Title 47
SECTION 64.5109
64.5109 Safeguards required for use of customer proprietary network information.
§ 64.5109 Safeguards required for use of customer proprietary network information.(a) TRS providers shall implement a system by which the status of a customer's CPNI approval can be clearly established prior to the use of CPNI. Except as provided for in §§ 64.5105 and 64.5108(f) of this subpart, TRS providers shall provide access to and shall require all personnel, including any agents, contractors, and subcontractors, who have contact with customers to verify the status of a customer's CPNI approval before using, disclosing, or permitting access to the customer's CPNI.
(b) TRS providers shall train their personnel, including any agents, contractors, and subcontractors, as to when they are and are not authorized to use CPNI, including procedures for verification of the status of a customer's CPNI approval. TRS providers shall have an express disciplinary process in place, including in the case of agents, contractors, and subcontractors, a right to cancel the applicable contract(s) or otherwise take disciplinary action.
(c) TRS providers shall maintain a record, electronically or in some other manner, of their own and their affiliates' sales and marketing campaigns that use their customers' CPNI. All TRS providers shall maintain a record of all instances where CPNI was disclosed or provided to third parties, or where third parties were allowed access to CPNI. The record shall include a description of each campaign, the specific CPNI that was used in the campaign, including the customer's name, and what products and services were offered as a part of the campaign. TRS providers shall retain the record for a minimum of three years.
(d) TRS providers shall establish a supervisory review process regarding TRS provider compliance with the rules in this subpart for outbound marketing situations and maintain records of TRS provider compliance for a minimum period of three years. Sales personnel must obtain supervisory approval of any proposed outbound marketing request for customer approval.
(e) A TRS provider shall have an officer, as an agent of the TRS provider, sign and file with the Commission a compliance certification on an annual basis. The officer shall state in the certification that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The TRS provider must provide a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart. In addition, the TRS provider must include an explanation of any actions taken against data brokers, a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI, and a report detailing all instances where the TRS provider, or its agents, contractors, or subcontractors, used, disclosed, or permitted access to CPNI without complying with the procedures specified in this subpart. In the case of iTRS providers, this filing shall be included in the annual report filed with the Commission pursuant to § 64.606(g) of this part for data pertaining to the previous year. In the case of all other TRS providers, this filing shall be made annually with the Disability Rights Office of the Consumer and Governmental Affairs Bureau on or before March 1 in CG Docket No. 03-123 for data pertaining to the previous calendar year.
(f) TRS providers shall provide written notice within five business days to the Disability Rights Office of the Consumer and Governmental Affairs Bureau of the Commission of any instance where the opt-out mechanisms do not work properly, to such a degree that consumers' inability to opt-out is more than an anomaly.
(1) The notice shall be in the form of a letter, and shall include the TRS provider's name, a description of the opt-out mechanism(s) used, the problem(s) experienced, the remedy proposed and when it will be/was implemented, whether the relevant state commission(s) has been notified, if applicable, and whether the state commission(s) has taken any action, a copy of the notice provided to customers, and contact information.
(2) Such notice shall be submitted even if the TRS provider offers other methods by which consumers may opt-out.
[79 FR 40613, July 5, 2013]