 


109 HR 4943 RH: Prevention of Fraudulent Access to Phone Records Act
U.S. House of Representatives
2006-03-16
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.


 
Union Calendar No. 217 
109th CONGRESS 2d Session 
H. R. 4943 
[Report No. 109-398] 
IN THE HOUSE OF REPRESENTATIVES 
 
March 14, 2006 
Mr. Barton of Texas (for himself, Mr. Dingell, Mr. Upton, Mr. Markey, Mr. Stearns, Ms. Schakowsky, Mr. Gillmor, Mr. Gene Green of Texas, Mr. Shimkus, Mr. Ross, Mrs. Wilson of New Mexico, Mr. Brown of Ohio, Mr. Fossella, Ms. Baldwin, Mr. Buyer, Mrs. Capps, Mrs. Bono, Mr. Doyle, Mr. Walden of Oregon, Ms. Solis, Mr. Burgess, Mr. Rush, Mr. Waxman, Mr. Stupak, Mr. Gordon, Mr. Inslee, Mrs. Emerson, Mr. Lipinski, and Mr. Wilson of South Carolina) introduced the following bill; which was referred to the Committee on Energy and Commerce 
 

March 16, 2006
Additional sponsor: Mr. Shadegg

 
March 16, 2006 
Committed to the Committee of the Whole House on the State of the Union and ordered to be printed 
 
A BILL 
To prohibit fraudulent access to telephone records. 
 
 
1. Short title. This Act may be cited as the "Prevention of Fraudulent Access to Phone Records Act".
Title I. Federal Trade Commission Provisions
101. Fraudulent access to customer telephone records
(a) Prohibition on obtaining customer information by false pretenses. It shall be unlawful for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, customer proprietary network information relating to any other person by—
(1) making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a telecommunications carrier; or
(2) providing any document or other information to an officer, employee, or agent of a telecommunications carrier that the person knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.
(b) Prohibition on solicitation of a person to obtain customer information under false pretenses. It shall be unlawful to request a person to obtain from a telecommunications carrier customer proprietary network information relating to any third person, if the person making such a request knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subsection (a).
(c) Prohibition on sale or other disclosure of customer information obtained under false pretenses. It shall be unlawful for any person to sell or otherwise disclose to any person customer proprietary network information relating to any other person if the person selling or disclosing obtained such information in the manner described in subsection (a).
102. Exemption. No provision of section 101 shall be construed so as to prevent any action by a law enforcement agency, or any officer, employee, or agent of such agency, from obtaining or attempting to obtain customer proprietary network information from a telecommunications carrier in connection with the performance of the official duties of the agency, in accordance with other applicable laws.
103. Enforcement by the Federal Trade Commission. A violation of section 101 shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). The Federal Trade Commission shall enforce this title in the same manner, by the same means, and with the same jurisdiction as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of this title.
104. Definitions. As used in this title—
(1) the term "customer proprietary network information" has the meaning given such term in section 222(j)(1) of the Communications Act of 1934 (47 U.S.C. 222(j)(1)) (as redesignated by section 203 of this Act);
(2) the term "telecommunications carrier"—
(A) has the meaning given such term in section 3(44) of the Communications Act of 1934 (47 U.S.C. 153(44)); and
(B) includes any provider of real-time Internet protocol-enabled voice communications; and
(3) the term "real-time Internet protocol-enabled voice communications" means any service that is treated by the Federal Communications Commission as a telecommunications service provided by a telecommunications carrier for purposes of section 222 of the Communications Act of 1934 (47 U.S.C. 222) under regulations promulgated pursuant to subsection (h) of such section.
Title II. Federal Communications Commission Provisions
201. Findings. The Congress finds the following:
(1) As our Nation’s communications networks become more ubiquitous and increasingly sophisticated, more individuals and industries will be using such networks in greater amounts to communicate and conduct commercial transactions.
(2) The ease of gathering and compiling sensitive personal information as a result of such communications is becoming more efficient and commonplace due to advances in digital technology and the widespread use of the Internet.
(3) Ensuring the privacy of sensitive individual telephone calling records, both wireline and wireless, is of utmost importance. The information gathered and retained by communications providers can convey details about intimate aspects of an individual’s life, including who they call, when they call, the duration of such calls, the frequency of their communications, information about their purchases, informational inquiries, political or religious interests, or other affiliations.
(4) Disclosure of personal telephone records can also lead to harassment, intimidation, physical harm, and identity theft.
(5) The government has a compelling interest in protecting sensitive personal information contained in customer telephone records and ensuring that commercial interests adequately protect such records in order to preserve individual freedom, safeguard personal privacy, and ensure trust in electronic commerce.
(6) Because customers have a proprietary interest in their sensitive personal information, customers should have some control over the use and disclosure of telephone calling records.
(7) A telecommunications carrier may use aggregated data it has obtained from its customer databases to improve services, solicit new business, or market additional services to its customers.
(8) A telecommunications carrier may communicate to all consumers in order to broadly solicit new business, and may also target specific communications to its own existing customers, without use or disclosure of detailed customer calling records and thus without the threat of compromising customer privacy.
(9) The risk of compromising customer privacy is raised and increased whenever additional entities or persons are permitted use of, or access to, or receive disclosure of, customer calling records beyond the carrier with which the customer has an established business relationship.
(10) A telecommunications carrier which obtains or possesses a customer’s calling records has a duty to safeguard the confidentiality of such customer’s personal information. Detailed customer calling records describing the customer’s use of telecommunications services should not be publicly available or offered for commercial sale.
202. Expanded protection for detailed customer records
(a) Confidentiality of Customer Information. Paragraph (1) of section 222(c) of the Communications Act of 1934 (47 U.S.C. 222(c)(1)) is amended to read as follows:

"(1) Privacy requirements for telecommunications carriers
"(A) In general. Except as required by law or as permitted under the following provisions of this paragraph, a telecommunications carrier that receives or obtains individually identifiable customer proprietary network information (including detailed customer telephone records) by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to such information or records in the provision by such carrier of—
"(i) the telecommunications service from which such information is derived; or
"(ii) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.
"(B) Requirements for disclosure of detailed information. A telecommunications carrier may only use detailed customer telephone records through, or disclose such records to, or permit access to such records by, a joint venture partner, independent contractor, or any other third party (other than an affiliate) if the customer has given express prior authorization for that use, disclosure, or access, and that authorization has not been withdrawn.
"(C) Requirements for affiliate use of both general and detailed information. A telecommunications carrier may not, except with the approval of a customer, use individually identifiable customer proprietary network information (including detailed customer telephone records) through, or disclose such information or records to, or permit access to such information or records by, an affiliate of such carrier in the provision by such affiliate of the services described in clause (i) or (ii) of subparagraph (A).
"(D) Requirements for partner and contractor use of general information. A telecommunications carrier may not, except with the approval of the customer, use individually identifiable customer proprietary network information (other than detailed customer telephone records) through, or disclose such information to, or permit access to such information by, a joint venture partner or independent contractor in the provision by such partner or contractor of the services described in clause (i) or (ii) of subparagraph (A).
"(E) Access to wireless telephone numbers. A telecommunications carrier may not, except with prior express authorization from the customer, disclose the wireless telephone number of any customer or permit access to the wireless telephone number of any customer.".
(b) Disclosure of detailed information on request by customer. Section 222(c)(2) of such Act is amended by inserting "(including a detailed customer telephone record)" after "customer proprietary network information".
(c) Aggregate data. Section 222(c)(3) of such Act is amended by adding at the end the following new sentence: "Aggregation of data that is conducted by a third party may be treated for purposes of this subsection as aggregation by the carrier if such aggregation is conducted in a secure manner under the control or supervision of the carrier.".
(d) Prohibition of sale of general or detailed information. Section 222(c) of such Act is further amended by adding at the end the following new paragraph:

"(4) Prohibition of sale of general or detailed information. Except for the purposes for which use, disclosure, or access is permitted under subsection (d), it shall be unlawful for any person to sell, rent, lease, or otherwise make available for remuneration or other consideration the customer proprietary network information (including the detailed customer telephone records) of any customer.".
(e) Exceptions to limitations on disclosures of detailed information. Section 222(d) of such Act is amended—
(1) by striking "its agents" and inserting "its joint venture partners, contractors, or agents"; and
(2) in paragraph (1), by inserting after "telecommunications services" the following: ", or provide customer service with respect to telecommunications services to which the customer subscribes".
203. Prevention by telecommunications carriers of fraudulent access to phone records. Section 222 of the Communications Act of 1934 (47 U.S.C. 222) is further amended—
(1) by redesignating subsection (h) as subsection (j);
(2) by inserting after subsection (g) the following new subsections:

"(h) Prevention of fraudulent access to phone records
"(1) Regulations. Within 180 days after the date of enactment of the Prevention of Fraudulent Access to Phone Records Act, the Commission shall prescribe regulations adopting more stringent security standards for customer proprietary network information (including detailed customer telephone records) to detect and prevent violations of this section. The Commission—
"(A) shall prescribe regulations—
"(i) to require timely notice (written or electronic) to each customer upon breach of the regulations under this section with respect to customer proprietary network information relating to that customer;
"(ii) to require timely notice to the Commission upon breach of the regulations under this section with respect to customer proprietary network information relating to any customer;
"(iii) to require periodic audits by the Commission of telecommunication carriers and their agents to determine compliance with this section;
"(iv) to require telecommunications carriers and their agents to maintain records—
"(I) of each time customer proprietary network information is requested or accessed by, or disclosed to, a person purporting to be the customer or to be acting at the request or direction of the customer; and
"(II) if such access or disclosure was granted to such a person, of how the person’s identity or authority was verified;
"(v) to require telecommunications carriers to establish a security policy that includes appropriate standards relating to administrative, technical, and physical safeguards to ensure the security and confidentiality of customer proprietary network information;
"(vi) to prohibit any telecommunications carrier from obtaining or attempting to obtain, or causing to be disclosed or attempting to cause to be disclosed to that carrier or its agent or employee, customer proprietary network information relating to any customer of another carrier—
"(I) by using a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of another telecommunications carrier; or
"(II) by making a false, fictitious, or fraudulent statement or representation to a customer of another telecommunications carrier; and
"(vii) only for the purposes of this section, to treat as a telecommunications service provided by a telecommunications carrier any real-time Internet protocol-enabled voice communications offered by any person to the public, or such classes of users as to be effectively available to the public, that allows a user to originate traffic to, or terminate traffic from, the public switched telephone network; and
"(B) shall consider prescribing regulations—
"(i) to require telecommunications carriers to institute customer-specific identifiers in order to access customer proprietary network information;
"(ii) to require encryption of customer proprietary network information data or other safeguards to better secure such data; and
"(iii) to require deletion of customer proprietary network information data after a reasonable period of time if such data is no longer necessary for the purpose for which it was collected or for the purpose of an exception contained in section (d), and there are no pending requests for access to such information.
"(2) Reports
"(A) Assessment and recommendations. Within 12 months after the date on which the Commission’s regulations under paragraph (1) are prescribed, and again not later than 3 years later, the Commission shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report containing—
"(i) an assessment of the efficacy and adequacy of the regulations and remedies provided in accordance with this subsection in protecting customer proprietary network information;
"(ii) an assessment of the efficacy and adequacy of telecommunications carriers' safeguards to secure such data, security plans, and notification procedures; and
"(iii) any recommendations for additional legislative or regulatory action to address threats to the privacy of customer information.
"(B) Annual Report. The Federal Communications Commission shall submit to Congress an annual report containing—
"(i) the number and disposition of all enforcement actions taken pursuant to this subsection; and
"(ii) the number and type of notifications received under paragraph (1)(A)(ii) and the methodology, including the basis for the selection of carriers to be audited, and the results of each audit conducted under paragraph (1)(A)(iii).
"(3) Dual regulation prohibited. Any person that is treated as a telecommunications carrier providing a telecommunications service with respect to the offering of real-time Internet protocol-enabled voice communications by the regulations prescribed under paragraph (1)(A)(vii) shall not be subject to the provisions of section 631 with respect to the offering of such communications.
"(i) Forfeiture penalties
"(1) Increased penalties. In any case in which the violator is determined by the Commission under section 503(b)(1) to have violated this section or the regulations thereunder, section 503(b)(2)(B) shall be applied—
"(A) by substituting '$300,000' for '$100,000'; and
"(B) by substituting '$3,000,000' for '$1,000,000'.
"(2) No first warnings. Paragraph (5) of section 503(b) shall not apply to the determination of forfeiture liability under such section with respect to a violation of this section or the regulations thereunder by any telecommunications carrier or any agent of such a carrier."; and
(3) in subsection (g), by striking "subsection (i)(3)(A)" and inserting "subsection (j)(3)(A)".
204. Definitions. Subsection (j) of section 222 of the Communications Act of 1934 (47 U.S.C. 222(j)), as redesignated by section 203(1) of this Act, is amended by adding at the end the following new paragraphs:

"(8) Detailed customer telephone record. The term 'detailed customer telephone record' means customer proprietary network information that contains the specific and detailed destinations, locations, duration, time, and date of telecommunications to or from a customer, as typically contained in the bills for such service. Such term does not mean aggregate data or subscriber list information.
"(9) Wireless telephone number. The term 'wireless telephone number' means the telephone number of a subscriber to a commercial mobile service.".
 
 
