[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[H.R. 936 Introduced in House (IH)]

110th CONGRESS
  1st Session
                                H. R. 936

          To prohibit fraudulent access to telephone records.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            February 8, 2007

 Mr. Dingell (for himself, Mr. Barton of Texas, Mr. Markey, Mr. Upton, 
   Mr. Rush, Mr. Stearns, Ms. Schakowsky, Mr. Boucher, Mr. Gordon of 
Tennessee, Ms. Eshoo, Mr. Stupak, Mr. Gene Green of Texas, Ms. DeGette, 
    Mrs. Capps, Mr. Doyle, Ms. Solis, Mr. Gonzalez, Mr. Inslee, Ms. 
 Baldwin, Ms. Hooley, Mr. Matheson, Mr. Butterfield, Mr. Fossella, Mr. 
Terry, Mr. Burgess, and Mr. Engel) introduced the following bill; which 
          was referred to the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
          To prohibit fraudulent access to telephone records.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Prevention of Fraudulent Access to 
Phone Records Act''.

              TITLE I--FEDERAL TRADE COMMISSION PROVISIONS

SEC. 101. FRAUDULENT ACCESS TO CUSTOMER TELEPHONE RECORDS.

    (a) Prohibition on Obtaining Customer Information by False 
Pretenses.--It shall be unlawful for any person to obtain or attempt to 
obtain, or cause to be disclosed or attempt to cause to be disclosed to 
any person, customer proprietary network information relating to any 
other person by--
            (1) making a false, fictitious, or fraudulent statement or 
        representation to an officer, employee, or agent of a 
        telecommunications carrier; or
            (2) providing any document or other information to an 
        officer, employee, or agent of a telecommunications carrier 
        that the person knows or should know to be forged, counterfeit, 
        lost, stolen, or fraudulently obtained, or to contain a false, 
        fictitious, or fraudulent statement or representation.
    (b) Prohibition on Solicitation of a Person to Obtain Customer 
Information Under False Pretenses.--It shall be unlawful to request a 
person to obtain from a telecommunications carrier customer proprietary 
network information relating to any third person, if the person making 
such a request knew or should have known that the person to whom such a 
request is made will obtain or attempt to obtain such information in 
the manner described in subsection (a).
    (c) Prohibition on Sale or Other Disclosure of Customer Information 
Obtained Under False Pretenses.--It shall be unlawful for any person to 
sell or otherwise disclose to any person customer proprietary network 
information relating to any other person if the person selling or 
disclosing obtained such information in the manner described in 
subsection (a).

SEC. 102. EXEMPTION.

    No provision of section 101 shall be construed so as to prevent any 
action by a law enforcement agency, or any officer, employee, or agent 
of such agency, from obtaining or attempting to obtain customer 
proprietary network information from a telecommunications carrier in 
connection with the performance of the official duties of the agency, 
in accordance with other applicable laws.

SEC. 103. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.

    A violation of section 101 shall be treated as a violation of a 
rule defining an unfair or deceptive act or practice prescribed under 
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 
57a(a)(1)(B)). The Federal Trade Commission shall enforce this title in 
the same manner, by the same means, and with the same jurisdiction as 
though all applicable terms and provisions of the Federal Trade 
Commission Act were incorporated into and made a part of this title.

SEC. 104. DEFINITIONS.

    As used in this title--
            (1) the term ``customer proprietary network information'' 
        has the meaning given such term in section 222(j)(1) of the 
        Communications Act of 1934 (47 U.S.C. 222(j)(1)) (as 
        redesignated by section 203 of this Act);
            (2) the term ``telecommunications carrier''--
                    (A) has the meaning given such term in section 
                3(44) of the Communications Act of 1934 (47 U.S.C. 
                153(44)); and
                    (B) includes any provider of real-time Internet 
                protocol-enabled voice communications; and
            (3) the term ``real-time Internet protocol-enabled voice 
        communications'' means any service that is treated by the 
        Federal Communications Commission as a telecommunications 
        service provided by a telecommunications carrier for purposes 
        of section 222 of the Communications Act of 1934 (47 U.S.C. 
        222) under regulations promulgated pursuant to subsection (h) 
        of such section.

