[Federal Register: June 8, 2007 (Volume 72, Number 110)]
[Rules and Regulations]
[Page 31948-31963]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr08jn07-17]
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Part 64
[CC Docket No. 96-115, WC Docket No. 04-36; FCC 07-22]
Customer Proprietary Network Information
AGENCY: Federal Communications Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Commission adopted rules to implement section 222 of the
Communications Act of 1934, as amended, which governs carriers' use and
disclosure of customer proprietary network information. In this
document, the Commission responds to the practice of ``pretexting'' by
strengthening its rules to protect the privacy of customer proprietary
network information (CPNI) that is collected and held by providers of
communications services.
DATES: Revised paragraph (o) of Sec. 64.2003, new paragraphs (a), (b),
(d), (m), (q), and (r) of Sec. 64.2003, revised paragraph (c)(3) of
Sec. 64.2005, revised paragraph (b) of Sec. 64.2007, revised
paragraph (e) of 64.2009, and new Sec. Sec. 64.2010 and 64.2011
contain information collection requirements that have not been approved
by the Office of Management and Budget (OMB). The Commission will
publish a document in the Federal Register announcing the effective
date. Written comment by the public on the modified information
collection requirements are due August 7, 2007. Paragraphs (c), (e)
through (l), (n), and (p) of Sec. 64.2003 do not contain information
collection requirements that have not been approved by OMB and
therefore are effective on June 8, 2007.
FOR FURTHER INFORMATION CONTACT: Adam Kirschenbaum, (202) 418-7280,
Wireline Competition Bureau.
For additional information concerning the Paperwork Reduction Act
information collection requirements contained in this document, contact
Judith B. Herman at (202) 418-0214, or via e-mail at
Judith-B.Herman@fcc.gov.
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Report
and Order (Order) in CC Docket No. 96-115 and WC Docket No. 04-36, FCC
07-22, adopted March 13, 2007, and released April 2, 2007. The complete
text of this document is available for inspection and copying during
normal business hours in the FCC Reference Information Center, Portals
II, 445 12th Street, SW., Room CY-A257, Washington, DC 20554. This
document may also be purchased from the Commission's duplicating
contractor, Best Copy and Printing, Inc., 445 12th Street, SW., Room
CY-B402, Washington, DC 20554, telephone (800) 378-3160 or (202) 863-
2893, facsimile (202) 863-2898, or via e-mail at http://www.bcpiweb.com.
It is also available on the Commission's Web site at
http://www.fcc.gov.
In addition to filing comments with the Office of the Secretary, a
copy of any comments on the Paperwork Reduction Act information
collection requirements contained herein should be submitted to Judith
B. Herman, Federal Communications Commission, Room 1-C804, 445 12th
Street, SW., Washington, DC 20554, or via the Internet to
Judith-B.Herman@fcc.gov.
Synopsis of the Report and Order
1. On August 30, 2005, the Electronic Privacy Information Center
(EPIC) filed a petition with the Commission asking the Commission to
investigate telecommunications carriers' current security practices and
to initiate a rulemaking proceeding to consider establishing more
stringent security standards for telecommunications carriers to govern
the disclosure of CPNI. In particular, EPIC proposed that the
Commission consider requiring the use of consumer-set passwords,
creating audit trails, employing encryption, limiting data retention,
and improving notice procedures. On February 14, 2006, the Commission
released the EPIC CPNI Notice, 71 FR 13317 (March 15, 2006), in which
it sought comment on (a) the nature and scope of the problem identified
by EPIC, including pretexting, and (b) what additional steps, if any,
the Commission should take to protect further the privacy of CPNI.
Specifically, the Commission sought comment on the five EPIC proposals
listed above. In addition, the Commission tentatively concluded that it
should amend its rules to require carriers annually to file their
section 64.2009(e) certifications with the Commission. It also sought
comment on whether it should require carriers to obtain a customer's
opt-in consent before the carrier shares CPNI with its joint venture
partners and independent contractors; whether to impose rules relating
to how carriers verify customers' identities; whether to adopt a set of
security requirements that could
[[Page 31949]]
be used as the basis for liability if a carrier failed to implement
such requirements, or adopt a set of security requirements that a
carrier could implement to exempt itself from liability; whether VoIP
service providers or other IP-enabled service providers should be
covered by any new rules the Commission adopts in the present
rulemaking; and other specific proposals that might increase the
protection of CPNI.
2. In this Order, the Commission responds to the practice of
``pretexting'' by strengthening its rules to protect the privacy of
customer proprietary network information (CPNI) that is collected and
held by providers of communications services (hereinafter,
communications carriers or carriers). Section 222 of the Communications
Act requires telecommunications carriers to take specific steps to
ensure that CPNI is adequately protected from unauthorized disclosure.
In the Order, the Commission strengthens its privacy rules by adopting
additional safeguards to protect customers' CPNI against unauthorized
access and disclosure.
3. The Order is directly responsive to the actions of data brokers,
or pretexters, to obtain unauthorized access to CPNI. As EPIC pointed
out in its petition that led to this rulemaking proceeding, numerous
Web sites advertise the sale of personal telephone records for a price.
These data brokers have been able to obtain private and personal
information, including what calls were made to and/or from a particular
telephone number and the duration of such calls. In many cases, the
data brokers claim to be able to provide this information within fairly
quick time frames, ranging from a few hours to a few days. The
additional privacy safeguards the Commission adopts in the Order will
sharply limit pretexters' ability to obtain unauthorized access to this
type of personal customer information from carriers the Commission
regulates.
4. The Commission finds that the release of call detail over the
telephone presents an immediate risk to privacy and therefore it
prohibits carriers from releasing call detail information based on
customer-initiated telephone contact except under three circumstances.
First, a carrier can release call detail information if the customer
provides the carrier with a pre-established password. Second, a carrier
may, at the customer's request, send call detail information to the
customer's address of record. Third, a carrier may call the telephone
number of record and disclose call detail information. A carrier may
disclose non-call detail CPNI to a customer after the carrier
authenticates the customer.
5. The Commission does not intend for the prohibition on the
release of call detail over the telephone for customer-initiated
telephone contact to hinder routine carrier-customer relations
regarding service/billing disputes and questions. If a customer is able
to provide to the carrier, during a customer-initiated telephone call,
all of the call detail information necessary to address a customer
service issue (i.e., the telephone number called, when it was called,
and, if applicable, the amount charged for the call), then the carrier
is permitted to proceed with its routine customer care procedures. The
Commission believes that if a customer is able to provide this
information to the carrier, without carrier assistance, then the
carrier does not violate the Commission's rules if the carrier takes
routine customer service actions related to such information. The
Commission additionally clarifies that, under these circumstances,
carriers may not disclose to the customer any call detail information
about the customer account other than the call detail information that
the customer provides without the customer first providing a password.
The Commission's rule is intended to prevent pretexter phishing and
other pretexter methods for gaining unauthorized access to customer
account information.
6. The Commission also requires carriers to password protect online
access to CPNI. Although section 222 of the Act imposes a duty on
carriers to protect the privacy of CPNI, data brokers and others have
been able to access CPNI online without the account holder's knowledge
or consent. The Commission agrees with EPIC that the apparent ease with
which data brokers have been able to access CPNI online demonstrates
the insufficiency of carriers' customer authentication procedures. In
particular, the record evidence demonstrates that some carriers permit
customers to establish online accounts by providing readily available
biographical information. Thus, a data broker may obtain online account
access easily without the customer's knowledge. Therefore, the
Commission agrees with EPIC and others that use of such identifiers is
an insufficient mechanism for preventing data brokers from obtaining
unauthorized online access to CPNI.
7. The Commission continues to allow carriers to provide customers
with access to CPNI at a carrier's retail location if the customer
presents a valid photo ID and the valid photo ID matches the name on
the account. The Commission agrees with the Attorneys General and finds
that this is a secure authentication practice because it enables the
carrier to make a reasonable judgment about the customer's identity.
8. The Commission requires carriers to notify customers immediately
of certain account changes, including whenever a password, customer
response to a carrier-designed back-up means of authentication, online
account, or address of record is created or changed. The Commission
agrees with the New Jersey Ratepayer Advocate that this notification is
an important tool for customers to monitor their account's security.
This notification may be through a carrier-originated voicemail or text
message to the telephone number of record, or by mail to the address of
record, as to reasonably ensure that the customer receives this
notification. The Commission believes this measure is appropriate to
protect customers from data brokers that might otherwise manage to
circumvent the authentication protections the Commission adopts in this
Order, and to take appropriate action in the event of pretexter
activity. Further, the Commission finds that this notification
requirement will also empower customers to provide carriers with timely
information about pretexting activity, which the carriers may not be
able to identify easily.
9. The Commission does make an exception to the rules that it
adopts for certain business customers. The Commission agrees with
commenters who argue that privacy concerns of telecommunications
consumers are greatest when using personal telecommunications services.
Indeed, the fraudulent practices described by EPIC have mainly targeted
individual consumers, and the record indicates that the proprietary
information of wireline and wireless business account customers already
is subject to stringent safeguards, which are privately negotiated by
contract. Therefore, if the carrier's contract with a business customer
is serviced by a dedicated account representative as the primary
contact, and specifically addresses the carrier's protection of CPNI,
the Commission does not extend its carrier authentication rules to
cover these business customers, because businesses are typically able
to negotiate the appropriate protection of CPNI in their service
agreements. However, nothing in the Order exempts carriers serving
wireline enterprise and wireless business account customers from
section 222 or the remainder of the Commission's CPNI rules.
10. The Commission agrees with EPIC that carriers should be
required to notify a customer whenever a security breach
[[Page 31950]]
results in that customer's CPNI being disclosed to a third party
without that customer's authorization. However, the Commission also
appreciates law enforcement's concern about delaying customer
notification in order to allow law enforcement to investigate crimes.
Therefore, the Commission adopts a rule that it believes balances a
customer's need to know with law enforcement's ability to undertake an
investigation of suspected criminal activity, which itself might
advance the goal of consumer protection.
11. The Commission declines to specify the precise content of the
notice that must be provided to customers in the event of a security
breach of CPNI. The notice requirement the Commission adopts in this
proceeding is general, and the Commission recognizes that numerous
types of circumstances--including situations other than pretexting--
could result in the unauthorized disclosure of a customer's CPNI to a
third party. Thus, the Commission leaves carriers the discretion to
tailor the language and method of notification to the circumstances.
Finally, the Commission expects carriers to cooperate fully in any law
enforcement investigation of such unauthorized release of CPNI or
attempted unauthorized access to an account consistent with statutory
and Commission requirements.
12. The Commission agrees with commenters that techniques for fraud
vary and tend to become more sophisticated over time, and that carriers
need leeway to engage emerging threats. The Commission therefore
clarifies that carriers are free to bolster their security measures
through additional measures to meet their section 222 obligations to
protect the privacy of CPNI. The Commission also codifies the existing
statutory requirement contained in section 222 of the Act that carriers
take reasonable measures to discover and protect against activity that
is indicative of pretexting. Adoption of the rules in this Order does
not relieve carriers of their fundamental duty to remain vigilant in
their protection of CPNI, nor does it necessarily insulate them from
enforcement action for unauthorized disclosure of CPNI.
