CPNI Compliance Policies of Computer 5*, Inc. d/b/a LocalTel Communications
Computer 5*, Inc. d/b/a LocalTel Communications ("LocalTel") has implemented the following policies and procedures to protect the confidentiality of Customer Proprietary Network Information ("CPNI") and to assure compliance with the rules of the Federal Communications Commission ("FCC") set forth in 47 C.F.R. Part 64, Subpart U, Section 2001 et seq.
CPNI is "(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier."
I. USE, DISCLOSURE OF, AND ACCESS TO CPNI
LocalTel will use, disclose, or permit access to individually identifiable CPNI only in its provision of the communications service from which such information is derived; for services necessary to, or used in, the provision of such communications service, including the publishing of directories; to initiate, render, bill and collect for telecommunications services; to protect the rights or property of LocalTel, or to protect users or other carriers or service providers from fraudulent or illegal use of, or subscription to, such services; to market services within the package of services to which the customer already subscribes, including, for local exchange customers, to market voice mail or services formerly known as adjunct-to-basic services (such as, but not limited to, speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain centrex features); to provide inbound marketing, referral or administrative services to the customer for the duration of the call, if the call was initiated by the customer and the customer approves of the carrier's use to provide such service; to provide inside wiring installation, maintenance, or repair services; as required by law (such as pursuant to a valid request from law enforcement or a court order or other appropriate authority); or as expressly authorized by the customer.
LocalTel does not use a customer's CPNI to market services in a category of service that it does not already provide to that subscriber. LocalTel does not use, disclose or permit access to CPNI to identify or track customers that call competing service providers.
All uses of CPNI for outbound marketing and any request for customer approval for such use must be pre-approved by a marketing supervisor or the CPNI Compliance Supervisor.
II. SAFEGUARDS AGAINST DISCLOSURE OF CPNI TO UNAUTHORIZED PARTIES
Above and beyond the specific FCC requirements, LocalTel will take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. If LocalTel becomes aware of new methods that are being used or could be used by third parties to attempt to obtain unauthorized access to a customer's CPNI, or of possible changes to LocalTel's existing policies that would strengthen protection of CPNI, LocalTel will evaluate whether existing policies should be supplemented or changed.
A. Inbound Calls to LocalTel Requesting CPNI
Call Detail Information (CDI) includes any information that pertains to the transmission of specific telephone calls, including, for outbound calls, the number called, and the time, location, or duration of any call and, for inbound calls, the number from which the call was placed, and the time, location, or duration of any call. LocalTel will not provide CDI to an inbound caller except under the following conditions:
- A CSR can reveal CDI if the caller provides the Personal Identification Number (PIN) that LocalTel assigns to the customer's account. LocalTel issues a randomly-assigned 6- digit PIN for each account and prints the PIN on each invoice mailed to the customer's address of record. Because the PIN is randomly assigned, it is not expected to consist of any material portion of the customer's account number, telephone number, street address, zip code, social security number, date of birth, or other biographical or account information. PINs will also not consist of easily-guessed numbers such as 000000 or 123456. LocalTel will change a PIN upon the request of a customer (if customer provides current PIN or presents a photo ID at a company business office) or if it has reason to believe that the security of the PIN has been compromised.
- The CSR may offer to call the caller back at the customer's telephone number of record. The CSR may not rely on Caller ID information to assume that the caller is calling from such number; they must disconnect the inbound call and make a new outbound call to that number.
- The CSR may offer to send a copy of a bill or requested CDI to a mailing address of record for the account, but only if such address has been on file with LocalTel for at least 30 days.
B. Online Access to CPNI
Access to certain limited billing and usage information is available to customers via MyLocalTel.net. The first instance in which a customer seeks to obtain access, they are required to enter their account number and PIN (as described in section A above). After correct entry of this information, the user must enter an email address and a password for their online account. This password can only be changed online and only after the user has correctly entered their login ID and password, except for the process for resetting a password described below. In the event that a customer later forgets their password, they may submit a request to reset their password; to reset a password, the user must enter their account number and PIN. When establishing, changing or resetting a password, the portal instructs the user that passwords should not consist of any portion of their account number, telephone number, street address, zip code, social security number, date of birth, words, or easily-guessed strings of characters. If there are 5 or more failed attempts at access to an online account without an intervening successful login, the account will be locked for 15 minutes to protect it from serial access attempts by an unauthorized person.
C. In-Person Disclosure of CPNI at LocalTel Offices
LocalTel may disclose a customer's CPNI to an authorized person visiting a LocalTel office upon verifying that person's identity through a valid, non-expired government-issued photo ID (such as a driver's license, passport, or comparable ID) matching the customer's account information.
D. Notice of Account Changes
When a PIN or password is created or changed, LocalTel will send a notice to customer's address of record notifying them of the change. When an address of record is created or changed, LocalTel will send a notice to customer's former address of record notifying them of the change. These notice requirements do not apply when the customer initiates service. Each of the notices provided under this paragraph will not reveal the changed information and will direct the customer to notify LocalTel immediately if they did not authorize the change.
III. REPORTING CPNI BREACHES TO LAW ENFORCEMENT
Federal law imposes very specific requirements upon LocalTel in the event that we become aware of any breach of customer CPNI. A breach includes any instance in which any person has intentionally gained access to, used, or disclosed a LocalTel customer's CPNI beyond their authorization to do so. LocalTel is required to report breaches of CPNI to federal law enforcement. Federal law prohibits us from notifying customers until such enforcement agencies have had at least 7 full business days to investigate the breach, or longer at their request. Once we are authorized to do so, we will promptly inform affected customers of the breach.
IV. RECORD RETENTION
The LocalTel Compliance Supervisor is responsible for assuring that we maintain for at least two years a record, electronically or in some other manner, of any breaches discovered, notifications made to the USSS and the FBI pursuant to these procedures, and notifications of breaches made to customers. The record must include, if available, dates of discovery and notification, a detailed description of the CPNI that was the subject of the breach, and the circumstances of the breach.
LocalTel maintains a record, for a period of at least one year, of: (1) those limited circumstances in which CPNI is disclosed or provided to third parties, or where third parties were allowed access to CPNI (pursuant to a valid request from law enforcement, court order or other appropriate authority); (2) of supervisory review of outbound marketing that proposes to use CPNI or to request customer approval to disclose CPNI; and (3) its sales and marketing campaigns that use its customers' CPNI, including a description of each campaign, the specific CPNI that was used in the campaign, and the products and services offered as a part of the campaign.
LocalTel maintains a record of all customer complaints related to their handling of CPNI, and records of LocalTel's handling of such complaints, for at least two years. The CPNI Compliance Supervisor will assure that all complaints are reviewed and that LocalTel considers any necessary changes to its policies or practices to address the concerns raised by such complaints.
LocalTel will have an authorized corporate officer, as an agent of the company, sign a compliance certificate on an annual basis stating that the officer has personal knowledge that LocalTel has established operating procedures that are adequate to ensure its compliance with FCC's CPNI rules. The certificate for each year will be filed with the FCC Enforcement Bureau in EB Docket No. 06-36 by March 1 of the subsequent year, and will be accompanied by a summary or copy of this policy that explain how LocalTel's operating procedures ensure that it is in compliance with the FCC's CPNI rules. In addition, the filing must include an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. Confidential portions of these submissions shall be redacted from the public version of the filing and provided only to the FCC.
LocalTel requires CPNI training for all CSRs, technical support personnel and all personnel at retail offices that may receive requests for CPNI.