[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 2389 Reported in Senate (RS)]


                                                       Calendar No. 425
109th CONGRESS
  2d Session
                                S. 2389

                          [Report No. 109-253]

   To amend the Communications Act of 1934 to prohibit the unlawful 
   acquisition and use of confidential customer proprietary network 
                  information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 8, 2006

Mr. Allen (for himself, Mr. Stevens, Mr. Inouye, Mr. Burns, Mr. Warner, 
Mr. Santorum, Mr. Dorgan, Mr. Nelson of Florida, Mr. Vitter, Mr. Pryor, 
 Mr. Coleman, Mr. Talent, Mr. Martinez, Mr. Thune, Mrs. Hutchison, Mr. 
Burr, and Mr. Chambliss) introduced the following bill; which was read 
     twice and referred to the Committee on Commerce, Science, and 
                             Transportation

                              May 9, 2006

               Reported by Mr. Stevens, with an amendment
 [Strike all after the enacting clause and insert the part printed in 
                                italic]

_______________________________________________________________________

                                 A BILL


 
   To amend the Communications Act of 1934 to prohibit the unlawful 
   acquisition and use of confidential customer proprietary network 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE; TABLE OF CONTENTS.</DELETED>

<DELETED>    (a) Short Title.--This Act may be cited as the 
``Protecting Consumer Phone Records Act''.</DELETED>
<DELETED>    (b) Table of Contents.--The table of contents for this Act 
is as follows:</DELETED>

<DELETED>Sec. 1. Short title; table of contents.
<DELETED>Sec. 2. Unauthorized acquisition, use, or sale of confidential 
                            customer proprietary network telephone 
                            information.
<DELETED>Sec. 3. Enhanced confidentiality procedures.
<DELETED>Sec. 4. Penalties; extension of confidentiality requirements 
                            to other entities.
<DELETED>Sec. 5. Enforcement by Federal Trade Commission.
<DELETED>Sec. 6. Concurrent enforcement by Federal Communications 
                            Commission.
<DELETED>Sec. 7. Enforcement by States.
<DELETED>Sec. 8. Preemption of State law.
<DELETED>Sec. 9. Consumer outreach and education.

<DELETED>SEC. 2. UNAUTHORIZED ACQUISITION, USE, OR SALE OF CONFIDENTIAL 
              CUSTOMER PROPRIETARY NETWORK TELEPHONE 
              INFORMATION.</DELETED>

<DELETED>    (a) In General.--It is unlawful for any person--</DELETED>
        <DELETED>    (1) to acquire or use the customer proprietary 
        network information of another person without that person's 
        affirmative written consent;</DELETED>
        <DELETED>    (2) to misrepresent that another person has 
        consented to the acquisition or use of such other person's 
        customer proprietary network information in order to acquire 
        such information;</DELETED>
        <DELETED>    (3) to obtain unauthorized access to the data 
        processing system or records of a telecommunications carrier or 
        an IP-enabled voice service provider in order to acquire the 
        customer proprietary network information of 1 or more other 
        persons;</DELETED>
        <DELETED>    (4) to sell, or offer for sale, customer 
        proprietary network information; or</DELETED>
        <DELETED>    (5) to request that another person obtain customer 
        proprietary network information from a telecommunications 
        carrier or IP-enabled voice service provider, knowing that the 
        other person will obtain the information from such carrier or 
        provider in any manner that is unlawful under subsection 
        (a).</DELETED>
<DELETED>    (b) Exceptions.--</DELETED>
        <DELETED>    (1) Existing practices permitted.--Nothing in 
        subsection (a) prohibits any practice permitted by section 222 
        of the Communications Act of 1934 (47 U.S.C. 222), or otherwise 
        authorized by law, as of the date of enactment of this 
        Act.</DELETED>
        <DELETED>    (2) Caller id.--Nothing in subsection (a) 
        prohibits the use of caller identification services by any 
        person to identify the originator of telephone calls received 
        by that person.</DELETED>
<DELETED>    (c) Private Right of Action for Providers.--</DELETED>
        <DELETED>    (1) In general.--A telecommunications carrier or 
        IP-enabled voice service provider may bring a civil action in 
        an appropriate State court, or in any United States district 
        court that meets applicable requirements relating to venue 
        under section 1391 of title 28, United States Code--</DELETED>
                <DELETED>    (A) based on a violation of this section 
                or the regulations prescribed under this section to 
                enjoin such violation;</DELETED>
                <DELETED>    (B) to recover for actual monetary loss 
                from such a violation, or to receive $11,000 in damages 
                for each such violation, whichever is greater; 
                or</DELETED>
                <DELETED>    (C) both.</DELETED>
        <DELETED>    (2) Treble damages.--If the court finds that the 
        defendant willfully or knowingly violated this section or the 
        regulations prescribed under this section, the court may, in 
        its discretion, increase the amount of the award to an amount 
        equal to not more than 3 times the amount available under 
        paragraph (1) of this subsection.</DELETED>
        <DELETED>    (3) Inflation adjustment.--The $11,000 amount in 
        paragraph (1)(B) shall be adjusted for inflation as if it were 
        a civil monetary penalty, as defined in section 3(2) of the 
        Federal Civil Penalties Inflation Adjustment Act of 1996 (28 
        U.S.C. 2461 note).</DELETED>
<DELETED>    (d) Civil Penalty.--</DELETED>
        <DELETED>    (1) In general.--Any person who violates this 
        section shall be subject to a civil penalty of not more than 
        $11,000 for each violation or each day of a continuing 
        violation, except that the amount assessed for any continuing 
        violation shall not exceed a total of $11,000,000 for any 
        single act or failure to act.</DELETED>
        <DELETED>    (2) Separate violations.--A violation of this 
        section with respect to the customer proprietary network 
        information of 1 person shall be treated as a separate 
        violation from a violation with respect to the customer 
        proprietary network information of any other person.</DELETED>
<DELETED>    (e) Limitation.--Nothing in this Act or section 222 of the 
Communications Act of 1934 (47 U.S.C. 222) authorizes a subscriber to 
bring a civil action against a telecommunications carrier or an IP-
enabled voice service provider.</DELETED>
<DELETED>    (f) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Customer proprietary network information.--The 
        term ``customer proprietary network information'' has the 
        meaning given that term by section 222(i)(1) of the 
        Communications Act of 1934 (47 U.S.C. 222(i)(1)).</DELETED>
        <DELETED>    (2) IP-enabled voice service.--The term ``IP-
        enabled voice service'' has the meaning given that term by 
        section 222(i)(8) of the Communications Act of 1934 (47 U.S.C. 
        222(i)(8)).</DELETED>
        <DELETED>    (3) Telecommunications carrier.--The term 
        ``telecommunications carrier'' has the meaning given it by 
        section 3(44) of the Communications Act of 1934 (47 U.S.C. 
        3(44)).</DELETED>

