For other versions of this document, see http://wikileaks.org/wiki/CRS-RL34409 ------------------------------------------------------------------------------ Order Code RL34409 Selected Laws Governing the Disclosure of Customer Phone Records by Telecommunications Carriers March 10, 2008 Kathleen Ann Ruane Legislative Attorney American Law Division Selected Laws Governing the Disclosure of Customer Phone Records by Telecommunications Carriers Summary Telephone records contain a large amount of intimate personal information. Recent years have seen a rise in the use of this information for marketing and even for criminal purposes. The purchase and sale of telephone record information, therefore, became a booming business. Websites and data brokers claiming to be able to obtain the phone records for any phone number within a few days abounded. However, the methods by which these data brokers obtained their information came under intense fire from public interest groups concerned about consumer privacy. Consumer groups and news outlets reported that telephone records were being obtained fraudulently by data brokers or other individuals without the knowledge or consent of the customers to whom the records related. Data brokers are thought to employ three different practices to obtain customer telephone records without the approval of the customer. The first method occurs when an employee of one of the phone companies sells the records to the data broker. The second method occurs through a practice called "pretexting," where a data broker pretends to be the owner of the phone and obtains the records from the telephone company under false pretenses. The third method is employed when a data broker obtains the customer's telephone records by accessing the customer's account on the Internet. In response to increased concern over the unauthorized disclosure of private telephone records, Congress and other regulatory agencies have taken a number of steps to improve the security of this information. Congress enacted the Telephone Records and Privacy Protection Act of 2006, which makes "pretexting" a federal offense. The Federal Trade Commission has instituted a number of enforcement actions against data brokers. In the 110th Congress, bills have been introduced to ensure greater security of phone records. And the FCC recently amended its regulations governing the disclosure of Customer Proprietary Network Information (CPNI) in an attempt to address the concerns raised by Congress, the Electronic Privacy Information Center (EPIC), and other consumer groups regarding the unauthorized disclosure of such information. This report discusses recent legislative and regulatory efforts to protect the privacy of customer telephone records and efforts to prevent the unauthorized use, disclosure, or sale of such records by data brokers. In addition, it provides a brief overview of the confidentiality protections for customer information established by the Communications Act of 1934. It does not discuss the legal framework for the disclosure by telephone companies of phone records to the government. For an overview of laws that address disclosure of telephone records to the government, see CRS Report RL33424, Government Access to Phone Calling Activity and Related Records, by Elizabeth B. Bazan, Gina Marie Stevens, and Brian Yeh. For an overview of federal law governing wiretapping and electronic eavesdropping, see CRS Report 98-326, Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by Gina Marie Stevens and Charles Doyle. This report will be updated when warranted. Contents Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Federal Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Litigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Congressional Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 H.R. 852, Consumer Telephone Records Protection Act of 2007 (Inslee) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 H.R. 936, Prevention of Fraudulent Access to Phone Records Act (Dingell) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 S. 92 (Stevens) and S. 780 (Pryor), Protecting Consumer Phone Records Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Selected Laws Governing the Disclosure of Customer Phone Records by Telecommunications Carriers Background1 In response to a petition filed by the Electronic Privacy Information Center (EPIC) concerning numerous websites advertising the sale of personal telephone records, the Federal Communications Commission conducted a rulemaking to determine the extent of the problem and construct regulations in response to consumer concerns.2 Specifically, EPIC and other commenters pointed out that data brokers advertise the availability of cell phone records, which include calls to and from a particular cell phone number, the duration of such calls, and may include the physical location of the cell phone. In addition to selling cell phone call records, many data brokers also claimed to provide calling records for landline and Voice over Internet Protocol (VOIP) phones, as well as nonpublished phone numbers. Data brokers claimed to be able to provide this information fairly quickly, in a few hours to a few days. Although personal