[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 2389 Introduced in Senate (IS)]


109th CONGRESS
  2d Session
                                S. 2389

   To amend the Communications Act of 1934 to prohibit the unlawful 
   acquisition and use of confidential customer proprietary network 
                  information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 8, 2006

Mr. Allen (for himself, Mr. Stevens, Mr. Inouye, Mr. Burns, Mr. Warner, 
Mr. Santorum, Mr. Dorgan, Mr. Nelson of Florida, Mr. Vitter, Mr. Pryor, 
 Mr. Coleman, Mr. Talent, Mr. Martinez, and Mr. Thune) introduced the 
 following bill; which was read twice and referred to the Committee on 
                 Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To amend the Communications Act of 1934 to prohibit the unlawful 
   acquisition and use of confidential customer proprietary network 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Protecting 
Consumer Phone Records Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Unauthorized acquisition, use, or sale of confidential customer 
                            proprietary network telephone information.
Sec. 3. Enhanced confidentiality procedures.
Sec. 4. Penalties; extension of confidentiality requirements to other 
                            entities.
Sec. 5. Enforcement by Federal Trade Commission.
Sec. 6. Concurrent enforcement by Federal Communications Commission.
Sec. 7. Enforcement by States.
Sec. 8. Preemption of State law.
Sec. 9. Consumer outreach and education.

SEC. 2. UNAUTHORIZED ACQUISITION, USE, OR SALE OF CONFIDENTIAL CUSTOMER 
              PROPRIETARY NETWORK TELEPHONE INFORMATION.

    (a) In General.--It is unlawful for any person--
            (1) to acquire or use the customer proprietary network 
        information of another person without that person's affirmative 
        written consent;
            (2) to misrepresent that another person has consented to 
        the acquisition or use of such other person's customer 
        proprietary network information in order to acquire such 
        information;
            (3) to obtain unauthorized access to the data processing 
        system or records of a telecommunications carrier or an IP-
        enabled voice service provider in order to acquire the customer 
        proprietary network information of 1 or more other persons;
            (4) to sell, or offer for sale, customer proprietary 
        network information; or
            (5) to request that another person obtain customer 
        proprietary network information from a telecommunications 
        carrier or IP-enabled voice service provider, knowing that the 
        other person will obtain the information from such carrier or 
        provider in any manner that is unlawful under subsection (a).
    (b) Exceptions.--
            (1) Existing practices permitted.--Nothing in subsection 
        (a) prohibits any practice permitted by section 222 of the 
        Communications Act of 1934 (47 U.S.C. 222), or otherwise 
        authorized by law, as of the date of enactment of this Act.
            (2) Caller id.--Nothing in subsection (a) prohibits the use 
        of caller identification services by any person to identify the 
        originator of telephone calls received by that person.
    (c) Private Right of Action for Providers.--
            (1) In general.--A telecommunications carrier or IP-enabled 
        voice service provider may bring a civil action in an 
        appropriate State court, or in any United States district court 
        that meets applicable requirements relating to venue under 
        section 1391 of title 28, United States Code--
                    (A) based on a violation of this section or the 
                regulations prescribed under this section to enjoin 
                such violation;
                    (B) to recover for actual monetary loss from such a 
                violation, or to receive $11,000 in damages for each 
                such violation, whichever is greater; or
                    (C) both.
            (2) Treble damages.--If the court finds that the defendant 
        willfully or knowingly violated this section or the regulations 
        prescribed under this section, the court may, in its 
        discretion, increase the amount of the award to an amount equal 
        to not more than 3 times the amount available under paragraph 
        (1) of this subsection.
            (3) Inflation adjustment.--The $11,000 amount in paragraph 
        (1)(B) shall be adjusted for inflation as if it were a civil 
        monetary penalty, as defined in section 3(2) of the Federal 
        Civil Penalties Inflation Adjustment Act of 1996 (28 U.S.C. 
        2461 note).
    (d) Civil Penalty.--
            (1) In general.--Any person who violates this section shall 
        be subject to a civil penalty of not more than $11,000 for each 
        violation or each day of a continuing violation, except that 
        the amount assessed for any continuing violation shall not 
        exceed a total of $11,000,000 for any single act or failure to 
        act.
            (2) Separate violations.--A violation of this section with 
        respect to the customer proprietary network information of 1 
        person shall be treated as a separate violation from a 
        violation with respect to the customer proprietary network 
        information of any other person.
    (e) Limitation.--Nothing in this Act or section 222 of the 
Communications Act of 1934 (47 U.S.C. 222) authorizes a subscriber to 
bring a civil action against a telecommunications carrier or an IP-
enabled voice service provider.
    (f) Definitions.--In this section:
            (1) Customer proprietary network information.--The term 
        ``customer proprietary network information'' has the meaning 
        given that term by section 222(i)(1) of the Communications Act 
        of 1934 (47 U.S.C. 222(i)(1)).
            (2) IP-enabled voice service.--The term ``IP-enabled voice 
        service'' has the meaning given that term by section 222(i)(8) 
        of the Communications Act of 1934 (47 U.S.C. 222(i)(8)).
            (3) Telecommunications carrier.--The term 
        ``telecommunications carrier'' has the meaning given it by 
        section 3(44) of the Communications Act of 1934 (47 U.S.C. 
        3(44)).