<DELETED>SEC. 3. ENHANCED CONFIDENTIALITY PROCEDURES.</DELETED>

<DELETED>    (a) In General.--Within 180 days after the date of 
enactment of this Act, the Federal Communications Commission shall--
</DELETED>
        <DELETED>    (1) revise or supplement its regulations, to the 
        extent the Commission determines it is necessary, to require a 
        telecommunications carrier or IP-enabled voice service 
        provider--</DELETED>
                <DELETED>    (A) to ensure the security and 
                confidentiality of customer proprietary network 
                information (as defined in section 222(i)(1) of the 
                Communications Act of 1934 (47 U.S.C. 
                222(i)(1))),</DELETED>
                <DELETED>    (B) to protect such customer proprietary 
                network information against threats or hazards to its 
                security or confidentiality; and</DELETED>
                <DELETED>    (C) to protect customer proprietary 
                network information from unauthorized access or use 
                that could result in substantial harm or inconvenience 
                to its customers, and</DELETED>
        <DELETED>    (2) ensure that any revised or supplemental 
        regulations are similar in scope and structure to the Federal 
        Trade Commission's regulations in part 314 of title 16, Code of 
        Federal Regulations, taking into consideration the differences 
        between financial information and customer proprietary network 
        information.</DELETED>
<DELETED>    (b) Compliance Certification.--Each telecommunications 
carrier and IP-enabled voice service provider to which the regulations 
under subsection (a) and section 222 of the Communications Act of 1934 
(47 U.S.C. 222) apply shall file with the Commission annually a 
certification that, for the period covered by the filing, it has been 
in compliance with those requirements.</DELETED>

<DELETED>SEC. 4. PENALTIES; EXTENSION OF CONFIDENTIALITY REQUIREMENTS 
              TO OTHER ENTITIES.</DELETED>

<DELETED>    (a) Penalties.--Title V of the Communications Act of 1934 
(47 U.S.C. 501 et seq.) is amended by inserting after section 508 the 
following:</DELETED>

<DELETED>``SEC. 509. PENALTIES FOR CONFIDENTIAL CUSTOMER PROPRIETARY 
              NETWORK INFORMATION VIOLATIONS.</DELETED>

<DELETED>    ``(a) Civil Forfeiture.--</DELETED>
        <DELETED>    ``(1) In general.--Any telecommunications carrier 
        or IP-enabled voice service provider that is determined by the 
        Commission, in accordance with paragraphs (3) and (4) of 
        section 503(b), to have violated section 222 of this Act shall 
        be liable to the United States for a forfeiture penalty. A 
        forfeiture penalty under this subsection shall be in addition 
        to any other penalty provided for by this Act. The amount of 
        the forfeiture penalty determined under this subsection shall 
        not exceed $30,000 for each violation, or 3 times that amount 
        for each day of a continuing violation, except that the amount 
        assessed for any continuing violation shall not exceed a total 
        of $3,000,000 for any single act or failure to act.</DELETED>
        <DELETED>    ``(2) Recovery.--Any forfeiture penalty determined 
        under paragraph (1) shall be recoverable pursuant to section 
        504(a) of this Act.</DELETED>
        <DELETED>    ``(3) Procedure.--No forfeiture liability shall be 
        determined under paragraph (1) against any person unless such 
        person receives the notice required by section 503(b)(3) or 
        section 503(b)(4) of this Act.</DELETED>
        <DELETED>    ``(4) 2-year statute of limitations.--No 
        forfeiture penalty shall be determined or imposed against any 
        person under paragraph (1) if the violation charged occurred 
        more than 2 years prior to the date of issuance of the required 
        notice or notice or apparent liability.</DELETED>
<DELETED>    ``(b) Criminal Fine.--Any person who willfully and 
knowingly violates section 222 of this Act shall upon conviction 
thereof be fined not more than $30,000 for each violation, or 3 times 
that amount for each day of a continuing violation, in lieu of the fine 
provided by section 501 for such a violation. This subsection does not 
supersede the provisions of section 501 relating to imprisonment or the 
imposition of a penalty of both fine and imprisonment.''.</DELETED>
<DELETED>    (b) Extension of Confidentiality Requirements to IP-
Enabled Voice Service Providers.--Section 222 of the Communications Act 
of 1934 (47 U.S.C. 222) is amended--</DELETED>
        <DELETED>    (1) by inserting ``or IP-enabled voice service 
        provider'' after ``telecommunications carrier'' each place it 
        appears except in subsections (e) and (g);</DELETED>
        <DELETED>    (2) by inserting ``or IP-enabled voice service 
        provider'' after ``exchange service'' in subsection 
        (g);</DELETED>
        <DELETED>    (3) by striking ``telecommunication carriers'' 
        each place it appears in subsection (a) and inserting 
        ``telecommunications carriers or IP-enabled voice service 
        providers'';</DELETED>
        <DELETED>    (4) by inserting ``or provider'' after ``carrier'' 
        in subsection (d)(2), paragraphs (1)(A) and (B) and (3)(A) and 
        (B) of subsection (i) (as redesignated);</DELETED>
        <DELETED>    (5) by inserting ``or providers'' after 
        ``carriers'' in subsection (d)(2); and</DELETED>
        <DELETED>    (6) by inserting ``and IP-Enabled Voice Service 
        Provider'' after ``Carrier'' in the caption of subsection 
        (c).</DELETED>
<DELETED>    (c) Definition.--Section 222(h) of the Communications Act 
of 1934 (47 U.S.C. 222(h)) is amended by adding at the end the 
following:</DELETED>
        <DELETED>    ``(8) IP-enabled voice service.--The term `IP-
        enabled voice service' means the provision of real-time 2-way 
        voice communications offered to the public, or such classes of 
        users as to be effectively available to the public, transmitted 
        through customer premises equipment using TCP/IP protocol, or a 
        successor protocol, for a fee (whether part of a bundle of 
        services or separately) with interconnection capability such 
        that the service can originate traffic to, or terminate traffic 
        from, the public switched telephone network.''.</DELETED>
<DELETED>    (d) Telecommunications Carrier and IP-Enabled Voice 
Service Provider Notification Requirement.--Section 222 of the 
Communications Act of 1934 (47 U.S.C. 222), is further amended--
</DELETED>
        <DELETED>    (1) by redesignating subsection (h) as subsection 
        (i); and</DELETED>
        <DELETED>    (2) by inserting after subsection (g) the 
        following new subsection:</DELETED>
<DELETED>    ``(h) Notice of Violations.--The Commission shall by 
regulation require each telecommunications carrier or IP-enabled voice 
service provider to notify a customer within 14 calendar days of any 
incident of which such telecommunications carrier or IP-enabled voice 
service provider becomes or is made aware in which customer proprietary 
network information relating to such customer is disclosed to someone 
other than the customer in violation of this section or section 2 of 
the Protecting Consumer Phone Records Act.''.</DELETED>