information such as Social Security numbers can be found on public documents, phone records are stored only by phone companies.3 For this reason, data brokers are alleged to have obtained phone records from the phone companies themselves, albeit without their approval. It is also believed that data brokers had taken advantage of inadequate company security standards to gain access to customer telephone information. Data brokers are thought to employ three different practices to obtain customer telephone records without the approval of the customer. The first method occurs when an employee of one of the phone companies sells the records to the data broker. The second method occurs through a practice called "pretexting," where a data broker pretends to be the owner of the phone and obtains the records from the telephone company under false pretenses. The third method is employed when a data broker obtains the customer's telephone records by accessing the customer's account on the Internet. 1 The previous version of this report is available as an archived product. CRS Report RL33287, Data Security: Protecting the Privacy of Phone Records, by Gina Marie Stevens, Legislative Attorney. 2 Petition of the Electronic Privacy Information Center for Rulemaking to Enhance Security and Authentication Standards for Access to Customer Proprietary Network Information, CC Docket No. 96-115 (filed Aug. 30, 2005), at [http://www.epic.org/privacy/iei/]. 3 Jonathan Krim, "Online Data Gets Personal: Cell Phone Records for Sale," Washington Post, July 8, 2005, at D01. CRS-2 Pretext calling for customer telephone records occurs when the data broker or investigator pretends to be the cell phone account holder and persuades phone company employees to release the information. The public availability of personal identifiers, like the Social Security number, made it easier for someone to impersonate the account holder to convince the employee that they were the account holder. For this reason, it was suggested that phone companies cease the use of readily available biographical information, like the Social Security number, for identity authentication. Telephone companies are encouraging customers to receive electronic statements and to access customer accounts online. Typically, online accounts are set up in advance, to be activated at a later date by the customer. If someone can figure out how to activate and access the online account of the customer, the call records can be obtained. In response to these concerns, Congress, the Federal Communications Commission (FCC), and the Federal Trade Commission (FTC) have acted to prevent the unauthorized disclosure of phone records. The federal government has moved to directly address the problem of "pretexting" and to more clearly define the protective framework that telecommunications carriers must implement. Federal Laws Certain sectors are currently subject to legal obligations to protect sensitive personal information. These obligations were created, in large part, through the enactment of federal privacy legislation in the financial services, health care, government, and Internet sectors. Federal regulations issued to carry out requirements of federal privacy laws impose obligations on covered entities to implement information security programs to protect personal information. For further information, see CRS Report RL34120, Information Security and Data Breach Notification Safeguards, by Gina Marie Stevens. Pretext calling for financial information has long been illegal.4 In 2006, Congress enacted the Telephone Records and Privacy Protection Act, which makes pretexting for the acquisition of telephone records a federal offense. Furthermore, several other federal statutes address illegal conduct associated with identity theft and pretext calling.5 Telephone Records and Privacy Protection Act. Section 3 of the act makes it a crime to knowingly and intentionally obtain, or attempt to obtain, "confidential phone records information"6 of a covered entity (defined as a 4 See CRS Report RS20185, Privacy Protection for Customer Financial Information, by M. Maureen Murphy. 5 Board of Governors of the Federal Reserve System, Identity Theft and Pretext Calling, Apr. 26, 2001, at [http://www.federalreserve.gov/boarddocs/SRLetters/2001/sr0111.htm]. 6 "The term `confidential phone records information' means information that -- (A) relates (continued...) CRS-3 telecommunications carrier or an IP-enabled voice service provider) by making false statements or representations to an employee of a covered entity, making false or fraudulent statements to a customer of a covered entity, providing a document to a covered entity knowing that the document is false or fraudulent, or accessing customer accounts via the Internet without prior authorization from the customer to whom the information pertains.7 The act further makes it a crime, except as otherwise provided by law or regulation, to knowingly and intentionally purchase, receive, transfer, or sell these records if they were obtained without the consent of the customer to whom the records relate.8 This act is not applicable to law enforcement agencies.9 Penalties. For a violation of Section 3, an individual may be