cpni filling documents - 2014 - rules and compliances

8/12/2019 CPNI Filling Documents - 2014 - Rules and Compliances

1/14

Author: Thiago D. Modelli Revision: CPNI2014.3 Created on: 2.28.2014Status: Draft Certification docket Modified on: N/ACPNI Policies & ProceduresAnnual statement of FCC CPNI rule compliance

1 |P a g e

This document is proprietary and confidential.

Copyright ownership of ESI. All rights reserved.

Annual statement of PCC CPNI rule

compliance - 2014


2/14


2 |P a g e



Revision HistoryVersion Date Author ModificationsD001 2.28.2014 Bob Russo Document initiationNew template execution


3/14


3 |P a g e



Table of contents

1. Introduction ____________________________________________________________________ 4

2. Stakeholders ____________________________________________________________________ 4

2.1. Companies & Affiliates ______________________________________________________________ 4

2.2. People & Roles _____________________________________________________________________ 4

3. Statement ______________________________________________________________________ 4

3.1. Duty to Protect CPNI ________________________________________________________________ 4

3.2. Our Own Use of CPNI ________________________________________________________________ 5

3.2.1. Marketing _______________________________________________________________________________ 53.2.2. Provision of services ______________________________________________________________________ 5

3.3. Authenticating customers before disclosing CPNI _________________________________________ 6

3.3.1. Telephone _______________________________________________________________________________ 7

3.3.2. In Person Authentication ___________________________________________________________________ 8

3.3.3. By mail _________________________________________________________________________________ 8

3.3.4. Online access ____________________________________________________________________________ 8

3.4. Customer Notification of CPNI Rights ___________________________________________________ 8

3.5. Training and Discipline ______________________________________________________________ 9

3.6. Record keeping ____________________________________________________________________ 9

3.7. Notification of account changes _______________________________________________________ 9

3.8. Unauthorized disclosure of CPNI ______________________________________________________ 9

4. Requirements, Baseline & Definition _______________________________________________ 10

4.1. 47 CFR 64 ________________________________________________________________________ 10

4.2. Definitions _______________________________________________________________________ 11

Attachment I ________________________________________________ Error! Bookmark not defined.


4/14


4 |P a g e



1. IntroductionCustomer proprietary network information (CPNI) is the data collected by telecommunications companies about

a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the typeof network a consumer subscribes to, and any other information that appears on the consumer's telephone bill.

The FCC regulations on the release of this information are strict. We must be sure that we release no call

information to any party that is not properly authorized. We can verify information that is given to us and if a

specific call is identified to us (such as from which number, the number dialed and the time of the call) we can

discuss that particular call but otherwise we cannot reveal phone numbers, IP addressing or routing details.

2. Stakeholders2.1. Companies & Affiliates ESI hosted Services, LLC499 ID: Estech Systems, Inc.2.2. People & Roles George PlattExecutive ReviewerCEO/President Karen boydLegal Counsel - Officer Bob RussoProcess CreatorNetwork Operations Manager Thiago ModelliProcess ownerDirector of Operations

3. StatementESI Hosted Services, LLC has created a CPNI Policy set containing procedures that it has adopted to ensure the

protection of CPNI. The handbook describes our procedures in greater detail and provides practical guidance on

how to protect against unauthorized disclosure or use of CPN. The policy documentation is distributed to our

employees during training and serves as an important reference tool for our employees.

3.1. Duty to Protect CPNIWe as a communications company recognize our duty to protect customer CPN!. We may not disclose CPNI

to unauthorized persons, nor may we use CPNI in certain ways without consent from our customers. Before

we can provide customers with their own CPNI, we must authenticate the customer.

We recognize that there are a few cases in which we can disclose CPNI without first obtaining customer

approval:

a. Administrative use: We may use CPNI to initiate, render, bill and collect for communications services.b. Protection of carrier and third parties: We may use CPNI to protect the interests of our company, such

as to prevent fraud or illegal use of our systems and network. Employees are notified of the steps to

take, if any, in these sorts of situations.


5/14


5 |P a g e



c. As required by law: We may disclose CPNI if we are required to by law, such as through legal process(subpoenas) or in response to requests by law enforcement. Employees are notified of any steps they

must take in these situations.