<DELETED>SEC. 5. ENFORCEMENT BY FEDERAL TRADE COMMISSION.</DELETED>

<DELETED>    (a) In General.--Except as provided in sections 6 and 7 of 
this Act, section 2 of this Act shall be enforced by the Federal Trade 
Commission.</DELETED>
<DELETED>    (b) Violation Treated as an Unfair or Deceptive Act or 
Practice.--Violation of section 2 shall be treated as an unfair or 
deceptive act or practice proscribed under a rule issued under section 
18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)).</DELETED>
<DELETED>    (c) Actions by the Commission.--The Commission shall 
prevent any person from violating this Act in the same manner, by the 
same means, and with the same jurisdiction, powers, and duties as 
though all applicable terms and provisions of the Federal Trade 
Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a 
part of this Act. Any person that violates section 2 is subject to the 
penalties and entitled to the privileges and immunities provided in the 
Federal Trade Commission Act in the same manner, by the same means, and 
with the same jurisdiction, powers, and duties as though all applicable 
terms and provisions of the Federal Trade Commission Act were 
incorporated into and made a part of this Act.</DELETED>

<DELETED>SEC. 6. CONCURRENT ENFORCEMENT BY FEDERAL COMMUNICATIONS 
              COMMISSION.</DELETED>

<DELETED>    (a) In General.--The Federal Communications Commission 
shall have concurrent jurisdiction to enforce section 2.</DELETED>
<DELETED>    (b) Penalty; Procedure.--For purposes of enforcement of 
that section by the Commission--</DELETED>
        <DELETED>    (1) a violation of section 2 of this Act is deemed 
        to be a violation of a provision of the Communications Act of 
        1934 (47 U.S.C. 151 et seq.) rather than a violation of the 
        Federal Trade Commission Act; and</DELETED>
        <DELETED>    (2) the provisions of section 509(a)(2), (3), and 
        (4) of the Communications Act of 1934 shall apply to the 
        imposition and collection of the civil penalty imposed by 
        section 2 of this Act as if it were the civil penalty imposed 
        by section 509(a)(1) of that Act.</DELETED>

<DELETED>SEC. 7. ENFORCEMENT BY STATES.</DELETED>

<DELETED>    (a) In General.--The chief legal officer of a State may 
bring a civil action, as parens patriae, on behalf of the residents of 
that State in an appropriate district court of the United States to 
enforce section 2 or to impose the civil penalties for violation of 
that section, whenever the chief legal officer of the State has reason 
to believe that the interests of the residents of the State have been 
or are being threatened or adversely affected by a violation of this 
Act or a regulation under this Act.</DELETED>
<DELETED>    (b) Notice.--The chief legal officer of a State shall 
serve written notice on the Federal Trade Commission and the Federal 
Communications Commission of any civil action under subsection (a) 
prior to initiating such civil action. The notice shall include a copy 
of the complaint to be filed to initiate such civil action, except that 
if it is not feasible for the State to provide such prior notice, the 
State shall provide such notice immediately upon instituting such civil 
action.</DELETED>
<DELETED>    (c) Authority To Intervene.--Upon receiving the notice 
required by subsection (b), either Commission may intervene in such 
civil action and upon intervening--</DELETED>
        <DELETED>    (1) be heard on all matters arising in such civil 
        action; and</DELETED>
        <DELETED>    (2) file petitions for appeal of a decision in 
        such civil action.</DELETED>
<DELETED>    (d) Construction.--For purposes of bringing any civil 
action under subsection (a), nothing in this section shall prevent the 
chief legal officer of a State from exercising the powers conferred on 
that officer by the laws of such State to conduct investigations or to 
administer oaths or affirmations or to compel the attendance of 
witnesses or the production of documentary and other 
evidence.</DELETED>
<DELETED>    (e) Venue; Service of Process.--</DELETED>
        <DELETED>    (1) Venue.--An action brought under subsection (a) 
        shall be brought in a district court of the United States that 
        meets applicable requirements relating to venue under section 
        1391 of title 28, United States Code.</DELETED>
        <DELETED>    (2) Service of process.--In an action brought 
        under subsection (a)--</DELETED>
                <DELETED>    (A) process may be served without regard 
                to the territorial limits of the district or of the 
                State in which the action is instituted; and</DELETED>
                <DELETED>    (B) a person who participated in an 
                alleged violation that is being litigated in the civil 
                action may be joined in the civil action without regard 
                to the residence of the person.</DELETED>
<DELETED>    (f) Limitation on State Action While Federal Action Is 
Pending.--If either Commission has instituted an enforcement action or 
proceeding for violation of section 2 of this Act, the chief legal 
officer of the State in which the violation occurred may not bring an 
action under this section during the pendency of the proceeding against 
any person with respect to whom the Commission has instituted the 
proceeding.</DELETED>

