The Federal Communications Commission (FCC) approved anti-pretexting rules on Monday that would require telephone carriers to have a better grip on their customers’ records. The rules still need the approval of the White House Office of Management and Budget, which could take as long as six months.
The rules would provide mandatory password protection for online accounts, as well as mandate express consumer consent before a carrier can disclose a customer’s phone records. They also require carriers to notify customers when passwords, addresses or other changes have been made in an account. Carriers also have to notify customers in the event of a breach of their confidential data, but this includes some exceptions for law enforcement purposes.
Service providers also must annually certify their compliance with the new FCC regulations, inform the FCC of any actions taken against data brokers and provide a summary of the complaints they receive regarding the unauthorized release of customer information.
Pretexting became headline news last year when it was revealed that HP gained unauthorized access to the private telephone records of board members and the media in seeking the source of boardroom leaks.
In the aftermath of the scandal, Congress approved legislation targeting pretexters but did not impose any requirements on telephone carriers to better protect customer data. The FCC rules aim to balance that equation.
FCC Chairman Kevin Martin said in a statement that previous rules requiring customers to opt-out of carriers’ release of their data to marketing partners and other third parties “shifted too much of the burden to consumers, and has resulted in a much broader dissemination of consumer phone records.”
“Compliance with our consumer protection regulations is not optional for any telephone service provider,” Martin said. “We need to take whatever actions are necessary to enforce these requirements to secure the privacy of personal and confidential information of American customers.”
But not everyone is convinced the proposed FCC rules are necessarily beneficial. Verizon issued a statement expressing “strong concerns” about the FCC action.
“Parts of the order may have the unintended consequence of undermining consumers’ ability to receive useful information about new products, services and savings,” the company said. “The key is protecting that information without disrupting legitimate consumer activities and customer service.”
AT&T’s statement neither praised nor criticized the FCC’s new rules, but said the company would “continue to work with the Commission, lawmakers and law enforcement officials to ensure that personal and private customer information is not illicitly obtained.”
The FCC has been aware of the practice of pretexting and the growing number of online data brokers selling personal phone records, many obtained through pretexting, since a 2005 complaint by the Electronic Privacy Information Center.
Since then, the FCC has investigated how data brokers are obtaining consumer telephone records. It has also levied forfeitures against companies that failed to respond to FCC subpoenas and requests for information. Telephone carriers have also filed civil suits against data brokers selling customer information.
FCC Commissioner Michael Copps voted for most of the provisions of the new rules but dissented over the law enforcement exemptions for disclosing a breach of a customer’s information.
Under the rules, telephone companies can delay informing a customer of a confidentiality breach up to 14 days if law enforcement officials request the delay. An FBI or U.S. Secret Service request can delay the disclosure even longer.
“As some have described it, it is akin to not telling victims of a burglary that their home has been broken into because law enforcement needs to continue dusting for fingerprints,” he said in a statement.