13. The Commission modifies its rules to require telecommunications
carriers to obtain opt-in consent from a customer before disclosing
that customer's CPNI to a carrier's joint venture partner or
independent contractor for the purpose of marketing communications-
related services to that customer. While the Commission realizes that
this is a change in Commission policy, it finds that new circumstances
force it to reassess its existing regulations. As the Commission has
found previously, the Commission has a substantial interest in
protecting customer privacy. Based on this and in light of new privacy
concerns, the Commission now finds that an opt-in framework for the
sharing of CPNI with joint venture partners and independent contractors
for the purposes of marketing communications-related services to a
customer both directly advances its interest in protecting customer
privacy and is narrowly tailored to achieve its goal of privacy
protection. Specifically, an opt-in regime will more effectively limit
the circulation of a customer's CPNI by maintaining it in a carrier's
possession unless a customer provides informed consent for its release.
Moreover, the Commission finds that an opt-in regime will provide
necessary informed customer choice concerning these information sharing
relationships with other companies.
14. To the extent that carriers voluntarily obtained opt-in
approval from their customers for the disclosure of customers' CPNI to
a joint venture partner or independent contractor for the purposes of
marketing communications-related services to a customer prior to the
adoption of this Order, those carriers can continue to use those
approvals.
15. The Commission adopts the Commission's tentative conclusion and
amends its rules to require carriers to file their annual CPNI
certification with the Commission, including an explanation of any
actions taken against data brokers and a summary of all customer
complaints received in the past year concerning the unauthorized
release of CPNI. The Commission finds that this amendment to the
Commission's rules is an appropriate measure and will ensure that
carriers regularly focus their attention on their duty to safeguard
CPNI. Additionally, the Commission finds that this modification to its
rules will remind carriers of the Commission's oversight and high
priority regarding carrier performance in this area. Further, with this
filing, the Commission will be better able to monitor the industry's
response to CPNI privacy issues and to take any necessary steps to
ensure that carriers are managing customer CPNI securely.
16. The Commission extends the application of the Commission's CPNI
rules to providers of interconnected VoIP service. In the IP-Enabled
Services Notice and the EPIC CPNI Notice, the Commission sought comment
on whether to extend the CPNI requirements to VoIP service providers.
Since the Commission has not decided whether interconnected VoIP
services are telecommunications services or information services as
those terms are defined in the Act, nor does it do so in this Order,
the Commission analyzes the issues addressed in this Order under its
Title I ancillary jurisdiction to encompass both types of service. If
the Commission later classifies interconnected VoIP service as a
telecommunications service, the providers of interconnected VoIP
services would be subject to the requirements of section 222 and the
Commission's CPNI rules as telecommunications carriers under Title II.
17. The Commission concludes that it has authority under Title I of
the Act to impose CPNI requirements on providers of interconnected VoIP
service. Ancillary jurisdiction may be employed, in the Commission's
discretion, when Title I of the Act gives the Commission subject matter
jurisdiction over the service to be regulated and the assertion of
jurisdiction is ``reasonably ancillary to the effective performance of
[its] various responsibilities.'' Both predicates for ancillary
jurisdiction are satisfied here. First, as the Commission concluded in
the Interim USF Order and VoIP 911 Order, interconnected VoIP services
fall within the subject matter jurisdiction granted to it in the Act.
Second, the Commission analysis requires it to evaluate whether
imposing CPNI obligations is reasonably ancillary to the effective
performance of the Commission's various responsibilities. Based on the
record in this matter, the Commission finds that sections 222 and 1 of
the Act provide the requisite nexus, with additional support from
section 706.
18. The Commission takes seriously the protection of customers'
private information and commit to remaining vigilant to ensure
compliance with applicable privacy laws within its jurisdiction. One
way in which the Commission will help protect consumer privacy is
through strong enforcement measures. When investigating compliance with
the rules and statutory obligations, the Commission will consider
whether the carrier has taken reasonable precautions to prevent the
unauthorized disclosure of a customer's CPNI. Specifically, the
Commission hereby puts carriers on notice that the Commission
henceforth will infer from evidence that a pretexter has obtained
unauthorized access to a customer's CPNI that the carrier did not
sufficiently protect that customer's CPNI. A carrier then must
demonstrate that the steps it
[[Page 31951]]
has taken to protect CPNI from unauthorized disclosure, including the
carrier's policies and procedures, are reasonable in light of the
threat posed by pretexting and the sensitivity of the customer
information at issue. If the Commission finds at the conclusion of its
investigation that the carrier indeed has not taken sufficient steps
adequately to protect the privacy of CPNI, the Commission may sanction
it for this oversight, including through forfeiture.
19. The Commission offers additional guidance regarding the
Commission's expectations that will inform its investigations. The
Commission fully expects carriers to take every reasonable precaution
to protect the confidentiality of proprietary or personal customer
information. Of course, the Commission requires carriers to implement
the specific minimum requirements set forth in the Commission's rules.
The Commission further expects carriers to take additional steps to
protect the privacy of CPNI to the extent such additional measures are
feasible for a particular carrier. For instance, although the
Commission declines to impose audit trail obligations on carriers at
this time, the Commission expects carriers through audits or other
measures to take reasonable measures to discover and protect against
activity that is indicative of pretexting. Similarly, although the
Commission does not specifically require carriers to encrypt their
customers' CPNI, the Commission expects a carrier to encrypt its CPNI
databases if doing so would provide significant additional protection
against the unauthorized access to CPNI at a cost that is reasonable
given the technology a carrier already has implemented.
Final Paperwork Reduction Act Analysis
20. This Order contains modified information collection
requirements subject to the Paperwork Reduction Act of 1995 (PRA),
Public Law 104-13. It will be submitted to the Office of Management and
Budget (OMB) for review under section 3507(d) of the PRA. OMB, the
general public, and other Federal agencies are invited to comment on
the new information collection requirements contained in this
proceeding. In addition, pursuant to the Small Business Paperwork
Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), the
Commission previously sought specific comment on how it might ``further
reduce the information collection burden for small business concerns
with fewer than 25 employees.''
21. In the Order, the Commission assessed the burdens placed on
small businesses to notify customers of account changes, to notify law
enforcement and customers of unauthorized CPNI disclosure; to obtain
opt-in consent prior to sharing CPNI with joint venture partners and
independent contractors; to file annually a CPNI certification with the
Commission, including an explanation of any actions taken against data
brokers and a summary of all consumer complaints received in the past
year concerning the unauthorized release of CPNI, and to extend the
CPNI rules to providers of interconnected VoIP services, and found that
these requirements do not place a significant burden on small
businesses.
Final Regulatory Flexibility Analysis
22. As required by the Regulatory Flexibility Act of 1980, as
amended (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was
incorporated in the EPIC CPNI Notice in CC Docket No. 96-115 and the
IP-Enabled Services Notice in WC Docket 04-36. The Commission sought
written public comment on the proposals in both notices, including
comment on the IRFA. The Commission received comments specifically
directed toward the IRFA from three commenters in CC Docket No. 96-115
and from three commenters in WC Docket No. 04-36. These comments are
discussed below. This Final Regulatory Flexibility Analysis (FRFA)
conforms to the RFA.
A. Need for, and Objectives of, the Rules
23. The Order strengthens the Commission's rules to protect the
privacy of CPNI that is collected and held by providers of
communications services. Section 222 of the Communications Act requires
telecommunications carriers to take specific steps to ensure that CPNI
is adequately protected from unauthorized disclosure. The Order adopts
additional safeguards to protect customers' CPNI against unauthorized
access and disclosure.
B. Summary of Significant Issues Raised by Public Comments in Response
to the IRFA
24. Comments Received in Response to the EPIC CPNI Notice. In this
section, the Commission responds to comments filed in response to the
IRFA. To the extent the Commission received comments raising general
small business concerns during the proceeding, those comments are
discussed throughout the Order.
25. The Commission disagrees with Alexicon that small carriers are
less vulnerable to unauthorized attempts to access CPNI. In fact,
Alexicon itself points out that one of its client companies actually
experienced an unauthorized access attempt, and thus the Commission
finds the steps it takes in the Order are applicable to all carriers.
The Commission does, however, agree with commenters that argue the
Commission should not adopt many of EPIC's suggested requirements. The
Commission also agrees with commenters that argue for flexible rules to
allow carriers to determine proper authentication methods for its
customers. Therefore, the Commission does not adopt specific
authentication methods, or back-up authentication methods for lost or
forgotten passwords and instead adopts rules that provide limits on the
types of authentication methods that meet section 222's mandate to
protect CPNI. Further, the Commission agrees with commenters that small
carriers should be provided additional time to implement the
requirements that the Commission does adopt in the Order. Thus, the
Commission provides small carriers with an additional six month
implementation period for the online carrier authentication
requirements adopted in the Order.
26. Comments Received in Response to the IP-Enabled Services
Notice. In this section, the Commission responds to comments filed in
response to the IRFA. To the extent the Commission received comments
raising general small business concerns during the proceeding, those
comments are discussed throughout the Order.
27. The Commission disagrees with the SBA and Francois D. Menard
(Menard) that the Commission should postpone acting in this
proceeding--thereby postponing extending the application of the CPNI
rules to interconnected VoIP service providers--and instead should
reevaluate the economic impact and the compliance burdens on small
entities and issue a further notice of proposed rulemaking in
conjunction with a supplemental IRFA identifying and analyzing the
economic impacts on small entities and less burdensome alternatives.
The Commission believes the additional steps suggested by SBA and
Menard are unnecessary because small entities already have received
sufficient notice of the issues addressed in the Order and because the
Commission has considered the economic impact on small entities and
what ways are feasible to minimize the burdens imposed on those
entities, and, to the extent feasible, has implemented those less
burdensome alternatives.
[[Page 31952]]
C. Description and Estimate of the Number of Small Entities to Which
Rules Will Apply
28. The RFA directs agencies to provide a description of and, where
feasible, an estimate of the number of small entities that may be
affected by the rules adopted herein. The RFA generally defines the
term ``small entity'' as having the same meaning as the terms ``small
business,'' ``small organization,'' and ``small governmental
jurisdiction.'' In addition, the term ``small business'' has the same
meaning as the term ``small business concern'' under the Small Business
Act. A small business concern is one which: (1) Is independently owned
and operated; (2) is not dominant in its field of operation; and (3)
satisfies any additional criteria established by the Small Business
Administration (SBA).
29. Small Businesses. Nationwide, there are a total of
approximately 22.4 million small businesses, according to SBA data.
30. Small Organizations. Nationwide, there are approximately 1.6
million small organizations.
31. Small Governmental Jurisdictions. The term ``small governmental
jurisdiction'' is defined generally as ``governments of cities, towns,
townships, villages, school districts, or special districts, with a
population of less than fifty thousand.'' Census Bureau data for 2002
indicate that there were 87,525 local governmental jurisdictions in the
United States. The Commission estimates that, of this total, 84,377
entities were ``small governmental jurisdictions.'' Thus, the
Commission estimates that most governmental jurisdictions are small.