fined not more than $250,000, imprisoned for not more than 10 years, or both.10 Violations of this section of the act by organizations may result in fines up to $500,000.11 The act also provides for enhanced penalties for violations in certain situations. First, whoever violates Section 3 of the act, as described above, "while violating another law of the United States or as part of a pattern of any illegal activity involving more than $100,000, or more than 50 customers of a covered entity, in a 12-month period shall," in addition to penalties already provided for, be fined $500,000 in the case of an individual's violation or $1,000,000 in the case of an organization's violation (as the case may be), "imprisoned for not more than five years, or both."12 Second, whoever violates Section 3 of the act, as described above, "in furtherance of, or with the intent to commit" the offenses of interstate domestic violence, stalking, interstate violation of a protective order, or any other crime of violence, in addition to penalties already provided for in the act, shall be fined and imprisoned for not more than five years.13 Third, whenever an individual violates Section 3 of the act, as described above, "in furtherance of, or with the intent to commit" certain crimes against federal, state or local law enforcement or "to intimidate, threaten, harass, injure, or kill any Federal, State, or local law enforcement officer," the act provides that in 6 (...continued) to the quantity, technical configuration, type, destination, location, or amount of use of a service offered by a covered entity, and kept by or on behalf of that covered entity solely by virtue of the relationship between that covered entity and the customer; (B) is made available to a covered entity by a customer solely by virtue of the relationship between that covered entity and the customer; or (C) is contained in any bill, itemization, or account statement provided to a customer by or on behalf of a covered entity solely by virtue of the relationship between that covered entity and the customer." P.L. 109-476; 18 U.S.C. § 1309(h)(1). 7 P.L. 109-476; 18 U.S.C. §1039(a). 8 P.L. 109-476; 18 U.S.C. §1039(b)-(c). 9 P.L. 109-476, 18 U.S.C. § 1039(g). 10 P.L. 109-476; 18 U.S.C. § 1039; 18 U.S.C. § 3571(b)(3). The act also provides for enhanced penalties under certain circumstances. 18 U.S.C. § 1039(d)-(e). 11 18 U.S.C. § 3571(c)(3). 12 P.L. 109-476; 18 U.S.C. § 1039(d). 13 P.L. 109-476; 18 U.S.C. § 1039(e)(1). CRS-4 addition to the penalties already provided, that individual shall also be assessed an additional fine and imprisoned not more than five years.14 Federal Trade Commission Act. The FTC may bring a law enforcement action against a pretexter of telephone records for deceptive or unfair practices.15 Using its authority under Section 5, the FTC has brought a number of cases against businesses that use pretexting to gather financial information on consumers. Currently, the FTC is investigating data brokers that use pretexting to gather customer telephone records and is working with the FCC, which has jurisdiction over telecommunications carriers subject to the Communications Act. In May 2006, the Federal Trade Commission filed federal court complaints in Maryland, Wyoming, Florida, California, and Virginia charging five web-based operations that have obtained and sold consumers' confidential telephone records to third parties with violating Section 5(a) of Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in or affecting commerce.16 The agency sought a permanent halt to the sale of the phone records and a rescission of contracts, restitution, disgorgement of ill-gotten gains, and other equitable relief.17 In four of the five cases, the FTC succeeded in permanently enjoining the sale of phone records as well as imposing monetary penalties on the perpetrators.18 The Communications Act. Telecommunications carriers are subject to obligations to guard the confidentiality of customer proprietary network information (CPNI) and to ensure that it is not disclosed to third parties without customer approval or as required by law. Section 222 of the Communication Act of 1934, as amended, establishes a duty of every telecommunications carrier to protect the confidentiality of CPNI.19 Section 222 attempts to achieve a balance between marketing and customer privacy. CPNI includes personally identifiable information derived from a customer's relationship with a telephone company, irrespective of whether the customer purchases landline or wireless telephone service. CPNI is defined as 14 P.L. 109-476; 18 U.S.C. § 1039(e)(2). 15 15 U.S.C. §§ 41-58. 16 15 U.S.C. § 45(a). 17 FTC Seeks Halt to Sale of Consumers' Confidential Telephone Records, May 3, 2006, at [http://www.ftc.gov/opa/2006/05/phonerecords.htm]. 18 Telephone Records Seller Settles FTC Charges, October 5, 2006, at [http://www.ftc.gov/ opa/2006/10/isis.shtm]; Telephone Records Seller Settles FTC Charges, March 9, 2007, at [http://www.ftc.gov/opa/2007/03/infosearch.shtm]; Telephone Records Seller Settles FTC Charges, December 17, 2007, at [http://www.ftc.gov/opa/2007/12/ceo.shtm]; District Court Bars the Sale of Consumers' Telephone Records to Third Parties, January 28, 2008, at [http://www.ftc.gov/opa/2008/01/telrec.shtm]. 