
McClure Services LLC

CUSTOMER PROPRIETARY
NETWORK INFORMATION
(CPNI) MANUAL

Adopted: September 17, 2015

Created and Prepared by:

This manual and its contents are for the internal use only of the telephone company above and should not be
redistributed without the consent of Vantage Point Solutions.
McClure Services LLC

CUSTOMER PROPRIETARY NETWORK


INFORMATION (CPNI) MANUAL
(For McClure Services, LLC Internal Use Only)

This manual was developed by Vantage Point Solutions, Inc. (VPS), based on the
Federal Communications Commission (FCC) rules adopted on March 13, 2007, and the
associated Order released on April 2, 2007. These rules took effect on
December 8, 2007.

Please contact VPS with any questions or concerns:

Wendy Harper, Senior Financial Analyst: (605) 995-1756, Wendy.Harper@VantagePnt.com

JoAnn Hohrman, Senior Financial Analyst: (605) 995-1764, JoAnn.Hohrman@VantagePnt.com

Doug Eidahl, VP of Regulatory & Legal: (605) 995-1750, Doug.Eidahl@VantagePnt.com

2-Cover Sheet MS.doc Released: September 4, 2015

Prepared by Vantage Point Solutions For Internal Company Use Only


MCCLURE SERVICES LLC
CPNI MANUAL

Table of Contents

Section

1. Executive Summary
2. CPNI Background
3. Definitions
4. CPNI Responsibilities
    4.1 Company Responsibilities
    4.2 CPNI Compliance Officer Responsibilities
    4.3 Employee Responsibilities
5. CPNI Disciplinary Procedures
6. Authorized Account Contacts
7. Customer Authentication Procedures
8. Password Protection Procedures
9. On-line Account Access Requirements
10. Account Change/Activity Notification
11. Business Customer Exemption
12. Reporting Procedures
13. Opt-In & Opt-Out Approval Requirements
14. Frequently Asked Questions
15. Marketing Opportunities
16. SAMPLE Customer Memo & Forms [1]
    16.1 Customer Notice Memo
    16.2 Authorized Account Contacts
    16.3 Password Set Up
    16.4 Opt-In Notice
    16.5 Opt-Out Notice
    16.6 Notice of Change/Activity
17. Certifications
    17.1 CPNI Compliance Officer
    17.2 Employee Acknowledgement of CPNI Compliance
    17.3 Sample Annual Certification Letter
18. Appendices
    Appendix A - Section 222 of the 1996 Telecom Act
    Appendix B - FCC Title 47 CPNI Rules:
        64.2003 (Definitions)
        64.2005 (Use of CPNI without Customer Approval)
        64.2007 (Approval Required for Use of CPNI)
        64.2008 (Notice Required for Use of CPNI)
        64.2009 (Safeguards Required for Use of CPNI)
        64.2010 (Safeguards of the Disclosure of CPNI)
        64.2011 (Notification of CPNI Security Breaches)
    Appendix C - FCC Rule Amendments:
        FCC 1st Report & Order, Executive Summary, April 2, 2007
        Appendix B of the FCC 1st Report & Order, April 2, 2007

[1] All forms should be discussed with the Company's billing software vendor for tracking capabilities within
its system and non-duplication of any automated forms the software may generate. These are SAMPLES
of what may be used; however, similar forms may exist within the software. The Company should work
closely with its vendor regarding the way the Company chooses to implement CPNI procedures.


Executive Summary

Federal Communications Commission (FCC) Customer Proprietary Network Information
(CPNI) rules require that MCCLURE SERVICES LLC (Company) and its employees
take reasonable measures to discover and protect CPNI.

CPNI is information that is obtained due to the carrier-customer relationship and is not
public knowledge. CPNI includes call detail and non-call detail. CPNI call detail
information examples include, but are not limited to, information such as the calling
number, called number, and the length of time for a call. Non-call detail information is
account information contained in the bills to a customer pertaining to local exchange
and/or toll services, such as calling features, calling plan subscribed to, dollar amounts,
etc.

The Company must train its personnel as to when they are and are not authorized to use
or distribute CPNI, and the Company must have an express disciplinary process in place
to be used in the event that a CPNI breach occurs.

The Company must have an officer sign a compliance certificate on an annual basis (due
March 1st of each year for the prior year), which includes an explanation of any actions
taken against data brokers, as well as a summary of all consumer complaints received in
the previous year regarding the unauthorized release of CPNI.

In addition, the Company must establish a supervisory review process regarding carrier
compliance for outbound marketing situations and must also maintain records of carrier
compliance. Specifically, sales personnel must obtain supervisory approval by the CPNI
Compliance Officer of any proposed outbound marketing request for customer approval.

The Company is required to notify both law enforcement and customers in the event of a
CPNI breach within seven days of the discovered breach; however law enforcement must
be notified seven days before the customer is notified or longer if law enforcement
requests a delay in notifying the customer.

The Company prohibits its employees from releasing call detail information to customers
during customer-initiated telephone contact, except when the authorized customer
provides a password. Further, if the authorized customer does not provide a
pre-established password, the FCC prohibits the release of call detail information except by
sending the information to an address of record, or by calling the customer at the
telephone number of record. As an alternative, the customer may come into the office
and show valid, government-issued photo identification in order to be authenticated.

The Company also requires password protection for any online account access. All
account information accessed online must have a password input before obtaining access
to any of the account information. (Note: Password, whether for call detail or online
access, must not be based on readily available historical information such as a social
security number, mother's maiden name, etc.)

The Company is required to notify the customer immediately when a password, a customer
response to a security question used for authentication for lost or forgotten
passwords, an online account, or an address of record is created or changed. This notification
must be generic and not state the specifics of the change or activity. For example, if the
address of record was changed, the Company must not provide the new address, but only
state that the address was changed.

The Company must obtain opt-in consent from a customer before disclosing a customer's
CPNI to a joint venture partner, independent contractor, or a third party for the purpose of
marketing communications-related services to that customer.

For business customers, if the Company has established a dedicated account
representative for a particular business customer and the Company has a contractual
agreement with that business customer that specifically addresses the carrier's protection
of CPNI, then the contract CPNI requirements shall replace the FCC CPNI requirements
contained in this manual.

The opt-out and opt-in approval requirements must be followed for marketing related
services to the customer or for distribution to Company affiliates or third parties.

When customer approval of CPNI use is necessary, it may be obtained through written,
oral, or electronic methods. The Company must maintain records of approval, whether
oral, written, or electronic. The Company must implement a system by which the status
of a customer's CPNI approval can be clearly established prior to the use of CPNI.

The company must provide notification to the customer of the customer's right to restrict
use of, disclosure of, and access to that customer's CPNI. The company must maintain
records of notification.


CPNI Background

CPNI Definition
CPNI is defined as (A) information that relates to the quantity, technical configuration,
type, destination, location, and amount of use of a telecommunications service subscribed
to by any customer of a telecommunications carrier, and that is made available to the
carrier by the customer solely by virtue of the carrier-customer relationship; and (B)
information contained in the bills pertaining to telephone exchange service or telephone
toll service received by a customer of a carrier.[1]

Practically speaking, CPNI includes information such as the phone numbers called by a
consumer; the frequency, duration, and timing of such calls; and any services purchased
by the consumer, such as call waiting. CPNI, therefore, includes some highly-sensitive
personal information.

Section 222 of the Telecom Act of 1996


In the Telecom Act, Congress created a framework to govern telecommunications
carriers' protection and use of information obtained by virtue of providing a
telecommunications service. The Section 222 framework calibrates the protection of
such information from disclosure based on the sensitivity of the information. It places
fewer restrictions on the dissemination of information that is not highly sensitive and on
information that the customer authorizes to be released, than on the dissemination of
more sensitive information the carrier has gathered about particular customers. Congress
has accorded CPNI the greatest level of protection under the framework of Section 222.

Section 222 reflects the balance Congress sought to achieve between giving each
customer ready access to his or her own CPNI, and protecting customers from
unauthorized use or disclosure of CPNI. Every telecommunications carrier has a general
duty, pursuant to Section 222(a), to protect the confidentiality of CPNI. In addition,
Section 222(c)(1) provides that a carrier may only use, disclose, or permit access to
customers' CPNI in limited circumstances:
(1) as required by law;[2]
(2) with the customer's approval; or
(3) in its provision of the telecommunications service from which such
information is derived, or services necessary to, or used in the provision of,
such telecommunications service.

[1] 47 U.S.C. § 222(h)(1)
[2] See, e.g., Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of
Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115,
Declaratory Ruling, 21 FCC Rcd 9990 (2006) (clarifying that Section 222 does not prevent a
telecommunications carrier from complying with the obligation in 42 U.S.C. § 13032 to report violations of
specific federal statutes relating to child pornography).

Section 222 also guarantees that customers have a right to obtain access to, and compel
disclosure of, their own CPNI.

CPNI Order of 1998


In 1998, the Federal Communications Commission (FCC or Commission) released the
CPNI Order in which it adopted a set of rules implementing Section 222. In this Order,
the Commission outlined the extent to which Section 222 permits carriers to use CPNI to
render the telecommunications service from which the CPNI was derived. Beyond such
use, the Commission's rules require carriers to obtain a customer's knowing consent
before using or disclosing CPNI. Under these rules, telecommunications carriers must
receive Opt-Out consent before disclosing CPNI to joint venture partners and
independent contractors for the purposes of marketing communications-related services
to customers. In addition, the Commission also adopted a set of rules designed to ensure
that telecommunications carriers establish effective safeguards to protect against
unauthorized use or disclosure of CPNI. Among these safeguards are rules that:
- require carriers to design their customer service records in such a way that the
  status of a customer's CPNI approval can be clearly established;
- require telecommunications carriers to train their personnel as to when they
  are and are not authorized to use CPNI;
- require carriers to have an express disciplinary process in place;
- require carriers to maintain records that track access to customer CPNI
  records and to maintain such records for a period of at least one year;
- require the establishment of a supervisory review process for outbound
  marketing campaigns; and
- require each carrier to certify annually regarding its compliance with the
  carrier's CPNI requirements and to make this certification publicly available.

Temporary Opt-Out Clarification - 2001


In a 2001 clarification to the above Order, the FCC permitted carriers to rely on Opt-Out
measures for customer approval of using their CPNI for marketing.

Opt-In Requirement - 2002


In 2002, the FCC then issued rules requiring Opt-In measures for customer approval for
carriers' release of CPNI to Third Parties; however, Opt-Out provisions were allowed for
the release of CPNI to Affiliated Parties.