1. Telecommunications Service Entities
a. Wireline Carriers and Service Providers
32. The Commission has included small incumbent local exchange
carriers in the present RFA analysis. As noted above, a ``small
business'' under the RFA is one that, inter alia, meets the pertinent
small business size standard (e.g., a telephone communications business
having 1,500 or fewer employees), and ``is not dominant in its field of
operation.'' The SBA's Office of Advocacy contends that, for RFA
purposes, small incumbent local exchange carriers are not dominant in
their field of operation because any such dominance is not ``national''
in scope. The Commission has therefore included small incumbent local
exchange carriers in this RFA analysis, although the Commission
emphasizes that this RFA action has no effect on Commission analyses
and determinations in other, non-RFA contexts.
33. Incumbent Local Exchange Carriers (LECs). Neither the
Commission nor the SBA has developed a small business size standard
specifically for incumbent local exchange services. The appropriate
size standard under SBA rules is for the category Wired
Telecommunications Carriers. Under that size standard, such a business
is small if it has 1,500 or fewer employees. According to Commission
data, 1,303 carriers have reported that they are engaged in the
provision of incumbent local exchange services. Of these 1,303
carriers, an estimated 1,020 have 1,500 or fewer employees and 283 have
more than 1,500 employees. Consequently, the Commission estimates that
most providers of incumbent local exchange service are small businesses
that may be affected by its action.
34. Competitive Local Exchange Carriers, Competitive Access
Providers (CAPs), ``Shared-Tenant Service Providers,'' and ``Other
Local Service Providers.'' Neither the Commission nor the SBA has
developed a small business size standard specifically for these service
providers. The appropriate size standard under SBA rules is for the
category Wired Telecommunications Carriers. Under that size standard,
such a business is small if it has 1,500 or fewer employees. According
to Commission data, 769 carriers have reported that they are engaged in
the provision of either competitive access provider services or
competitive local exchange carrier services. Of these 769 carriers, an
estimated 676 have 1,500 or fewer employees and 93 have more than 1,500
employees. In addition, 12 carriers have reported that they are
``Shared-Tenant Service Providers,'' and all 12 are estimated to have
1,500 or fewer employees. In addition, 39 carriers have reported that
they are ``Other Local Service Providers.'' Of the 39, an estimated 38
have 1,500 or fewer employees and one has more than 1,500 employees.
Consequently, the Commission estimates that most providers of
competitive local exchange service, competitive access providers,
``Shared-Tenant Service Providers,'' and ``Other Local Service
Providers'' are small entities that may be affected by its action.
35. Local Resellers. The SBA has developed a small business size
standard for the category of Telecommunications Resellers. Under that
size standard, such a business is small if it has 1,500 or fewer
employees. According to Commission data, 143 carriers have reported
that they are engaged in the provision of local resale services. Of
these, an estimated 141 have 1,500 or fewer employees and two have more
than 1,500 employees. Consequently, the Commission estimates that the
majority of local resellers are small entities that may be affected by
its action.
36. Toll Resellers. The SBA has developed a small business size
standard for the category of Telecommunications Resellers. Under that
size standard, such a business is small if it has 1,500 or fewer
employees. According to Commission data, 770 carriers have reported
that they are engaged in the provision of toll resale services. Of
these, an estimated 747 have 1,500 or fewer employees and 23 have more
than 1,500 employees. Consequently, the Commission estimates that the
majority of toll resellers are small entities that may be affected by
its action.
37. Payphone Service Providers (PSPs). Neither the Commission nor
the SBA has developed a small business size standard specifically for
payphone services providers. The appropriate size standard under SBA
rules is for the category Wired Telecommunications Carriers. Under that
size standard, such a business is small if it has 1,500 or fewer
employees. According to Commission data, 613 carriers have reported
that they are engaged in the provision of payphone services. Of these,
an estimated 609 have 1,500 or fewer employees and four have more than
1,500 employees. Consequently, the Commission estimates that the
majority of payphone service providers are small entities that may be
affected by its action.
38. Interexchange Carriers (IXCs). Neither the Commission nor the
SBA has developed a small business size standard specifically for
providers of interexchange services. The appropriate size standard
under SBA rules is for the category Wired Telecommunications Carriers.
Under that size standard, such a business is small if it has 1,500 or
fewer employees. According to Commission data, 316 carriers have
reported that they are engaged in the provision of interexchange
service. Of these, an estimated 292 have 1,500 or fewer employees and
24 have more than 1,500 employees. Consequently, the Commission
estimates that the majority of IXCs are small entities that may be
affected by its action.
39. Operator Service Providers (OSPs). Neither the Commission nor
the SBA has developed a small business size standard specifically for
operator service providers. The appropriate size standard under SBA
rules is for the category Wired Telecommunications
[[Page 31953]]
Carriers. Under that size standard, such a business is small if it has
1,500 or fewer employees. According to Commission data, 23 carriers
have reported that they are engaged in the provision of operator
services. Of these, an estimated 20 have 1,500 or fewer employees and
three have more than 1,500 employees. Consequently, the Commission
estimates that the majority of OSPs are small entities that may be
affected by its action.
40. Prepaid Calling Card Providers. Neither the Commission nor the
SBA has developed a small business size standard specifically for
prepaid calling card providers. The appropriate size standard under SBA
rules is for the category Telecommunications Resellers. Under that size
standard, such a business is small if it has 1,500 or fewer employees.
According to Commission data, 89 carriers have reported that they are
engaged in the provision of prepaid calling cards. Of these, 88 are
estimated to have 1,500 or fewer employees and one has more than 1,500
employees. Consequently, the Commission estimates that all or the
majority of prepaid calling card providers are small entities that may
be affected by its action.
41. 800 and 800-Like Service Subscribers. Neither the Commission
nor the SBA has developed a small business size standard specifically
for 800 and 800-like service (``toll free'') subscribers. The
appropriate size standard under SBA rules is for the category
Telecommunications Resellers. Under that size standard, such a business
is small if it has 1,500 or fewer employees. The most reliable source
of information regarding the number of these service subscribers
appears to be data the Commission collects on the 800, 888, and 877
numbers in use. According to the Commission's data, at the end of
January, 1999, the number of 800 numbers assigned was 7,692,955; the
number of 888 numbers assigned was 7,706,393; and the number of 877
numbers assigned was 1,946,538. The Commission does not have data
specifying the number of these subscribers that are not independently
owned and operated or have more than 1,500 employees, and thus is
unable at this time to estimate with greater precision the number of
toll free subscribers that would qualify as small businesses under the
SBA size standard. Consequently, the Commission estimates that there
are 7,692,955 or fewer small entity 800 subscribers; 7,706,393 or fewer
small entity 888 subscribers; and 1,946,538 or fewer small entity 877
subscribers.
b. International Service Providers
42. The Commission has not developed a small business size standard
specifically for providers of international service. The appropriate
size standards under SBA rules are for the two broad census categories
of ``Satellite Telecommunications'' and ``Other Telecommunications.''
Under both categories, such a business is small if it has $12.5 million
or less in average annual receipts.
43. The first category of Satellite Telecommunications ``comprises
establishments primarily engaged in providing point-to-point
telecommunications services to other establishments in the
telecommunications and broadcasting industries by forwarding and
receiving communications signals via a system of satellites or
reselling satellite telecommunications.'' For this category, Census
Bureau data for 2002 show that there were a total of 371 firms that
operated for the entire year. Of this total, 307 firms had annual
receipts of under $10 million, and 26 firms had receipts of $10 million
to $24,999,999. Consequently, the Commission estimates that the
majority of Satellite Telecommunications firms are small entities that
might be affected by its action.
44. The second category of Other Telecommunications ``comprises
establishments primarily engaged in (1) providing specialized
telecommunications applications, such as satellite tracking,
communications telemetry, and radar station operations; or (2)
providing satellite terminal stations and associated facilities
operationally connected with one or more terrestrial communications
systems and capable of transmitting telecommunications to or receiving
telecommunications from satellite systems.'' For this category, Census
Bureau data for 2002 show that there were a total of 332 firms that
operated for the entire year. Of this total, 259 firms had annual
receipts of under $10 million and 15 firms had annual receipts of $10
million to $24,999,999. Consequently, the Commission estimates that the
majority of Other Telecommunications firms are small entities that
might be affected by its action.
c. Wireless Telecommunications Service Providers
45. Below, for those services subject to auctions, the Commission
notes that, as a general matter, the number of winning bidders that
qualify as small businesses at the close of an auction does not
necessarily represent the number of small businesses currently in
service. Also, the Commission does not generally track subsequent
business size unless, in the context of assignments or transfers,
unjust enrichment issues are implicated.
46. Wireless Service Providers. The SBA has developed a small
business size standard for wireless firms within the two broad economic
census categories of ``Paging'' and ``Cellular and Other Wireless
Telecommunications.'' Under both SBA categories, a wireless business is
small if it has 1,500 or fewer employees. For the census category of
Paging, Census Bureau data for 2002 show that there were 807 firms in
this category that operated for the entire year. Of this total, 804
firms had employment of 999 or fewer employees, and three firms had
employment of 1,000 employees or more. Thus, under this category and
associated small business size standard, the majority of firms can be
considered small. For the census category of Cellular and Other
Wireless Telecommunications, Census Bureau data for 2002 show that
there were 1,397 firms in this category that operated for the entire
year. Of this total, 1,378 firms had employment of 999 or fewer
employees, and 19 firms had employment of 1,000 employees or more.
Thus, under this second category and size standard, the majority of
firms can, again, be considered small.
47. Cellular Licensees. The SBA has developed a small business size
standard for wireless firms within the broad economic census category
``Cellular and Other Wireless Telecommunications.'' Under this SBA
category, a wireless business is small if it has 1,500 or fewer
employees. For the census category of Cellular and Other Wireless
Telecommunications, Census Bureau data for 2002 show that there were
1,397 firms in this category that operated for the entire year. Of this
total, 1,378 firms had employment of 999 or fewer employees, and 19
firms had employment of 1,000 employees or more. Thus, under this
category and size standard, the great majority of firms can be
considered small. Also, according to Commission data, 437 carriers
reported that they were engaged in the provision of cellular service,
Personal Communications Service (PCS), or Specialized Mobile Radio
(SMR) Telephony services, which are placed together in the data. The
Commission has estimated that 260 of these are small, under the SBA
small business size standard.
48. Common Carrier Paging. The SBA has developed a small business
size standard for wireless firms within the
[[Page 31954]]
broad economic census category, ``Cellular and Other Wireless
Telecommunications.'' Under this SBA category, a wireless business is
small if it has 1,500 or fewer employees. For the census category of
Paging, Census Bureau data for 2002 show that there were 807 firms in
this category that operated for the entire year. Of this total, 804
firms had employment of 999 or fewer employees, and three firms had
employment of 1,000 employees or more. Thus, under this category and
associated small business size standard, the majority of firms can be
considered small. In the Paging Third Report and Order, the Commission
developed a small business size standard for ``small businesses'' and
``very small businesses'' for purposes of determining their eligibility
for special provisions such as bidding credits and installment
payments. A ``small business'' is an entity that, together with its
affiliates and controlling principals, has average gross revenues not
exceeding $15 million for the preceding three years. Additionally, a
``very small business'' is an entity that, together with its affiliates
and controlling principals, has average gross revenues that are not
more than $3 million for the preceding three years. The SBA has
approved these small business size standards. An auction of
Metropolitan Economic Area licenses commenced on February 24, 2000, and
closed on March 2, 2000. Of the 985 licenses auctioned, 440 were sold.