3.2. Our Own Use of CPNIWe may use CPNI to provide or market services to our existing customers. We understand that we are

required to obtain customers approval prior to using CPNI in certain ways.

3.2.1. MarketingWe understand that we do not need to obtain customer approval before using CPNI to market services

to our existing customers within the categories of service to which the customer already subscribes.

We understand that we may not use CPNI to market services that are in a service category to which the

customer does not already subscribe without customer approval.We understand that we cannot use CPNI to solicit a customer to add a new category of service without first

obtaining the customer's approval.

We also understand that we do not need customer consent before using CPNI to market "adjunct to-basic"

services such as speed dialing, computer-provided directory assistance, call monitoring, call tracing, call

blocking, call return, repeat dialing, call tracking, call waiting, caller ID, call forwarding, and certain Centrex

features.

We understand that we may not use CPNI to identify or track customers that call competing service

providers.

We regularly review our marketing practices to determine when and how CPNI is used within the company,

and whether CPNI is being shared with other entities. We also review new marketing or sales campaigns to

ensure compliance with these CPNI policies and with the FCC's CPNI regulations. We will only share CPNI with

our affiliate ESI Hosted Services..

3.2.2. Provision of servicesWe understand that we do not need customer approval to use CPNI to provide CPE and call answering, voice

mail or messaging, voice storage and retrieval services, fax store and forward, and protocol conversion.


6/14


6 |P a g e



3.3. Authenticating customers before disclosing CPNIWe understand that we are required to objectively determine that our customers are who they say they arebefore disclosing CPNI to them. With this in mind, a workflow for such process has been attached as figure one

and the required process for each access method is expressed bellow.


7/14


7 |P a g e



Customer request CPNI

information

Does customer give

specific call information

You are free to dicuss details

for call

Yes

Is there a Kyako ticket

open concerning issue

No

You may enter details on

existing ticket

Yes

Can caller create Kyako

ticket under authorized

log-in

You may enter details on

created ticket.

No

Yes

Customers Person of Record must

make written request* or allow

authorized log-in to Kyako for caller

No

* Written request can come

from the billing address of

the account, or fromaccounts email address of

record

Fig. 1

3.3.1. TelephoneWe understand that when a customer calls, we may not release call detail information, or information

relating to the transmission of specific telephone calls until we have obtained the account password from the

caller, or have called the customer back at the telephone number of record to ensure that the customer is


8/14


8 |P a g e



who s/he says s/he is. Alternatively, we may offer to send the call detail information to the address of record

or provide it to the customer or authorized individual in person after s/he has produced valid photo

identification at our office.

We understand that we may disclose non-call detail information over the telephone after authenticating thecustomer by calling back the telephone number of record, checking valid photo identification, or by mailing

the information to the account address of record.

3.3.2. In Person AuthenticationWe understand that before we can disclose CPNI to customers in person, the customer must present valid

government-issued photo identification. The name on the photo identification must match the name on the

account. If the customer cannot present the required identification, we offer to provide the requested CPNI

by sending it to the account address of record.

Before providing the CPNI to the customer, we make a copy of the photo identification. This copy is then

placed in the customer's file, together with a copy of the CPNI provided to the customer. These records are

then kept in the customer file in accordance with our record-keeping policies.

3.3.3. By mailIf the customer requests CPNI through regular mail, or if the customer cannot comply with one of the

authentication methods above, we send the requested information to the customer's address of record only.

3.3.4. Online accessOnline access of CPNI data is available via password protected technics to authenticate the customer for

direct access. Secured password reset technics via registered account email has been implemented and

it is enforced following the same requirements as above.

3.4. Customer Notification of CPNI RightsWe provide a CPNI privacy policy to all customers online, via our website and support tools. This policy providesnotification to each customer of his/her right to restrict use of, disclosure of, and access to that customer's

CPNI. We provide additional copies of the CPNI privacy policy to all customers who request it and to all new

customers upon activation of service.

The policy contains an opt-out customer approval notice. Customers who do not wish to allow us to use their

CPNI to market services outside their existing service categories, or who do not wish to allow us to share their

CPNI with affiliates, have 30 days to contact us to tell us that they do not approve of this use. If we do not hear

back from the customer within 30 days, we understand that we are free to use their CPNI for these purposes. We

understand that customers can change their option at any time by contacting us, and we notify our customers of

this right.

