FCC CPNI Submission
Papatel, Inc.
232 Poinciana Drive
Sunny Isles Beach FL 33160-0000
Marlene H. Dortch, Secretary
Federal Communications Commission 445 l l th Street, SW Washington, DC 20554
RE: Certification of Compliance with Rule 64.1801
Dear Ms. Dortch:
Papatel, Inc., FRN
February 25, 2016
with the geographic rate averaging and rate integration requirements of Commission Rule 64.1801 (47 C.F.R. § 64.1801).
I hereby verify that I am an officer of Papatel, Inc., am authorized to make this certification on its behalf, and that the foregoing certification is true, complete, and correct to the best of my knowledge. I declare under penalty of perjury under the laws of the United States that the foregoing is true and correct.
Signature: [illegible]
Print Name: [illegible]
Title: [illegible]
0017825092
Federal Communications Commission Page Two
I, [illegible] (Print Name and Title)
of Papatel, Inc. certify that I am an officer of the company named above, and acting as an agent of the company, that I have personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the Commission's CPNI rules. See 47 C.F.R. § 64.2001 et seq.
Attached to this certification as Exhibit "A" is an accompanying statement explaining how Papatel, Inc. procedures ensure that the company is in compliance with the requirements set forth in Section 64.2001 et seq. of the Commission's rules.
FCC Annual Filing
Federal Communication Commission Page Three
Annual 47 C.F.R. § 64.2009(e) CPNI Certification
EB Docket 06-36
Papatel, Inc. has not taken any actions (proceedings instituted or petitions filed by a company at either state commissions, the court system, or at the Commission against data brokers) against data brokers in the past year. Companies must report on any information that they have with respect to the processes pretexters are using to attempt to access CPNI, and what steps companies are taking to protect CPNI.
Papatel, Inc. has not received any customer complaints in the past year concerning the unauthorized release of CPNI (number of customer complaints a company has received related to unauthorized access to CPNI, or unauthorized disclosure of CPNI, broken down by category or complaint, e.g., instances of improper access by employees, instances of improper disclosure to individuals not authorized to receive the information, or instances of improper access to online information by individuals not authorized to view the information).
Signature: [illegible]
Print Name: [illegible]
Title: [illegible]
Annual 47 C.F.R. § 64.2009(e) CPNI Certification
EB Docket 06-36
Exhibit A
Papatel, Inc.
Compliance Requirements
Papatel, Inc.
232 Poinciana Drive Sunny Isles Beach FL 33160-0000
Compliance Requirements
Papatel, Inc. ("Company") maintains the following operating procedures to
ensure compliance with the requirements set forth in Section 64.2001 et seq. of the Commission's rules.
Section 64.2005 Use of customer proprietary network information without customer approval
(a) Any telecommunications carrier may use, disclose, or permit access to CPNI for the purpose of providing or marketing service offerings among the categories of service (i.e., local, interexchange, and CMRS) to which the customer already subscribes from the same carrier, without customer approval.
(1) If a telecommunications carrier provides different categories of service, and a customer subscribes to more than one category of service offered by the carrier, the carrier is permitted to share CPNI among the carrier's affiliated entities that provide a service offering to the customer.
(2) If a telecommunications carrier provides different categories of service, but a customer does not subscribe to more than one offering by the carrier, the carrier is not permitted to share CPNI with its affiliates, except as provided in § 64.2007(b).
(b) A telecommunications carrier may not use, disclose, or permit access to CPNI to market to a customer service offerings that are within a category of service to which the subscriber does not already subscribe from that carrier, unless that carrier has customer approval to do so, except as described in paragraph (c) of this section.
(1) A wireless provider may use, disclose, or permit access to CPNI derived from its provision of CMRS, without customer approval, for the provision of CPE and information service(s). A wireline carrier may use, disclose or permit access to CPNI derived from its provision of local exchange service or interexchange service, without customer approval, for the provision of CPE and call answering, voice mail or messaging, voice storage and retrieval services, fax store and forward protocol conversion.
(2) A telecommunications carrier may not use, disclose, or permit access to CPNI to identify or track customers that call competing service providers. For example, a local exchange carrier may not use local service CPNI to track all customers that call local service competitors.
(c) A telecommunications carrier may use, disclose, or permit access to CPNI, without customer approval, as described in this paragraph (c).