EPIC Petition - 2005


In 2005, the Electronic Privacy Information Center (EPIC) filed a petition with the
Commission asking the Commission to investigate telecommunications carriers' current
security practices and to initiate a rulemaking proceeding to consider establishing more
stringent security standards for telecommunications carriers to govern the disclosure of
CPNI. In particular, EPIC proposed that the Commission consider requiring the use of
consumer-set passwords, creating audit trails, employing encryption, limiting data
retention, and improving notice procedures.

CPNI Report and Order of 2007


In April 2007, the FCC released its Report and Order and Further Notice of Proposed
Rulemaking regarding Telecommunications Carriers' Use of CPNI and Other Customer
Information, on which this manual is based. The manual will be updated when
necessary.

CPNI Summary
Since the CPNI Order of 1998, telecommunications carriers have sued many people
whom they accuse of fraudulently obtaining phone records. These people are referred to
as pretexters. Pretexting is a practice where an individual impersonates another
person and employs false pretenses, or otherwise uses trickery to obtain records. For
example, in one of the cases filed by Cingular, Cingular stated that the defendant
pretexter posed as an employee of Cingular and as a customer of Cingular in order to
induce Cingular's customer service representatives to provide them with the call records
of a targeted customer.

In addition to individual pretexters, data brokers are businesses that operate (often via a
website) by offering phone records as well as other personal information for a fee. The
data brokers retrieve the personal information through pretexting. Numerous complaints
have been filed with the Federal Trade Commission (FTC) against data brokers.
Additionally, numerous states have sued data brokers for pretexting phone records.
However, the data brokers have generally responded that there is no law prohibiting them
from selling phone records.

However, recently several telecommunications carriers have been fined for failing to
safeguard customer information and to comply with FCC CPNI regulations. Even
small carriers have been given hefty fines in the range of $100,000.


CPNI-Related Terms and Definitions

Address of Record
An address, either postal or electronic (email), that the carrier has associated with the customer's
account for at least 30 days.

Affiliate
A person that (directly or indirectly) owns or controls, is owned or controlled by, or is
under common ownership or control with, another person. For purposes of this
paragraph, the term "own" means to own an equity interest (or the equivalent thereof) of
more than 10 percent.

Breach
When a person, without authorization or exceeding authorization, has intentionally
gained access to, used, or disclosed CPNI.

Call Detail Information


Any information that pertains to the inbound and/or outbound calls. For example,
telephone records containing date, time, calling number, called number, length of call,
etc. This information is considered CPNI and requires the highest level of privacy,
according to the current FCC rules.

Customer
A person or entity to which the telecommunications carrier is currently providing
services.

Communications-related Services
Telecommunications services, information services typically provided by
telecommunications carriers, and services related to the provision or maintenance of
customer premises equipment.

Customer Authentication
Confirmation of the customer's identity by using biographical information that is not
readily available.


Customer Proprietary Network Information (CPNI)
Defined as (A) information that relates to the quantity, technical configuration, type,
destination, location, and amount of use of a telecommunications service subscribed to by
any customer of a telecommunications carrier, and that is made available to the carrier by
the customer solely by virtue of the carrier-customer relationship; and (B) information
contained in the bills pertaining to telephone exchange service or telephone toll service
received by a customer of a carrier.[1]

Practically speaking, CPNI includes information such as the phone numbers called by a
consumer; the frequency, duration, and timing of such calls; and any services purchased
by the consumer, such as calling features like call waiting or voicemail. CPNI, therefore,
includes some highly-sensitive personal information.

Data Brokers
Businesses that operate (often via a website) by offering phone records as well as other
personal information for a fee. The data brokers retrieve the personal information
through pretexting.

Existing Customer Relationship


Based on the provisioning of services requested by the customer that establishes a
business relationship between a company and its customer.

Independent Contractor
A third-party company with which the telephone company engages in business.

Information Service
Information services typically provided by telecommunications carriers, such as Internet
access or voice mail services. Information services in this paragraph do not include retail
consumer services provided using Internet websites (such as travel reservation services or
mortgage lending services), whether or not such services may otherwise be considered to
be information services.

Interconnected Voice Over Internet Protocol


A service that: (1) enables real-time, two-way voice communications; (2) requires a
broadband connection from the user's location; (3) requires Internet protocol-compatible
customer premises equipment; and (4) permits users generally to receive calls that
originate on the public switched telephone network and to terminate calls to the public
switched telephone network.

Joint-Venture Partner
Another business in which the telephone company may hold an ownership interest.

[1] 47 U.S.C. § 222(h)(1)


Pretexting
Practice where an individual impersonates another person and employs false pretenses, or
otherwise uses trickery to obtain records.

Readily Available Biographic Information


Information that is created from the customer's life history (i.e. social security number or
last four digits, home address, mother's maiden name, date of birth).

Section 222
Requires carriers to protect CPNI as part of the Telecommunications Act of 1996.

Telephone Number of Record


The telephone number associated with the underlying service; it cannot be a number
supplied as the customer's contact information.

Valid Photo ID
Government-issued unexpired personal identification with a photograph (i.e. driver's
license or passport).


Company Responsibilities

MCCLURE SERVICES LLC (MCCLURE) has outlined the following
responsibilities for CPNI compliance based upon the FCC rules:

Create a CPNI Manual. A CPNI manual has been created for all employees of the
company to read, understand, and abide by for CPNI compliance. The CPNI manual
should be adopted by the Board of Directors.

Employee Acknowledgement and Disciplinary Actions. After employees have
received training on the CPNI rules and regulations, each MCCLURE employee
should sign the Employee Acknowledgement of CPNI Compliance Certification and
understand the disciplinary actions for unauthorized release of CPNI.

Designate a CPNI Compliance Officer (CPNI CO). A CPNI CO will be assigned
to oversee all MCCLURE CPNI compliance with the FCC rules. This CPNI CO will
sign the CPNI Compliance Certification Form after reading and thoroughly
understanding the CPNI manual. The CPNI CO duties are detailed in the Compliance
Officer Responsibilities section of this CPNI manual. See Section 5 for MCCLURE's
duties as assigned to the CPNI CO.

Network Security. MCCLURE is responsible for the safeguarding of CPNI when it
is stored in a database. Encryption is not required by the FCC; however, safeguard
measures must be taken to protect the stored CPNI information.

Note: The FCC stressed its expectation that carriers will take affirmative measures
to discover and protect against activity that is indicative of pretexting beyond what
is required by the FCC's current rules, and reminded carriers that the Telecom Act
imposes on them the duty of instituting effective measures to protect the privacy of
CPNI.[1]

[1] Federal Communications Commission, First Report and Order Regarding Telecommunications
Carriers' Use of Customer Proprietary Network Information and Other Customer Information, CC
Docket No. 96-115 and WC Docket No. 04-36, released April 2, 2007. (Page 21, #35)


Compliance Officer Responsibilities

MCCLURE SERVICES LLC (MCCLURE) has designated the following employee
as the CPNI Compliance Officer (CPNI CO):

____________________ (Mary Claire Cartwright) ____________________

CPNI CO responsibilities have been added to the designated employee's job
responsibilities and duties. The CPNI CO responsibilities include:

Annual Compliance Certification Filing. MCCLURE's CPNI Compliance Officer
will act as an agent of MCCLURE in certifying compliance with the FCC rules on an
annual basis, stating that he/she has personal knowledge that the company has
established operating procedures that are adequate to ensure compliance with the
FCC's CPNI rules. The CPNI CO will be required to make this filing annually with
the Enforcement Bureau on or before March 1st of each year for the previous year's data.

Company's Main CPNI Point of Contact. The CPNI CO will be the company's
main point of contact for employees, customers, and other parties.

Maintenance and Security of CPNI. The CPNI CO is responsible for ensuring
proper maintenance and security of the CPNI files.

Track CPNI Complaints. CPNI CO must track all customer complaints regarding
the unauthorized release of CPNI and include a summary of all those complaints that
were received during the past year in the annual certification filing.

Track Actions Taken Against Data Brokers. This summary needs to be included
in the annual certification filing with the FCC.

Track CPNI Breaches. CPNI CO must track all CPNI breaches and actions taken
against data brokers and maintain the records for a minimum period of 2 years.

Notification of Unauthorized Disclosure of CPNI. CPNI CO must notify law
enforcement within seven days of a suspected CPNI breach and then notify the
customer within seven days after notification to law enforcement. However, if law
enforcement requests additional time before notifying the customer, the CPNI CO
must keep a record of such instructions from law enforcement.


Review Company Marketing Procedures. CPNI CO must review CPNI
compliance in company marketing procedures by ensuring the appropriate Opt-Out
and Opt-In approval requirements are met. Keep details of all marketing campaigns
utilizing CPNI.

Review and Document Company CPNI Use. CPNI CO must review and document
all company use of CPNI ensuring proper utilization.

Train Employees on CPNI Requirements and Procedures. CPNI CO will be
responsible for training all company employees on CPNI requirements mandated by
the FCC and the company procedures.

Ensure Employees are CPNI Certified. CPNI CO will be responsible for ensuring
company employees have certified their knowledge of the company's CPNI
requirements.

Ensure Customer Notification of Account Changes/Activity. CPNI CO will be
responsible for ensuring customers have been notified of qualifying account changes
and/or account activity within 48 hours of such change/activity.

Ensure Company Measures of CPNI Protection. CPNI CO will ensure the company
has established and utilizes sufficient measures to discover and protect against
pretexting and unauthorized disclosure of CPNI. CPNI CO will also establish and
implement additional steps beyond the FCC rules to protect the privacy of CPNI to
the extent such measures are feasible.

Designate Assistant CPNI CO. The CPNI CO will designate an assistant CPNI CO
to help with the overseeing of CPNI compliance and to step in during the absence of
the CPNI CO.


Employee Responsibilities Regarding CPNI

MCCLURE SERVICES LLC Employee CPNI responsibilities include:

Assist CPNI Compliance Officer (CPNI CO) in ensuring maintenance and security of
the Company's CPNI files.

Notify CPNI CO of any CPNI-related complaints from customers.

Notify CPNI CO of any breaches of CPNI rules.

Review and follow CPNI requirements and procedures and sign Employee
Acknowledgement of CPNI Compliance Certification.

Assist in ensuring that customers are notified immediately of any account changes or
activity.

Notify CPNI CO of any CPNI violations.

Assist in ensuring that sufficient measures are used to discover and protect against
pretexting and unauthorized disclosures of CPNI.

Must authenticate customers before discussing non-call detail CPNI with a customer.

Must require the associated account password be supplied by the authorized account
customer before providing call detail to the customer. Or the other three means of
call detail release approved by the FCC may be utilized: Call back customer at
telephone of record, mail to address of record, or have customer come in with valid
government-issued photo ID.