Fifty-seven companies claiming small business status won. Also,
according to Commission data, 375 carriers reported that they were
engaged in the provision of paging and messaging services. Of those,
the Commission estimates that 370 are small, under the SBA-approved
small business size standard.
49. Wireless Communications Services. This service can be used for
fixed, mobile, radiolocation, and digital audio broadcasting satellite
uses. The Commission established small business size standards for the
wireless communications services (WCS) auction. A ``small business'' is
an entity with average gross revenues of $40 million for each of the
three preceding years, and a ``very small business'' is an entity with
average gross revenues of $15 million for each of the three preceding
years. The SBA has approved these small business size standards. The
Commission auctioned geographic area licenses in the WCS service. In
the auction, there were seven winning bidders that qualified as ``very
small business'' entities, and one that qualified as a ``small
business'' entity.
50. Wireless Telephony. Wireless telephony includes cellular,
personal communications services (PCS), and specialized mobile radio
(SMR) telephony carriers. As noted earlier, the SBA has developed a
small business size standard for ``Cellular and Other Wireless
Telecommunications'' services. Under that SBA small business size
standard, a business is small if it has 1,500 or fewer employees.
According to Commission data, 445 carriers reported that they were
engaged in the provision of wireless telephony. The Commission has
estimated that 245 of these are small under the SBA small business size
standard.
51. Broadband Personal Communications Service. The broadband
Personal Communications Service (PCS) spectrum is divided into six
frequency blocks designated A through F, and the Commission has held
auctions for each block. The Commission defined ``small entity'' for
Blocks C and F as an entity that has average gross revenues of $40
million or less in the three previous calendar years. For Block F, an
additional classification for ``very small business'' was added and is
defined as an entity that, together with its affiliates, has average
gross revenues of not more than $15 million for the preceding three
calendar years.'' These standards defining ``small entity'' in the
context of broadband PCS auctions have been approved by the SBA. No
small businesses, within the SBA-approved small business size standards
bid successfully for licenses in Blocks A and B. There were 90 winning
bidders that qualified as small entities in the Block C auctions. A
total of 93 small and very small business bidders won approximately 40
percent of the 1,479 licenses for Blocks D, E, and F. On March 23,
1999, the Commission re-auctioned 347 C, D, E, and F Block licenses.
There were 48 small business winning bidders. On January 26, 2001, the
Commission completed the auction of 422 C and F Broadband PCS licenses
in Auction No. 35. Of the 35 winning bidders in this auction, 29
qualified as ``small'' or ``very small'' businesses. Subsequent events,
concerning Auction 35, including judicial and agency determinations,
resulted in a total of 163 C and F Block licenses being available for
grant.
52. Narrowband Personal Communications Services. To date, two
auctions of narrowband personal communications services (PCS) licenses
have been conducted. For purposes of the two auctions that have already
been held, ``small businesses'' were entities with average gross
revenues for the prior three calendar years of $40 million or less.
Through these auctions, the Commission has awarded a total of 41
licenses, out of which 11 were obtained by small businesses. To ensure
meaningful participation of small business entities in future auctions,
the Commission has adopted a two-tiered small business size standard in
the Narrowband PCS Second Report and Order. A ``small business'' is an
entity that, together with affiliates and controlling interests, has
average gross revenues for the three preceding years of not more than
$40 million. A ``very small business'' is an entity that, together with
affiliates and controlling interests, has average gross revenues for
the three preceding years of not more than $15 million. The SBA has
approved these small business size standards. In the future, the
Commission will auction 459 licenses to serve Metropolitan Trading
Areas (MTAs) and 408 response channel licenses. There is also one
megahertz of narrowband PCS spectrum that has been held in reserve and
that the Commission has not yet decided to release for licensing. The
Commission cannot predict accurately the number of licenses that will
be awarded to small entities in future auctions. However, four of the
16 winning bidders in the two previous narrowband PCS auctions were
small businesses, as that term was defined. The Commission assumes, for
purposes of this analysis that a large portion of the remaining
narrowband PCS licenses will be awarded to small entities. The
Commission also assumes that at least some small businesses will
acquire narrowband PCS licenses by means of the Commission's
partitioning and disaggregation rules.
53. 220 MHz Radio Service--Phase I Licensees. The 220 MHz service
has both Phase I and Phase II licenses. Phase I licensing was conducted
by lotteries in 1992 and 1993. There are approximately 1,515 such non-
nationwide licensees and four nationwide licensees currently authorized
to operate in the 220 MHz band. The Commission has not developed a
small business size standard for small entities specifically applicable
to such incumbent 220 MHz Phase I licensees. To estimate the number of
such licensees that are small businesses, the Commission applies the
small business size standard under the SBA rules applicable to
``Cellular and Other Wireless Telecommunications'' companies. This
category provides that a small business is a wireless company employing
no more than 1,500 persons. For the census category Cellular and Other
Wireless Telecommunications, Census Bureau data for 1997 show that
there were 977 firms in this category,
[[Page 31955]]
total, that operated for the entire year. Of this total, 965 firms had
employment of 999 or fewer employees, and an additional 12 firms had
employment of 1,000 employees or more. Thus, under this second category
and size standard, the majority of firms can, again, be considered
small. Assuming this general ratio continues in the context of Phase I
220 MHz licensees, the Commission estimates that nearly all such
licensees are small businesses under the SBA's small business size
standard. In addition, limited preliminary census data for 2002
indicate that the total number of cellular and other wireless
telecommunications carriers increased approximately 321 percent from
1997 to 2002.
54. 220 MHz Radio Service--Phase II Licensees. The 220 MHz service
has both Phase I and Phase II licenses. The Phase II 220 MHz service is
a new service, and is subject to spectrum auctions. In the 220 MHz
Third Report and Order, the Commission adopted a small business size
standard for ``small'' and ``very small'' businesses for purposes of
determining their eligibility for special provisions such as bidding
credits and installment payments. This small business size standard
indicates that a ``small business'' is an entity that, together with
its affiliates and controlling principals, has average gross revenues
not exceeding $15 million for the preceding three years. A ``very small
business'' is an entity that, together with its affiliates and
controlling principals, has average gross revenues that do not exceed
$3 million for the preceding three years. The SBA has approved these
small business size standards. Auctions of Phase II licenses commenced
on September 15, 1998, and closed on October 22, 1998. In the first
auction, 908 licenses were auctioned in three different-sized
geographic areas: three nationwide licenses, 30 Regional Economic Area
Group (EAG) Licenses, and 875 Economic Area (EA) Licenses. Of the 908
licenses auctioned, 693 were sold. Thirty-nine small businesses won
licenses in the first 220 MHz auction. The second auction included 225
licenses: 216 EA licenses and 9 EAG licenses. Fourteen companies
claiming small business status won 158 licenses.
55. 800 MHz and 900 MHz Specialized Mobile Radio Licenses. The
Commission awards ``small entity'' and ``very small entity'' bidding
credits in auctions for Specialized Mobile Radio (SMR) geographic area
licenses in the 800 MHz and 900 MHz bands to firms that had revenues of
no more than $15 million in each of the three previous calendar years,
or that had revenues of no more than $3 million in each of the previous
calendar years, respectively. These bidding credits apply to SMR
providers in the 800 MHz and 900 MHz bands that either hold geographic
area licenses or have obtained extended implementation authorizations.
The Commission does not know how many firms provide 800 MHz or 900 MHz
geographic area SMR service pursuant to extended implementation
authorizations, nor how many of these providers have annual revenues of
no more than $15 million. One firm has over $15 million in revenues.
The Commission assumes, for purposes here, that all of the remaining
existing extended implementation authorizations are held by small
entities, as that term is defined by the SBA. The Commission has held
auctions for geographic area licenses in the 800 MHz and 900 MHz SMR
bands. There were 60 winning bidders that qualified as small or very
small entities in the 900 MHz SMR auctions. Of the 1,020 licenses won
in the 900 MHz auction, bidders qualifying as small or very small
entities won 263 licenses. In the 800 MHz auction, 38 of the 524
licenses won were won by small and very small entities.
56. 700 MHz Guard Band Licensees. In the 700 MHz Guard Band Order,
the Commission adopted a small business size standard for ``small
businesses'' and ``very small businesses'' for purposes of determining
their eligibility for special provisions such as bidding credits and
installment payments. A ``small business'' as an entity that, together
with its affiliates and controlling principals, has average gross
revenues not exceeding $15 million for the preceding three years.
Additionally, a ``very small business'' is an entity that, together
with its affiliates and controlling principals, has average gross
revenues that are not more than $3 million for the preceding three
years. An auction of 52 Major Economic Area (MEA) licenses commenced on
September 6, 2000, and closed on September 21, 2000. Of the 104
licenses auctioned, 96 licenses were sold to nine bidders. Five of
these bidders were small businesses that won a total of 26 licenses. A
second auction of 700 MHz Guard Band licenses commenced on February 13,
2001 and closed on February 21, 2001. All eight of the licenses
auctioned were sold to three bidders. One of these bidders was a small
business that won a total of two licenses.
57. Rural Radiotelephone Service. The Commission has not adopted a
size standard for small businesses specific to the Rural Radiotelephone
Service. A significant subset of the Rural Radiotelephone Service is
the Basic Exchange Telephone Radio System (BETRS). The Commission uses
the SBA's small business size standard applicable to ``Cellular and
Other Wireless Telecommunications,'' i.e., an entity employing no more
than 1,500 persons. There are approximately 1,000 licensees in the
Rural Radiotelephone Service, and the Commission estimates that there
are 1,000 or fewer small entity licensees in the Rural Radiotelephone
Service that may be affected by the rules and policies adopted herein.
58. Air-Ground Radiotelephone Service. The Commission has not
adopted a small business size standard specific to the Air-Ground
Radiotelephone Service. The Commission will use SBA's small business
size standard applicable to ``Cellular and Other Wireless
Telecommunications,'' i.e., an entity employing no more than 1,500
persons. There are approximately 100 licensees in the Air-Ground
Radiotelephone Service, and the Commission estimates that almost all of
them qualify as small under the SBA small business size standard.
59. Aviation and Marine Radio Services. Small businesses in the
aviation and marine radio services use a very high frequency (VHF)
marine or aircraft radio and, as appropriate, an emergency position-
indicating radio beacon (and/or radar) or an emergency locator
transmitter. The Commission has not developed a small business size
standard specifically applicable to these small businesses. For
purposes of this analysis, the Commission uses the SBA small business
size standard for the category ``Cellular and Other
Telecommunications,'' which is 1,500 or fewer employees. Most
applicants for recreational licenses are individuals. Approximately
581,000 ship station licensees and 131,000 aircraft station licensees
operate domestically and are not subject to the radio carriage
requirements of any statute or treaty. For purposes of the Commission's
evaluations in this analysis, the Commission estimates that there are
up to approximately 712,000 licensees that are small businesses (or
individuals) under the SBA standard. In addition, between December 3,
1998 and December 14, 1998, the Commission held an auction of 42 VHF
Public Coast licenses in the 157.1875-157.4500 MHz (ship transmit) and
161.775-162.0125 MHz (coast transmit) bands. For purposes of the
auction, the Commission defined a ``small'' business as an entity that,
together with controlling interests and affiliates, has average gross
revenues for the preceding
[[Page 31956]]
three years not to exceed $15 million dollars. In addition, a ``very
small'' business is one that, together with controlling interests and
affiliates, has average gross revenues for the preceding three years
not to exceed $3 million dollars. There are approximately 10,672
licensees in the Marine Coast Service, and the Commission estimates
that almost all of them qualify as ``small'' businesses under the above
special small business size standards.