<DELETED>SEC. 8. PREEMPTION OF STATE LAW.</DELETED>

<DELETED>    (a) Preemption.--Section 2 and the regulations prescribed 
pursuant to section 3 of this Act and section 222 of the Communications 
Act of 1934 (47 U.S.C. 222) and the regulations prescribed thereunder 
preempt any--</DELETED>
        <DELETED>    (1) statute, regulation, or rule of any State or 
        political subdivision thereof that requires a 
        telecommunications carrier or provider of IP-enabled voice 
        service to develop, implement, or maintain procedures for 
        protecting the confidentiality of customer proprietary network 
        information (as defined in section 222(i)(1) of the 
        Communications Act of 1934 (47 U.S.C. 222(i)(1))) held by that 
        telecommunications carrier or provider of IP-enabled voice 
        service, or that restricts or regulates a carrier's or 
        provider's ability to use, disclose, or permit access to such 
        information; and</DELETED>
        <DELETED>    (2) any such statute, regulation, or rule, or 
        judicial precedent of any State court under which liability is 
        imposed on a telecommunications carrier or provider of IP-
        enabled voice service for failure to comply with any statute, 
        regulation, or rule described in paragraph (1) or with the 
        requirements of section 2 or the regulations prescribed 
        pursuant to section 3 of this Act or with section 222 of the 
        Communications Act of 1934 or the regulations prescribed 
        thereunder.</DELETED>
<DELETED>    (b) Limitation on Preemption.--This Act shall not be 
construed to preempt the applicability of--</DELETED>
        <DELETED>    (1) State laws that are not specific to the 
        matters described in subsection (a), including State contract 
        or tort law; or</DELETED>
        <DELETED>    (2) other State laws to the extent those laws 
        relate to acts of fraud or computer crime.</DELETED>

<DELETED>SEC. 9. CONSUMER OUTREACH AND EDUCATION.</DELETED>

<DELETED>    (a) In General.--Within 180 days after the date of 
enactment of this Act, the Federal Trade Commission and Federal 
Communications Commission shall jointly establish and implement a media 
and distribution campaign to teach the public about the protection 
afforded customer proprietary network information under this Act, the 
Federal Trade Commission Act and the Communications Act of 
1934.</DELETED>
<DELETED>    (b) Campaign Requirements.--The campaign shall--</DELETED>
        <DELETED>    (1) promote understanding of--</DELETED>
                <DELETED>    (A) the problem concerning the theft and 
                misuse of customer proprietary network 
                information;</DELETED>
                <DELETED>    (B) available methods for consumers to 
                protect their customer proprietary network information; 
                and</DELETED>
                <DELETED>    (C) efforts undertaken by the Federal 
                Trade Commission and the Federal Communications 
                Commission to prevent the problem and seek redress 
                where a breach of security involving customer 
                proprietary network information has occurred; 
                and</DELETED>
        <DELETED>    (2) explore various distribution platforms to 
        accomplish the goal set forth in paragraph (1).</DELETED>

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Protecting 
Consumer Phone Records Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Unauthorized acquisition, use, or sale of confidential customer 
                            proprietary network telephone information.
Sec. 3. Enhanced confidentiality procedures.
Sec. 4. Penalties; extension of confidentiality requirements to other 
                            entities.
Sec. 5. Enforcement by Federal Trade Commission.
Sec. 6. Concurrent enforcement by Federal Communications Commission.
Sec. 7. Enforcement by States.
Sec. 8. Preemption of State law.
Sec. 9. Consumer outreach and education.D23/

SEC. 2. UNAUTHORIZED ACQUISITION, USE, OR SALE OF CONFIDENTIAL CUSTOMER 
              PROPRIETARY NETWORK TELEPHONE INFORMATION.

