FCC Fines Telcos Over Data Security
In April of 2007, the Federal Communications Commission (FCC) created a new rule requiring all phone companies to submit reports on its Customer Proprietary Network Information (CPNI) practices. Unfortunately, many of those required to submit the yearly reports have not done so, and now face hefty fines.
Today, the FCC proposed fining over 600 different companies up to $20,000 for not complying with the CPNI certificate order. "I have long stressed the importance of protecting the sensitive information that telecommunications carriers collect about their customers," said FCC Chairman Michael Copps (view the statement PDF here). "The broad nature of this enforcement action hopefully will ensure substantial compliance with our CPNI rules going forward as the Commission continues to make consumer privacy protection a top priority."
According to Ars Technica, the FCC also said there are a number of other companies who filed certificates, but did so improperly. These companies may face fines up to $10,000.
The CPNI debacle dates back to 2006, when "pretexting" became popular with scam artists. The scammers would call up phone companies and convince the service rep that they were a subscriber, and then gain full access to that subscribers' account information and phone records. The gleaned info would then be sold on the black market. The most infamous abuse of CPNI came when Hewlett-Packard used such tactics to keep track of executives' phone records. With the 2007 FCC order in place, subscribers who call their carrier must provide a password before any sensitive information can be given out over the phone. If no password can be given, the service rep can only mail information to the address on record with the company, or call the subscriber back on the phone number of record. Also, phone companies are required to keep a "CPNI officer" on staff, who would oversee the certificate process.
With hundreds of different companies facing fines, one has to wonder why no one seems to be complying with the nearly two year old order. In the end, it may simply be cheaper for a telco to eat the fine rather than set up a system for creating and filing certificates. Look to Tom's Guide for more details in the coming days and weeks.
Also, if you have a few hours to kill, you can read the original FCC CPNI order (all 101 pages of it) here.
-
Previous News Article
Intel is Denied a Hearing in... -
Next News Article
Wolfenstein RPG, Quake 3 Porting...
what about the at&t, verizon, ect for all those fiber splitters the nsa installed to grab all the internet traffic.
that's ok, no need to fine, shut down.
I can't believe the FCC has the power to fine companies or restrict their business practices, but the FDA has no power to do anything. Our communication is apparently more important than our food and drugs.
The Telcos aren't complying because they don't care. There's no money to be made in CPNI, just like there's no money to be made in upgrading the aging networks they run on. I don't think anyone ever mistook a Telco's actions as being considerate of their customers satisfaction and security.
Telcos are the modern railroad companies. They own the infrastructure, and they'll decide how to use it. The FCC can do whatever they want, companies like Verizon, ATT, etc... just don't care.
LOL a 20,000 fine is a joke to a business, its not even their janitor's yearly salary. Why both to upgrade their systems when they can turn off the lights in their buildings an hour earlier and save the same amount of money?
LOL a 20,000 fine is a joke to a business, its not even their janitor's yearly salary. Why both to upgrade their systems when they can turn off the lights in their buildings an hour earlier and save the same amount of money?
THIS
It pisses me off so much when the government attempts to punish companies, but they never seem to outweigh the benefit of breaking a regulation.