§ 64.2009   Safeguards required for use of customer proprietary network
information.

   (a) Telecommunications carriers must implement a system by which the status
   of a customer's CPNI approval can be clearly established prior to the use of
   CPNI.

   (b) Telecommunications carriers must train their personnel as to when they
   are and are not authorized to use CPNI, and carriers must have an express
   disciplinary process in place.

   (c) All carriers shall maintain a record, electronically or in some other
   manner, of their own and their affiliates' sales and marketing campaigns
   that use their customers' CPNI. All carriers shall maintain a record of all
   instances where CPNI was disclosed or provided to third parties, or where
   third  parties  were allowed access to CPNI. The record must include a
   description  of  each campaign, the specific CPNI that was used in the
   campaign, and what products and services were offered as a part of the
   campaign. Carriers shall retain the record for a minimum of one year.

   (d) Telecommunications carriers must establish a supervisory review process
   regarding carrier compliance with the rules in this subpart for outbound
   marketing  situations and maintain records of carrier compliance for a
   minimum  period of one year. Specifically, sales personnel must obtain
   supervisory approval of any proposed outbound marketing request for customer
   approval.

   (e) A telecommunications carrier must have an officer, as an agent of the
   carrier, sign and file with the Commission a compliance certificate on an
   annual basis. The officer must state in the certification that he or she has
   personal knowledge that the company has established operating procedures
   that are adequate to ensure compliance with the rules in this subpart. The
   carrier must provide a statement accompanying the certificate explaining how
   its operating procedures ensure that it is or is not in compliance with the
   rules in this subpart. In addition, the carrier must include an explanation
   of any actions taken against data brokers and a summary of all customer
   complaints received in the past year concerning the unauthorized release of
   CPNI. This filing must be made annually with the Enforcement Bureau on or
   before March 1 in EB Docket No. 06-36, for data pertaining to the previous
   calendar year.

   (f) Carriers must provide written notice within five business days to the
   Commission  of  any  instance where the opt-out mechanisms do not work
   properly, to such a degree that consumers' inability to opt-out is more than
   an anomaly.

   (1) The notice shall be in the form of a letter, and shall include the
   carrier's  name,  a  description of the opt-out mechanism(s) used, the
   problem(s)  experienced,  the  remedy proposed and when it will be/was
   implemented, whether the relevant state commission(s) has been notified and
   whether it has taken any action, a copy of the notice provided to customers,
   and contact information.

   (2) Such notice must be submitted even if the carrier offers other methods
   by which consumers may opt-out.

   [ 63 FR 20338 , Apr. 24, 1998, as amended at  64 FR 53264 , Oct. 1, 1999;  67 FR 59213 , Sept. 20, 2002;  72 FR 31962 , June 8, 2007]

   return arrow Back to Top