Disciplinary Procedures Relating to Violations of CPNI Protection

MCCLURE SERVICES LLC (MCCLURE) has established the
following disciplinary procedures for CPNI violations and CPNI
breaches, whether intentional or unintentional. All employees of our
company are subject to the following disciplinary actions for CPNI
violations and CPNI breaches:

CPNI Violations include but are not limited to discussing products or services with a
customer outside the existing service relationship without the customer's permission
and/or engaging in marketing efforts without observing the opt-out and opt-in approval
requirements.

Disciplinary Action for CPNI Violations: A first-time violation requires the employee
to re-read the CPNI manual and be re-trained on CPNI rules and procedures. Additional
violations may result in reassignment, suspension, and/or termination, based on the
seriousness and frequency of the CPNI violation(s).

CPNI Breaches occur when an employee acts without customer authority to intentionally
use, share, or disclose CPNI. Examples include distributing or selling CPNI to third
parties, or any action that harms the customer or the Company with the release of CPNI.

Disciplinary Action for CPNI Breaches: Depending on the occurrence and severity of
the breach, the disciplinary action for a CPNI breach may result in retraining,
reassignment, suspension, and termination.

Note: MCCLURE SERVICES LLC has the right to handle the disciplinary actions
regarding CPNI violations and CPNI breaches as the Company sees fit for the type of
violation or breach in regards to frequency and severity of the violation or breach
occurrence. CPNI is a confidential matter in our office and we expect employees to
take all necessary steps in order to protect our customers' privacy.


Authorized Account Contacts

Authorized Account Contact


Employees may only discuss and/or provide CPNI information to an Authorized
Account Contact (AAC) for that particular account being discussed. If someone is
not listed on the account as an AAC (such as a spouse or child of an elderly customer),
the employee may use the Authorized Account Contacts form to add this person to the
account as an AAC only with the approval of the current AAC.

Note: Payments may be received from non-AACs, as long as the employee does not
provide CPNI information to them. (For example, the employee may not provide
specifics about the call detail records or dollar amounts of an invoice; however, if the
person knows the dollar amount or wants to make the payment by placing so much
money on the account, then that is acceptable.) Also, if the customer can provide details
of a call, those provided details can be discussed, but additional information cannot be
provided.

Important Note: Any time that a customer requests access to information contained in
call detail records (such as the called number, length of call, etc.), a password is
required (or, if a password is not supplied, the other three FCC-approved methods
discussed previously may be utilized: calling back the number of record, mailing to the
address of record, or the customer providing valid photo ID). Employees
are forbidden from supplying call detail record information to anyone without the
account password, even if Caller ID indicates that the customer is calling from the
telephone number of record. However, other information, such as discussing calling
feature purchases, etc., may be disclosed without a password, but only after the
customer has been authenticated.


Customer Authentication Procedures

Customer Authentication
For employees to authenticate an authorized account contact (AAC), the employee should
politely explain that the Federal Communications Commission (FCC) now requires
authentication in order to protect their privacy before discussing account information.
Then, explain that you could do this by asking a few questions to verify the customer's
identity. Example questions to authenticate a customer include:

How long have you had your account with us?
What are the features and services you receive from us?
Are there any other names listed on the account?
What is your average monthly bill amount?

Note: The employee could also call back the telephone number of record; however,
they must still verify this is the AAC they are talking with. For example, if only the
husband is the AAC, and a woman answers or is the one calling for authentication, the
employee should not discuss the CPNI with her but offer to establish the spouse as an
AAC once approved by the current AAC.


Password Protection Procedures

Establishing a Password

New Customers
MCCLURE SERVICES LLC (Company) requires new customers to establish a
password at the time of service initiation because the customer can be easily
authenticated at that time by showing government-issued identification.

Existing Customers
Company will initially send a mass mailing to its authorized account customers
(AAC) in order to inform the AAC of the new password requirement for the
release of CPNI information and to allow the customers to fill out the Password
Set Up form and return it to the Company.

If existing AACs do not set up a password at the time of the initial mailing, but
later decide to establish one by either calling into the Company or stopping into
the Company office, employees must first authenticate the customer without
the use of readily available biographical information or account information. (See
authentication procedures in previous Section 7.)

Password Set Up
Customers must provide responses to the Password Set Up form, which
includes the actual password as well as a couple of security question answers in case
the password is forgotten.

Use of Password
When a customer calls or stops in and requests call detail information, employees should
politely explain to the customer that the FCC requires the customer to provide the
account password before this information may be disclosed. If the customer is unable to
provide the password, the employee should ask the account security questions to the
customer and if answered correctly, may then provide the requested call detail record
information and establish a new password.

If the customer is unable to provide the password and does not answer the two selected
security questions correctly, or if the customer refuses to set up a password, the employee
should explain the following options and may share the call detail records by only the
three following methods:

1. calling the customer back at the telephone number of record;
2. mailing or emailing the information to the address of record (address must be
on company file for at least 30 days); or
3. authenticating the customer's identity in person with a valid government-
issued photo identification.


On-line Account Access Requirements

On-line Account Access

Because the Company is responsible to ensure the security and privacy of online account
access, the Company must appropriately authenticate both new and existing customers
seeking access to account information online. Therefore, the FCC requires the use of
passwords for on-line account review and billing access.

If a password is already in place, it is not required to establish a new password at this
time, unless it is based solely on readily available biographical information or
account information. For new customers, a carrier should request that a customer
establish an on-line password at the time of service initiation, which again cannot be
based on readily available biographical information or account information.

Note: The FCC expects carriers to block access to the customer's account if repeated
unsuccessful attempts are made when trying to log in.


Account Change/Activity Notification Procedures

The FCC requires the Company to notify customers immediately of certain account
changes, including:

Password created

Password changed

Customer responses to security questions were utilized

Online account password created

Online account password changed

Online account authentication response

Physical address of record changed

Email address of record changed

Authorized customer was added to the account

The Company is also required to notify the customer of a security breach within seven days after
law enforcement has been notified (or longer only if law enforcement requests
additional time) as described in Section 12, Reporting Procedures.


Business Customer Exemption

Some business customer accounts contain privately negotiated proprietary information
safeguards, as established in an account contract. Therefore, if our contract with a
business customer is serviced by a dedicated account representative as the primary
contact, and specifically addresses MCCLURE SERVICES LLC's protection of the
business customer's CPNI, the authentication rules do not have to be followed for that
particular business customer. However, the remainder of the CPNI rules still needs to be
followed.


CPNI Violation and Breach Reporting Procedures

Law Enforcement Notification


MCCLURE SERVICES LLC (MCCLURE) must notify law enforcement of a breach of
its customers' CPNI no later than seven business days after a reasonable determination
of a breach, by sending electronic notification through a central reporting facility to the
United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI). The
FCC Enforcement Bureau will maintain a link to the reporting facility at
www.fcc.gov/eb/CPNI.

Customer Notification
Then, MCCLURE must notify the customer and/or disclose the breach publicly after
seven business days following notification to the USSS and the FBI, if the USSS and the
FBI have not requested that MCCLURE continue to postpone disclosure. However,
MCCLURE may notify the customer immediately or publicly disclose the breach
immediately after consultation with the relevant investigative agency, if MCCLURE
believes that there is an extraordinarily urgent need to notify a customer or class of
customers in order to avoid immediate and irreparable harm.

Maintenance of Records
Additionally, MCCLURE must maintain a record of any discovered breaches,
notifications to the USSS and the FBI regarding those breaches, and the USSS and FBI
responses to the notifications for a period of at least two years. This record must include,
if available, the date the breach was discovered, the date that MCCLURE notified the
USSS and the FBI, the date that MCCLURE notified the customer, a detailed description
of the CPNI that was breached, and the circumstances of the breach (including steps
taken by MCCLURE to prevent the breach, how the breach occurred, and the impact of
the breach).

Cooperation with Law Enforcement


MCCLURE employees must fully cooperate in any law enforcement investigation of
such unauthorized release of CPNI or attempted unauthorized access to an account,
consistent with statutory and FCC requirements.

Note: For carriers with breaches, the FCC can still issue forfeitures against them even if
all the CPNI rules are proven to have been met. It is important for our company to go
above and beyond all FCC CPNI protection rules, displaying our commitment to
protecting our customers' CPNI.


Opt-In and Opt-Out Requirements

Opting Background
A significant change was made by the FCC in its First Report & Order dated April 2, 2007, to the
prior CPNI opt-out rule. Previously, carriers were to send an opt-out form to the customers
informing them that their CPNI would be shared with joint venture or independent contractors for
marketing communications-related services. If they signed an opt-out form, the carrier could
not share that particular customer's information with any other parties. With the new rules, the
old opt-out rule has been eliminated for sharing CPNI with a joint venture or third party. Now,
the customer must specifically opt-in or consent to sharing their CPNI with a third party for
marketing use.
Under the new rules, carriers can market enhancements to services the customer already has
based on CPNI without customer consent. For example, if a customer subscribes to local service,
the carrier does not need customer approval to use the CPNI to sell calling features for that local
service such as call waiting. However, for services outside the existing scope of business the
carrier must have customer permission to market the additional services and products based upon
CPNI whether in-house (subject to opt-out approval requirements) or to a third party (subject to
opt-in approval requirements). For example, if the customer has only local service with the
carrier and no long distance, the long distance service promotions cannot be shared with that
customer without the customer's permission. If the customer chooses to sign and return an opt-out
form, the carrier will not be able to use the customer's CPNI to market any services outside
the existing scope of service with the carrier, unless the customer initiates a request to discuss a
particular service. The carrier also may not share the customer's CPNI with any affiliates to
market services outside their existing services with the customer if an opt-out form has been
returned to the carrier, unless one-time approval has been given. Customers must be notified of
their right to opt-out of marketing endeavors for services and products outside the existing
relationship.

Opting Methods
There are two methods of opting approval:
1) Opt-Out Notice stating the carrier considers the customer to have given approval of CPNI
use for marketing unless the customer informs the company otherwise
2) Opt-In Notice requesting that the customer give permission to the company to use CPNI
for marketing
These approval methods must be utilized and followed before CPNI is shared either internally or
externally for marketing purposes. Company must track the opting notices, keep the signed
notices on file, and notate status in the company billing records. The company should not send
excessive notices to their customers in any fashion that could be considered badgering or
harassment.
Reminder: Names, addresses, and phone numbers are not considered CPNI. Companies may
market to all customers based on non-CPNI. Be sure the non-CPNI marketing campaign is
approved by the CPNI Compliance Officer, as all marketing should be, and goes to each
customer selected by the chosen criteria.
Note: Company should give at least 30 days' notice of opt-out opportunity to the customer before
utilizing the CPNI for marketing.


CPNI Frequently Asked Questions

What is Customer Proprietary Network Information?