We maintain records of the customers who received the opt-out approval notice and records of the customers

who contacted us to opt out in accordance with our record-keeping policies.

We understand that we must provide written notice to the FCC within five (5) business days if our opt-out

mechanisms do not work properly to the degree that our customers' inability to opt out is more than an anomaly.


9/14


9 |P a g e



3.5. Training and DisciplineWe provide our internal policy and employee handbook to every new employee, and require new and

existing employees to sign acceptance of the employee handbook and any attached policy.Also, existingemployees are required to review and accept any existing or modified policies on a periodic basis, following

standard company policies for hand-book distribution and acceptance.

Violation by company employees of such CPNI requirements will lead to disciplinary action (including remedial

training, reprimands, unfavorable performance reviews, and probation), depending upon the circumstances of

the violation (including the severity of the violation, whether appropriate guidance was sought, and the extent to

which the violation was or was not deliberate or malicious.

Disciplinary records are maintained in the company files in accordance with our record-keeping policies.

3.6. Record keepingWe maintain the following records in our files for two (2) years:

a. Records relating to the annual mailing of the customer CPNI privacy policy;b. Records of customer approval or disapproval of CPNI use, or the limitation or revocation thereof;c. Records of disclosure or provision of CPNI to third parties for marketing purposes, including Buckland

Telephone Company's and affiliates' sales and marketing campaigns using customer CPNI, the CPNI used, and

what products and services were offered as part of the campaign;

d. Employee disciplinary records; ande. Records of discovered CPNI breaches, notifications to law enforcement regarding breaches, and any

responses from law enforcement regarding those breaches.

3.7.

Notification of account changesWe understand that we are required to notify customers when changes have been made to passwords, customer

responses to back-up means of authentication, or addresses of record by mailing a notification to the account

address of record. We do not reveal the changed account data in the notification

3.8. Unauthorized disclosure of CPNIWe understand that we must report CPNI breaches to law enforcement no later than seven (7) business days

after determining the breach has occurred, by sending electronic notification through the link at

http://www.fcc.gov/eb/CPNII to the central reporting facility, which will then notify the United States Secret

Service (USSS) and the Federal Bureau of Investigation (FBI).

We understand that we may not notify customers or the public of the breach earlier than seven (7) days after we

have notified law enforcement through the central reporting facility. If we wish to notify customers or the publicimmediately, where we feel that there is "an extraordinarily urgent need to notify" to avoid "immediate and

irreparable harm," we inform law enforcement of our desire to notify and comply with law enforcement's

directions.

Records relating to such notifications are kept in accordance with our record-keeping policies.

These records include: (i) the date we discovered the breach, (ii) the date we notified law enforcement, (iii) a

detailed description of the CPNI breached, and (iv) the circumstances of the breach.


10/14


10 |P a g e



During the course of the year, we compile information regarding pretexted attempts to gain improper access to

CPNI, including any breaches or attempted breaches. We include this information in our annual CPNI compliance

certification filed with the FCC.

4. Requirements, Baseline & Definition4.1. 47 CFR 64 64.2010 Safeguards on the disclosure of customer proprietary network information.

(a)Safeguarding CPNI.Telecommunications carriers must take reasonable measures to discover and protect

against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate

a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an

in-store visit.

(b)Telephone access to CPNI.Telecommunications carriers may only disclose call detail information over the

telephone, based on customer-initiated telephone contact, if the customer first provides the carrier with a

password, as described in paragraph (e) of this section, which is not prompted by the carrier asking for readily

available biographical information, or account information. If the customer does not provide a password, the

telecommunications carrier may only disclose call detail information by sending it to the customer's address of

record, or by calling the customer at the telephone number of record. If the customer is able to provide call

detail information to the telecommunications carrier during a customer-initiated call without the

telecommunications carrier's assistance, then the telecommunications carrier is permitted to discuss the call

detail information provided by the customer.

