§  64.2009   Safeguards required for use of customer proprietary network
information.

   (a) Telecommunications carriers must implement a system by which the
   status of a customer's CPNI approval can be clearly established prior
   to the use of CPNI.

   (b) Telecommunications carriers must train their personnel as to when
   they are and are not authorized to use CPNI, and carriers must have an
   express disciplinary process in place.

   (c) All carriers shall maintain a record, electronically or in some
   other manner, of their own and their affiliates' sales and marketing
   campaigns that use their customers' CPNI. All carriers shall maintain a
   record of all instances where CPNI was disclosed or provided to third
   parties, or where third parties were allowed access to CPNI. The record
   must include a description of each campaign, the specific CPNI that was
   used in the campaign, and what products and services were offered as a
   part of the campaign. Carriers shall retain the record for a minimum of
   one year.

   (d) Telecommunications carriers must establish a supervisory review
   process regarding carrier compliance with the rules in this subpart for
   outbound marketing situations and maintain records of carrier
   compliance for a minimum period of one year. Specifically, sales
   personnel must obtain supervisory approval of any proposed outbound
   marketing request for customer approval.

   (e) A telecommunications carrier must have an officer, as an agent of
   the carrier, sign and file with the Commission a compliance certificate
   on an annual basis. The officer must state in the certification that he
   or she has personal knowledge that the company has established
   operating procedures that are adequate to ensure compliance with the
   rules in this subpart. The carrier must provide a statement
   accompanying the certificate explaining how its operating procedures
   ensure that it is or is not in compliance with the rules in this
   subpart. In addition, the carrier must include an explanation of any
   actions taken against data brokers and a summary of all customer
   complaints received in the past year concerning the unauthorized
   release of CPNI. This filing must be made annually with the Enforcement
   Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining
   to the previous calendar year.

   (f) Carriers must provide written notice within five business days to
   the Commission of any instance where the opt-out mechanisms do not work
   properly, to such a degree that consumers' inability to opt-out is more
   than an anomaly.

   (1) The notice shall be in the form of a letter, and shall include the
   carrier's name, a description of the opt-out mechanism(s) used, the
   problem(s) experienced, the remedy proposed and when it will be/was
   implemented, whether the relevant state commission(s) has been notified
   and whether it has taken any action, a copy of the notice provided to
   customers, and contact information.

   (2) Such notice must be submitted even if the carrier offers other
   methods by which consumers may opt-out.

   [ 63 FR 20338 , Apr. 24, 1998, as amended at  64 FR 53264 , Oct. 1, 1999;
    67 FR 59213 , Sept. 20, 2002;  72 FR 31962 , June 8, 2007]