In general terms, CPNI is personal information contained in customer records. From a
telecommunication carrier's standpoint, CPNI is most of the information collected by the
carrier for service provisioning and billing purposes. CPNI includes call detail
information, including calling numbers, called numbers, length of call, etc. Because of
the public nature of customer names, addresses, and phone numbers, these items are not
considered to be CPNI.

When are the New CPNI Rules Effective?


CPNI rules are already in effect and have been around for many years. However,
compliance with the updated FCC rules (from the Federal Communications Commission
Report and Order and Further Notice of Proposed Rulemaking issued on April 2, 2007)
was required six months after the effective date of the Order or upon approval by the
Office of Management and Budget (OMB), whichever was later. The Report & Order
was published in the Federal Register on June 8, 2007, so the updated CPNI rules became
effective on December 8, 2007 (six months from this date). However, small carriers
(defined as a small entity as discussed below) had an additional six months to comply
with the online password protection requirements.

Regarding the new online access CPNI rules, our company meets the definition of a small
entity or a small business concern under the Regulatory Flexibility Act for Small
Business and therefore was eligible for an additional six-month extension on these
particular rules. Therefore, the effective date was June 8, 2008.

Who Needs to Comply with CPNI Rules?


The CPNI rules apply to Telecommunications Carriers (all voice service entities), as
defined by the Communications Act of 1934, as amended, and including interconnected
Voice Over Internet Protocol (VoIP) providers. Therefore, the definition of
telecommunications carriers would include local exchange carriers (incumbent and
competitive), long distance carriers (or interexchange carriers), mobile (or cellular)
carriers, and VoIP providers.

Are passwords required for the use or release of all types of CPNI?
No, passwords are only required by the FCC for call detail CPNI; however, companies
may implement password protection on all CPNI in order to keep consistency for the
employees and customers. To release non call detail information, carriers are still subject
to Section 222 of the Telecom Act and therefore, must authenticate the customer prior to
disclosing non call detail CPNI. (The FCC is still reviewing comments regarding
whether passwords should also be required for certain non-call detail CPNI.)

What is readily available biographical information?


Readily available biographical information includes such things as the customer's social
security number, or the last four digits of that number; the customer's mother's maiden
name; a home address; or a date of birth.

Per the FCC, when are passwords required?


A password is required in order to release call detail CPNI information. However the
company can choose whether to tighten this requirement to non-call detail CPNI as well.
The FCC is still reviewing comments on whether to require a password on certain non
call detail CPNI as well, but to date passwords are required by the FCC only for call
detail information that is not provided by the customer.

What is call detail?


Call detail includes any information that pertains to the transmission of specific telephone
calls including, for outbound calls, the number called and the time, location, or duration
of any call. For inbound calls, call detail includes the number from which the call was
placed, as well as the time, location, or duration of any call.

Are there any other ways to release call detail CPNI if a customer does not
remember his/her password or does not desire to set one up?
Yes. An employee may release call detail CPNI without a password by only one of the
following three methods:

1. Call the customer back at the telephone number of record;
2. Mail or email the CPNI information to the address of record; or
3. Confirm the customer's identity in person with a valid photo ID.

What is a valid photo ID?


A valid photo ID is a government-issued personal identification with a photograph, such
as a current driver's license, passport, or comparable identification.

What is meant by telephone number of record?


The telephone number of record is the telephone number associated with the underlying
service, rather than some other telephone number supplied as a customer's contact
information.

What is meant by address of record?
The address of record is the address, whether postal or electronic, that the carrier has
associated with the customer's account for at least 30 days. Requiring that the address be
on file for 30 days will foreclose a pretexter's ability to change an address of record for
the purpose of being sent call detail information immediately.

What are examples of CPNI that is non call detail information?


Some examples of CPNI that is non call detail would be remaining minutes of use on a
calling plan, account features, or dollar amounts billed.

May an employee rely on Caller ID as an authentication method?


No. Pretexters could easily replicate Caller ID numbers. The caller ID information is not
an authorized method of authentication.

What is account information?


Account information is the information related to a customer's account, which includes
such things as account number or any component thereof, including the telephone
number associated with the account or the amount of the last bill.

How long do I have to report a CPNI breach to law enforcement?


The Company must report a CPNI breach within seven days to law enforcement.

How shall law enforcement be notified of a breach of CPNI?


The FCC Enforcement Bureau will maintain a link to the reporting facility at
www.fcc.gov/eb/CPNI.

How long do I have to report a CPNI breach to our customer?


The Company must report a CPNI breach to the customer seven days after it was
reported to law enforcement for investigation. If law enforcement requests a longer time
period before notifying a customer, the Company must abide but keep notes of such a
request.

May I share CPNI with a spouse, child, or parent of the authorized account
customer?
Not unless that person is already listed as an Authorized Account Contact for that
particular account. CPNI may only be shared with the Authorized Account Contact.

May I share CPNI information with a person who provides the correct account
password, but is clearly not an Authorized Account Contact?
No. CPNI may only be shared with the Authorized Account Contact.

If a security question is utilized for a forgotten password, what must be done?
The FCC requires that the Company send notification to the address of record (best
choice) or leave a voice message or send a text message to the phone number of record
notifying the customer that security questions were utilized to gain account access. A
new account password will also need to be set up.

What is meant by a customer response to a carrier-designed security means of
authentication?
A customer response to a carrier-designed security means of authentication is the
customer's pre-selected answer to the carrier's security authentication method in the
event that the customer lost or forgot his/her password.

If a customer calls with a question about a long distance call and wants to discuss
call detail information relating to that call, how should the employee handle the
call?
The employee should politely explain that the FCC requires our company to use a
password to access the customer's call records in order to protect the customer's privacy
and to prevent others from accessing the customer's private account information. If the
customer then provides the password, the employee may begin discussion regarding the
call detail information. If the customer cannot provide the password, the employee may
then ask the customer to answer a security question. If the customer provides the correct
answer to the security question, the employee may then begin discussion regarding the
call detail information. (The employee may try another security question if the first
security question is not answered correctly.) If the customer has not previously set up a
password and security questions, then the employee should offer to assist the customer in
setting up a password by authenticating the customer (i.e., calling the customer back at
the telephone number of record, asking for answers to non-biographical or non-account
information questions, etc.) and then assisting them in setting up the password and
security questions. (Please see Sections 7-8 of the CPNI manual.) Note: If the customer
supplies the details of the call, those particular details may be discussed without a
password.

If the customer refuses to establish a password in the above scenario, what should
be done?
The employee should politely explain that the customer has the following three
alternatives in order to access the call detail information:
1. Company will call the customer back at the telephone number of record;
2. Company will mail the information to the address of record (postal or
electronic, but the address must be in the Company files for at least 30 days);
or
3. Customer may stop into the office and show a valid government-issued photo
ID.

What if a customer calls asking about calling features on the monthly bill?
Because this request is not for call detail information, which would require a password,
the employee should politely authenticate the customer by confirming that the person is
an Authorized Account Contact, by asking a few of the following suggested questions:

How long have you had your account with us?
What are the features you receive from us?
What are the services you receive from us?
Are there any other names listed on the account?
What is your average monthly bill amount?

How may our company use CPNI without prior customer approval?
A carrier may use CPNI without prior customer permission to market services within an
existing customer relationship, to perform mass marketing (such as bill inserts, direct
mail, newsletters), to provision products and services, for installation and repair services,
to comply with law enforcement, and to establish directory listings.

May our company distribute CPNI to a third party, joint-venture partner, or
independent contractor without the customer's express permission?
No. This type of CPNI use would be subject to Opt-In Approval by the customer. All
customers must give permission before their CPNI can be released to a third party, joint-
venture partner or independent contractor.

What does Opt-In approval mean?


Opt-in approval means that the customer must give notice to the Company that they give
permission for their CPNI to be shared with joint-venture partners, independent
contractors, and/or third parties.

A customer has left our company and has gone to the competition for certain
services. May we use this customer's CPNI to promote a win-back campaign for
these particular services?
No, the customer's CPNI cannot be used in this way, unless your company has sent an
Opt-Out Notification to the customer and the customer did not return a signed Opt-Out
form. However, mass marketing may be used to entice this type of customer back.

Some of our local exchange service customers do not currently have our affiliate's
long distance service. May we share these customers' CPNI with our long distance
affiliate to promote a targeted marketing campaign for the long distance service
and/or bundling of services?
Yes, except to any customers that have returned signed Opt-Out forms.

A customer called in with a question regarding his local service. May we promote
our affiliate's DSL service without asking his permission?
Yes, except to any customers that have returned signed Opt-Out forms.

If a customer signs an opt-out, what does this mean?


This means that employees may not discuss any service with that customer, except the
particular ones requested by the customer, or within the customer's existing scope of
services with the carrier.

How can my company market services or products without utilizing the Opt-Out
and Opt-In Forms?
Mass marketing (based on addresses and/or phone numbers of all customers, or based on
phone numbers and/or addresses contained in public sources for a specific exchange or
zip code) may be used to promote services or products as you would not be using CPNI
for this type of marketing. Also, employees asking permission of the customer to discuss
products and services would be another way.

Our affiliate just rolled out DSL service in one of our exchanges. May we share
CPNI with the affiliate to market this service to those customers without marketing
to our remaining customers?
Yes, to the customers that have not returned a signed Opt-Out form or if you base the
marketing on public information such as name, address, and phone number (which are
not considered to be CPNI) for a particular zip code or phone exchange.

What is an existing customer relationship?


An existing customer relationship is based on the following categories of service:

Local voice and all related services
Long distance and all related services
Internet and all related services
Wireless phone and all related services
Bundles and all related services

See Up-Selling Opportunities in section 15 to assist in determining the related
services.

Note: CATV CPNI is protected under a separate set of rules, US Code Title 47,
Chapter 5, Subchapter V-A, Part IV, Section 551.


Marketing Opportunities Within Service Categories In Order to Comply With CPNI Rules
(If Your Company Does Not Utilize the Opt-Out / Opt-In Methods of Gaining Customer Approval to Use CPNI)

Marketing without prior customer approval may only be done when there is an existing
customer relationship. An existing customer relationship means that the customer
already has ordered a particular service or has initiated contact with the company to
discuss a particular service. Note: All employees, especially Customer Service
Representatives, installation and repair technicians, receptionists and any other
front desk and phone employees, need to be aware of the rules regarding what they
may discuss with a customer in order to market more services.

