CPNI (Customer Proprietary Network Information) Overview and Key Takeaways

October 30, 2018 by Ravi Das

Introduction

In the United States, we have a communications infrastructure that is actually quite complex. For instance, not only do traditional landlines still exist, but the bulk of our communications is now done through our wireless devices, especially our smartphones.

But keep in mind, the term “communications” is a very broad one. It doesn’t just involve the use of various types of handsets, but it encompasses the video medium as well. Also included in this mix is Internet connectivity, wireless communications (which includes VoIP, video and audio conferencing such as Skype and WebEx), and all forms of messaging. In other words, anything that you use to communicate with another party will broadly fall under the umbrella of “telecommunications.”

Given this plethora of technologies, the subscriber base will obviously be huge. In an effort to keep all of this information and data uniform and standardized, the Customer Proprietary Network Information (CPNI) was created.

What Exactly Is the CPNI?

The CPNI is simply the information and data that the telecommunications industry collects about you. Your communications provider typically collects this. It includes the following:

  • Your telephone number
  • The telecommunications services that you have purchased through your communications provider
  • The specific types of services that you are using
  • The destination of your communications (for example, if you place a call or send a text message, who is the specific recipient of that communication?)
  • The technical configuration of all of your telecommunications services that you are currently making use of
  • The specific geographic location in which you are making use of these services
  • The amount of the services that you are making use of (for example, if you use a personal hotspot on your smartphone, how much data do you consume on your allotted plan?)
  • All of your billing information
  • For phone calls, other pieces of information are also collected, including the following:
    • The time of the phone call
    • The date of the phone call
    • The total time duration of the phone call (in hours/minutes/seconds)
    • The actual phone number that you are dialing

The primary goal of the CPNI, as mentioned previously, is not only to have all of this aggregate information/data standardized; it was also created so that your communications provider will have an easier time providing you with newer and updated telecommunications products/services as they come out. The intended outcome, of course, is to meet the needs of the subscriber in the most timely and cost-effective manner. Another objective of the CPNI was to eliminate monopolistic practices, which is discussed later in this article.

CPNI Rules

The highlights of the CPNI Rules are listed below. To view the details of each rule, click on the link provided in the text:

  1. What types of customer information and data can be used without the permission of the customer. The details of this can be seen here.
  2. The specific circumstances under which customer approval is required to share their information/data. The details of this rule can be seen here.
  3. When the customer needs to be notified that their information/data will be shared, and what their rights are. Details can be seen here.
  4. The safeguards that are deployed to protect customer information/data. Further details can be seen here.
  5. The controls that have been established to prevent accidental customer information/data leakage. More details can be seen here.
  6. The methods that must be used when notifying the customer and other relevant parties about any security breaches that may have occurred. The details of this can be seen here.

The Business Impacts of the CPNI

The direct impact of the CPNI will be felt by the communications providers and the group of individuals and entities that must follow it down to the most granular detail. For instance, if you are a business owner that offers any type or kind of communications services to customers (an example would be if you are a reseller for an ISP and offer VoIP-based services to your client base), you are completely bound by the rules and regulations of CPNI. These include:

1. You Must Have an Established Privacy Policy

This must be filed with the FCC on an annual basis, by March 1st. It must provide explicit detail about the policies and procedures that you have in place for safeguarding the information/data that you collect from your customers, especially in the cases of accidental exposure.

But it is important to keep in mind that “explicit” means that you are only satisfying the minimum requirements of the FCC. In order to make sure that you avoid any fines and penalties, your Privacy Policy must also comply with the FCC’s rules regarding CPNI. If possible, you should also create and implement other controls, and have those detailed in the Privacy Policy as well.

2. A Certificate Must Be Filed

This has to be filed on an annual basis by March 1st. It also must be signed by an officer of the communications provider, and they must also attest to the fact that they have personal knowledge that the company has a Privacy Policy in place which meets the standards set forth by the FCC. This certificate must also detail any customer complaints that were taken during the year, and any actions taken against data brokers if they misuse the permission given to them to access and use the customer information/data. An example of a CPNI Privacy Policy can be seen here.

If you, the communications provider, are not in full compliance with the CPNI, there are severe financial penalties that can be imposed. At the very minimum, the FCC can impose a fine of $150,000 for every rule that has been violated for each day. There have been fines imposed in the past, and these have ranged from $20,000 all the way up to $25 million (as in the case of AT&T).

CPNI FAQs

The following is a representative sampling of the FAQs related to the CPNI:

Question: Why do you need my consent to give out my CPNI details?

Answer: The FCC requires this by law, and by having a customer’s consent, the communications carrier will be in a much better position to offer products and services that match the specific needs of the customer.

Question: If I give my consent, who will have access to my CPNI details?

Answer: The only people that will have access to this are the employees of the communications provider, and any of their affiliates and/or subsidiaries. Even with your explicit permission, a communications carrier cannot disclose any of your information/data to unrelated third parties.

Question: How do I give permission to share my CPNI details?

Answer: Under most circumstances, you do not have to do anything. If your communications provider does not hear from you within 30-45 days after signing up for new products and services, it is then assumed that you have given explicit permission to share your CPNI details.

Question: After I have given my permission, can I withdraw it later?

Answer: Yes, you can. A customer always has the right to withdraw consent at any point they wish to. This can often be done by either accessing the customer online portal or calling the communications provider directly.

Question: Am I allowed to have a CPNI Opt-Out?

Answer: Yes, you can. This simply means that you do not want to have your CPNI details shared under any circumstance. This can be accomplished by either logging into the customer online portal (and from there, selecting the appropriate option), or calling the customer service line of the communications provider.

Conclusion: Is the CPNI Relevant Today?

Given the fact that the legislation surrounding the usage of CPNI is now over twenty years old, its relevance is now being seriously questioned. For example, before its passage, many communications providers had access to all of the information they could ever need in order to offer their customers better products and services.

But this also led to monopolistic practices. During those times, the larger communications providers (such as AT&T and MCI) could get easy access to the information because they had the resources at hand to do so, as opposed to the much smaller providers who did not have this extra capital.

Thus, another primary reason for the passage of the CPNI was to level the playing field amongst all of the communications carriers so that they all could have equal access to this information, given that they had explicit permission from the customer.

But given how tightly-regulated CPNI is these days and how difficult it can be for a communications provider to get access to the information on other customers, many experts are questioning if it’s even worth enforcing. There is no easy answer to this.

Another trend that has greatly impacted the timeliness of the CPNI is the use of social media. Given the heavy usage of Twitter, Facebook, LinkedIn, Instagram and so forth, information on their subscriber base can be accessed much more easily and used for marketing purposes, even by communications providers.

It’s uncertain what the future holds for CPNI. Until we find that out, though, it’s important for businesses and providers to be aware of CPNI and the ways in which it can impact their operations.

Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at www.biometricnews.net (or http://biometricnews.blog/); and contact Ravi at ravi.das@biometricnews.net.