19 47 U.S.C. § 222. Section 222 was added to the Communications Act by the Telecommunications Act of 1996. Telecommunications Act of 1996, P.L. 104-104, 110 Stat. 56 (codified at 47 U.S.C. §§ 151 et seq.) CRS-5 (A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.20 CPNI includes customers' calling activities and history (e.g., phone numbers called, frequency, duration, and time) and billing records. It does not include subscriber list information, such as name, address, and phone number. In Section 222, Congress created a framework to govern telecommunications carriers' use of information obtained through provision of a telecommunications service. Section 222 of the act provides that telecommunications carriers must protect the confidentiality of customer proprietary network information. The act limits carriers' abilities to use customer phone records, including for their own marketing purposes, without customer approval and appropriate safeguards. The act also prohibits carriers from using, disclosing, or permitting access to this information without the approval of the customer, or as otherwise required by law, if the use or disclosure is not in connection with the provided service. Section 222(a) imposes a general duty on telecommunications carriers to protect the confidentiality of proprietary information of other carriers, equipment manufacturers, and customers.21 Section 222(b) states that a carrier that receives or obtains proprietary information from other carriers in order to provide a telecommunications service may use such information only for that purpose and may not use that information for its own marketing efforts.22 The confidentiality protections applicable to customer proprietary network information are established in Section 222(c). Subsection (c)(1) constitutes the core privacy requirement for telecommunications carriers: Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.23 20 47 U.S.C. § 222(h)(1). 21 47 U.S.C.§ 222(a). 22 47 U.S.C. § 222(b). 23 47 U.S.C. § 222(c)(1). CRS-6 A carrier must disclose CPNI "upon affirmative written request by the customer, to any person designated by the customer."24 Section 222(c)(3) provides that a carrier may use, disclose, or permit access to aggregate customer information other than for the purposes described in subsection (1).25 Thus, the general principle of confidentiality for customer information is that a carrier may only use, disclose, or permit access to customers' individually identifiable CPNI in limited circumstances: (1) as required by law; (2) with the customer's approval; or (3) in its provision of the telecommunications service from which such information is derived, or services necessary to or used in the provision of such telecommunications service. Exceptions to the general principle of confidentiality permit carriers to use, disclose, or permit access to customer proprietary network information to (1) initiate, render, bill, and collect for telecommunications services; (2) protect the rights or property of the carrier, the customers, and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services; (3) provide any inbound telemarketing, referral, or administrative services to the customer for the duration of the call; and (4) provide call location information concerning the user of a commercial mobile service for emergency.26 Section 222(e) addresses the disclosure of subscriber list information and permits carriers to provide subscriber list information to any person upon request for the purpose of publishing directories. The term "subscriber list information" means any information identifying the listed names of subscribers of a carrier and such subscribers' telephone numbers, addresses, or primary advertising classifications, or any combination of such listed names, numbers, addresses, or classifications; that the carrier or an affiliate has published, caused to be published, or accepted for publication in any directory format.27 Customer Proprietary Network Information (CPNI) Regulations. In 1998, the Federal Communications Commission issued its CPNI Order to implement Section 222.28 The CPNI Order and subsequent orders issued by the Commission govern the use and disclosure of customer proprietary network information by telecommunications carriers. When the FCC implemented Section 222, telecommunications carriers were required to obtain express consent from their customers (i.e., "opt-in consent") before a carrier could use customer phone records to market services outside of the customer's relationship with the carrier. The United 24 47 U.S.C. § 222(c)(2). 25 47 U.S.C. § 222(c)(3). The term "aggregate customer information" means collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed. 47 U.S.C. § 222(h)(2). 26 47 U.S.C. § 222(d). 27 47 U.S.C. § 222(e). 