An existing customer relationship may include the following categories of service:

Local voice and all related services
o Customer Premises Equipment, such as telephones, fax machine,
head phones, etc.
o Second phone line
o Calling Features, such as Caller ID and Voicemail, etc.
o Key Systems

Long distance and all related services
o Alternative long distance plans
o Bundles of long distance minutes, including increase in minutes
plan or unlimited plan

Internet and all related services
o Customer Premises Equipment, such as modems and routers
o Mailboxes
o Virus Protection
o Static IP Addresses
o Spam Filtering
o Web Storage
o Upgrade from dial-up Internet to high-speed DSL
o Upgrade from lower bandwidth DSL to higher bandwidth DSL
o Wireless broadband

Bundles and all related services
o If customer currently has a voice and long distance bundle, those
are the only services (along with all the related services, such as
upgrades within that bundle) that can be discussed without the
employees approval to discuss other services.
o If customer currently has a voice and data bundle, those are the
only services (along with all the related services, such as upgrades
within that bundle) that can be discussed without the employees
approval to discuss other services.
o If customer currently has a voice and video bundle, those are the
only services (along with all the related services, such as upgrades
within that bundle) that can be discussed without the employees
approval to discuss other services.
o If customer currently has a voice, data, and video bundle, those
are the only services (along with all the related services, such as
upgrades within that bundle) that can be discussed without the
employees approval to discuss other services.
o If customer currently has a voice, data, and wireless bundle, those
are the only services (along with all the related services, such as
upgrades within that bundle) that can be discussed without the
employees approval to discuss other services.

Note: CATV CPNI is protected under a separate set of rules, US Code Title 47,
Chapter 5, Subchapter V-A, Part IV, Section 551.

Section15-MarketingOpportunities MS.docPage 2 of 2 Released: September 4, 2015



MEMO
(Print on Company Letterhead)

TO: MCCLURE SERVICES LLC Customer

FROM: Mary Claire Cartwright
CPNI Compliance Officer, MCCLURE SERVICES LLC (MCCLURE)

DATE: September 4, 2015

RE: Customer Notice Regarding CPNI Compliance

In order to help protect your privacy regarding customer proprietary network information (CPNI), the
Federal Communications Commission (FCC) has taken measures to strengthen the rules of
providing CPNI to customers, when requested. MCCLURE is in the process of implementing these
new FCC rules. In order for our company to be in compliance with the new FCC rules for CPNI, we
want to inform you, our valued customer, of the changes that pertain to you. CPNI includes the call
detail information such as the called number, time of call, length of call, etc.

With the new FCC rule revisions, we will only be able to discuss account information with the
person(s) listed on the account or proven power of attorney. If call detail is requested by a customer
over the phone and the call is initiated by the customer, that customer will need to provide a
previously set password in order for our customer service representative (CSR) to supply the
requested information on the phone call. The password cannot be historical background information
that would be available to someone else, such as the last four digits of your social security number,
mother's maiden name, your address, etc. If this password is not supplied and back-up questions
cannot be answered, there are only three ways for the customer to obtain this requested detail:

1. Hang up and have the CSR call back the telephone number of record
2. Have the CSR mail the requested information to the address of record
3. The authorized customer on the account must come to the telephone office and show a valid
government issued photo ID

With these rules, if you would like to add someone to the account who can be authorized to make
such requests, please let us know. Otherwise, only the person(s) listed on the account will be able to
obtain such call detail information in the manner addressed above and be able to discuss changes to
the account or certain account details. If a customer initiates a call to MCCLURE for account
changes that are non-call detail CPNI, such as questions on your bill, the customer will be asked to
authenticate themselves or possibly need to supply the password, depending on the FCC final ruling. In
order to assist in adding an authorized person(s) to your account, such as a spouse or dependent,
please complete the attached form and return it to the telephone office.

We apologize in advance for any inconvenience this may cause; however, the new rules are for the
protection of your privacy in order to ensure that no one other than the authorized person is receiving
the requested detail and making account changes. Our service to you is not changing as your
privacy has always been important to us; we are only tightening our security of protecting your
private information, as mandated by the FCC.

Along with the authorized person form, we have included a section to complete in order to begin the
process of setting up your password and back-up questions. Please complete this form and
return to our telephone office at your earliest convenience.

Due to the FCC rule revisions, you will also receive a Notice of Change/Activity form at the address
of record from our office anytime changes are made to your account such as an address change,
password change, back-up question used for lost or forgotten password, etc. The notice will inform
you of such change or activity and if this was not made by an authorized person, please contact our
office immediately.

Occasionally, MCCLURE would like to make you aware of additional products or services available
from us outside our current service relationship. For example, if you have our local exchange voice
service, you may be interested in our long distance packages. However, per the new FCC rules on
CPNI, you have the option of signing the attached Opt-Out form in order to exclude yourself from
such internal marketing services. We never sell your private information to outside entities; however,
we would like the opportunity to continue to make you aware of additional products and services
available to you that you currently may not know about. By completing the attached Opt-Out form,
we will exclude you from such internal marketing opportunities based upon your specific account
information. If you wish to be excluded, please complete the attached Opt-Out form and return it to
our office. Otherwise, if you would like to continue hearing about our products and services that may
be of interest to you based upon your current account status, please disregard this Opt-Out form.

Thank you in advance for your assistance in completing the necessary forms attached and returning
to our office in order to help us comply with the new FCC rules for your CPNI protection. The new
procedures will help ensure your private information is protected. If you have any questions
regarding our new procedures for CPNI compliance, please contact me at (765) 588-1388.

Enclosures (3)

Section16.1-SampleCustomerMemo MS.doc Page 2 of 2 Released: September 4, 2015


MCCLURE SERVICES LLC
Input Form

Current Authorized Account Contacts for (phone number): (800) 123-4567

Contact: John Doe

Contact: Jill Doe

Phone Company Information: McClure Services LLC


Kurz Purdue Technology Center
1281 Win Hentschel Blvd.
West Lafayette, IN 47906

Jack Doe
CPNI Compliance Officer
ABC Telephone Company

(800) 123-4567
Phone Number

Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Input Released: October 15, 2007
MCCLURE SERVICES LLC
Authorized Account Contacts

Per the FCC rules regarding Customer Proprietary Network Information (CPNI)
as described in the attached notice, this form needs to be completed and
returned to our office.

The current authorized account contacts are listed below. Please mark whether
you would or would not like to add another contact to the account at this time. If
you do add another contact, please provide their name(s) in the lines below.

Reminder: Due to the CPNI FCC rules, we can only discuss certain account
information and call detail with such authorized contacts.

Current Authorized Account Contacts for (phone number): (800) 123-4567

Contact: John Doe


Contact: Jill Doe

No, at this time I do not want to add any additional authorized contacts to my account.

Yes, at this time I would like to add the following people as authorized contacts for my account.

Email Address*:

*The FCC does allow call detail CPNI to be sent to an email account of record.
However, this email address must be in the company files for at least 30 days
before CPNI can be sent to it. If you would like our company to have an "email
address of record" in our files, please provide the address.

Authorized By:
(Signature of authorized contact currently listed on the account)

Date:

Please use the enclosed envelope to return the completed form to our office at:
McClure Services LLC
Kurz Purdue Technology Center
1281 Win Hentschel Blvd.
West Lafayette, IN 47906
For questions regarding this form or the new CPNI company policies, please contact:
Jack Doe
CPNI Compliance Officer
ABC Telephone Company
(800) 123-4567
Phone Number

Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Authorized Acct Contacts Released: October 15, 2007
MCCLURE SERVICES LLC
Password Set Up

Per the new FCC rules regarding Customer Proprietary Network Information (CPNI) as described in the
attached notice, this form needs to be completed and returned to our office.

Reminder: Due to the new CPNI FCC rules, if you request call detail information you must supply this
password before the information can be disclosed. If you do not remember the password, the security
questions below will be used for verification and a new password will be established. If a password
cannot be supplied for call detail information, there are only a few ways mandated by the FCC in order to
obtain the information.
(1) Have the telephone representative call you back, but only at the telephone number of record
(2) Have the telephone representative mail you the requested call detail information, but only to the
address of record
(3) You, the authorized account customer, must come to the telephone office and show your valid
government issued photo ID

One Form must be completed per account; therefore, if there is more than one authorized customer on
the account, this password will be for all authorized customers.

Current Authorized Account Contacts for (phone number): (800) 123-4567


Contact: John Doe
Contact: Jill Doe

Authorized Customer Chosen Password*:


(Between 5-10 characters in length - Alpha, Numeric, or Alpha/Numeric Mixed - no spaces or symbols all

*This password cannot be historical information, such as information based on your social security number,
address, etc. The FCC is trying to minimize the possibility of false identification for supplying call detail;
therefore, do not use anything that someone else would be able to access.

Security Questions & Answers:

Choose two security questions and fill in the answers. These will be used to verify you as the authorized
customer if the password cannot be remembered. The telephone representative will ask you the chosen
questions and wait for the proper answer (that you complete below) before the password is re-established.

1. What was your first childhood pet's name?

2. Where were you born?

(You can use city and state, just state, just city, state abbreviation, zip code, city nickname,
etc. Just remember the way you have chosen to answer this.)

3. What is your favorite color?

4. As a child, what was your dream job?

5. What brand of shampoo do you use?

Authorized By:
(Signature of authorized contact currently listed on the account)

Date:

Please use the enclosed envelope to return the completed form to our office at:
McClure Services LLC
Kurz Purdue Technology Center
1281 Win Hentschel Blvd.
West Lafayette, IN 47906

For questions regarding this form or the new CPNI company policies, please contact:
Jack Doe
CPNI Compliance Officer
ABC Telephone Company

(800) 123-4567
Phone Number

Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Password Set Up Released: October 15, 2007
MCCLURE SERVICES LLC
Opt-In Notice

As in the past and continuing into the future, our company respects your privacy and abides by the privacy rules
mandated by the Federal Communications Commission, state commission, and any other oversight telecom
agencies.

For the purpose of marketing additional products and services to you, we are requesting permission to share your
account and call information with our joint-venture partners, independent contractors, and/or other third parties. This
information will be used for marketing purposes only to better serve you with additional products and services that
may be of interest to you based upon your usage and features.

We would like the opportunity to continue to better serve you by notifying you of our additional products and services;
however, you must opt-in in order to receive information regarding our additional products and services. If you agree
to this, please sign and return the portion below.

Please call our office if you have any questions on this notice:
Jack Doe
CPNI Compliance Officer
ABC Telephone Company

(800) 123-4567
Phone Number

OPT-IN CONSENT

Return this portion if you choose to opt-in to notification of MCCLURE SERVICES LLC
external marketing of services and products.

I have read the above notice and would like to Opt-In by granting permission to MCCLURE SERVICES LLC
for sharing my account information with joint-venture partners, independent contractors, and/or third parties
for the purpose of marketing.

