§ 64.5109   Safeguards required for use of customer proprietary network
information.

   (a)  TRS  providers  shall implement a system by which the status of a
   customer's CPNI approval can be clearly established prior to the use of
   CPNI. Except as provided for in § § 64.5105 and 64.5108(f) of this subpart,
   TRS providers shall provide access to and shall require all personnel,
   including any agents, contractors, and subcontractors, who have contact with
   customers to verify the status of a customer's CPNI approval before using,
   disclosing, or permitting access to the customer's CPNI.

   (b)  TRS  providers shall train their personnel, including any agents,
   contractors, and subcontractors, as to when they are and are not authorized
   to  use CPNI, including procedures for verification of the status of a
   customer's CPNI approval. TRS providers shall have an express disciplinary
   process  in  place,  including in the case of agents, contractors, and
   subcontractors, a right to cancel the applicable contract(s) or otherwise
   take disciplinary action.

   (c) TRS providers shall maintain a record, electronically or in some other
   manner, of their own and their affiliates' sales and marketing campaigns
   that use their customers' CPNI. All TRS providers shall maintain a record of
   all instances where CPNI was disclosed or provided to third parties, or
   where third parties were allowed access to CPNI. The record shall include a
   description  of  each campaign, the specific CPNI that was used in the
   campaign, including the customer's name, and what products and services were
   offered as a part of the campaign. TRS providers shall retain the record for
   a minimum of three years.

   (d) TRS providers shall establish a supervisory review process regarding TRS
   provider compliance with the rules in this subpart for outbound marketing
   situations and maintain records of TRS provider compliance for a minimum
   period of three years. Sales personnel must obtain supervisory approval of
   any proposed outbound marketing request for customer approval.

   (e) A TRS provider shall have an officer, as an agent of the TRS provider,
   sign and file with the Commission a compliance certification on an annual
   basis. The officer shall state in the certification that he or she has
   personal knowledge that the company has established operating procedures
   that are adequate to ensure compliance with the rules in this subpart. The
   TRS  provider  must provide a statement accompanying the certification
   explaining how its operating procedures ensure that it is or is not in
   compliance with the rules in this subpart. In addition, the TRS provider
   must include an explanation of any actions taken against data brokers, a
   summary of all customer complaints received in the past year concerning the
   unauthorized release of CPNI, and a report detailing all instances where the
   TRS  provider,  or  its  agents, contractors, or subcontractors, used,
   disclosed, or permitted access to CPNI without complying with the procedures
   specified in this subpart. In the case of iTRS providers, this filing shall
   be included in the annual report filed with the Commission pursuant to
   § 64.606(g) of this part for data pertaining to the previous year. In the
   case of all other TRS providers, this filing shall be made annually with the
   Disability Rights Office of the Consumer and Governmental Affairs Bureau on
   or  before  March 1 in CG Docket No. 03-123 for data pertaining to the
   previous calendar year.

   (f) TRS providers shall provide written notice within five business days to
   the Disability Rights Office of the Consumer and Governmental Affairs Bureau
   of the Commission of any instance where the opt-out mechanisms do not work
   properly, to such a degree that consumers' inability to opt-out is more than
   an anomaly.

   (1) The notice shall be in the form of a letter, and shall include the TRS
   provider's  name,  a description of the opt-out mechanism(s) used, the
   problem(s)  experienced,  the  remedy proposed and when it will be/was
   implemented, whether the relevant state commission(s) has been notified, if
   applicable, and whether the state commission(s) has taken any action, a copy
   of the notice provided to customers, and contact information.

   (2) Such notice shall be submitted even if the TRS provider offers other
   methods by which consumers may opt-out.

   [ 79 FR 40613 , July 5, 2013]

   return arrow Back to Top