    (a) In General.--It is unlawful for any person--
            (1) to acquire or use the customer proprietary network 
        information of another person without that person's affirmative 
        written consent, which shall include electronic consent that 
        meets the requirements of the Electronic Signatures in Global 
        and National Commerce Act (15 U.S.C. 7001 et seq.);
            (2) to misrepresent that another person has consented to 
        the acquisition or use of such other person's customer 
        proprietary network information in order to acquire such 
        information;
            (3) to obtain unauthorized access to the data processing 
        system or records of a telecommunications carrier or an IP-
        enabled voice service provider in order to acquire the customer 
        proprietary network information of 1 or more other persons;
            (4) to sell, or offer for sale, customer proprietary 
        network information; or
            (5) to request that another person obtain customer 
        proprietary network information from a telecommunications 
        carrier or IP-enabled voice service provider, knowing that the 
        other person will obtain the information from such carrier or 
        provider in any manner that is unlawful under subsection (a).
    (b) Exceptions.--
            (1) Application with section 222 of communications act of 
        1934.--This Act does not prohibit a telecommunications carrier 
        or an IP-enabled voice service provider or any third party that 
        lawfully obtains such information from a carrier or provider 
        from engaging in any act or practice that was not prohibited by 
        section 222 of the Communications Act of 1934 (47 U.S.C. 222) 
        or regulations that are consistent with the provisions of 
        section 222, as that section and those regulations were in 
        effect on the day before the date of enactment of this Act.
            (2) Application of other laws.--This Act does not prohibit 
        any act or practice otherwise authorized by law, including any 
        lawfully authorized investigative, protective, or intelligence 
        activity of a law enforcement agency or the United States, a 
        State, or a political subdivision of a State, or an 
        intelligence agency of the United States.
            (3) Treatment of ip-enabled voice service providers.--For 
        purposes of this section, an IP-enabled voice service provider 
        shall be treated as if it were a telecommunications carrier 
        covered by section 222 of the Communications Act of 1934 (47 
        U.S.C. 222) before the date of enactment of this Act.
            (4) Caller id.--Nothing in this Act prohibits the use of 
        caller identification services by any person to identify the 
        originator of telephone calls received by that person.
    (c) Private Right of Action for Providers.--
            (1) In general.--A telecommunications carrier or IP-enabled 
        voice service provider may bring a civil action in an 
        appropriate State court, or in any United States district court 
        that meets applicable requirements relating to venue under 
        section 1391 of title 28, United States Code, or for any 
        judicial district in which the carrier or service provider 
        resides or conducts business--
                    (A) based on a violation of this section or the 
                regulations prescribed under this section to enjoin 
                such violation;
                    (B) to recover for actual monetary loss from such a 
                violation, or to receive $11,000 in damages for each 
                such violation, whichever is greater; or
                    (C) both.
            (2) Treble damages.--If the court finds that the defendant 
        willfully or knowingly violated this section or the regulations 
        prescribed under this section, the court may, in its 
        discretion, increase the amount of the award to an amount equal 
        to not more than 3 times the amount available under paragraph 
        (1) of this subsection.
            (3) Inflation adjustment.--The $11,000 amount in paragraph 
        (1)(B) shall be adjusted for inflation as if it were a civil 
        monetary penalty, as defined in section 3(2) of the Federal 
        Civil Penalties Inflation Adjustment Act of 1996 (28 U.S.C. 
        2461 note).
    (d) Private Right of Action for Consumers.--
            (1) In general.--An individual who has been caused harm as 
        a result of their confidential proprietary network information 
        being obtained, used, or sold in violation of this section may 
        file a civil action in any court of competent jurisdiction 
        against the person who caused the harm as a result of a 
        violation of this section.
            (2) Remedies.--A court in which such civil action has been 
        brought may award damages of not more than $11,000 for each 
        violation of this section with respect to the plaintiff's 
        customer proprietary network information and provide such 
        additional relief as the court deems appropriate, including the 
        award of court costs, investigative costs, and reasonable 
        attorney's fees.
            (3) Treble damages.--If the court finds that the defendant 
        willfully or knowingly violated this section or the regulations 
        prescribed under this section, the court may, in its 
        discretion, increase the amount of the award to not more than 3 
        times the damages determined by the court under paragraph (2).
            (4) Inflation adjustment.--The $11,000 amount in paragraph 
        (2) shall be adjusted for inflation as if it were a civil 
        monetary penalty, as defined in section 3 (2) of the Federal 
        Civil Penalties Inflation Adjustment Act of 1996 (28 USC 2461 
        note).
    (e) Civil Penalty.--
            (1) In general.--Any person who violates this section shall 
        be subject to a civil penalty of not more than $11,000 for each 
        violation or each day of a continuing violation, except that 
        the amount assessed for any continuing violation shall not 
        exceed a total of $11,000,000 for any single act or failure to 
        act.
            (2) Separate violations.--A violation of this section with 
        respect to the customer proprietary network information of 1 
        person shall be treated as a separate violation from a 
        violation with respect to the customer proprietary network 
        information of any other person.
    (f) Limitation.--Nothing in this Act or section 222 of the 
Communications Act of 1934 (47 U.S.C. 222) authorizes a subscriber to 
bring a civil action against a telecommunications carrier or an IP-
enabled voice service provider.
    (g) Definitions.--In this section:
            (1) Customer proprietary network information.--The term 
        ``customer proprietary network information'' has the meaning 
        given that term by section 222(i)(1) of the Communications Act 
        of 1934 (47 U.S.C. 222(i)(1)).
            (2) IP-enabled voice service.--The term ``IP-enabled voice 
        service'' has the meaning given that term by section 222(i)(8) 
        of the Communications Act of 1934 (47 U.S.C. 222(i)(8)).
            (3) Telecommunications carrier.--The term 
        ``telecommunications carrier'' has the meaning given it by 
        section 3(44) of the Communications Act of 1934 (47 U.S.C. 
        3(44)).

SEC. 3. ENHANCED CONFIDENTIALITY PROCEDURES.

    (a) In General.--Within 180 days after the date of enactment of 
this Act, the Federal Communications Commission shall--
            (1) revise or supplement its regulations, to the extent the 
        Commission determines it is necessary, to require a 
        telecommunications carrier or IP-enabled voice service provider 
        to protect--
                    (A) the security and confidentiality of customer 
                proprietary network information (as defined in section 
                222(i)(1) of the Communications Act of 1934 (47 U.S.C. 
                222(i)(1))); and
                    (B) customer proprietary network information 
                against any anticipated threats or hazards to its 
                security or confidentiality; and
                    (C) customer proprietary network information from 
                unauthorized access or use that could result in 
                substantial harm or inconvenience to its customers; and
            (2) ensure that any revised or supplemental regulations are 
        similar in scope and structure to the Federal Trade 
        Commission's regulations in part 314 of title 16, Code of 
        Federal Regulations, as such regulations are in effect on the 
        date of enactment of this Act, taking into consideration the 
        differences between financial information and customer 
        proprietary network information.
    (b) Compliance Certification.--Each telecommunications carrier and 
IP-enabled voice service provider to which the regulations under 
subsection (a) and section 222 of the Communications Act of 1934 (47 
U.S.C. 222) apply shall file with the Commission annually a 
certification that, for the period covered by the filing, it has been 
in compliance with those requirements.

