company’s data was not secure, only that
the two companies did not file a required certification in a timely manner.
Both companies have 30 days to pay the fine or file a written statement for
a reduction or cancellation of the fines.
“AT&T has the systems and procedures in place to protect customer data.
However, a copy of the officer’s certificate attesting to those procedures
hasn’t been located,” Michael Balmoris, an AT&T spokesman, said. “The
company is rectifying the mistake and is working with the FCC to ensure full
Alltel was unavailable for comment.
The proposed fines come at a time when both the FCC and Congress are
investigating how black market online data brokers are obtaining people’s
call records for sale.
As part of its investigation, the FCC directed carriers to submit their most
recent certification attesting to their compliance with Commission rules
governing the protection and use of Customer Proprietary Network Information
Under the Telecommunications Act of 1996, telephone carriers are obligated
to protect the CPNI of all customers. The CPNI is considered sensitive
personal data since it includes logs of calls that individuals or businesses
initiate and receive on their phones.
According to the FCC, the new AT&T, which was formed through a merger with
SBC last year, filed the proper certification for SBC but not for the
“We conclude that AT&T has apparently failed to comply with the requirement
that it have an officer certify on an annual basis that the officer has
personal knowledge that AT&T has established operating procedures adequate
to ensure compliance with the Commission’s CPNI rules,” the FCC complaint
stated. “For this apparent violation, we propose a forfeiture.”
Alltel sent the FCC a statement about how it secures customers’ data, but
did not submit the required certification statement.
“Alltel provided a two-page document [that] describes generally how Alltel
uses CPNI,” the FCC stated. The document, however, does not contain a
statement by an officer ‘that the officer has personal knowledge that
[Alltel] has established operating procedures that are adequate to ensure
compliance with the [CPNI].'”
The FCC further contends that Alltel has not provided any additional
information demonstrating that it has otherwise complied with Commission
rules by preparing and maintaining a compliant certificate.
The data the online brokers are apparently obtaining from carriers includes
numbers dialed, calls received and the location of callers. The privacy
watchdog Electronic Privacy Information Center (EPIC) estimates at least 40
Web sites are selling the information.
Two online data brokers — Data Find Solutions and 1st Source Information
Specialists — have been cited by the FCC for failing to cooperate with the
In Congress, Sen. Charles Schumer (D-N.Y.) introduced the
Consumer Telephone Records Protection Act of 2006, criminalizing the
practice of both stealing and selling the personal records for cell phone,
landline and voice over IP
The House Energy and Commerce Commission has scheduled a hearing on the
matter for Wednesday and Committee Chairman Joe Barton (D-Texas) has promised
he will introduce legislation similar to Schumer’s.