Are Carriers Doing Enough to Protect Consumer Data?

The furor over the unauthorized disclosure of consumers’ personal telephone
records continues to gain momentum in Washington.

Late Friday afternoon, the
Federal Communications Commission (FCC) turned its attention to the
telecommunications carriers entrusted with securing the data.

Already investigating the data brokers who sell the records online, the FCC
now wants to know if carriers are doing all they can to adequately protect
customer call records and other customer proprietary network information
(CPNI).

“We seek comment on whether additional commission rules are necessary to
strengthen the safeguards currently in place to protect consumers’ sensitive
telephone record data,” FCC Chairman Kevin Martin said in a statement. “I am
deeply concerned about reports of companies trafficking in personal
telephone records.”

The FCC probe comes in reaction to an August petition by the Electronic Privacy Information Center (EPIC) that seeks additional FCC rules
and regulations for tighter telecom CPNI security standards.

“By starting this proceeding, we pledge to protect consumers from
unscrupulous data brokers who have built a business on selling information
about our private conversations,” Commissioner Michael Copps said in his
statement. “The commission also commits to adjusting its rules to further
safeguard privacy and prevent the unauthorized disclosure of customer
proprietary network information.”

Since EPIC filed its petition, both houses of Congress have launched
investigations into how the data brokers are obtaining the information and
what the carriers are doing about it. A number of bills have been introduced
aimed at curbing the practice.

According to EPIC and subsequent congressional testimony, carriers being
duped into providing customers’ personal data through a process known as
“pretexting,” which is where con artists, armed with a some personal information about
a consumer, pretend to be the account holder.

EPIC also claims unscrupulous operators can crack consumers’ online
telephone accounts and suggests evidence exists of dishonest insiders at the
carriers selling access to information.

In its petition, EPIC proposed five additional security measures that it
says will more adequately protect CPNI. The FCC is seeking public comment on
EPIC’s ideas, including consumer-set passwords, audit trails to record all
instances when consumers’ records are accessed, encryption and time limits
on retention of certain records.

“We live in a day and age where our cherished right to privacy suffers from
a daily fusillade of data gathering,” Copps said. “Companies can monitor
what we do, stores can study what we buy, technologies can track what we
watch, see and hear.”

Copps added, “Consumers rightfully expect that regulatory agencies like this
one will do something to protect them from this bombardment, to give them a
measure of confidence that not every aspect of their personal information is
available to the highest bidder.”