Authorized Customer: John Doe

Street/Billing Address:

City, State, Zip Code:

Account Telephone Number: (800) 123-4567

Authorized By:
(Signature of authorized contact currently listed on the account)

Date:

Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Opt-In Released: October 15, 2007
MCCLURE SERVICES LLC
Opt-Out Notice

As in the past and continuing into the future, our company respects your privacy and abides by the privacy
rules mandated by the Federal Communications Commission, state commission, and any other oversight
telecom agencies. We never sell your private account information or provide call detail information of your
telephone calls to outside entities for marketing purposes. The protection of your information is important
to us and our Company acknowledges that you have a right, and we have a duty, under federal law, to
protect the confidentiality of your CPNI.

Sometimes we would like to make you aware of additional products or services available from us and our
affiliates (Identify by name) outside the existing business relationship. For example, if you have our local
exchange voice service, you may be interested in our long distance packages. However, per the new FCC
rules on Customer Proprietary Network Information (CPNI), you have the option of being excluded from
such targeted marketing services by signing and returning the opt-out notification below. CPNI is
information created by virtue of the relationship between a carrier and a customer, including the quantity,
technical configuration, type, destination, location, and amount of use of a customer's telecommunications
services purchased (including specific calls a customer makes and receives) and related local and toll
billing information. It does not include published information such as one's name, address, or telephone
number.

We would like the opportunity to continue to better serve you by notifying you of our additional products
and services; however, you have the right to opt-out of hearing about these products and services. If you
would like to continue being notified about the products and services based upon your current services
with us, then please do nothing further. However, if you would like to "opt-out," the signed and returned
signature card will prevent us from informing you of the products and services outside of your existing scope of
service with us based upon the use of your CPNI.

Unless you provide us with notice that you wish to opt-out within 33 days of the date of this notice, we will
assume that you give our Company the right to utilize your CPNI for internal marketing campaigns. Please
be advised that if you do not opt out, your consent will remain valid until we receive your notice withdrawing
it. If you wish to withdraw your consent at any time, you may do so by calling us at 1-800-XXX-XXXX.
Furthermore, note that opting out will not affect the status of the services you currently have with our
Company. In addition, we can disclose your CPNI to comply with any laws, court order or subpoena or to
provide services to you, pursuant to your Customer Agreement.

Please call our office if you have any questions on this notice:
Jack Doe
CPNI Compliance Officer
ABC Telephone Company

(800) 123-4567 November 1, 2007


Phone Number

OPT-OUT NOTIFICATION

Return this portion if you choose to opt-out of notification of MCCLURE SERVICES LLC
internal targeted marketing of services and products that are outside of your existing service scope.

I have read this notice and would like to Opt-Out of the CPNI based marketing of products and services
that are outside of my existing scope of service offered by MCCLURE SERVICES LLC.

Authorized Customer: John Doe

Street/Billing Address:

City, State, Zip Code:

Account Telephone Number: (800) 123-4567

Authorized By:
(Signature of authorized contact currently listed on the account)

Date:

Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Opt-Out Released: October 15, 2007
MCCLURE SERVICES LLC
Notice of Change/Activity

In order to help protect your privacy we must notify you of a recent change or activity on your account. The
following change or activity was made to your account:

Your address of record was changed.


Your email address of record was changed.
A new password was created.
The password was changed.
The security questions were utilized to re-issue a forgotten password.
A security question response was revised.
A security breach has occurred.
Other:

If you did not authorize this change or were unaware of the activity, please notify our office immediately.

Jack Doe
CPNI Compliance Officer
ABC Telephone Company

(800) 123-4567
Phone Number

Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Notice of Change-Activity Released: October 15, 2007
MCCLURE SERVICES LLC
CPNI Compliance Officer Certification

I, Jack Doe (CPNI Compliance Officer Printed Name), hereby acknowledge that I fully understand MCCLURE SERVICES LLC's
obligations under the Customer Proprietary Network Information (CPNI) Federal Communications Commission (FCC)
rules and I do have personal knowledge of MCCLURE SERVICES LLC's operating procedures for the protection of
CPNI. I have completed training on the CPNI rules and thoroughly understand MCCLURE SERVICES LLC's CPNI
Manual. I understand the CPNI rules and will go above and beyond the FCC mandated rules to help protect CPNI.

CPNI Compliance Officer:


(Signature of CPNI Compliance Officer)

(Date)

Approved By:
(Signature of Authorized Person - General Manager, Board President, etc.)

(Printed Name of Authorized Person)

(Title of Authorized Person)

(Date)

Section16.2-16.6 CPNI SAMPLE Forms MS.xls, CPNI Compliance Certification Released: October 15, 2007
MCCLURE SERVICES LLC
Employee Acknowledgement of CPNI Compliance Certification

I, ______________ (Employee Printed Name), hereby acknowledge receiving and reviewing MCCLURE SERVICES LLC's
CPNI Manual. The CPNI training coordinated by the CPNI Compliance Officer of MCCLURE SERVICES LLC
has also been completed by me. I know and understand my responsibilities to protect CPNI and agree with the
disciplinary procedures established by MCCLURE SERVICES LLC regarding CPNI.

Employee:
(Signature of Employee)

(Printed Name of Employee)

(Employee Title)

(Date Signed)

(Date CPNI Manual Received)

(Date CPNI Training Completed)

CPNI Compliance Officer:


(Signature of CPNI Compliance Officer)

Jack Doe
(Printed Name of CPNI Compliance Officer)

(Date Witnessed)

Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Employee Certification Released: October 15, 2007
MCCLURE SERVICES LLC
Annual Certification of CPNI
[As Required by FCC Rules in Section 64.2009(e)]

Reference: EB Docket No. 06-36

I, Jack Doe (CPNI Compliance Officer Printed Name), hereby certify that I am an Officer of MCCLURE SERVICES LLC.
I have personal knowledge that the Company has established procedures that are intended to comply with
the Customer Proprietary Network Information rules and requirements in Subpart U of Part 64 of the Federal
Communications Commission's Rules (47 C.F.R. 64.2001 through 64.2011). The attached Statement of CPNI
Compliance explains how the Company's procedures ensure that it is in compliance with the FCC rules.

Printed Name of
CPNI Compliance Officer: Jack Doe
(Printed Name of Compliance Officer)

CPNI Compliance Officer:


(Signature of CPNI Compliance Officer)

(Date)

Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Annual Certification Released: October 15, 2007
MCCLURE SERVICES LLC
CPNI MANUAL

Section 222 of the Telecom Act

PRIVACY OF CUSTOMER INFORMATION

(a) IN GENERAL - Every telecommunications carrier has a duty to protect the
confidentiality of proprietary information of, and relating to, other
telecommunication carriers, equipment manufacturers, and customers, including
telecommunication carriers reselling telecommunications services provided by a
telecommunications carrier.
(b) CONFIDENTIALITY OF CARRIER INFORMATION - A
telecommunications carrier that receives or obtains proprietary information from
another carrier for purposes of providing any telecommunications service shall
use such information only for such purpose, and shall not use such information for
its own marketing efforts.
(c) CONFIDENTIALITY OF CUSTOMER PROPRIETARY NETWORK
INFORMATION
(1). PRIVACY REQUIREMENTS FOR TELECOMMUNICATIONS
CARRIERS - Except as required by law or with the approval of the
customer, a telecommunications carrier that receives or obtains customer
proprietary network information by virtue of its provision of a
telecommunications service shall only use, disclose, or permit access to
individually identifiable customer proprietary network information in its
provision of
(A) the telecommunications service from which such information is
derived, or
(B) services necessary to, or used in, the provision of such
telecommunications service, including the publishing of
directories.
(2). DISCLOSURE ON REQUEST BY CUSTOMERS - A
telecommunications carrier shall disclose customer proprietary network
information, upon affirmative written request by the customer, to any
person designated by the customer.
(3). AGGREGATE CUSTOMER INFORMATION - A
telecommunications carrier that receives or obtains customer proprietary
network information by virtue of its provision of a telecommunications
service may use, disclose, or permit access to aggregate customer
information other than for the purposes described in paragraph (1). A
local exchange carrier may use, disclose, or permit access to aggregate
customer information other than for purposes described in paragraph (1)
only if it provides such aggregate information to other carriers or
persons on reasonable and nondiscriminatory terms and conditions upon
reasonable request therefor.
(d) EXCEPTIONS - Nothing in this section prohibits a telecommunications carrier
from using, disclosing, or permitting access to customer proprietary network
information obtained from its customers, either directly or indirectly through its
agents
(1). to initiate, render, bill, and collect for telecommunications services;
(2). to protect the rights or property of the carrier, or to protect users of those
services and other carriers from fraudulent, abusive, or unlawful use of,
or subscription to, such services; or
(3). to provide any inbound telemarketing, referral, or administrative
services to the customer for the duration of the call, if such call was
initiated by the customer and the customer approves of the use of such
information to provide such service.
(e) SUBSCRIBER LIST INFORMATION - Notwithstanding subsections (b), (c),
and (d), a telecommunications carrier that provides telephone exchange service
shall provide subscriber list information gathered in its capacity as a provider of
such service on a timely and unbundled basis, under nondiscriminatory and
reasonable rates, terms, and conditions, to any person upon request for the
purpose of publishing directories in any format.
(f) DEFINITIONS - As used in this section:
(1). CUSTOMER PROPRIETARY NETWORK INFORMATION - The
term `customer proprietary network information' means
(A) information that relates to the quantity, technical configuration,
type, destination, and amount of use of a telecommunications
service subscribed to by any customer of a telecommunications
carrier, and that is made available to the carrier by the customer
solely by virtue of the carrier-customer relationship; and
(B) information contained in the bills pertaining to telephone
exchange service or telephone toll service received by a
customer of a carrier; except that such term does not include
subscriber list information.
(2). AGGREGATE INFORMATION - The term `aggregate customer
information' means collective data that relates to a group or category of
services or customers, from which individual customer identities and
characteristics have been removed.
(3). SUBSCRIBER LIST INFORMATION - The term `subscriber list
information' means any information
(A) identifying the listed names of subscribers of a carrier and such
subscribers' telephone numbers, addresses, or primary
advertising classifications (as such classifications are assigned
at the time of the establishment of such service), or any
combination of such listed names, numbers, addresses, or
classifications; and
(B) that the carrier or an affiliate has published, caused to be
published, or accepted for publication in any directory format.

Appendix A-Section 222 MS.doc Page 2 of 2 Released: September 4, 2015





ELECTRONIC CODE OF FEDERAL REGULATIONS

e-CFR data is current as of September 11, 2015

Title 47 → Chapter I → Subchapter B → Part 64 → Subpart U

Title 47: Telecommunication
PART 64 - MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

Subpart U - Customer Proprietary Network Information
Contents
§64.2001 Basis and purpose.
§64.2003 Definitions.
§64.2005 Use of customer proprietary network information without customer approval.
§64.2007 Approval required for use of customer proprietary network information.
§64.2008 Notice required for use of customer proprietary network information.
§64.2009 Safeguards required for use of customer proprietary network information.
§64.2010 Safeguards on the disclosure of customer proprietary network information.
§64.2011 Notification of customer proprietary network information security breaches.