60. Offshore Radiotelephone Service. This service operates on
several UHF television broadcast channels that are not used for
television broadcasting in the coastal areas of states bordering the
Gulf of Mexico. There are presently approximately 55 licensees in this
service. The Commission is unable to estimate at this time the number
of licensees that would qualify as small under the SBA's small business
size standard for ``Cellular and Other Wireless Telecommunications''
services. Under that SBA small business size standard, a business is
small if it has 1,500 or fewer employees.
61. 39 GHz Service. The Commission created a special small business
size standard for 39 GHz licenses--an entity that has average gross
revenues of $40 million or less in the three previous calendar years.
An additional size standard for ``very small business'' is: an entity
that, together with affiliates, has average gross revenues of not more
than $15 million for the preceding three calendar years. The SBA has
approved these small business size standards. The auction of the 2,173
39 GHz licenses began on April 12, 2000 and closed on May 8, 2000. The
18 bidders who claimed small business status won 849 licenses.
Consequently, the Commission estimates that 18 or fewer 39 GHz
licensees are small entities that may be affected by the rules and
polices adopted herein.
62. Multipoint Distribution Service, Multichannel Multipoint
Distribution Service, and ITFS. Multichannel Multipoint Distribution
Service (MMDS) systems, often referred to as ``wireless cable,''
transmit video programming to subscribers using the microwave
frequencies of the Multipoint Distribution Service (MDS) and
Instructional Television Fixed Service (ITFS). In connection with the
1996 MDS auction, the Commission established a small business size
standard as an entity that had annual average gross revenues of less
than $40 million in the previous three calendar years. The MDS auctions
resulted in 67 successful bidders obtaining licensing opportunities for
493 Basic Trading Areas (BTAs). Of the 67 auction winners, 61 met the
definition of a small business. MDS also includes licensees of stations
authorized prior to the auction. In addition, the SBA has developed a
small business size standard for Cable and Other Program Distribution,
which includes all such companies generating $12.5 million or less in
annual receipts. According to Census Bureau data for 1997, there were a
total of 1,311 firms in this category, total, that had operated for the
entire year. Of this total, 1,180 firms had annual receipts of under
$10 million and an additional 52 firms had receipts of $10 million or
more but less than $25 million. Consequently, the Commission estimates
that the majority of providers in this service category are small
businesses that may be affected by the rules and policies adopted
herein. This SBA small business size standard also appears applicable
to ITFS. There are presently 2,032 ITFS licensees. All but 100 of these
licenses are held by educational institutions. Educational institutions
are included in this analysis as small entities. Thus, the Commission
tentatively conclude that at least 1,932 licensees are small
businesses.
63. Local Multipoint Distribution Service. Local Multipoint
Distribution Service (LMDS) is a fixed broadband point-to-multipoint
microwave service that provides for two-way video telecommunications.
The auction of the 1,030 Local Multipoint Distribution Service (LMDS)
licenses began on February 18, 1998 and closed on March 25, 1998. The
Commission established a small business size standard for LMDS licenses
as an entity that has average gross revenues of less than $40 million
in the three previous calendar years. An additional small business size
standard for ``very small business'' was added as an entity that,
together with its affiliates, has average gross revenues of not more
than $15 million for the preceding three calendar years. The SBA has
approved these small business size standards in the context of LMDS
auctions. There were 93 winning bidders that qualified as small
entities in the LMDS auctions. A total of 93 small and very small
business bidders won approximately 277 A Block licenses and 387 B Block
licenses. On March 27, 1999, the Commission re-auctioned 161 licenses;
there were 40 winning bidders. Based on this information, the
Commission concludes that the number of small LMDS licenses consists of
the 93 winning bidders in the first auction and the 40 winning bidders
in the re-auction, for a total of 133 small entity LMDS providers.
64. 218-219 MHz Service. The first auction of 218-219 MHz spectrum
resulted in 170 entities winning licenses for 594 Metropolitan
Statistical Area (MSA) licenses. Of the 594 licenses, 557 were won by
entities qualifying as a small business. For that auction, the small
business size standard was an entity that, together with its
affiliates, has no more than a $6 million net worth and, after federal
income taxes (excluding any carry over losses), has no more than $2
million in annual profits each year for the previous two years. In the
218-219 MHz Report and Order and Memorandum Opinion and Order, the
Commission established a small business size standard for a ``small
business'' as an entity that, together with its affiliates and persons
or entities that hold interests in such an entity and their affiliates,
has average annual gross revenues not to exceed $15 million for the
preceding three years. A ``very small business'' is defined as an
entity that, together with its affiliates and persons or entities that
hold interests in such an entity and its affiliates, has average annual
gross revenues not to exceed $3 million for the preceding three years.
The Commission cannot estimate, however, the number of licenses that
will be won by entities qualifying as small or very small businesses
under its rules in future auctions of 218-219 MHz spectrum.
65. 24 GHz--Incumbent Licensees. This analysis may affect incumbent
licensees who were relocated to the 24 GHz band from the 18 GHz band,
and applicants who wish to provide services in the 24 GHz band. The
applicable SBA small business size standard is that of ``Cellular and
Other Wireless Telecommunications'' companies. This category provides
that such a company is small if it employs no more than 1,500 persons.
According to Census Bureau data for 1997, there were 977 firms in this
category, total, that operated for the entire year. Of this total, 965
firms had employment of 999 or fewer employees, and an additional 12
firms had employment of 1,000 employees or more. Thus, under this size
standard, the great majority of firms can be considered small. These
broader census data notwithstanding, the Commission believes that there
are only two licensees in the 24 GHz band that were relocated from the
18 GHz band, Teligent and TRW, Inc. It is the Commisson's understanding
that Teligent and its related companies have less than 1,500 employees,
though this may change in the future. TRW is not a small entity. Thus,
only one incumbent licensee in the 24 GHz band is a small business
entity.
66. 24 GHz--Future Licensees. With respect to new applicants in the
24 GHz
[[Page 31957]]
band, the small business size standard for ``small business'' is an
entity that, together with controlling interests and affiliates, has
average annual gross revenues for the three preceding years not in
excess of $15 million. ``Very small business'' in the 24 GHz band is an
entity that, together with controlling interests and affiliates, has
average gross revenues not exceeding $3 million for the preceding three
years. The SBA has approved these small business size standards. These
size standards will apply to the future auction, if held.
2. Cable and OVS Operators
67. Cable and Other Program Distribution. This category includes
cable systems operators, closed circuit television services, direct
broadcast satellite services, multipoint distribution systems,
satellite master antenna systems, and subscription television services.
The SBA has developed small business size standard for this census
category, which includes all such companies generating $12.5 million or
less in revenue annually. According to Census Bureau data for 2002,
there were a total of 1,191 firms in this category that operated for
the entire year. Of this total, 1,087 firms had annual receipts of
under $10 million, and 43 firms had receipts of $10 million or more but
less than $25 million. Consequently, the Commission estimates that the
majority of providers in this service category are small businesses
that may be affected by the rules and policies adopted herein.
68. Cable System Operators. The Commission has developed its own
small business size standards for cable system operators, for purposes
of rate regulation. Under the Commission's rules, a ``small cable
company'' is one serving fewer than 400,000 subscribers nationwide. In
addition, a ``small system'' is a system serving 15,000 or fewer
subscribers.
69. Cable System Operators (Telecom Act Standard). The
Communications Act of 1934, as amended, also contains a size standard
for small cable system operators, which is ``a cable operator that,
directly or through an affiliate, serves in the aggregate fewer than 1
percent of all subscribers in the United States and is not affiliated
with any entity or entities whose gross annual revenues in the
aggregate exceed $250,000,000.'' The Commission has determined that
there are approximately 67,700,000 subscribers in the United States.
Therefore, an operator serving fewer than 677,000 subscribers shall be
deemed a small operator, if its annual revenues, when combined with the
total annual revenues of all its affiliates, do not exceed $250 million
in the aggregate. Based on available data, the Commission estimates
that the number of cable operators serving 677,000 subscribers or
fewer, totals 1,450. The Commission neither requests nor collects
information on whether cable system operators are affiliated with
entities whose gross annual revenues exceed $250 million, and therefore
is unable, at this time, to estimate more accurately the number of
cable system operators that would qualify as small cable operators
under the size standard contained in the Communications Act of 1934.
70. Open Video Services. Open Video Service (OVS) systems provide
subscription services. The SBA has created a small business size
standard for Cable and Other Program Distribution. This standard
provides that a small entity is one with $12.5 million or less in
annual receipts. The Commission has certified approximately 25 OVS
operators to serve 75 areas, and some of these are currently providing
service. Affiliates of Residential Communications Network, Inc. (RCN)
received approval to operate OVS systems in New York City, Boston,
Washington, DC, and other areas. RCN has sufficient revenues to assure
that they do not qualify as a small business entity. Little financial
information is available for the other entities that are authorized to
provide OVS and are not yet operational. Given that some entities
authorized to provide OVS service have not yet begun to generate
revenues, the Commission concludes that up to 24 OVS operators (those
remaining) might qualify as small businesses that may be affected by
the rules and policies adopted herein.
3. Internet Service Providers
71. Internet Service Providers. The SBA has developed a small
business size standard for Internet Service Providers (ISPs). ISPs
``provide clients access to the Internet and generally provide related
services such as Web hosting, Web page designing, and hardware or
software consulting related to Internet connectivity.'' Under the SBA
size standard, such a business is small if it has average annual
receipts of $21 million or less. According to Census Bureau data for
2002, there were 2,529 firms in this category that operated for the
entire year. Of these, 2,437 firms had annual receipts of under $10
million, and 47 firms had receipts of $10 million or more but less then
$25 million. Consequently, the Commission estimates that the majority
of these firms are small entities that may be affected by its action.
4. Other Internet-Related Entities
72. Web Search Portals. The Commission's action pertains to
interconnected VoIP services, which could be provided by entities that
provide other services such as e-mail, online gaming, Web browsing,
video conferencing, instant messaging, and other, similar IP-enabled
services. The Commission has not adopted a size standard for entities
that create or provide these types of services or applications.
However, the census bureau has identified firms that ``operate Web
sites that use a search engine to generate and maintain extensive
databases of Internet addresses and content in an easily searchable
format. Web search portals often provide additional Internet services,
such as e-mail, connections to other Web sites, auctions, news, and
other limited content, and serve as a home base for Internet users.''
The SBA has developed a small business size standard for this category;
that size standard is $6 million or less in average annual receipts.