SEC. 3. ENHANCED CONFIDENTIALITY PROCEDURES.

    (a) In General.--Within 180 days after the date of enactment of 
this Act, the Federal Communications Commission shall--
            (1) revise or supplement its regulations, to the extent the 
        Commission determines it is necessary, to require a 
        telecommunications carrier or IP-enabled voice service 
        provider--
                    (A) to ensure the security and confidentiality of 
                customer proprietary network information (as defined in 
                section 222(i)(1) of the Communications Act of 1934 (47 
                U.S.C. 222(i)(1))),
                    (B) to protect such customer proprietary network 
                information against threats or hazards to its security 
                or confidentiality; and
                    (C) to protect customer proprietary network 
                information from unauthorized access or use that could 
                result in substantial harm or inconvenience to its 
                customers, and
            (2) ensure that any revised or supplemental regulations are 
        similar in scope and structure to the Federal Trade 
        Commission's regulations in part 314 of title 16, Code of 
        Federal Regulations, taking into consideration the differences 
        between financial information and customer proprietary network 
        information.
    (b) Compliance Certification.--Each telecommunications carrier and 
IP-enabled voice service provider to which the regulations under 
subsection (a) and section 222 of the Communications Act of 1934 (47 
U.S.C. 222) apply shall file with the Commission annually a 
certification that, for the period covered by the filing, it has been 
in compliance with those requirements.

SEC. 4. PENALTIES; EXTENSION OF CONFIDENTIALITY REQUIREMENTS TO OTHER 
              ENTITIES.

    (a) Penalties.--Title V of the Communications Act of 1934 (47 
U.S.C. 501 et seq.) is amended by inserting after section 508 the 
following:

``SEC. 509. PENALTIES FOR CONFIDENTIAL CUSTOMER PROPRIETARY NETWORK 
              INFORMATION VIOLATIONS.