SOURCE: 63 FR 20338, Apr. 24, 1998, unless otherwise noted.

§64.2001 Basis and purpose.

(a) Basis. The rules in this subpart are issued pursuant to the Communications Act of 1934, as amended.

(b) Purpose. The purpose of the rules in this subpart is to implement section 222 of the Communications Act of 1934, as amended, 47 U.S.C. 222.

§64.2003 Definitions.

(a) Account information. Account information is information that is specifically connected to the customer's service relationship with the carrier, including such things as an account number or any component thereof, the telephone number associated with the account, or the bill's amount.

(b) Address of record. An address of record, whether postal or electronic, is an address that the carrier has associated with the customer's account for at least 30 days.

(c) Affiliate. The term affiliate has the same meaning given such term in section 3(1) of the Communications Act of 1934, as amended, 47 U.S.C. 153(1).

(d) Call detail information. Any information that pertains to the transmission of specific telephone calls, including, for outbound calls, the number called, and the time, location, or duration of any call and, for inbound calls, the number from which the call was placed, and the time, location, or duration of any call.

(e) Communications-related services. The term communications-related services means telecommunications services, information services typically provided by telecommunications carriers, and services related to the provision or maintenance of customer premises equipment.

(f) Customer. A customer of a telecommunications carrier is a person or entity to which the telecommunications carrier is currently providing service.

(g) Customer proprietary network information (CPNI). The term customer proprietary network information (CPNI) has the same meaning given to such term in section 222(h)(1) of the Communications Act of 1934, as amended, 47 U.S.C. 222(h)(1).

(h) Customer premises equipment (CPE). The term customer premises equipment (CPE) has the same meaning given to such term in section 3(14) of the Communications Act of 1934, as amended, 47 U.S.C. 153(14).

(i) Information services typically provided by telecommunications carriers. The phrase information services typically provided by telecommunications carriers means only those information services (as defined in section 3(20) of the Communication Act of 1934, as amended, 47 U.S.C. 153(20)) that are typically provided by telecommunications carriers, such as Internet access or voice mail services. Such phrase information services typically provided by telecommunications carriers, as used in this subpart, shall not include retail consumer services provided using Internet Web sites (such as travel reservation services or mortgage lending services), whether or not such services may otherwise be considered to be information services.

(j) Local exchange carrier (LEC). The term local exchange carrier (LEC) has the same meaning given to such term in section 3(26) of the Communications Act of 1934, as amended, 47 U.S.C. 153(26).

(k) Opt-in approval. The term opt-in approval refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. This approval method requires that the carrier obtain from the customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the carrier's request consistent with the requirements set forth in this subpart.

(l) Opt-out approval. The term opt-out approval refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. Under this approval method, a customer is deemed to have consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto within the waiting period described in §64.2008(d)(1) after the customer is provided appropriate notification of the carrier's request for consent consistent with the rules in this subpart.

(m) Readily available biographical information. Readily available biographical information is information drawn from the customer's life history and includes such things as the customer's social security number, or the last four digits of that number; mother's maiden name; home address; or date of birth.

(n) Subscriber list information (SLI). The term subscriber list information (SLI) has the same meaning given to such term in section 222(h)(3) of the Communications Act of 1934, as amended, 47 U.S.C. 222(h)(3).

(o) Telecommunications carrier or carrier. The terms telecommunications carrier or carrier shall have the same meaning as set forth in section 3(44) of the Communications Act of 1934, as amended, 47 U.S.C. 153(44). For the purposes of this subpart, the term telecommunications carrier or carrier shall include an entity that provides interconnected VoIP service, as that term is defined in section 9.3 of these rules.

(p) Telecommunications service. The term telecommunications service has the same meaning given to such term in section 3(46) of the Communications Act of 1934, as amended, 47 U.S.C. 153(46).

(q) Telephone number of record. The telephone number associated with the underlying service, not the telephone number supplied as a customer's contact information.

(r) Valid photo ID. A valid photo ID is a government-issued means of personal identification with a photograph such as a driver's license, passport, or comparable ID that is not expired.

[72 FR 31961, June 8, 2007]

64.2005 Use of customer proprietary network information without customer approval.

(a) Any telecommunications carrier may use, disclose, or permit access to CPNI for the purpose of providing or marketing service offerings among the categories of service (i.e., local, interexchange, and CMRS) to which the customer already subscribes from the same carrier, without customer approval.

(1) If a telecommunications carrier provides different categories of service, and a customer subscribes to more than one category of service offered by the carrier, the carrier is permitted to share CPNI among the carrier's affiliated entities that provide a service offering to the customer.

(2) If a telecommunications carrier provides different categories of service, but a customer does not subscribe to more than one offering by the carrier, the carrier is not permitted to share CPNI with its affiliates, except as provided in 64.2007(b).

(b) A telecommunications carrier may not use, disclose, or permit access to CPNI to market to a customer service offerings that are within a category of service to which the subscriber does not already subscribe from that carrier, unless that carrier has customer approval to do so, except as described in paragraph (c) of this section.

(1) A wireless provider may use, disclose, or permit access to CPNI derived from its provision of CMRS, without customer approval, for the provision of CPE and information service(s). A wireline carrier may use, disclose or permit access to CPNI derived from its provision of local exchange service or interexchange service, without customer approval, for the provision of CPE and call answering, voicemail or messaging, voice storage and retrieval services, fax store and forward, and protocol conversion.

(2) A telecommunications carrier may not use, disclose or permit access to CPNI to identify or track customers that call competing service providers. For example, a local exchange carrier may not use local service CPNI to track all customers that call local service competitors.

(c) A telecommunications carrier may use, disclose, or permit access to CPNI, without customer approval, as described in this paragraph (c).

(1) A telecommunications carrier may use, disclose, or permit access to CPNI, without customer approval, in its provision of inside wiring installation, maintenance, and repair services.

(2) CMRS providers may use, disclose, or permit access to CPNI for the purpose of conducting research on the health effects of CMRS.

(3) LECs, CMRS providers, and entities that provide interconnected VoIP service as that term is defined in 9.3 of this chapter, may use CPNI, without customer approval, to market services formerly known as adjunct-to-basic services, such as, but not limited to, speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain centrex features.

(d) A telecommunications carrier may use, disclose, or permit access to CPNI to protect the rights or property of the carrier, or to protect users of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services.

[63 FR 20338, Apr. 24, 1998, as amended at 64 FR 53264, Oct. 1, 1999; 67 FR 59211, Sept. 20, 2002; 72 FR 31962, June 8, 2007]


64.2007 Approval required for use of customer proprietary network information.

(a) A telecommunications carrier may obtain approval through written, oral or electronic methods.

(1) A telecommunications carrier relying on oral approval shall bear the burden of demonstrating that such approval has been given in compliance with the Commission's rules in this part.

(2) Approval or disapproval to use, disclose, or permit access to a customer's CPNI obtained by a telecommunications carrier must remain in effect until the customer revokes or limits such approval or disapproval.

(3) A telecommunications carrier must maintain records of approval, whether oral, written or electronic, for at least one year.

(b) Use of Opt-Out and Opt-In Approval Processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services. A telecommunications carrier may also permit such persons or entities to obtain access to such CPNI for such purposes. Except for use and disclosure of CPNI that is permitted without customer approval under section 64.2005, or that is described in this paragraph, or as otherwise provided in section 222 of the Communications Act of 1934, as amended, a telecommunications carrier may only use, disclose, or permit access to its customer's individually identifiable CPNI subject to opt-in approval.
[67 FR 59212, Sept. 20, 2002, as amended at 72 FR 31962, June 8, 2007]


64.2008 Notice required for use of customer proprietary network information.

(a) Notification, Generally. (1) Prior to any solicitation for customer approval, a telecommunications carrier must provide notification to the customer of the customer's right to restrict use of, disclosure of, and access to that customer's CPNI.

(2) A telecommunications carrier must maintain records of notification, whether oral, written or electronic, for at least one year.

(b) Individual notice to customers must be provided when soliciting approval to use, disclose, or permit access to customers' CPNI.

(c) Content of Notice. Customer notification must provide sufficient information to enable the customer to make an informed decision as to whether to permit a carrier to use, disclose, or permit access to, the customer's CPNI.

(1) The notification must state that the customer has a right, and the carrier has a duty, under federal law, to protect the confidentiality of CPNI.

(2) The notification must specify the types of information that constitute CPNI and the specific entities that will receive the CPNI, describe the purposes for which CPNI will be used, and inform the customer of his or her right to disapprove those uses, and deny or withdraw access to CPNI at any time.

(3) The notification must advise the customer of the precise steps the customer must take in order to grant or deny access to CPNI, and must clearly state that a denial of approval will not affect the provision of any services to which the customer subscribes. However, carriers may provide a brief statement, in clear and neutral language, describing consequences directly resulting from the lack of access to CPNI.

(4) The notification must be comprehensible and must not be misleading.

(5) If written notification is provided, the notice must be clearly legible, use sufficiently large type, and be placed in an area so as to be readily apparent to a customer.

(6) If any portion of a notification is translated into another language, then all portions of the notification must be translated into that language.

(7) A carrier may state in the notification that the customer's approval to use CPNI may enhance the carrier's ability to offer products and services tailored to the customer's needs. A carrier also may state in the notification that it may be compelled to disclose CPNI to any person upon affirmative written request by the customer.

(8) A carrier may not include in the notification any statement attempting to encourage a customer to freeze third-party access to CPNI.

(9) The notification must state that any approval, or denial of approval for the use of CPNI outside of the service to which the customer already subscribes from that carrier is valid until the customer affirmatively revokes or limits such approval or denial.

(10) A telecommunications carrier's solicitation for approval must be proximate to the notification of a customer's CPNI rights.

(d) Notice Requirements Specific to Opt-Out. A telecommunications carrier must provide notification to obtain opt-out approval through electronic or written methods, but not by oral communication (except as provided in paragraph (f) of this section). The contents of any such notification must comply with the requirements of paragraph (c) of this section.

(1) Carriers must wait a 30-day minimum period of time after giving customers notice and an opportunity to opt-out before assuming customer approval to use, disclose, or permit access to CPNI. A carrier may, in its discretion, provide for a longer period. Carriers must notify customers as to the applicable waiting period for a response before approval is assumed.

(i) In the case of an electronic form of notification, the waiting period shall begin to run from the date on which the notification was sent; and

(ii) In the case of notification by mail, the waiting period shall begin to run on the third day following the date that the notification was mailed.