(c)Online access to CPNI.A telecommunications carrier must authenticate a customer without the use of readilyavailable biographical information, or account information, prior to allowing the customer online access to CPNI

related to a telecommunications service account. Once authenticated, the customer may only obtain online

access to CPNI related to a telecommunications service account through a password, as described in paragraph

(e) of this section, that is not prompted by the carrier asking for readily available biographical information, or

account information.

(d)In-store access to CPNI.A telecommunications carrier may disclose CPNI to a customer who, at a carrier's

retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the

customer's account information.

(e)Establishment of a Password and Back-up Authentication Methods for Lost or Forgotten Passwords.To

establish a password, a telecommunications carrier must authenticate the customer without the use of readily

available biographical information, or account information. Telecommunications carriers may create a back-up

customer authentication method in the event of a lost or forgotten password, but such back-up customer

authentication method may not prompt the customer for readily available biographical information, or account


11/14


11 |P a g e



information. If a customer cannot provide the correct password or the correct response for the back-up

customer authentication method, the customer must establish a new password as described in this paragraph.

(f)Notification of account changes.Telecommunications carriers must notify customers immediately whenever

a password, customer response to a back-up means of authentication for lost or forgotten passwords, online

account, or address of record is created or changed. This notification is not required when the customer initiates

service, including the selection of a password at service initiation. This notification may be through a carrier-

originated voicemail or text message to the telephone number of record, or by mail to the address of record,

and must not reveal the changed information or be sent to the new account information.

(g)Business customer exemption.Telecommunications carriers may bind themselves contractually to

authentication regimes other than those described in this section for services they provide to their business

customers that have both a dedicated account representative and a contract that specifically addresses the

carriers' protection of CPNI.

4.2. Definitions(a)Account information.Account information is information that is specifically connected to the customer's

service relationship with the carrier, including such things as an account number or any component thereof, the

telephone number associated with the account, or the bill's amount.

(b)Address of record.An address of record, whether postal or electronic, is an address that the carrier has

associated with the customer's account for at least 30 days.

(c)Affiliate.The term affiliate has the same meaning given such term in section 3(1) of the Communications Act

of 1934, as amended,47 U.S.C. 153(1).

(d)Call detail information.Any information that pertains to the transmission of specific telephone calls,

including, for outbound calls, the number called, and the time, location, or duration of any call and, for inbound

calls, the number from which the call was placed, and the time, location, or duration of any call.

(e)Communications-related services.The term communications-related services means telecommunications

services, information services typically provided by telecommunications carriers, and services related to theprovision or maintenance of customer premises equipment.

(f)Customer.A customer of a telecommunications carrier is a person or entity to which the telecommunications

carrier is currently providing service.
http://www.law.cornell.edu/uscode/text/47/153#1http://www.law.cornell.edu/uscode/text/47/153#1http://www.law.cornell.edu/uscode/text/47/153#1http://www.law.cornell.edu/uscode/text/47/153#1


12/14


12 |P a g e



(g)Customer proprietary network information (CPNI).The term customer proprietary networkinformation

(CPNI) has the same meaning given to such term in section 222(h)(1) of the Communications Act of 1934, as

amended,47 U.S.C. 222(h)(1).

(h)Customer premises equipment (CPE).The term customer premises equipment (CPE) has the same meaning

given to such term in section 3(14) of the Communications Act of 1934, as amended,47 U.S.C. 153(14).

(i)Information services typically provided by telecommunications carriers.The phrase information services

typically provided by telecommunications carriers means only those information services (as defined in section

3(20) of the Communication Act of 1934, as amended,47 U.S.C. 153(20))that are typically provided by

telecommunications carriers, such as Internet access or voice mail services. Such phrase information services

typically provided by telecommunications carriers, as used in this subpart, shall not include retail consumer

services provided using Internet Web sites (such as travel reservation services or mortgage lending services),

whether or not such services may otherwise be considered to be information services.

(j)Local exchange carrier (LEC).The term local exchange carrier (LEC) has the same meaning given to such term

in section 3(26) of the Communications Act of 1934, as amended,47 U.S.C. 153(26).

(k)Opt-in approval.The term opt-in approval refers to a method for obtaining customer consent to use,

disclose, or permit access to the customer's CPNI. This approval method requires that the carrier obtain from the

customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the

customer is provided appropriate notification of the carrier's request consistent with the requirements set forth

in this subpart.