According to Census Bureau data for 1997, there were 195 firms in this
category that operated for the entire year. Of these, 172 had annual
receipts of under $5 million, and an additional nine firms had receipts
of between $5 million and $9,999,999. Consequently, the Commission
estimates that the majority of these firms are small entities that may
be affected by its action.
73. Data Processing, Hosting, and Related Services. Entities in
this category ``primarily * * * provid[e] infrastructure for hosting or
data processing services.'' The SBA has developed a small business size
standard for this category; that size standard is $21 million or less
in average annual receipts. According to Census Bureau data for 1997,
there were 3,700 firms in this category that operated for the entire
year. Of these, 3,477 had annual receipts of under $10 million, and an
additional 108 firms had receipts of between $10 million and
$24,999,999. Consequently, the Commission estimates that the majority
of these firms are small entities that may be affected by its action.
74. All Other Information Services. ``This industry comprises
establishments primarily engaged in providing other information
services (except new syndicates and libraries and archives).'' The
Commission's action pertains to interconnected VoIP services, which
could be provided by entities that provide other services such as
email, online gaming, web browsing, video conferencing, instant
messaging,
[[Page 31958]]
and other, similar IP-enabled services. The SBA has developed a small
business size standard for this category; that size standard is $6
million or less in average annual receipts. According to Census Bureau
data for 1997, there were 195 firms in this category that operated for
the entire year. Of these, 172 had annual receipts of under $5 million,
and an additional nine firms had receipts of between $5 million and
$9,999,999. Consequently, the Commission estimates that the majority of
these firms are small entities that may be affected by its action.
75. Internet Publishing and Broadcasting. ``This industry comprises
establishments engaged in publishing and/or broadcasting content on the
Internet exclusively. These establishments do not provide traditional
(non-Internet) versions of the content that they publish or
broadcast.'' The SBA has developed a small business size standard for
this new (2002) census category; that size standard is 500 or fewer
employees. To assess the prevalence of small entities in this category,
the Commission will use 1997 Census Bureau data for a relevant, now-
superseded census category, ``All Other Information Services.'' The SBA
small business size standard for that prior category was $6 million or
less in average annual receipts. According to Census Bureau data for
1997, there were 195 firms in the prior category that operated for the
entire year. Of these, 172 had annual receipts of under $5 million, and
an additional nine firms had receipts of between $5 million and
$9,999,999. Consequently, the Commission estimates that the majority of
the firms in this current category are small entities that may be
affected by its action.
76. Software Publishers. These companies may design, develop or
publish software and may provide other support services to software
purchasers, such as providing documentation or assisting in
installation. The companies may also design software to meet the needs
of specific users. The SBA has developed a small business size standard
of $21 million or less in average annual receipts for all of the
following pertinent categories: Software Publishers, Custom Computer
Programming Services, and Other Computer Related Services. For Software
Publishers, Census Bureau data for 1997 indicate that there were 8,188
firms in the category that operated for the entire year. Of these,
7,633 had annual receipts under $10 million, and an additional 289
firms had receipts of between $10 million and $24, 999,999. For
providers of Custom Computer Programming Services, the Census Bureau
data indicate that there were 19,334 firms that operated for the entire
year. Of these, 18,786 had annual receipts of under $10 million, and an
additional 352 firms had receipts of between $10 million and
$24,999,999. For providers of Other Computer Related Services, the
Census Bureau data indicate that there were 5,524 firms that operated
for the entire year. Of these, 5,484 had annual receipts of under $10
million, and an additional 28 firms had receipts of between $10 million
and $24,999,999. Consequently, the Commission estimates that the
majority of the firms in each of these three categories are small
entities that may be affected by its action.
5. Equipment Manufacturers
77. The equipment manufacturers described in this section are
merely indirectly affected by the Commission's current action, and
therefore are not formally a part of this RFA analysis. The Commission
has included them, however, to broaden the record in this proceeding
and to alert them to its decisions.
78. Wireless Communications Equipment Manufacturers. The SBA has
established a small business size standard for Radio and Television
Broadcasting and Wireless Communications Equipment Manufacturing.
Examples of products in this category include ``transmitting and
receiving antennas, cable television equipment, GPS equipment, pagers,
cellular phones, mobile communications equipment, and radio and
television studio and broadcasting equipment'' and may include other
devices that transmit and receive IP-enabled services, such as personal
digital assistants (PDAs). Under the SBA size standard, firms are
considered small if they have 750 or fewer employees. According to
Census Bureau data for 1997, there were 1,215 establishments in this
category that operated for the entire year. Of those, there were 1,150
that had employment of under 500, and an additional 37 that had
employment of 500 to 999. The percentage of wireless equipment
manufacturers in this category was approximately 61.35%, so the
Commission estimates that the number of wireless equipment
manufacturers with employment of under 500 was actually closer to 706,
with an additional 23 establishments having employment of between 500
and 999. Consequently, the Commission estimates that the majority of
wireless communications equipment manufacturers are small entities that
may be affected by its action.
79. Telephone Apparatus Manufacturing. This category ``comprises
establishments primarily engaged primarily in manufacturing wire
telephone and data communications equipment.'' Examples of pertinent
products are ``central office switching equipment, cordless telephones
(except cellular), PBX equipment, telephones, telephone answering
machines, and data communications equipment, such as bridges, routers,
and gateways.'' The SBA has developed a small business size standard
for this category of manufacturing; that size standard is 1,000 or
fewer employees. According to Census Bureau data for 1997, there were
598 establishments in this category that operated for the entire year.
Of these, 574 had employment of under 1,000, and an additional 17
establishments had employment of 1,000 to 2,499. Consequently, the
Commission estimates that the majority of these establishments are
small entities that may be affected by its action.
80. Electronic Computer Manufacturing. This category ``comprises
establishments primarily engaged in manufacturing and/or assembling
electronic computers, such as mainframes, personal computers,
workstations, laptops, and computer servers.'' The SBA has developed a
small business size standard for this category of manufacturing; that
size standard is 1,000 or fewer employees. According to Census Bureau
data for 1997, there were 563 establishments in this category that
operated for the entire year. Of these, 544 had employment of under
1,000, and an additional 11 establishments had employment of 1,000 to
2,499. Consequently, the Commission estimates that the majority of
these establishments are small entities that may be affected by its
action.
81. Computer Terminal Manufacturing. ``Computer terminals are
input/output devices that connect with a central computer for
processing.'' The SBA has developed a small business size standard for
this category of manufacturing; that size standard is 1,000 or fewer
employees. According to Census Bureau data for 1997, there were 142
establishments in this category that operated for the entire year, and
all of the establishments had employment of under 1,000. Consequently,
the Commission estimates that the majority or all of these
establishments are small entities that may be affected by it action.
82. Other Computer Peripheral Equipment Manufacturing. Examples of
[[Page 31959]]
peripheral equipment in this category include keyboards, mouse devices,
monitors, and scanners. The SBA has developed a small business size
standard for this category of manufacturing; that size standard is
1,000 or fewer employees. According to Census Bureau data for 1997,
there were 1061 establishments in this category that operated for the
entire year. Of these, 1,046 had employment of under 1,000, and an
additional six establishments had employment of 1,000 to 2,499.
Consequently, the Commission estimates that the majority of these
establishments are small entities that may be affected by its action.
83. Fiber Optic Cable Manufacturing. These establishments
manufacture ``insulated fiber-optic cable from purchased fiber-optic
strand.'' The SBA has developed a small business size standard for this
category of manufacturing; that size standard is 1,000 or fewer
employees. According to Census Bureau data for 1997, there were 38
establishments in this category that operated for the entire year. Of
these, 37 had employment of under 1,000, and one establishment had
employment of 1,000 to 2,499. Consequently, the Commission estimates
that the majority of these establishments are small entities that may
be affected by its action.
84. Other Communication and Energy Wire Manufacturing. These
establishments manufacture ``insulated wire and cable of nonferrous
metals from purchased wire.'' The SBA has developed a small business
size standard for this category of manufacturing; that size standard is
1,000 or fewer employees. According to Census Bureau data for 1997,
there were 275 establishments in this category that operated for the
entire year. Of these, 271 had employment of under 1,000, and four
establishments had employment of 1,000 to 2,499. Consequently, the
Commission estimates that the majority or all of these establishments
are small entities that may be affected by its action.
85. Audio and Video Equipment Manufacturing. These establishments
manufacture ``electronic audio and video equipment for home
entertainment, motor vehicle, public address and musical instrument
amplifications.'' The SBA has developed a small business size standard
for this category of manufacturing; that size standard is 750 or fewer
employees. According to Census Bureau data for 1997, there were 554
establishments in this category that operated for the entire year. Of
these, 542 had employment of under 500, and nine establishments had
employment of 500 to 999. Consequently, the Commission estimates that
the majority of these establishments are small entities that may be
affected by its action.
86. Electron Tube Manufacturing. These establishments are
``primarily engaged in manufacturing electron tubes and parts (except
glass blanks).'' The SBA has developed a small business size standard
for this category of manufacturing; that size standard is 750 or fewer
employees. According to Census Bureau data for 1997, there were 158
establishments in this category that operated for the entire year. Of
these, 148 had employment of under 500, and three establishments had
employment of 500 to 999. Consequently, the Commission estimates that
the majority of these establishments are small entities that may be
affected by its action.
87. Bare Printed Circuit Board Manufacturing. These establishments
are ``primarily engaged in manufacturing bare (i.e., rigid or flexible)
printed circuit boards without mounted electronic components.'' The SBA
has developed a small business size standard for this category of
manufacturing; that size standard is 500 or fewer employees. According
to Census Bureau data for 1997, there were 1,389 establishments in this
category that operated for the entire year. Of these, 1,369 had
employment of under 500, and 16 establishments had employment of 500 to
999. Consequently, the Commission estimates that the majority of these
establishments are small entities that may be affected by its action.
88. Semiconductor and Related Device Manufacturing. These
establishments manufacture ``computer storage devices that allow the
storage and retrieval of data from a phase change, magnetic, optical,
or magnetic/optical media.'' The SBA has developed a small business
size standard for this category of manufacturing; that size standard is
500 or fewer employees. According to Census Bureau data for 1997, there
were 1,082 establishments in this category that operated for the entire
year. Of these, 987 had employment of under 500, and 52 establishments
had employment of 500 to 999.
89. Electronic Capacitor Manufacturing. These establishments
manufacture ``electronic fixed and variable capacitors and
condensers.'' The SBA has developed a small business size standard for
this category of manufacturing; that size standard is 500 or fewer
employees. According to Census Bureau data for 1997, there were 128
establishments in this category that operated for the entire year. Of
these, 121 had employment of under 500, and four establishments had
employment of 500 to 999.
90. Electronic Resistor Manufacturing. These establishments
manufacture ``electronic resistors, such as fixed and variable
resistors, resistor networks, thermistors, and varistors.'' The SBA has
developed a small business size standard for this category of
manufacturing; that size standard is 500 or fewer employees. According
to Census Bureau data for 1997, there were 118 establishments in this
category that operated for the entire year. Of these, 113 had
employment of under 500, and 5 establishments had employment of 500 to
999.