(1) A telecommunications carrier may use, disclose, or permit access to CPNI, without customer approval, in its provision of inside wiring installation, maintenance, and repair services.
(2) CMRS providers may use, disclose, or permit access to CPNI for the purpose of conducting research on the health effects of CMRS.
(3) LECs, CMRS providers, and interconnected VoIP providers may use CPNI, without customer approval, to market services formerly known as adjunct-to-basic services, such as, but not limited to, speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain Centrex features.
(d) A telecommunications carrier may use, disclose, or permit access to CPNI to protect the rights or property of the carrier, or to protect users of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services.
The Company has adopted specific CPNI policies to ensure that, in the absence of customer approval, CPNI is only used by the Company to provide or market service offerings among the categories of service (i.e., local, interexchange, and CMRS) to which the customer already subscribes. The Company's CPNI policies prohibit the sharing of CPNI with affiliated companies, except as permitted under Rule 64.2005(a)(1) or with customer approval pursuant to Rule 64.2007(b). The only exceptions to these policies are as permitted under 47 U.S.C. § 222(d) and Rule 64.2005.
Section 64.2007 Approval required for use of customer proprietary network information.
(a) A telecommunications carrier may obtain approval through written, oral or electronic methods.
(1) A telecommunications carrier relying on oral approval shall bear the burden of demonstrating that such approval has been given in compliance with the Commission's rules in this part.
(2) Approval or disapproval to use, disclose, or permit access to a customer's CPNI obtained by a telecommunications carrier must remain in effect until the customer revokes or limits such approval or disapproval.
(3) A telecommunications carrier must maintain records of approval, whether oral, written, or electronic, for at least one year.
In all circumstances where customer approval is required to use, disclose or permit access to CPNI, the Company's CPNI policies require that the Company obtain customer approval through written, oral or electronic methods in compliance with Rule 64.2007. A customer's approval or disapproval remains in effect until the customer revokes or limits the approval or disapproval. The Company maintains records of customer approval (whether written, oral or electronic) for a minimum of one year.
(b) Use of Opt-Out and Opt-In Approval Processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services. A telecommunications carrier may also permit such person or entities to obtain access to such CPNI for such purposes. Except for use and disclosure of CPNI that is permitted without customer approval under section § 64.2005, or that is described in this paragraph, or as otherwise provided in section 222 of the Communications Act of 1934, as amended, a telecommunications carrier may only use, disclose, or permit access to its customer's individually identifiable CPNI subject to opt-in approval.
The Company does not use CPNI for any purpose (including marketing communications-related services) and does not disclose or grant access to CPNI to any party (including to agents or affiliates that provide communications-related services), except as permitted under 47 U.S.C. § 222(d) and Rule 64.2005.
Section 64.2008 Notice required for use of customer proprietary network information.
(a) Notification, Generally. (1) Prior to any solicitation for customer approval, a telecommunications carrier must provide notification to the customer of the customer's right to restrict use of, disclosure of, and access to that customer's CPNI.
(2) A telecommunications carrier must maintain records of notification, whether oral, written, or electronic, for at least one year.
(b) Individual notice to customers must be provided when soliciting approval to use, disclose, or permit access to customers' CPNI.
(c) Content of Notice. Customer notification must provide sufficient information to enable the customer to make an informed decision as to whether to permit a carrier to use, disclose, or permit access to, the customer's CPNI.
(1) The notification must state that the customer has a right, and the carrier has a duty, under federal law, to protect the confidentiality of CPNI.
(2) The notification must specify the types of information that constitute CPNI and the specific entities that will receive the CPNI, describe the purposes for which CPNI will be used, and inform the customer of his or her right to disapprove those uses, and deny or withdraw access to CPNI at any time.
(3) The notification must advise the customer of the precise steps the customer must take in order to grant or deny access to CPNI, and must clearly state that a denial of approval will not affect the provision of any services to which the customer subscribes. However, carriers may provide a brief statement, in a clear and neutral language, describing consequences directly resulting from the lack of access to CPNI.
(4) The notification must be comprehensible and must not be misleading.
(5) If written notification is provided, the notice must be clearly legible, use sufficiently large type, and be placed in an area so as to be readily apparent to a customer.
(6) If any portion of a notification is translated into another language, then all portions of the notification must be translated into that language.
(7) A carrier may state in the notification that the customer's approval to use CPNI may enhance the carrier's ability to offer products and services tailored to the customer's needs. A carrier also may state in the notification that it may be compelled to disclose CPNI to any person upon affirmative written request by the customer.
