Prepared by Kris Twomey Law Office of Kristopher E. Twomey, P.C. CPNI? Prepared by Kris Twomey Law Office of Kristopher E. Twomey, P.C.

Summary Background Basics of CPNI Customer-facing Compliance Marketing and Sales Compliance Recordkeeping Requirements Breach Notifications Questions Try to get you out of here in 30 minutes

VoIP Regulation by the Federal Communications Commission It’s not 2006 anymore—offering voice services to the public is not a hobby E911 FUSF CALEA CPNI VoIP Subscriber Reporting- Form 477 Various Federal Regulatory Fees Besides FUSF Outage reporting Handicap accessibility certification State USF and other requirements

Fines by the FCC Enforcement Bureau Regarding CPNI aka Scare Marketing Take a look at http://transition.fcc.gov/eb/ http://transition.fcc.gov/eb/Headlines.html Enforcement Bureau Annual Reminder to File CPNI certification statement $25,000 for failure to file CPNI certifications $1,000 to $6,000 for non-compliant CPNI statements In September, Verizon fined $7.6 million for CPNI marketing violations

CPNI- What is it? Fine, what does it even stand for? Customer Proprietary Network Information… Huh? Information regarding to whom, where, when, how long a customer places or receives a call- CDRs The types of service offerings to which the customer subscribes The extent to which a customer uses a service CPNI does not consist of subscriber list information; customer name, address and phone number; or aggregate customer information

How Can Voxox Become Compliant Need 3 things Certification of compliance due March 1 every year Retail providers must certify that they have not had any CPNI breaches and otherwise properly guard the data In 2009, proposed penalties of $20K to more than 700 companies for failure to file on time CPNI Manual Employee Training- sit here for ½ hour

Customer-facing Compliance Must Have Procedures In Place to Protect CPNI, usually call detail records Password or code to obtain access, otherwise upon a request must email it to the address on record Online access must be password-protected For access, form in Appendix 4, page 31 Business/Enterprise Customer Exception

Customer-facing Compliance The Company may use, disclose, or permit access to CPNI, without customer approval: To provide inside wiring installation, maintenance, and repair services. For the provision of customer Premises Equipment and call answering, voice mail or messaging, voice storage and retrieval services, fax store and forward, and protocol conversion. To protect the rights or property of the Company, or to protect users of services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services. To initiate, render, bill and collect for services.

Marketing and Sales Compliance The Company may use, disclose, or permit access to aggregate customer information The Company cannot use, disclose or permit access to CPNI to identify or track customers that call competing service providers. The Company must obtain opt-in consent to share CPNI with a joint venture partner for purposes of a marketing communication Opt-out consent is not permissible Just ask Verizon

Marketing and Sales Compliance Opt-in versus Opt-out Opt-out Permissible: marketing Communications-Related Services to a customer Not Permissible (must be opt-in): For the purpose of marketing non-communications-related services to a customer. To obtain approval to disclose the customer's CPNI to joint venture partners or independent contractors. Just ask Verizon Opt-in All is Permissible

Marketing and Sales Compliance Ok, how do we get there? Company must notify the customer of the customer’s right to restrict use, disclosure , and access to, the customer’s CPNI. For notice requirements, see page 13-14 of the manual Appendix 3 on page 30 has an opt-out form Any Use of CPNI for any reason must be run by the appointed personnel in Section 2 of the manual

Recordkeeping The Company must maintain records for a year of: its own sales and marketing campaigns that use CPNI all instances where it discloses or provides CPNI to third parties, or where third parties are allowed access to CPNI. customer approval for use of CPNI, as well as notices required by the FCC’s regulations, for a minimum of one year. The Company must maintain records of customer approval and disapproval for use of CPNI in a readily-available location that is consulted on an as-needed basis.

Recordkeeping The Company may obtain approval through written, oral or electronic methods. If the Company relies on oral approval, it bears the burden of demonstrating that such approval has been given in compliance with the FCC’s regulations. A customer’s approval or disapproval to use, disclose, or permit access to CPNI must remain in effect until the customer revokes or limits such approval or disapproval. Complaints log on Appendix 5, page 32

Notification The Company will take reasonable steps to protect CPNI databases from hackers and other unauthorized attempts by third parties to access CPNI Must notify law enforcement USSS and FBI within 7 business days Must notify customers 7 business days AFTER May be told to hold for an extra 30 days Must notify FCC after 5 days Must retain these records for 2 years

Ostriches Don’t Really Put Their Heads in the Sand, Only People Do Kris Twomey Law Office of Kristopher E. Twomey, P.C. 202 681-1850 kris@lokt.net