(l)Opt-out approval.The term opt-out approval refers to a method for obtaining customer consent to use,

disclose, or permit access to the customer's CPNI. Under this approval method, a customer is deemed to have

consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto

within the waiting period described in 64.2008(d)(1)after the customer is provided appropriate notification of

the carrier's request for consent consistent with the rules in this subpart.

(m)Readily available biographical information.Readily available biographical information is information

drawn from the customer's life history and includes such things as the customer's social security number, or thelast four digits of that number; mother's maiden name; home address; or date of birth.

(n)Subscriber list information (SLI).The term subscriber list information (SLI) has the same meaning given to

such term in section 222(h)(3) of the Communications Act of 1934, as amended,47 U.S.C. 222(h)(3).
http://www.law.cornell.edu/uscode/text/47/222#h_1http://www.law.cornell.edu/uscode/text/47/222#h_1http://www.law.cornell.edu/uscode/text/47/222#h_1http://www.law.cornell.edu/uscode/text/47/153#14http://www.law.cornell.edu/uscode/text/47/153#14http://www.law.cornell.edu/uscode/text/47/153#14http://www.law.cornell.edu/uscode/text/47/153#20http://www.law.cornell.edu/uscode/text/47/153#20http://www.law.cornell.edu/uscode/text/47/153#20http://www.law.cornell.edu/uscode/text/47/153#26http://www.law.cornell.edu/uscode/text/47/153#26http://www.law.cornell.edu/uscode/text/47/153#26http://www.law.cornell.edu/cfr/text/47/64.2008#d_1http://www.law.cornell.edu/cfr/text/47/64.2008#d_1http://www.law.cornell.edu/cfr/text/47/64.2008#d_1http://www.law.cornell.edu/uscode/text/47/222#h_3http://www.law.cornell.edu/uscode/text/47/222#h_3http://www.law.cornell.edu/uscode/text/47/222#h_3http://www.law.cornell.edu/uscode/text/47/222#h_3http://www.law.cornell.edu/cfr/text/47/64.2008#d_1http://www.law.cornell.edu/uscode/text/47/153#26http://www.law.cornell.edu/uscode/text/47/153#20http://www.law.cornell.edu/uscode/text/47/153#14http://www.law.cornell.edu/uscode/text/47/222#h_1


13/14


13 |P a g e



(o)Telecommunications carrier or carrier.The terms telecommunications carrier or carrier shall have the

same meaning as set forth in section 3(44) of the Communications Act of 1934, as amended,47 U.S.C. 153(44).

For the purposes of this subpart, the term telecommunications carrier or carrier shall include an entity thatprovides interconnected VoIP service, as that term is defined in section 9.3 of these rules.

(p)Telecommunications service.The term telecommunications service has the same meaning given to such

term in section 3(46) of the Communications Act of 1934, as amended,47 U.S.C. 153(46).

(q)Telephone number of record.The telephone number associated with the underlying service, not the

telephone number supplied as a customer's contact information.

(r)Valid photo ID.A valid photo ID is a government-issued means of personal identification with a photograph

such as a driver's license, passport, or comparable ID that is not expired.

[72 FR 31961,June 8, 2007]
http://www.law.cornell.edu/uscode/text/47/153#44http://www.law.cornell.edu/uscode/text/47/153#44http://www.law.cornell.edu/uscode/text/47/153#44http://www.law.cornell.edu/uscode/text/47/153#46http://www.law.cornell.edu/uscode/text/47/153#46http://www.law.cornell.edu/uscode/text/47/153#46http://frwebgate.access.gpo.gov/cgi-bin/getpage.cgi?dbname=2007_register&position=all&page=31961http://frwebgate.access.gpo.gov/cgi-bin/getpage.cgi?dbname=2007_register&position=all&page=31961http://frwebgate.access.gpo.gov/cgi-bin/getpage.cgi?dbname=2007_register&position=all&page=31961http://frwebgate.access.gpo.gov/cgi-bin/getpage.cgi?dbname=2007_register&position=all&page=31961http://www.law.cornell.edu/uscode/text/47/153#46http://www.law.cornell.edu/uscode/text/47/153#44


14/14


14 |P a g e