    ``(a) Civil Forfeiture.--
            ``(1) In general.--Any telecommunications carrier or IP-
        enabled voice service provider that is determined by the 
        Commission, in accordance with paragraphs (3) and (4) of 
        section 503(b), to have violated section 222 of this Act shall 
        be liable to the United States for a forfeiture penalty. A 
        forfeiture penalty under this subsection shall be in addition 
        to any other penalty provided for by this Act. The amount of 
        the forfeiture penalty determined under this subsection shall 
        not exceed $30,000 for each violation, or 3 times that amount 
        for each day of a continuing violation, except that the amount 
        assessed for any continuing violation shall not exceed a total 
        of $3,000,000 for any single act or failure to act.
            ``(2) Recovery.--Any forfeiture penalty determined under 
        paragraph (1) shall be recoverable pursuant to section 504(a) 
        of this Act.
            ``(3) Procedure.--No forfeiture liability shall be 
        determined under paragraph (1) against any person unless such 
        person receives the notice required by section 503(b)(3) or 
        section 503(b)(4) of this Act.
            ``(4) 2-year statute of limitations.--No forfeiture penalty 
        shall be determined or imposed against any person under 
        paragraph (1) if the violation charged occurred more than 2 
        years prior to the date of issuance of the required notice or 
        notice or apparent liability.
    ``(b) Criminal Fine.--Any person who willfully and knowingly 
violates section 222 of this Act shall upon conviction thereof be fined 
not more than $30,000 for each violation, or 3 times that amount for 
each day of a continuing violation, in lieu of the fine provided by 
section 501 for such a violation. This subsection does not supersede 
the provisions of section 501 relating to imprisonment or the 
imposition of a penalty of both fine and imprisonment.''.
    (b) Extension of Confidentiality Requirements to IP-Enabled Voice 
Service Providers.--Section 222 of the Communications Act of 1934 (47 
U.S.C. 222) is amended--
            (1) by inserting ``or IP-enabled voice service provider'' 
        after ``telecommunications carrier'' each place it appears 
        except in subsections (e) and (g);
            (2) by inserting ``or IP-enabled voice service provider'' 
        after ``exchange service'' in subsection (g);
            (3) by striking ``telecommunication carriers'' each place 
        it appears in subsection (a) and inserting ``telecommunications 
        carriers or IP-enabled voice service providers'';
            (4) by inserting ``or provider'' after ``carrier'' in 
        subsection (d)(2), paragraphs (1)(A) and (B) and (3)(A) and (B) 
        of subsection (i) (as redesignated);
            (5) by inserting ``or providers'' after ``carriers'' in 
        subsection (d)(2); and
            (6) by inserting ``and IP-Enabled Voice Service Provider'' 
        after ``Carrier'' in the caption of subsection (c).
    (c) Definition.--Section 222(h) of the Communications Act of 1934 
(47 U.S.C. 222(h)) is amended by adding at the end the following:
            ``(8) IP-enabled voice service.--The term `IP-enabled voice 
        service' means the provision of real-time 2-way voice 
        communications offered to the public, or such classes of users 
        as to be effectively available to the public, transmitted 
        through customer premises equipment using TCP/IP protocol, or a 
        successor protocol, for a fee (whether part of a bundle of 
        services or separately) with interconnection capability such 
        that the service can originate traffic to, or terminate traffic 
        from, the public switched telephone network.''.
    (d) Telecommunications Carrier and IP-Enabled Voice Service 
Provider Notification Requirement.--Section 222 of the Communications 
Act of 1934 (47 U.S.C. 222), is further amended--
            (1) by redesignating subsection (h) as subsection (i); and
            (2) by inserting after subsection (g) the following new 
        subsection:
    ``(h) Notice of Violations.--The Commission shall by regulation 
require each telecommunications carrier or IP-enabled voice service 
provider to notify a customer within 14 calendar days of any incident 
of which such telecommunications carrier or IP-enabled voice service 
provider becomes or is made aware in which customer proprietary network 
information relating to such customer is disclosed to someone other 
than the customer in violation of this section or section 2 of the 
Protecting Consumer Phone Records Act.''.

SEC. 5. ENFORCEMENT BY FEDERAL TRADE COMMISSION.

    (a) In General.--Except as provided in sections 6 and 7 of this 
Act, section 2 of this Act shall be enforced by the Federal Trade 
Commission.
    (b) Violation Treated as an Unfair or Deceptive Act or Practice.--
Violation of section 2 shall be treated as an unfair or deceptive act 
or practice proscribed under a rule issued under section 18(a)(1)(B) of 
the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
    (c) Actions by the Commission.--The Commission shall prevent any 
person from violating this Act in the same manner, by the same means, 
and with the same jurisdiction, powers, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act (15 
U.S.C. 41 et seq.) were incorporated into and made a part of this Act. 
Any person that violates section 2 is subject to the penalties and 
entitled to the privileges and immunities provided in the Federal Trade 
Commission Act in the same manner, by the same means, and with the same 
jurisdiction, powers, and duties as though all applicable terms and 
provisions of the Federal Trade Commission Act were incorporated into 
and made a part of this Act.

SEC. 6. CONCURRENT ENFORCEMENT BY FEDERAL COMMUNICATIONS COMMISSION.

    (a) In General.--The Federal Communications Commission shall have 
concurrent jurisdiction to enforce section 2.
    (b) Penalty; Procedure.--For purposes of enforcement of that 
section by the Commission--
            (1) a violation of section 2 of this Act is deemed to be a 
        violation of a provision of the Communications Act of 1934 (47 
        U.S.C. 151 et seq.) rather than a violation of the Federal 
        Trade Commission Act; and
            (2) the provisions of section 509(a)(2), (3), and (4) of 
        the Communications Act of 1934 shall apply to the imposition 
        and collection of the civil penalty imposed by section 2 of 
        this Act as if it were the civil penalty imposed by section 
        509(a)(1) of that Act.

SEC. 7. ENFORCEMENT BY STATES.

