FCC imposes rules designed to prevent pretexting

Commission order lists new regulations phone companies must follow to protect subscriber call records, other personal data.

Marguerite Reardon Former senior reporter

The Federal Communications Commission hopes to prevent data burglaries with a set of new regulations for phone companies aimed at preventing the fraudulent practice called "pretexting."

On Monday, the FCC issued an order designed to strengthen its current privacy rules by requiring telephone and wireless operators to adopt additional safeguards to protect personal telephone records from being disclosed to unauthorized people.

The new regulations come as lawmakers have already outlawed the practice of "pretexting," which encompasses any technique used to fraudulently obtain personal information. Congress is now looking to impose stricter regulations on phone companies to protect customer data.

The issue came to a head last year when investigators hired by Hewlett-Packard, in a quest to trace the source of board room media leaks, employed pretexting to nab the phone records of journalists--including three from CNET News.com--and company board members.

Specifically, the FCC order prohibits carriers from releasing--either over the phone or online--sensitive personal data, such as call detail records, unless the customer provides a password. It also requires operators to notify customers immediately when changes are made to their accounts. And it requires providers to notify their customers in the event of a breach of confidentiality.

Phone companies, including wireless, fixed line and voice over IP (VoIP) providers, also must annually certify their compliance with these regulations, inform the FCC of any actions they have taken against data brokers, and provide a summary of the complaints they receive regarding the unauthorized release of personal customer information. The regulations also require telephone carriers to notify law enforcement authorities before customers when they suspect breaches have occurred--a provision that drew criticism from the two Democratic FCC commissioners and consumer privacy advocates.

"Particularly in light of the most recent report on the TJX fiasco, which makes clear the problem with failing to notify consumers once a breach occurs, we believe the FCC should have rejected that approach," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which petitioned the regulators in August 2005 to impose stronger security standards on telephone companies.

He was referring to recent reports that 45.7 million accounts for customers of the company that operates such discount retail chains as T.J. Maxx and Marshalls were compromised.

Rotenberg said his organization was nevertheless "generally pleased" with the rules.

The FCC has taken "commendable and important steps to strengthen consumer privacy, and commendably done so without taking away the right of states to enact stronger laws," said Ed Mierzwinski of the U.S. Public Interest Research Group, a consumer advocacy group, although he added that he shared concerns about the law enforcement notification rules.

Phone companies, such as Verizon Communications, say protecting customer information is a top priority for them, and they are constantly reevaluating their security practices to protect consumers' data. Several companies have taken data brokers to court.

But they also feel the FCC may be going too far with its requirements.

"The key is protecting (sensitive) information without disrupting legitimate consumer activities and customer service," said David Fish, a spokesman for Verizon. "We have strong concerns that parts of the FCC order may have the unintended consequence of undermining consumers' ability to receive useful information about new products, services and savings."

One of the biggest concerns phone companies have is that the FCC is making it difficult for them to work with partners and marketing contractors to bring new services to consumers, by mandating that they can only share customer data with these partners once they obtain customer consent.

"We are deeply concerned that the FCC is taking an overly broad approach far beyond protecting the legitimate privacy interests of call detail information to preventing any marketing of new services, bundled offerings and new applications--using joint venture partners or independent contractors--that can save consumers money," Walter McCormick Jr., president and CEO of USTelecom, said in a statement.

"This is an extremely anticonsumer outcome. This approach also will impede competition and will particularly impact the smaller rural service providers, who now will be unable to work with outside marketing partners, even though they have no connection to illegal pretexting."

But the FCC said that after an extensive investigation, it found that the phone companies' current steps to protect consumers' information have not been adequate.

"The former 'opt-out' approach to customer consent, whereby a carrier may disclose a customer's phone records provided that a customer does not expressly withhold consent to such use, shifted too much of the burden to consumers, and has resulted in a much broader dissemination of consumer phone records," FCC Chairman Kevin Martin said in a statement. "The 'opt-in' approach adopted in this order clearly is supported by the record, is consistent with applicable law, and directly advances our interest in protecting customer privacy."

The new rules will go into effect six months after the federal Office of Management and Budget approves them, a process that by itself could take 120 days or more.