SEC. 4. PENALTIES; EXTENSION OF CONFIDENTIALITY REQUIREMENTS TO OTHER 
              ENTITIES.

    (a) Penalties.--Title V of the Communications Act of 1934 (47 
U.S.C. 501 et seq.) is amended by inserting after section 508 the 
following:

``SEC. 509. PENALTIES FOR CONFIDENTIAL CUSTOMER PROPRIETARY NETWORK 
              INFORMATION VIOLATIONS.

    ``(a) Civil Forfeiture.--
            ``(1) In general.--Any person determined by the Commission, 
        in accordance with paragraphs (3) and (4) of section 503(b), to 
        have violated section 2 of the Protecting Consumer Phone 
        Records Act shall be liable to the United States for a 
        forfeiture penalty. A forfeiture penalty under this subsection 
        shall be in addition to any other penalty provided for by this 
        Act. The amount of the forfeiture penalty determined under this 
        subsection shall not exceed $30,000 for each violation, or 3 
        times that amount for each day of a continuing violation, 
        except that the amount assessed for any continuing violation 
        shall not exceed a total of $3,000,000 for any single act or 
        failure to act.
            ``(2) Recovery.--Any forfeiture penalty determined under 
        paragraph (1) shall be recoverable pursuant to section 504(a) 
        of this Act.
            ``(3) Procedure.--No forfeiture liability shall be 
        determined under paragraph (1) against any person unless such 
        person receives the notice required by section 503(b)(3) or 
        section 503(b)(4) of this Act.
            ``(4) 2-year statute of limitations.--No forfeiture penalty 
        shall be determined or imposed against any person under 
        paragraph (1) if the violation charged occurred more than 2 
        years prior to the date of issuance of the required notice or 
        notice or apparent liability.
    ``(b) Criminal Fine.--Any person who willfully and knowingly 
violates section 2 of the Protecting Consumer Phone Records Act shall 
upon conviction thereof be fined not more than $30,000 for each 
violation, or 3 times that amount for each day of a continuing 
violation, in lieu of the fine provided by section 501 for such a 
violation. This subsection does not supersede the provisions of section 
501 relating to imprisonment or the imposition of a penalty of both 
fine and imprisonment.''.
    (b) Extension of Confidentiality Requirements to IP-enabled Voice 
Service Providers.--Section 222 of the Communications Act of 1934 (47 
U.S.C. 222) is amended--
            (1) by inserting ``or IP-enabled voice service provider'' 
        after ``telecommunications carrier'' each place it appears 
        except in subsections (e) and (g);
            (2) by inserting ``or IP-enabled voice service provider'' 
        after ``exchange service'' in subsection (g);
            (3) by striking ``telecommunication carriers'' each place 
        it appears in subsection (a) and inserting ``telecommunications 
        carriers or IP-enabled voice service providers'';
            (4) by inserting ``or provider'' after ``carrier'' in 
        subsection (d)(2) and in paragraphs (1)(A) and (B) and (3)(A) 
        and (B) of subsection (h);
            (5) by inserting ``or provider-customer'' after ``carrier-
        customer'' in subsection (h)(1)(A);
            (6) by inserting ``or providers'' after ``carriers'' in 
        subsection (d)(2);
            (7) by inserting ``and IP-enabled Voice Service Provider'' 
        after ``Carrier'' in the caption of subsection (b);
            (8) by inserting ``and ip-enabled voice service providers'' 
        after ``carriers'' in the caption of subsection (c)(1);
            (9) by inserting ``or IP-enabled voice service'' after 
        ``service'' in subsection (h)(1)(A); and
            (10) by striking ``telephone exchange service or telephone 
        toll service'' in subsection (h)(1)(B) and inserting 
        ``telephone exchange service, telephone toll service, or IP-
        enabled voice service''.
    (c) Definition.--Section 222(h) of the Communications Act of 1934 
(47 U.S.C. 222(h)) is amended by adding at the end the following:
            ``(8) IP-enabled voice service.--The term `IP-enabled voice 
        service' means the provision of real-time 2-way voice 
        communications offered to the public, or such classes of users 
        as to be effectively available to the public, transmitted 
        through customer premises equipment using TCP/IP protocol, or a 
        successor protocol, for a fee (whether part of a bundle of 
        services or separately) with interconnection capability such 
        that the service can originate traffic to, or terminate traffic 
        from, the public switched telephone network.''.
    (d) Telecommunications Carrier and IP-enabled Voice Service 
Provider Notification Requirement.--Section 222 of the Communications 
Act of 1934 (47 U.S.C. 222), is further amended--
            (1) by redesignating subsection (h) as subsection (i);
            (2) by inserting after subsection (g) the following new 
        subsection:
    ``(h) Notice of Violations.--
            ``(1) In general.--The Commission shall by regulation 
        require each telecommunications carrier or IP-enabled voice 
        service provider to notify a customer within 14 calendar days 
        after the carrier or provider is notified of, or becomes aware 
        of, an incident in which customer proprietary network 
        information relating to such customer was disclosed to someone 
        other than the customer in violation of this section or section 
        2 of the Protecting Consumer Phone Records Act.
            ``(2) Law enforcement and homeland security related 
        delays.--Notwithstanding paragraph (1), a telecommunications 
        carrier or IP-enabled voice service provider may delay the 
        required notification for a reasonable period of time if--
                    ``(A) a Federal or State law enforcement agency 
                determines that giving notice within the 14-day period 
                would materially impede a civil or criminal 
                investigation; or
                    ``(B) a Federal national security agency or the 
                Department of Homeland Security determines that giving 
                notice within the 14-day period would threaten national 
                or homeland security.''; and
            (3) by striking ``information.'' in paragraph (1) of 
        subsection (i), as redesignated, and inserting ``information 
        nor does it include information that is related to non-voice 
        service features bundled with IP-enabled voice service.''.
    (e) Statute of Limitations.--Section 503(b)(6)(B) of the 
Communications Act of 1934 (47 U.S.C. 503(b)(6)(B)) is amended to read 
as follows:
                    ``(B) such person does not hold a broadcast station 
                license issued under title III of this Act and--
                            ``(i) the person is charged with violating 
                        section 222 and the violation occurred more 
                        than 2 years prior to the date of issuance of 
                        the required notice or notice of apparent 
                        liability; or
                            ``(ii) the person is charged with violating 
                        any other provision of this Act and the 
                        violation occurred more than 1 year prior to 
                        the date of issuance of the required notice or 
                        notice of apparent liability.''.
    (f) Application of Cable Subscriber Privacy Rules to IP-enabled 
Voice Service Providers.--Section 631 of the Communications Act of 1934 
(47 U.S.C. 551) is amended by adding at the end the following:
    ``(i) Customer Proprietary Network Information.--This section does 
not apply to customer proprietary network information (as defined in 
section 222(i)(1) of this Act) as it relates to the provision of IP-
enabled voice service (as defined in section 222(i)(8) of this Act) by 
a cable operator to the extent that section 222 of this Act and section 
2 of the Protecting Consumer Phone Records Act applies to such 
information.''.
    (g) Consumer Control of Wireless Phone Numbers.--Section 222 of the 
Communications Act of 1934 (47 U.S.C. 222), as amended by subsection 
(d), is further amended by adding at the end the following:
    ``(j) Wireless Consumer Privacy Protection.--
            ``(1) In general.--A provider of commercial mobile 
        services, or any direct or indirect affiliate or agent of such 
        a provider, may not include the wireless telephone number 
        information of any subscriber in any wireless directory 
        assistance service database unless the mobile service 
        provider--
                    ``(A) provides a conspicuous, separate notice to 
                the subscriber informing the subscriber of the right 
                not to be listed in any wireless directory assistance 
                service; and
                    ``(B) obtains express prior authorization for 
                listing from such subscriber, separate from any 
                authorization obtained to provide such subscriber with 
                commercial mobile service, or any calling plan or 
                service associated with such commercial mobile service, 
                and such authorization has not been subsequently 
                withdrawn.
            ``(2) Cost-free de-listing.--A provider of commercial 
        mobile services, or any direct or indirect affiliate or agent 
        of such a provider, shall remove the wireless telephone number 
        information of any subscriber from any wireless directory 
        assistance service database upon request by that subscriber and 
        without any cost to the subscriber.
            ``(3) Publication of directories prohibited.--A provider of 
        commercial mobile services, or any direct or indirect affiliate 
        or agent of such a provider, may not publish, in printed, 
        electronic, or other form, or sell or otherwise disseminate, 
        the contents of any wireless directory assistance service 
        database, or any portion or segment thereof unless the mobile 
        service provider--
                    ``(A) provides a conspicuous, separate notice to 
                the subscriber informing the subscriber of the right 
                not to be listed; and
                    ``(B) obtains express prior authorization for 
                listing from such subscriber, separate from any 
                authorization obtained to provide such subscriber with 
                commercial mobile service, or any calling plan or 
                service associated with such commercial mobile service, 
                and such authorization has not been subsequently 
                withdrawn.
            ``(4) No consumer fee for retaining privacy.--A provider of 
        commercial mobile services may not charge any subscriber for 
        exercising any of the rights described under this subsection.
            ``(5) State and local laws pre-empted.--To the extent that 
        any State or local government imposes requirements on providers 
        of commercial mobile services, or any direct or indirect 
        affiliate or agent of such providers, that are inconsistent 
        with the requirements of this subsection, this subsection 
        preempts such State or local requirements.
            ``(6) Definitions.--In this subsection:
                    ``(A) Wireless telephone number information.--The 
                term `wireless telephone number information' means the 
                telephone number, electronic address, and any other 
                identifying information by which a calling party may 
                reach a subscriber to commercial mobile services, and 
                which is assigned by a commercial mobile service 
                provider to such subscriber, and includes the name and 
                address of such subscriber.
                    ``(B) Wireless directory assistance service.--The 
                term `wireless directory assistance service' means any 
                service for connecting calling parties to a subscriber 
                of commercial mobile service when such calling parties 
                themselves do not possess the wireless telephone number 
                information of such subscriber.''.