(2) Carriers using the opt-out mechanism must provide notices to their customers every two years.

(3) Telecommunications carriers that use email to provide opt-out notices must comply with the following requirements in addition to the requirements generally applicable to notification:

(i) Carriers must obtain express, verifiable, prior approval from consumers to send notices via email regarding their service in general, or CPNI in particular;

(ii) Carriers must allow customers to reply directly to emails containing CPNI notices in order to opt-out;

(iii) Opt-out email notices that are returned to the carrier as undeliverable must be sent to the customer in another form before carriers may consider the customer to have received notice;

(iv) Carriers that use email to send CPNI notices must ensure that the subject line of the message clearly and accurately identifies the subject matter of the email; and

(v) Telecommunications carriers must make available to every customer a method to opt-out that is of no additional cost to the customer and that is available 24 hours a day, seven days a week. Carriers may satisfy this requirement through a combination of methods, so long as all customers have the ability to opt-out at no cost and are able to effectuate that choice whenever they choose.

(e) Notice Requirements Specific to Opt-In. A telecommunications carrier may provide notification to obtain opt-in approval through oral, written, or electronic methods. The contents of any such notification must comply with the requirements of paragraph (c) of this section.

(f) Notice Requirements Specific to One-Time Use of CPNI. (1) Carriers may use oral notice to obtain limited, one-time use of CPNI for inbound and outbound customer telephone contacts for the duration of the call, regardless of whether carriers use opt-out or opt-in approval based on the nature of the contact.

(2) The contents of any such notification must comply with the requirements of paragraph (c) of this section, except that telecommunications carriers may omit any of the following notice provisions if not relevant to the limited use for which the carrier seeks CPNI:

(i) Carriers need not advise customers that if they have opted-out previously, no action is needed to maintain the opt-out election;

(ii) Carriers need not advise customers that they may share CPNI with their affiliates or third parties and need not name those entities, if the limited CPNI usage will not result in use by, or disclosure to, an affiliate or third party;

(iii) Carriers need not disclose the means by which a customer can deny or withdraw future access to CPNI, so long as carriers explain to customers that the scope of the approval the carrier seeks is limited to one-time use; and

(iv) Carriers may omit disclosure of the precise steps a customer must take in order to grant or deny access to CPNI, as long as the carrier clearly communicates that the customer can deny access to his CPNI for the call.
[67 FR 59212, Sept. 20, 2002]


64.2009 Safeguards required for use of customer proprietary network information.

(a) Telecommunications carriers must implement a system by which the status of a customer's CPNI approval can be clearly established prior to the use of CPNI.

(b) Telecommunications carriers must train their personnel as to when they are and are not authorized to use CPNI, and carriers must have an express disciplinary process in place.

(c) All carriers shall maintain a record, electronically or in some other manner, of their own and their affiliates' sales and marketing campaigns that use their customers' CPNI. All carriers shall maintain a record of all instances where CPNI was disclosed or provided to third parties, or where third parties were allowed access to CPNI. The record must include a description of each campaign, the specific CPNI that was used in the campaign, and what products and services were offered as a part of the campaign. Carriers shall retain the record for a minimum of one year.

(d) Telecommunications carriers must establish a supervisory review process regarding carrier compliance with the rules in this subpart for outbound marketing situations and maintain records of carrier compliance for a minimum period of one year. Specifically, sales personnel must obtain supervisory approval of any proposed outbound marketing request for customer approval.

(e) A telecommunications carrier must have an officer, as an agent of the carrier, sign and file with the Commission a compliance certificate on an annual basis. The officer must state in the certification that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart. In addition, the carrier must include an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. This filing must be made annually with the Enforcement Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining to the previous calendar year.

(f) Carriers must provide written notice within five business days to the Commission of any instance where the opt-out mechanisms do not work properly, to such a degree that consumers' inability to opt-out is more than an anomaly.

(1) The notice shall be in the form of a letter, and shall include the carrier's name, a description of the opt-out mechanism(s) used, the problem(s) experienced, the remedy proposed and when it will be/was implemented, whether the relevant state commission(s) has been notified and whether it has taken any action, a copy of the notice provided to customers, and contact information.

(2) Such notice must be submitted even if the carrier offers other methods by which consumers may opt-out.

[63 FR 20338, Apr. 24, 1998, as amended at 64 FR 53264, Oct. 1, 1999; 67 FR 59213, Sept. 20, 2002; 72 FR 31962, June 8, 2007]


64.2010 Safeguards on the disclosure of customer proprietary network information.

(a) Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an in-store visit.

(b) Telephone access to CPNI. Telecommunications carriers may only disclose call detail information over the telephone, based on customer-initiated telephone contact, if the customer first provides the carrier with a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information. If the customer does not provide a password, the telecommunications carrier may only disclose call detail information by sending it to the customer's address of record, or by calling the customer at the telephone number of record. If the customer is able to provide call detail information to the telecommunications carrier during a customer-initiated call without the telecommunications carrier's assistance, then the telecommunications carrier is permitted to discuss the call detail information provided by the customer.

(c) Online access to CPNI. A telecommunications carrier must authenticate a customer without the use of readily available biographical information, or account information, prior to allowing the customer online access to CPNI related to a telecommunications service account. Once authenticated, the customer may only obtain online access to CPNI related to a telecommunications service account through a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information.

(d) In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier's retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer's account information.

(e) Establishment of a Password and Back-up Authentication Methods for Lost or Forgotten Passwords. To establish a password, a telecommunications carrier must authenticate the customer without the use of readily available biographical information, or account information. Telecommunications carriers may create a back-up customer authentication method in the event of a lost or forgotten password, but such back-up customer authentication method may not prompt the customer for readily available biographical information, or account information. If a customer cannot provide the correct password or the correct response for the back-up customer authentication method, the customer must establish a new password as described in this paragraph.

(f) Notification of account changes. Telecommunications carriers must notify customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. This notification is not required when the customer initiates service, including the selection of a password at service initiation. This notification may be through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record, and must not reveal the changed information or be sent to the new account information.

(g) Business customer exemption. Telecommunications carriers may bind themselves contractually to authentication regimes other than those described in this section for services they provide to their business customers that have both a dedicated account representative and a contract that specifically addresses the carriers' protection of CPNI.
[72 FR 31962, June 8, 2007]


64.2011 Notification of customer proprietary network information security breaches.

(a) A telecommunications carrier shall notify law enforcement of a breach of its customers' CPNI as provided in this section. The carrier shall not notify its customers or disclose the breach publicly, whether voluntarily or under state or local law or these rules, until it has completed the process of notifying law enforcement pursuant to paragraph (b) of this section.

(b) As soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach, the telecommunications carrier shall electronically notify the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) through a central reporting facility. The Commission will maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.

(1) Notwithstanding any state law to the contrary, the carrier shall not notify customers or disclose the breach to the public until 7 full business days have passed after notification to the USSS and the FBI except as provided in paragraphs (b)(2) and (b)(3) of this section.

(2) If the carrier believes that there is an extraordinarily urgent need to notify any class of affected customers sooner than otherwise allowed under paragraph (b)(1) of this section, in order to avoid immediate and irreparable harm, it shall so indicate in its notification and may proceed to immediately notify its affected customers only after consultation with the relevant investigating agency. The carrier shall cooperate with the relevant investigating agency's request to minimize any adverse effects of such customer notification.

(3) If the relevant investigating agency determines that public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security, such agency may direct the carrier not to so disclose or notify for an initial period of up to 30 days. Such period may be extended by the agency as reasonably necessary in the judgment of the agency. If such direction is given, the agency shall notify the carrier when it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security. The agency shall provide in writing its initial direction to the carrier, any subsequent extension, and any notification that notice will no longer impede or compromise a criminal investigation or national security and such writings shall be contemporaneously logged on the same reporting facility that contains records of notifications filed by carriers.

(c) Customer notification. After a telecommunications carrier has completed the process of notifying law enforcement pursuant to paragraph (b) of this section, it shall notify its customers of a breach of those customers' CPNI.

(d) Recordkeeping. All carriers shall maintain a record, electronically or in some other manner, of any breaches discovered, notifications made to the USSS and the FBI pursuant to paragraph (b) of this section, and notifications made to customers. The record must include, if available, dates of discovery and notification, a detailed description of the CPNI that was the subject of the breach, and the circumstances of the breach. Carriers shall retain the record for a minimum of 2 years.

(e) Definitions. As used in this section, a breach has occurred when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.

(f) This section does not supersede any statute, regulation, order, or interpretation in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this section, and then only to the extent of the inconsistency.

[72 FR 31963, June 8, 2007]


Executive Summary of FCC CPNI Rules from
FCC Report and Order Dated April 2, 2007

The FCC takes the following actions to secure CPNI:

Carrier Authentication Requirements. We prohibit carriers from releasing call
detail information to customers during customer-initiated telephone contact except when
the customer provides a password. If a customer does not provide a password, we
prohibit the release of call detail information except by sending it to an address of record
or by the carrier calling the customer at the telephone of record. We also require carriers
to provide mandatory password protection for online account access. However, we permit
carriers to provide CPNI to customers based on in-store contact with a valid photo ID.

Notice to Customer of Account Changes. We require carriers to notify the
customer immediately when a password, customer response to a back-up means of
authentication for lost or forgotten passwords, online account, or address of record is
created or changed.

Notice of Unauthorized Disclosure of CPNI. We establish a notification process
for both law enforcement and customers in the event of a CPNI breach.

Joint Venture and Independent Contractor Use of CPNI. We modify our rules to
require carriers to obtain opt-in consent from a customer before disclosing a customer's
CPNI to a carrier's joint venture partners or independent contractors for the purposes of
marketing communications-related services to that customer.

Annual CPNI Certification. We amend the Commission's rules and require carriers to
file with the Commission an annual certification, including an explanation of any actions
taken against data brokers and a summary of all consumer complaints received in the
previous year regarding the unauthorized release of CPNI.

CPNI Regulations Applicable to Providers of Interconnected VoIP Service.
We extend the application of the CPNI rules to providers of interconnected VoIP service.

Enforcement Proceedings. We require carriers to take reasonable measures to
discover and protect against pretexting, and, in enforcement proceedings, will infer from
evidence of unauthorized disclosures of CPNI that reasonable precautions were not taken.

Business Customers. In limited circumstances, we permit carriers to bind themselves
contractually to authentication regimes other than those adopted in this Order for services
they provide to their business customers that have a dedicated account representative and
contracts that specifically address the carriers' protection of CPNI.

Appendix C-1st RnO ExecSumm MS.doc Page 1 of 1 Released: September 4, 2015