(8) A carrier may not include in the notification any statement attempting to encourage a customer to freeze third-party access to CPNI.
(9) The notification must state that any approval, or denial of approval for the use of CPNI outside of the service to which the customer already subscribes from that carrier is valid until the customer affirmatively revokes or limits such approval or denial.
(10) A telecommunications carrier's solicitation for approval must be proximate to the notification of a customer's CPNI rights.
The Company's CPNI policies require that customers be notified of their rights, and the Company's obligations, with respect to CPNI prior to any solicitation for customer approval. All required customer notices (whether written, oral or electronic) comply with the requirements of Rule 64.2008. The Company maintains records of all required customer notices (whether written, oral or electronic) for a minimum of one year.
(d) Notice Requirements Specific to Opt-Out. A telecommunications carrier must provide notification to obtain opt-out approval through electronic or written methods, but not by oral communication (except as provided in paragraph (f) of this section). The contents of any such notification must comply with the requirements of paragraph (c) of this section.
(1) Carriers must wait a 30-day minimum period of time after giving customers notice and an opportunity to opt-out before assuming customer approval to use, disclose, or permit access to CPNI. A carrier may, in its discretion, provide for a longer period. Carriers must notify customers as to the applicable waiting period for a response before approval is assumed.
(i) In the case of an electronic form of notification, the waiting period shall begin to run from the date on which the notification was sent; and
(ii) In the case of notification by mail, the waiting period shall begin to run on the third day following the date that the notification was mailed.
(2) Carriers using the opt-out mechanism must provide notices to their customers every two years.
(3) Telecommunications carriers that use e-mail to provide opt-out notices must comply with the following requirements in addition to the requirements generally applicable to notification:
(i) Carriers must obtain express, verifiable, prior approval from consumers to send notices via e-mail regarding their service in general, or CPNI in particular;
(ii) Carriers must allow customers to reply directly to e-mails containing CPNI notices in order to opt-out;
(iii) Opt-out e-mail notices that are returned to the carrier as undeliverable must be sent to the customer in another form before carriers may consider the customer to have received notice;
(iv) Carriers that use e-mail to send CPNI notices must ensure that the subject line of the message clearly and accurately identifies the subject matter of the e-mail; and
(v) Telecommunications carriers must make available to every customer a method to opt-out that is of no additional cost to the customer and that is available 24 hours a day, seven days a week. Carriers may satisfy this requirement through a combination of methods, so long as all customers have the ability to opt-out at no cost and are able to effectuate that choice whenever they choose.
The Company does not currently solicit "opt out" customer approval for the use or disclosure of CPNI. The Company does not use CPNI for any purpose (including marketing communications-related services) and does not disclose or grant access to CPNI to any party (including to agents or affiliates that provide communications-related services), except as permitted under 47 U.S.C. § 222(d) and Rule 64.2005.
(e) Notice Requirements Specific to Opt-In. A telecommunications carrier may provide notification to obtain opt-in approval through oral, written, or electronic methods. The contents of any such notification must comply with the requirements of paragraph (c) of this section.
The Company does not currently solicit "opt-in" customer approval for the use or disclosure of CPNI. The Company does not use, disclose or grant access to CPNI for any purpose, to any party or in any manner that would require a customer's "opt in" approval under the Commission's CPNI Rules.
(f) Notice Requirements Specific to One-Time Use of CPNI. (1) Carriers use oral notice to obtain limited, one-time use of CPNI for inbound and outbound customer contacts for the duration of the call, regardless of whether carriers use opt-out or opt-in approval based on the nature of the contact.
(2) The contents of any such notification must comply with the requirements of paragraph (c) of this section, except that telecommunications carriers may omit any of the following notice provisions if not relevant to the limited use for which the carrier seeks CPNI:
(i) Carriers need not advise customers that if they have opted-out previously, no action is needed to maintain the opt-out election.
(ii) Carriers need not advise customers that they may share CPNI with their affiliates or third parties and need not name those entities, if the limited CPNI usage will not result in use by, or disclosure to, an affiliate or third party;
(iii) Carriers need not disclose the means by which a customer can deny or withdraw future access to CPNI, so long as carriers explain to customers that the scope of the approval the carrier seeks is limited to one-time use; and
(iv) Carriers may omit disclosure of the precise steps a customer must take in order to grant or deny access to CPNI, as long as the carrier clearly communicates that the customer can deny access to his CPNI for the call.