28 CPNI Order, 13 FCC Rcd 8061. CRS-7 States Court of Appeals for the Tenth Circuit struck down those rules, finding that they violated the First and Fifth Amendments of the Constitution.29 In response to the Tenth Circuit's remand, the FCC amended its CPNI regulations to require telecommunications carriers to receive opt-in (affirmative) consent before disclosing CPNI to third parties or affiliates that do not provide communications-related services.30 However, carriers were permitted to disclose CPNI to affiliated parties, joint venture partners, and independent contractors after obtaining a customer's "opt-out" consent. "Opt-Out" consent means that the telephone company sends the customer a notice saying it will consider the customer to have given approval to use the customer's information for marketing unless the customer tells it not to do so (usually within 30 days.)31 On April 2, 2007, the FCC issued an order amending its Customer Proprietary Network Information Regulations and largely accepting EPIC's proposed changes.32 The revised rules broaden the opt-in requirement for sharing CPNI with third parties and affiliated entities that do not provide a telecommunications service33 to include joint venture partners and independent contractors as well.34 Opt-out consent remains acceptable for sharing CPNI with affiliates that provide telecommunications services.35 Carriers are required, prior to soliciting the customer's approval, to provide notice of the customer's right to restrict use, disclosure, and access to the customer's CPNI.36 Carriers are also required to establish safeguards to protect against the unauthorized disclosure of CPNI. To that end, carriers must maintain records that track access to customer CPNI records.37 The FCC also has implemented carrier authentication requirements for the disclosure of call detail information under which carriers are not allowed to release call detail information during a customer-initiated 29 U.S. West v. FCC, 182 F.3d 1224 (10th Cir. 1999), cert. denied Competition Policy Instit. v. U.S. West, Inc., 530 U.S. 1213 (2000). 30 Except as required by law, carriers may not disclose CPNI to third parties or their own affiliates that do not provide communications-related services unless the consumer has given "opt in" consent, which is express written, oral, or electronic consent. 47 C.F.R. §§ 64.2005(b)-(c), 64.2007(b); 64.2008(e); see also 47 C.F.R. § 64.2003(h) (defining "opt-in approval"). 31 47 C.F.R. § 64.2003(l). 32 In the Matter of Implementation of the Telecommunications Act of 1996; Telecommunications Carriers; Use of Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services, 22 FCC Rcd 6927 (2007). 33 47 C.F.R. §§ 64.2005(b)-(c), 64.2007(b). 34 Id. 35 47 C.F.R. § 64.2005(a). 36 47 C.F.R. § 64.2008. 37 47 C.F.R. § 64.2009. CRS-8 phone call, except when the customer provides a pre-established password.38 If the customer does not or cannot provide the password, the carrier may release the call detail information only by sending the information to the address of record for the account or through backup authentication methods that do not use readily available biographical information (such as a social security number, or mother's maiden name).39 Carriers also must establish passwords for online account access.40 Carriers must provide notice to customers whenever changes to their accounts occur, as well as adhere to a notification process for both law enforcement and affected customers in the event of unauthorized or improper disclosure of CPNI.41 Each carrier is also required to certify annually its compliance with the CPNI regulations and to make this certification publicly available.42 The certification must contain a list of customer complaints regarding unauthorized disclosure of CPNI for the previous year. It is worth noting that the FCC's most recent order extended its CPNI regulations to cover interconnected Voice-Over-Internet-Protocol (VOIP) service providers.43 Penalties. Carriers in violation of the CPNI requirements are subject to a variety of penalties under the act. Under the criminal penalty provision in Section 501 of the act, 47 U.S.C. § 501, any person who willfully and knowingly does, causes, or allows to be done, any act, matter, or thing prohibited by the act or declared unlawful, or who willfully and knowingly omits or fails to do what is required by the act, or who willfully or knowingly causes or allows such omission or failure, shall be punished for any such offense for which no penalty (other than a forfeiture) is provided by the act by a fine up to $10,000, imprisonment up to one year, or both, and in the case of a person previously convicted of violating the act, a fine up to $10,000 imprisonment up to two years, or both. Section 502 of the act punishes willful and knowing violations of Federal Communication Commission regulations. Any person who willfully and knowingly violates any rule, regulation, restriction, or condition made or imposed by the Commission is, in addition to other penalties provided by law, subject to a maximum fine of $500 for each day on which a violation occurs.44 Under Section 503(b)(1) of the act, any person who is determined by the Commission to have willfully or repeatedly failed to comply with any provision of the act or any rule, regulation, or order issued by the Commission shall be liable to 38 47 C.F.R. § 64.2010(b). 39 47 C.F.R. § 64.2010(b),(e). 40 47 C.F.R. § 64.2010(c). 41 47 C.F.R. §§ 64.2010(f), 64.2011. 42 47 C.F.R. §§ 64.2009(e). 