SEC. 5. ENFORCEMENT BY FEDERAL TRADE COMMISSION.

    (a) In General.--Except as provided in sections 6 and 7 of this 
Act, section 2 of this Act shall be enforced by the Federal Trade 
Commission with respect to any entity subject to the jurisdiction of 
the Commission under section 5(a)(2) of the Federal Trade Commission 
Act (15 U.S.C. 45(a)(2)).
    (b) Violation Treated as an Unfair or Deceptive Act or Practice.--
Violation of section 2 shall be treated as an unfair or deceptive act 
or practice proscribed under a rule issued under section 18(a)(1)(B) of 
the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
    (c) Actions by the Commission.--The Commission shall prevent any 
person from violating this Act in the same manner, by the same means, 
and with the same jurisdiction, powers, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act (15 
U.S.C. 41 et seq.) were incorporated into and made a part of this Act. 
Any person that violates section 2 is subject to the penalties and 
entitled to the privileges and immunities provided in the Federal Trade 
Commission Act in the same manner, by the same means, and with the same 
jurisdiction, powers, and duties as though all applicable terms and 
provisions of the Federal Trade Commission Act were incorporated into 
and made a part of this Act. Nothing in section 2(d) of this Act limits 
any penalty under the Federal Trade Commission Act as that Act is made 
applicable to violations of section 2 by the preceding sentence.