91. Electronic Coil, Transformer, and Other Inductor Manufacturing.
These establishments manufacture ``electronic inductors, such as coils
and transformers.'' The SBA has developed a small business size
standard for this category of manufacturing; that size standard is 500
or fewer employees. According to Census Bureau data for 1997, there
were 448 establishments in this category that operated for the entire
year. Of these, 446 had employment of under 500, and two establishments
had employment of 500 to 999.
92. Electronic Connector Manufacturing. These establishments
manufacture ``electronic connectors, such as coaxial, cylindrical, rack
and panel, pin and sleeve, printed circuit and fiber optic.'' The SBA
has developed a small business size standard for this category of
manufacturing; that size standard is 500 or fewer employees. According
to Census Bureau data for 1997, there were 347 establishments in this
category that operated for the entire year. Of these, 332 had
employment of under 500, and 12 establishments had employment of 500 to
999.
93. Printed Circuit Assembly (Electronic Assembly) Manufacturing.
These are establishments ``primarily engaged in loading components onto
printed circuit boards or who manufacture and ship loaded printed
circuit boards.'' The SBA has developed a small business size standard
for this category of manufacturing; that size standard is 500 or fewer
employees. According to Census Bureau data for 1997, there were 714
establishments in this category that operated for the entire year. Of
these, 673 had employment of under 500, and 24 establishments had
employment of 500 to 999.
[[Page 31960]]
94. Other Electronic Component Manufacturing. These are
establishments ``primarily engaged in loading components onto printed
circuit boards or who manufacture and ship loaded printed circuit
boards.'' The SBA has developed a small business size standard for this
category of manufacturing; that size standard is 500 or fewer
employees. According to Census Bureau data for 1997, there were 1,835
establishments in this category that operated for the entire year. Of
these, 1,814 had employment of under 500, and 18 establishments had
employment of 500 to 999.
95. Computer Storage Device Manufacturing. These establishments
manufacture ``computer storage devices that allow the storage and
retrieval of data from a phase change, magnetic, optical, or magnetic/
optical media.'' The SBA has developed a small business size standard
for this category of manufacturing; that size standard is 1,000 or
fewer employees. According to Census Bureau data for 1997, there were
209 establishments in this category that operated for the entire year.
Of these, 197 had employment of under 500, and eight establishments had
employment of 500 to 999.
D. Description of Projected Reporting, Recordkeeping and Other
Compliance Requirements
96. The Commission is requiring telecommunications carriers and
providers of interconnected VoIP service to collect certain information
and take other actions to comply with its rules regarding the use of
CPNI. For example, carriers must have an officer, as an agent of the
carrier, sign and file with the Commission a compliance certificate on
an annual basis stating that the officer has personal knowledge that
the carrier has established procedures that are adequate to ensure
compliance with the CPNI rules. The carrier must also provide a
statement accompanying the certificate explaining how its operating
procedures ensure that it is or is not in compliance with the CPNI
rules. Further, the carrier must include an explanation of any actions
taken against data brokers and a summary of all consumer complaints
received in the past year concerning the unauthorized release of CPNI.
Additionally, carriers must obtain opt-in approval before sharing CPNI
with their joint venture partners or independent contractors for the
purposes of marketing communications-related services to customers.
Also, carriers are required to maintain a record of any discovered
breaches, notifications to the United States Secret Service (USSS) and
the Federal Bureau of Investigation (FBI) regarding those breaches, as
well as the USSS and FBI response to those notifications for a period
of at least two years.
97. The Commission also imposes other requirements on
telecommunications carriers and providers of interconnected VoIP
service. Specifically, the Order prohibits carriers from releasing call
detail information over the phone during customer-initiated telephone
calls except by those methods provided for in the Order. The Order also
requires that a carrier not permit customers to gain access to an
online account without first properly authenticating the customer and,
for subsequent access, without a customer password or response to a
back-up authentication method for lost or forgotten passwords, neither
of which may be based on a carrier prompt for readily available
biographical information, or account information. For the rules
pertaining to online carrier authentication, the Commission provides
carriers that satisfy the definition of a ``small entity'' or a ``small
business concern'' under the RFA or SBA an additional six months to
implement these rules.
98. The Order also requires that carriers notify customers through
a carrier-originated voicemail or text message to the telephone number
of record, or by mail or email to the address of record whenever a
password, customer response to a back-up means of authentication for
lost or forgotten passwords, online account, or address of record is
created or changed. Further, the Order requires that carriers notify
the USSS and the FBI no later than seven days after a reasonable
determination of a CPNI breach.
E. Steps Taken to Minimize Significant Economic Impact on Small
Entities, and Significant Alternatives Considered
99. The RFA requires an agency to describe any significant
alternatives that it has considered in reaching its proposed approach,
which may include (among others) the following four alternatives: (1)
The establishment of differing compliance or reporting requirements or
timetables that take into account the resources available to small
entities; (2) the clarification, consolidation, or simplification of
compliance or reporting requirements under the rule for small entities;
(3) the use of performance, rather than design, standards; and (4) an
exemption from coverage of the rule, or any part thereof, for small
entities.
100. The notices invited comment on a number of issues related to
small entities. For example, the Commission sought comment on the
effect the various proposals described in the EPIC CPNI Notice will
have on small entities, and on what effect alternative rules would have
on those entities. Additionally, the Commission invited comment on ways
in which the Commission can achieve its goal of protecting consumers
while at the same time imposing minimal burdens on small
telecommunications service providers. With respect to any of the
Commission consumer protection regulations already in place, the
Commission sought comment on whether it has adopted any provisions for
small entities that the Commission should similarly consider in this
proceeding? The Commission also invited comment on whether the problems
identified by EPIC were better or worse at smaller carriers. The
Commission invited comment on whether small carriers should be exempt
from password-related security procedures to protect CPNI. The
Commission invited comment on the benefits and burdens of recording
audit trails for the disclosure of CPNI on small carriers. The
Commission invited comment on whether requiring a small carrier to
encrypt its stored data would be unduly burdensome. The Commission
solicited comment on the cost to a small carrier of notifying a
customer upon release of CPNI. The Commission sought comment on whether
the Commission should amend its rules to require carriers to file
annual certifications concerning CPNI and whether this requirement
should extend to only telecommunications carriers that are not small
telephone companies as defined by the Small Business Administration,
and whether small carriers should be subject to different CPNI-related
obligations.
101. The Commission has considered each of the alternatives
described above, and in this Order, imposes minimal regulation on small
entities to the extent consistent with its goal of ensuring that
carriers and providers of interconnected VoIP service protect against
the unauthorized release of CPNI. Specifically, the Commission extended
the implementation date for the rules pertaining to online
authentication by six months so that small businesses will have
additional time to come into compliance with the Order's rules.
102. As stated above, the Commission must assess the interests of
small businesses in light of the overriding public interest of
protecting against the unlawful release of CPNI. The Order discusses
that CPNI is made up of very personal data. Therefore, the
[[Page 31961]]
Commission concluded that it was important for all telecommunications
carriers and providers of interconnected VoIP service, including small
businesses, to comply with the rules the Commission adopts in this
Order six months after the Order's effective date or on receipt of OMB
approval, as required by the Paperwork Reduction Act, whichever is
later. For example, the Commission concluded that carriers and
providers of interconnected VoIP service must stop releasing call
detail information based on customer-initiated telephone calls except
by those methods provided for in the Order. Additionally, the
Commission concluded that it was important for all telecommunications
carriers and providers of interconnected VoIP service to report
breaches of CPNI data to law enforcement. The Commission therefore
rejected solutions that would exempt small businesses. The record
indicated that exempting small carriers from these regulations would
compromise the Commission's goal of protecting all Americans from the
unauthorized release of CPNI.
103. Report to Congress: The Commission will send a copy of the
Order, including this FRFA, in a report to be sent to Congress and the
Government Accountability Office pursuant to the Congressional Review
Act. In addition, the Commission will send a copy of the Order,
including this FRFA, to the Chief Counsel for Advocacy of the SBA. A
copy of the Order and FRFA (or summaries thereof) will also be
published in the Federal Register.
Ordering Clauses
104. Accordingly, It is ordered that pursuant to sections 1, 4(i),
4(j), 222, and 303(r) of the Communications Act of 1934, as amended, 47
U.S.C. 151, 154(i)-(j), 222, 303(r), this Report and Order and Further
Notice of Proposed Rulemaking in CC Docket No. 96-115 and WC Docket No.
04-36 is adopted, and that Part 64 of the Commission's rules, 47 CFR
Part 64, is amended as set forth in Appendix B. The Order shall become
effective upon publication in the Federal Register subject to OMB
approval for new information collection requirements or six months
after the Order's effective date, whichever is later.
105. It Is Further Ordered that the Commission's Consumer and
Governmental Affairs Bureau, Reference Information Center, shall send a
copy of this Report and Order and Further Notice of Proposed
Rulemaking, including the Final Regulatory Flexibility Analysis and the
Initial Regulatory Flexibility Analysis, to the Chief Counsel for
Advocacy of the Small Business Administration.
List of Subjects in 47 CFR Part 64
Customer proprietary network information, Reporting and
recordkeeping requirements, Telecommunications.
Federal Communications Commission.
Marlene H. Dortch,
Secretary.
Final Rules
0
For the reasons discussed in the preamble, the FCC amends 47 CFR part
64 as follows:
PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS
0
1. The authority citation for part 64 continues to read as follows:
Authority: 47 U.S.C. 154, 254(k); secs. 403(b)(2)(B),(c), Pub.
L. 104-104, 110 Stat. 56. Interpret or apply 47 U.S.C. 201, 218,
222, 225, 226, 228, and 254(k) unless otherwise noted.
0
2. Revise Sec. 64.2003 to read as follows:
Sec. 64.2003 Definitions.
(a) Account information. ``Account information'' is information
that is specifically connected to the customer's service relationship
with the carrier, including such things as an account number or any
component thereof, the telephone number associated with the account, or
the bill's amount.
(b) Address of record. An ``address of record,'' whether postal or
electronic, is an address that the carrier has associated with the
customer's account for at least 30 days.
(c) Affiliate. The term ``affiliate'' has the same meaning given
such term in section 3(1) of the Communications Act of 1934, as
amended, 47 U.S.C. 153(1).
(d) Call detail information. Any information that pertains to the
transmission of specific telephone calls, including, for outbound
calls, the number called, and the time, location, or duration of any
call and, for inbound calls, the number from which the call was placed,
and the time, location, or duration of any call.
(e) Communications-related services. The term ``communications-
related services'' means telecommunications services, information
services typically provided by telecommunications carriers, and
services related to the provision or maintenance of customer premises
equipment.
(f) Customer. A customer of a telecommunications carrier is a
person or entity to which the telecommunications carrier is currently
providing service.
(g) Customer proprietary network information (CPNI). The term
``customer proprietary network information (CPNI)'' has the same
meaning given to such term in section 222(h)(1) of the Communications
Act of 1934, as amended, 47 U.S.C. 222(h)(1).
(h) Customer premises equipment (CPE). The term ``customer premises
equipment (CPE)'' has the same meaning given to such term in section
3(14) of the Communications Act of 1934, as amended, 47 U.S.C. 153(14).