In instances where the Company seeks one-time customer approval for the use or disclosure of CPNI, the Company obtains such approval in accordance with the disclosures, methods and requirements contained in Rule 2008(f).
Section 64.2009 Safeguards required for use of customer proprietary network information.
(a) Telecommunications carriers must implement a system by which the status of a customer's CPNI approval can be clearly established prior to the use of CPNI.
The Company's billing system allows authorized company personnel to easily determine the status of a customer's CPNI approval on the customer account screen prior to the use or disclosure of CPNI.
(b) Telecommunications carriers must train their personnel as to when they are and are not authorized to use CPNI, and carriers must have an express disciplinary process in place.
The Company has established CPNI compliance policies that include employee training on restrictions on the use and disclosure of CPNI and required safeguards to protect against unauthorized use or disclosure of CPNI. Employees have signed that they understand the CPNI policies and a violation of those policies will result in disciplinary action.
(c) All carriers shall maintain a record, electronically or in some other manner, of their own and their affiliates' sales and marketing campaigns that use their customers' CPNI. All carriers shall maintain a record of all instances where CPNI was disclosed or provided to third parties, or where third parties were allowed access to CPNI. The record must include a description of each campaign, the specific CPNI that was used in the campaign, and what products and services were offered as a part of the campaign. Carriers shall retain the record for a minimum of one year.
The Company's CPNI policies require that all sales and marketing campaigns including those utilizing CPNI be recorded and kept on file for at least one year. Records are also maintained for disclosure or access to CPNI by third parties. The records include the required information listed in Rule 64.2009(c).
(d) Telecommunications carriers must establish a supervisory review process regarding carrier
compliance with the rules in this subpart for out-bound marketing situations and maintain records of carrier
compliance for a minimum period of one year. Specifically, sales personnel must obtain supervisory
approval of any proposed out-bound marketing request for customer approval.
The Company's CPNI policies require employees to obtain approval from the Company's CPNI Compliance Officer for all marketing campaigns, including those utilizing CPNI, prior to initiating that campaign. Record of the marketing campaigns, along with the appropriate supervisory approval is maintained for at least one year.
(e) A telecommunications carrier must have an officer, as an agent of the carrier, sign and file with the Commission a compliance certificate on an annual basis. The officer must state in the certification that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subject. In addition, the carrier must include an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. This filing must be made annually with the Enforcement Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining to the previous calendar year.
The required officer certification, actions taken against data brokers and summary of customer complaint documents are included with this accompanying statement. The Company will file the documents on an annual basis on or before March 1 for data pertaining to the previous calendar year.
(f) Carriers must provide written notice within five business days to the Commission of any instance where the opt-out mechanisms do not work properly, to such a degree that consumers' inability to opt-out is more than an anomaly.
(1) The notice shall be in the form of a letter, and shall include the carrier's name, a description of the opt-out mechanism(s) used, the problem(s) experienced, the remedy proposed and when it will be/was implemented, whether the relevant state commission(s) has been notified and whether it has taken any action, a copy of the notice provided to customers and contact information.
(2) Such notice must be submitted even if the carrier offers other methods by which consumers may opt-out.
The Company does not currently solicit "opt out" customer approval for the use or disclosure of CPNI.
Section 64.2010 Safeguards on the disclosure of customer proprietary network information.
(a) Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an in-store visit.
The Company's CPNI policies and employee training include reasonable measures to discover and protect against activity that is indicative of pretexting and employees are instructed to notify the CPNI Compliance Officer if any such activity is suspected.
(b) Telephone access to CPNI. Telecommunications carriers may only disclose call detail information over the telephone, based on customer-initiated telephone contact, if the customer first provides the carrier with a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information. If the customer does not provide a password, the telecommunications carrier may only disclose call detail information by sending it to the customer's address of record, or by calling the customer at the telephone number of record. If the customer is able to provide call detail information to the telecommunications carrier during a customer-initiated call without the telecommunications carrier's assistance, then the telecommunications carrier is permitted to discuss the call detail information provided by the customer.
The Company's CPNI policies ensure that a customer is only able to access call detail information over the telephone in one of the ways listed in Rule 64.2010(b). If the customer cannot remember their password, they are prompted to answer a security question. Neither the password nor the security question are based on readily available biographical information or account information. Customer service representatives are instructed to authenticate customers over the telephone in all instances except in the case where the customer provides the call detail information without the assistance of the Company.
