FCC 64.2010 Revised as of October 1, 2007
Sec. 64.2010 Safeguards on the disclosure of customer proprietary network
information.
(a) Safeguarding CPNI. Telecommunications carriers must take reasonable
measures to discover and protect against attempts to gain unauthorized
access to CPNI. Telecommunications carriers must properly authenticate a
customer prior to disclosing CPNI based on customer-initiated telephone
contact, online account access, or an in-store visit.
(b) Telephone access to CPNI. Telecommunications carriers may only disclose
call detail information over the telephone, based on customer-initiated
telephone contact, if the customer first provides the carrier with a
password, as described in paragraph (e) of this section, that is not
prompted by the carrier asking for readily available biographical
information, or account information. If the customer does not provide a
password, the telecommunications carrier may only disclose call detail
information by sending it to the customer's address of record, or by calling
the customer at the telephone number of record. If the customer is able to
provide call detail information to the telecommunications carrier during a
customer-initiated call without the telecommunications carrier's assistance,
then the telecommunications carrier is permitted to discuss the call detail
information provided by the customer.
(c) Online access to CPNI. A telecommunications carrier must authenticate a
customer without the use of readily available biographical information, or
account information, prior to allowing the customer online access to CPNI
related to a telecommunications service account. Once authenticated, the
customer may only obtain online access to CPNI related to a
telecommunications service account through a password, as described in
paragraph (e) of this section, that is not prompted by the carrier asking
for readily available biographical information, or account information.
(d) In-store access to CPNI. A telecommunications carrier may disclose CPNI
to a customer who, at a carrier's retail location, first presents to the
telecommunications carrier or its agent a valid photo ID matching the
customer's account information.
(e) Establishment of a Password and Back-up Authentication Methods for Lost
or Forgotten Passwords. To establish a password, a telecommunications
carrier must authenticate the customer without the use of readily available
biographical information, or account information. Telecommunications
carriers may create a back-up customer authentication method in the event of
a lost or forgotten password, but such back-up customer authentication
method may not prompt the customer for readily available biographical
information, or account information. If a customer cannot provide the
correct password or the correct response for the back-up customer
authentication method, the customer must establish a new password as
described in this paragraph.
(f) Notification of account changes. Telecommunications carriers must notify
customers immediately whenever a password, customer response to a back-up
means of authentication for lost or forgotten passwords, online account, or
address of record is created or changed. This notification is not required
when the customer initiates service, including the selection of a password
at service initiation. This notification may be through a carrier-originated
voicemail or text message to the telephone number of record, or by mail to
the address of record, and must not reveal the changed information or be
sent to the new account information.
(g) Business customer exemption. Telecommunications carriers may bind
themselves contractually to authentication regimes other than those
described in this section for services they provide to their business
customers that have both a dedicated account representative and a contract
that specifically addresses the carriers' protection of CPNI.
[72 FR 31962, June 8, 2007]
Effective Date Note: At 72 FR 31962, June 8, 2007, Sec. 64.2010 was added to
subpart U. This text contains information collection and recordkeeping
requirements and will not become effective until approval has been given by
the Office of Management and Budget (OMB).