    (a) In General.--The chief legal officer of a State may bring a 
civil action, as parens patriae, on behalf of the residents of that 
State in an appropriate district court of the United States to enforce 
section 2 or to impose the civil penalties for violation of that 
section, whenever the chief legal officer of the State has reason to 
believe that the interests of the residents of the State have been or 
are being threatened or adversely affected by a violation of this Act 
or a regulation under this Act.
    (b) Notice.--The chief legal officer of a State shall serve written 
notice on the Federal Trade Commission and the Federal Communications 
Commission of any civil action under subsection (a) prior to initiating 
such civil action. The notice shall include a copy of the complaint to 
be filed to initiate such civil action, except that if it is not 
feasible for the State to provide such prior notice, the State shall 
provide such notice immediately upon instituting such civil action.
    (c) Authority To Intervene.--Upon receiving the notice required by 
subsection (b), either Commission may intervene in such civil action 
and upon intervening--
            (1) be heard on all matters arising in such civil action; 
        and
            (2) file petitions for appeal of a decision in such civil 
        action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this section shall prevent the chief legal 
officer of a State from exercising the powers conferred on that officer 
by the laws of such State to conduct investigations or to administer 
oaths or affirmations or to compel the attendance of witnesses or the 
production of documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--An action brought under subsection (a) shall be 
        brought in a district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a)--
                    (A) process may be served without regard to the 
                territorial limits of the district or of the State in 
                which the action is instituted; and
                    (B) a person who participated in an alleged 
                violation that is being litigated in the civil action 
                may be joined in the civil action without regard to the 
                residence of the person.
    (f) Limitation on State Action While Federal Action Is Pending.--If 
either Commission has instituted an enforcement action or proceeding 
for violation of section 2 of this Act, the chief legal officer of the 
State in which the violation occurred may not bring an action under 
this section during the pendency of the proceeding against any person 
with respect to whom the Commission has instituted the proceeding.

SEC. 8. PREEMPTION OF STATE LAW.

    (a) Preemption.--Section 2 and the regulations prescribed pursuant 
to section 3 of this Act and section 222 of the Communications Act of 
1934 (47 U.S.C. 222) and the regulations prescribed thereunder preempt 
any--
            (1) statute, regulation, or rule of any State or political 
        subdivision thereof that requires a telecommunications carrier 
        or provider of IP-enabled voice service to develop, implement, 
        or maintain procedures for protecting the confidentiality of 
        customer proprietary network information (as defined in section 
        222(i)(1) of the Communications Act of 1934 (47 U.S.C. 
        222(i)(1))) held by that telecommunications carrier or provider 
        of IP-enabled voice service, or that restricts or regulates a 
        carrier's or provider's ability to use, disclose, or permit 
        access to such information; and
            (2) any such statute, regulation, or rule, or judicial 
        precedent of any State court under which liability is imposed 
        on a telecommunications carrier or provider of IP-enabled voice 
        service for failure to comply with any statute, regulation, or 
        rule described in paragraph (1) or with the requirements of 
        section 2 or the regulations prescribed pursuant to section 3 
        of this Act or with section 222 of the Communications Act of 
        1934 or the regulations prescribed thereunder.
    (b) Limitation on Preemption.--This Act shall not be construed to 
preempt the applicability of--
            (1) State laws that are not specific to the matters 
        described in subsection (a), including State contract or tort 
        law; or
            (2) other State laws to the extent those laws relate to 
        acts of fraud or computer crime.

SEC. 9. CONSUMER OUTREACH AND EDUCATION.

    (a) In General.--Within 180 days after the date of enactment of 
this Act, the Federal Trade Commission and Federal Communications 
Commission shall jointly establish and implement a media and 
distribution campaign to teach the public about the protection afforded 
customer proprietary network information under this Act, the Federal 
Trade Commission Act and the Communications Act of 1934.
    (b) Campaign Requirements.--The campaign shall--
            (1) promote understanding of--
                    (A) the problem concerning the theft and misuse of 
                customer proprietary network information;
                    (B) available methods for consumers to protect 
                their customer proprietary network information; and
                    (C) efforts undertaken by the Federal Trade 
                Commission and the Federal Communications Commission to 
                prevent the problem and seek redress where a breach of 
                security involving customer proprietary network 
                information has occurred; and
            (2) explore various distribution platforms to accomplish 
        the goal set forth in paragraph (1).