43 In the Matter of Implementation of the Telecommunications Act of 1996; Telecommunications Carriers; Use of Customer Proprietary Network Information and Other Customer Information; IP-Enabled Services, 22 FCC Rcd 6927 at ¶ 54. 44 47 U.S.C. § 502. CRS-9 the United States for a civil money "forfeiture" penalty.45 Section 312(f)(1) of the act defines "willful" as "the conscious and deliberate commission or omission of [any] act, irrespective of any intent to violate" the law. "Repeated" means that the act was committed or omitted more than once, or lasts more than one day. If the violator is a common carrier, Section 503(b) authorizes the Commission to assess a forfeiture penalty of up to $130,000 for each violation or for each day of a continuing violation, except that the amount assessed for any continuing violation shall not exceed a total of $1,325,000 for any single act or failure to act.46 To impose such a forfeiture penalty, the Commission must issue a notice of apparent liability, and the person against whom the notice has been issued must have an opportunity to show, in writing, why no such forfeiture penalty should be imposed. The Commission will then issue a forfeiture if it finds by a preponderance of the evidence that the person has violated the act or a Commission rule. Litigation The National Cable and Telecommunications Association (NCTA) has challenged the FCC's new requirement for carriers to obtain opt-in consent for sharing CPNI with joint venture partners and independent contractors in the U.S. Court of Appeals for the DC Circuit.47 NCTA argues that the new opt-in rule is arbitrary and capricious and that it violates the First Amendment rights of carriers. NCTA does not challenge the remainder of the recently implemented rules. The case is currently in its preliminary stages. Congressional Response Legislation has been introduced in the 110th Congress to address the problems presented by unauthorized disclosure of telephone records. Generally, the bills would expand the enforcement authority of the FTC to punish pretexting and unauthorized receipt of confidential customer information and would require the FCC to ensure that telecommunications carriers and IP-enabled voice service providers are taking proper care to safeguard the privacy of these records. Many of the substantive requirements for regulatory action contained in the proposed legislation were implemented by the FCC's most recent rulemaking. None of the bills has been reported out of committee. H.R. 852, Consumer Telephone Records Protection Act of 2007 (Inslee). H.R. 852 is similar in substance to the Telephone Records and Privacy Protection Act of 2006 in that it prohibits obtaining or attempting to obtain confidential phone records by fraud or false statement and prohibits the purchase or sale of such fraudulently obtained information. The bill also would amend Section 45 47 U.S.C. § 503(b)(1). 46 FCC Forfeiture Proceedings, Limits on the amount of forfeiture assessed, 47 C.F.R. Part 1.80(b). 47 Petition for Review, National Cable & Telecommunications Association v. Federal Communications Commission, U.S. Court of Appeals for the DC Circuit (August 7, 2007), available at [http://www.ncta.com/PublicationType/JudicialFiling/4323.aspx]. CRS-10 222 of the Communications Act of 1934 to direct the FCC to promulgate regulations that would require telecommunications carriers to notify customers when CPNI has been disclosed improperly, and grants enforcement authority to the FTC. H.R. 936, Prevention of Fraudulent Access to Phone Records Act (Dingell). H.R. 936 grants the FTC specific authority to enforce its prohibition on the fraudulent acquisition of customer proprietary network information as it would a violation of a rule defining an unfair or deceptive act or practice prescribed by the FTC act. Furthermore, the bill would expand the protections of detailed customer records maintained by telecommunications carriers by prohibiting disclosure of CPNI by telecommunications carriers to joint venture partners, independent contractors, or any other third parties except with the express prior authorization of the customer. The bill also would direct the FCC to promulgate regulations that would require telecommunications carriers, for example, to notify customers of unauthorized disclosures of CPNI, to maintain records of each time CPNI is requested or accessed, and to establish a security policy to ensure the confidentiality of CPNI. S. 92 (Stevens) and S. 780 (Pryor), Protecting Consumer Phone Records Act. Except as authorized by other law or regulation, S. 92 and S. 780 would make it unlawful to obtain, transfer, sell, or purchase CPNI without the express written consent of the customer to whom the CPNI relates. These proposals would create a private right of action against violators of the act for telecommunications carriers (as well as IP-enabled voice service providers) and for consumers with the possible award of treble damages if the court finds a knowing and willful violation. The bills would further require the FCC to revise its CPNI regulations to increase the security and confidentiality of CPNI. Concurrent enforcement jurisdiction would be granted to the FCC and the FTC for violations of the act. ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-RL34409