(c) Online access to CPNI. A telecommunications carrier must authenticate a customer without the use of readily available biographical information, or account information, prior to allowing the customer online access to CPNI related to a telecommunications service account. Once authenticated, the customer may only obtain access to CPNI related to a telecommunications service account through a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information.
The company authenticates customers without the use of readily available biographical or account information prior to allowing online access to CPNI related to an account. Once authenticated, the customer may only obtain access to CPNI through a password, that is not prompted by readily available biographical or account information.
(d) In-Store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier's retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer's account information.
(e) Establishment of a Password and Back-up Authentication Methods for Lost or Forgotten Passwords. To establish a password, a telecommunications carrier must authenticate the customer without the use of readily available biographical information, or account information. Telecommunications carriers may create a back-up customer authentication method in the event of a lost or forgotten password, but such back-up customer authentication method may not prompt the customer for readily available biographical information, or account information. If a customer cannot provide the correct password or the correct response for the back-up customer authentication method, the customer must establish a new password as described in this paragraph.
The Company's CPNI policies allow for a few ways to establish a password, all of which ensure compliance with the above paragraph. Each method also allows the customer to establish a back-up or security question in the event that they forget their password. In no event does the Company use readily available biographical information or account information as a back-up question or as a means to establish a password or authenticate the customer.
(f) Notification of account changes. Telecommunications carriers must notify customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. This notification is not required when the customer initiates service, including the selection of a password at service initiation. This notification may be through a carrier-originated voicemail or text message to the telephone number of record or by mail to the address of record, and must not reveal the changed information or be sent to the new account information.
The company will notify a customer immediately when account changes occur, including a password, a response to a back-up means of authentication, or address of record. The notification will be through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record, and will not contain the changed information or be sent to the new account information.
(g) Business Customer Exemption. Telecommunications carriers may bind themselves contractually to authentication regimes other than those described in this section for services they provide to their business customer that have both a dedicated account representative and a contract that specifically addresses the carriers' protection of CPNI.
The Company does not utilize the business customer exception at this time.
Section 64.2011 Notification of customer proprietary network information security breaches.
(a) A telecommunications carrier shall notify law enforcement of a breach of its customers' CPNI as provided in this section. The carrier shall not notify its customers or disclose the breach publicly, whether voluntarily or under state or local law or these rules, until it has completed the process of notifying law enforcement pursuant to paragraph (b).
(b) As soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach, the telecommunications carrier shall electronically notify the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) through a central reporting facility. The Commission will maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.
(1) Notwithstanding any state law to the contrary, the carrier shall not notify customers or disclose the breach to the public until 7 full business days have passed after notification to the USSS and the FBI except as provided in paragraphs (2) and (3).
(2) If the carrier believes that there is an extraordinarily urgent need to notify any class of affected customers sooner than otherwise allowed under paragraph (1), in order to avoid immediate and irreparable harm, it shall so indicate in its notification and may proceed to immediately notify its affected customers only after consultation with the relevant investigating agency. The carrier shall cooperate with the relevant investigating agency's request to minimize any adverse effects of such customer notification.
(3) If the relevant investigating agency determines that the public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security, such agency may direct the carrier not to so disclose or notify for an initial period of up to 30 days. Such period may be extended by the agency as reasonably necessary in the judgement of the agency. If such direction is given, the agency shall notify the carrier when it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security. The agency shall provide in writing its initial direction to the carrier, any subsequent extension and any notification that notice will no longer impede or compromise a criminal investigation or national security and such writings shall be contemporaneously logged on the same reporting facility that contains records of notifications filed by carriers.
(c) Recordkeeping. All carriers shall maintain a record, electronically or in some other manner, of any breaches discovered, notification made to the USSS and the FBI pursuant to paragraph (b), and notification to customers. The record must include, if available, dates of discovery and notification, a detailed description of the CPNI that was the subject of the breach, and the circumstances of the breach. Carriers shall retain the record for a minimum of 2 years.
The Company has policies and procedures in place to ensure compliance with Rule 64.2011. When it is reasonably determined that a breach has occurred, the CPNI Compliance Officer will notify law enforcement and its customers in the required timeframes. A record of the breach will be maintained for a minimum of two years and will include all information required by Rule 64.2011.