(i) Information services typically provided by telecommunications
carriers. The phrase ``information services typically provided by
telecommunications carriers'' means only those information services (as
defined in section 3(20) of the Communication Act of 1934, as amended,
47 U.S.C. 153(20)) that are typically provided by telecommunications
carriers, such as Internet access or voice mail services. Such phrase
``information services typically provided by telecommunications
carriers,'' as used in this subpart, shall not include retail consumer
services provided using Internet Web sites (such as travel reservation
services or mortgage lending services), whether or not such services
may otherwise be considered to be information services.
(j) Local exchange carrier (LEC). The term ``local exchange carrier
(LEC)'' has the same meaning given to such term in section 3(26) of the
Communications Act of 1934, as amended, 47 U.S.C. 153(26).
(k) Opt-in approval. The term ``opt-in approval'' refers to a
method for obtaining customer consent to use, disclose, or permit
access to the customer's CPNI. This approval method requires that the
carrier obtain from the customer affirmative, express consent allowing
the requested CPNI usage, disclosure, or access after the customer is
provided appropriate notification of the carrier's request consistent
with the requirements set forth in this subpart.
(l) Opt-out approval. The term ``opt-out approval'' refers to a
method for obtaining customer consent to use, disclose, or permit
access to the customer's CPNI. Under this approval method, a customer
is deemed to have consented to the use, disclosure, or access to the
customer's CPNI if the customer has failed to object thereto within the
waiting period described in Sec. 64.2008(d)(1) after the customer is
provided appropriate notification of the carrier's request for consent
consistent with the rules in this subpart.
(m) Readily available biographical information. ``Readily available
[[Page 31962]]
biographical information'' is information drawn from the customer's
life history and includes such things as the customer's social security
number, or the last four digits of that number; mother's maiden name;
home address; or date of birth.
(n) Subscriber list information (SLI). The term ``subscriber list
information (SLI)'' has the same meaning given to such term in section
222(h)(3) of the Communications Act of 1934, as amended, 47 U.S.C.
222(h)(3).
(o) Telecommunications carrier or carrier. The terms
``telecommunications carrier'' or ``carrier'' shall have the same
meaning as set forth in section 3(44) of the Communications Act of
1934, as amended, 47 U.S.C. 153(44). For the purposes of this subpart,
the term ``telecommunications carrier'' or ``carrier'' shall include an
entity that provides interconnected VoIP service, as that term is
defined in section 9.3 of these rules.
(p) Telecommunications service. The term ``telecommunications
service'' has the same meaning given to such term in section 3(46) of
the Communications Act of 1934, as amended, 47 U.S.C. 153(46).
(q) Telephone number of record. The telephone number associated
with the underlying service, not the telephone number supplied as a
customer's ``contact information.''
(r) Valid photo ID. A ``valid photo ID'' is a government-issued
means of personal identification with a photograph such as a driver's
license, passport, or comparable ID that is not expired.
0
3. Section 64.2005 is amended by revising paragraph (c)(3) to read as
follows:
Sec. 64.2005 Use of customer proprietary network information without
customer approval.
* * * * *
(c) * * *
(3) LECs, CMRS providers, and entities that provide interconnected
VoIP service as that term is defined in Sec. 9.3 of this chapter, may
use CPNI, without customer approval, to market services formerly known
as adjunct-to-basic services, such as, but not limited to, speed
dialing, computer-provided directory assistance, call monitoring, call
tracing, call blocking, call return, repeat dialing, call tracking,
call waiting, caller I.D., call forwarding, and certain centrex
features.
* * * * *
0
4. Section 64.2007 is amended by revising paragraph (b) to read as
follows:
Sec. 64.2007 Approval required for use of customer proprietary
network information.
* * * * *
(b) Use of Opt-Out and Opt-In Approval Processes. A
telecommunications carrier may, subject to opt-out approval or opt-in
approval, use its customer's individually identifiable CPNI for the
purpose of marketing communications-related services to that customer.
A telecommunications carrier may, subject to opt-out approval or opt-in
approval, disclose its customer's individually identifiable CPNI, for
the purpose of marketing communications-related services to that
customer, to its agents and its affiliates that provide communications-
related services. A telecommunications carrier may also permit such
persons or entities to obtain access to such CPNI for such purposes.
Except for use and disclosure of CPNI that is permitted without
customer approval under section Sec. 64.2005, or that is described in
this paragraph, or as otherwise provided in section 222 of the
Communications Act of 1934, as amended, a telecommunications carrier
may only use, disclose, or permit access to its customer's individually
identifiable CPNI subject to opt-in approval.
0
5. Section 64.2009 is amended by revising paragraph (e) to read as
follows:
Sec. 64.2009 Safeguards required for use of customer proprietary
network information.
* * * * *
(e) A telecommunications carrier must have an officer, as an agent
of the carrier, sign and file with the Commission a compliance
certificate on an annual basis. The officer must state in the
certification that he or she has personal knowledge that the company
has established operating procedures that are adequate to ensure
compliance with the rules in this subpart. The carrier must provide a
statement accompanying the certificate explaining how its operating
procedures ensure that it is or is not in compliance with the rules in
this subpart. In addition, the carrier must include an explanation of
any actions taken against data brokers and a summary of all customer
complaints received in the past year concerning the unauthorized
release of CPNI. This filing must be made annually with the Enforcement
Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining
to the previous calendar year.
* * * * *
0
6. Section 64.2010 is added to subpart U to read as follows:
Sec. 64.2010 Safeguards on the disclosure of customer proprietary
network information.
(a) Safeguarding CPNI. Telecommunications carriers must take
reasonable measures to discover and protect against attempts to gain
unauthorized access to CPNI. Telecommunications carriers must properly
authenticate a customer prior to disclosing CPNI based on customer-
initiated telephone contact, online account access, or an in-store
visit.
(b) Telephone access to CPNI. Telecommunications carriers may only
disclose call detail information over the telephone, based on customer-
initiated telephone contact, if the customer first provides the carrier
with a password, as described in paragraph (e) of this section, that is
not prompted by the carrier asking for readily available biographical
information, or account information. If the customer does not provide a
password, the telecommunications carrier may only disclose call detail
information by sending it to the customer's address of record, or by
calling the customer at the telephone number of record. If the customer
is able to provide call detail information to the telecommunications
carrier during a customer-initiated call without the telecommunications
carrier's assistance, then the telecommunications carrier is permitted
to discuss the call detail information provided by the customer.
(c) Online access to CPNI. A telecommunications carrier must
authenticate a customer without the use of readily available
biographical information, or account information, prior to allowing the
customer online access to CPNI related to a telecommunications service
account. Once authenticated, the customer may only obtain online access
to CPNI related to a telecommunications service account through a
password, as described in paragraph (e) of this section, that is not
prompted by the carrier asking for readily available biographical
information, or account information.
(d) In-store access to CPNI. A telecommunications carrier may
disclose CPNI to a customer who, at a carrier's retail location, first
presents to the telecommunications carrier or its agent a valid photo
ID matching the customer's account information.
(e) Establishment of a Password and Back-up Authentication Methods
for Lost or Forgotten Passwords. To establish a password, a
telecommunications carrier must authenticate the customer without the
use of readily available biographical information, or account
information.
[[Page 31963]]
Telecommunications carriers may create a back-up customer
authentication method in the event of a lost or forgotten password, but
such back-up customer authentication method may not prompt the customer
for readily available biographical information, or account information.
If a customer cannot provide the correct password or the correct
response for the back-up customer authentication method, the customer
must establish a new password as described in this paragraph.
(f) Notification of account changes. Telecommunications carriers
must notify customers immediately whenever a password, customer
response to a back-up means of authentication for lost or forgotten
passwords, online account, or address of record is created or changed.
This notification is not required when the customer initiates service,
including the selection of a password at service initiation. This
notification may be through a carrier-originated voicemail or text
message to the telephone number of record, or by mail to the address of
record, and must not reveal the changed information or be sent to the
new account information.
(g) Business customer exemption. Telecommunications carriers may
bind themselves contractually to authentication regimes other than
those described in this section for services they provide to their
business customers that have both a dedicated account representative
and a contract that specifically addresses the carriers' protection of
CPNI.
0
7. Section 64.2011 is added to subpart U to read as follows:
Sec. 64.2011 Notification of customer proprietary network information
security breaches.
(a) A telecommunications carrier shall notify law enforcement of a
breach of its customers' CPNI as provided in this section. The carrier
shall not notify its customers or disclose the breach publicly, whether
voluntarily or under state or local law or these rules, until it has
completed the process of notifying law enforcement pursuant to
paragraph (b) of this section.
(b) As soon as practicable, and in no event later than seven (7)
business days, after reasonable determination of the breach, the
telecommunications carrier shall electronically notify the United
States Secret Service (USSS) and the Federal Bureau of Investigation
(FBI) through a central reporting facility. The Commission will
maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni
.
(1) Notwithstanding any state law to the contrary, the carrier
shall not notify customers or disclose the breach to the public until 7
full business days have passed after notification to the USSS and the
FBI except as provided in paragraphs (b)(2) and (b)(3) of this section.
(2) If the carrier believes that there is an extraordinarily urgent
need to notify any class of affected customers sooner than otherwise
allowed under paragraph (b)(1) of this section, in order to avoid
immediate and irreparable harm, it shall so indicate in its
notification and may proceed to immediately notify its affected
customers only after consultation with the relevant investigating
agency. The carrier shall cooperate with the relevant investigating
agency's request to minimize any adverse effects of such customer
notification.
(3) If the relevant investigating agency determines that public
disclosure or notice to customers would impede or compromise an ongoing
or potential criminal investigation or national security, such agency
may direct the carrier not to so disclose or notify for an initial
period of up to 30 days. Such period may be extended by the agency as
reasonably necessary in the judgment of the agency. If such direction
is given, the agency shall notify the carrier when it appears that
public disclosure or notice to affected customers will no longer impede
or compromise a criminal investigation or national security. The agency
shall provide in writing its initial direction to the carrier, any
subsequent extension, and any notification that notice will no longer
impede or compromise a criminal investigation or national security and
such writings shall be contemporaneously logged on the same reporting
facility that contains records of notifications filed by carriers.
(c) Customer notification. After a telecommunications carrier has
completed the process of notifying law enforcement pursuant to
paragraph (b) of this section, it shall notify its customers of a
breach of those customers' CPNI.
(d) Recordkeeping. All carriers shall maintain a record,
electronically or in some other manner, of any breaches discovered,
notifications made to the USSS and the FBI pursuant to paragraph (b) of
this section, and notifications made to customers. The record must
include, if available, dates of discovery and notification, a detailed
description of the CPNI that was the subject of the breach, and the
circumstances of the breach. Carriers shall retain the record for a
minimum of 2 years.
(e) Definitions. As used in this section, a ``breach'' has occurred
when a person, without authorization or exceeding authorization, has
intentionally gained access to, used, or disclosed CPNI.
(f) This section does not supersede any statute, regulation, order,
or interpretation in any State, except to the extent that such statute,
regulation, order, or interpretation is inconsistent with the
provisions of this section, and then only to the extent of the
inconsistency.
[FR Doc. E7-10732 Filed 6-7-07; 8:45 am]
BILLING CODE 6712-01-P