SEC. 6. CONCURRENT ENFORCEMENT BY FEDERAL COMMUNICATIONS COMMISSION.

    (a) In General.--The Federal Communications Commission shall have 
concurrent jurisdiction to enforce section 2.
    (b) Penalty; Procedure.--For purposes of enforcement of that 
section by the Commission--
            (1) a violation of section 2 of this Act is deemed to be a 
        violation of a provision of the Communications Act of 1934 (47 
        U.S.C. 151 et seq.) rather than a violation of the Federal 
        Trade Commission Act; and
            (2) the provisions of section 509(a)(2), (3), and (4) of 
        the Communications Act of 1934 shall apply to the imposition 
        and collection of the civil penalty imposed by section 2 of 
        this Act as if it were the civil penalty imposed by section 
        509(a)(1) of that Act.

SEC. 7. ENFORCEMENT BY STATES.

    (a) In General.--The chief legal officer of a State, or any other 
State officer authorized by law to bring actions on behalf of the 
residents of a State, may bring a civil action, as parens patriae, on 
behalf of the residents of that State in an appropriate district court 
of the United States to enforce section 2 or to impose the civil 
penalties for violation of that section, whenever the chief legal 
officer or other State officer has reason to believe that the interests 
of the residents of the State have been or are being threatened or 
adversely affected by a violation of this Act or a regulation under 
this Act.
    (b) Notice.--The chief legal officer or other State officer shall 
serve written notice on the Federal Trade Commission and the Federal 
Communications Commission of any civil action under subsection (a) 
prior to initiating such civil action. The notice shall include a copy 
of the complaint to be filed to initiate such civil action, except that 
if it is not feasible for the State to provide such prior notice, the 
State shall provide such notice immediately upon instituting such civil 
action.
    (c) Authority To Intervene.--Upon receiving the notice required by 
subsection (b), either Commission may intervene in such civil action 
and upon intervening--
            (1) be heard on all matters arising in such civil action; 
        and
            (2) file petitions for appeal of a decision in such civil 
        action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this section shall prevent the chief legal 
officer or other State officer from exercising the powers conferred on 
that officer by the laws of such State to conduct investigations or to 
administer oaths or affirmations or to compel the attendance of 
witnesses or the production of documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--An action brought under subsection (a) shall be 
        brought in a district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a)--
                    (A) process may be served without regard to the 
                territorial limits of the district or of the State in 
                which the action is instituted; and
                    (B) a person who participated in an alleged 
                violation that is being litigated in the civil action 
                may be joined in the civil action without regard to the 
                residence of the person.
    (f) Limitation on State Action While Federal Action Is Pending.--If 
either Commission has instituted an enforcement action or proceeding 
for violation of section 2 of this Act, the chief legal officer or 
other State officer of the State in which the violation occurred may 
not bring an action under this section during the pendency of the 
proceeding against any person with respect to whom the Commission has 
instituted the proceeding.

SEC. 8. PREEMPTION OF STATE LAW.

    (a) Preemption.--Section 2 and the regulations prescribed pursuant 
to section 3 of this Act and section 222 of the Communications Act of 
1934 (47 U.S.C. 222) and the regulations prescribed thereunder preempt 
any--
            (1) statute, regulation, or rule of any State or political 
        subdivision thereof that requires a telecommunications carrier 
        or provider of IP-enabled voice service to develop, implement, 
        or maintain procedures for protecting the confidentiality of 
        customer proprietary network information (as defined in section 
        222(i)(1) of the Communications Act of 1934 (47 U.S.C. 
        222(i)(1))) held by that telecommunications carrier or provider 
        of IP-enabled voice service, or that restricts or regulates a 
        carrier's or provider's ability to use, disclose, or permit 
        access to such information; and
            (2) any such statute, regulation, or rule, or judicial 
        precedent of any State court under which liability is imposed 
        on a telecommunications carrier or provider of IP-enabled voice 
        service for failure to comply with any statute, regulation, or 
        rule described in paragraph (1) or with the requirements of 
        section 2 or the regulations prescribed pursuant to section 3 
        of this Act or with section 222 of the Communications Act of 
        1934 or the regulations prescribed thereunder.
    (b) Limitation on Preemption.--This Act shall not be construed to 
preempt the applicability of--
            (1) State laws that are not specific to the matters 
        described in subsection (a), including State contract or tort 
        law; or
            (2) other State laws to the extent those laws relate to 
        acts of fraud or computer crime.

SEC. 9. CONSUMER OUTREACH AND EDUCATION.

    (a) In General.--Within 180 days after the date of enactment of 
this Act, the Federal Trade Commission and Federal Communications 
Commission shall jointly establish and implement a media and 
distribution campaign to teach the public about the protection afforded 
customer proprietary network information under this Act, the Federal 
Trade Commission Act and the Communications Act of 1934.
    (b) Campaign Requirements.--The campaign shall--
            (1) promote understanding of--
                    (A) the problem concerning the theft and misuse of 
                customer proprietary network information;
                    (B) available methods for consumers to protect 
                their customer proprietary network information; and
                    (C) efforts undertaken by the Federal Trade 
                Commission and the Federal Communications Commission to 
                prevent the problem; and
            (2) explore various distribution platforms to accomplish 
        the goal set forth in paragraph (1).D23/
                                                       Calendar No. 425

109th CONGRESS

  2d Session

                                S. 2389

                          [Report No. 109-253]

_______________________________________________________________________

                                 A BILL

   To amend the Communications Act of 1934 to prohibit the unlawful 
   acquisition and use of confidential customer proprietary network 
                  information, and for other purposes.

_______________________________________________________________________

                              May 9, 2006

                       Reported with an amendment