         TITLE II--FEDERAL COMMUNICATIONS COMMISSION PROVISIONS

SEC. 201. FINDINGS.

    The Congress finds the following:
            (1) As our Nation's communications networks become more 
        ubiquitous and increasingly sophisticated, more individuals and 
        industries will be using such networks in greater amounts to 
        communicate and conduct commercial transactions.
            (2) The ease of gathering and compiling sensitive personal 
        information as a result of such communications is becoming more 
        efficient and commonplace due to advances in digital technology 
        and the widespread use of the Internet.
            (3) Ensuring the privacy of sensitive individual telephone 
        calling records, both wireline and wireless, is of utmost 
        importance. The information gathered and retained by 
        communications providers can convey details about intimate 
        aspects of an individual's life, including who they call, when 
        they call, the duration of such calls, the frequency of their 
        communications, information about their purchases, 
        informational inquiries, political or religious interests, or 
        other affiliations.
            (4) Disclosure of personal telephone records can also lead 
        to harassment, intimidation, physical harm, and identity theft.
            (5) The government has a compelling interest in protecting 
        sensitive personal information contained in customer telephone 
        records and ensuring that commercial interests adequately 
        protect such records in order to preserve individual freedom, 
        safeguard personal privacy, and ensure trust in electronic 
        commerce.
            (6) Because customers have a proprietary interest in their 
        sensitive personal information, customers should have some 
        control over the use and disclosure of telephone calling 
        records.
            (7) A telecommunications carrier may use aggregated data it 
        has obtained from its customer databases to improve services, 
        solicit new business, or market additional services to its 
        customers.
            (8) A telecommunications carrier may communicate to all 
        consumers in order to broadly solicit new business, and may 
        also target specific communications to its own existing 
        customers, without use or disclosure of detailed customer 
        calling records and thus without the threat of compromising 
        customer privacy.
            (9) The risk of compromising customer privacy is raised and 
        increased whenever additional entities or persons are permitted 
        use of, or access to, or receive disclosure of, customer 
        calling records beyond the carrier with which the customer has 
        an established business relationship.
            (10) A telecommunications carrier which obtains or 
        possesses a customer's calling records has a duty to safeguard 
        the confidentiality of such customer's personal information. 
        Detailed customer calling records describing the customer's use 
        of telecommunications services should not be publicly available 
        or offered for commercial sale.

SEC. 202. EXPANDED PROTECTION FOR DETAILED CUSTOMER RECORDS.

    (a) Confidentiality of Customer Information.--Paragraph (1) of 
section 222(c) of the Communications Act of 1934 (47 U.S.C. 222(c)(1)) 
is amended to read as follows:
            ``(1) Privacy requirements for telecommunications 
        carriers.--
                    ``(A) In general.--Except as required by law or as 
                permitted under the following provisions of this 
                paragraph, a telecommunications carrier that receives 
                or obtains individually identifiable customer 
                proprietary network information (including detailed 
                customer telephone records) by virtue of its provision 
                of a telecommunications service shall only use, 
                disclose, or permit access to such information or 
                records in the provision by such carrier of--
                            ``(i) the telecommunications service from 
                        which such information is derived; or
                            ``(ii) services necessary to, or used in, 
                        the provision of such telecommunications 
                        service, including the publishing of 
                        directories.
                    ``(B) Requirements for disclosure of detailed 
                information.--A telecommunications carrier may only use 
                detailed customer telephone records through, or 
                disclose such records to, or permit access to such 
                records by, a joint venture partner, independent 
                contractor, or any other third party (other than an 
                affiliate) if the customer has given express prior 
                authorization for that use, disclosure, or access, and 
                that authorization has not been withdrawn.
                    ``(C) Requirements for affiliate use of both 
                general and detailed information.--A telecommunications 
                carrier may not, except with the approval of a 
                customer, use individually identifiable customer 
                proprietary network information (including detailed 
                customer telephone records) through, or disclose such 
                information or records to, or permit access to such 
                information or records by, an affiliate of such carrier 
                in the provision by such affiliate of the services 
                described in clause (i) or (ii) of subparagraph (A).
                    ``(D) Requirements for partner and contractor use 
                of general information.--A telecommunications carrier 
                may not, except with the approval of the customer, use 
                individually identifiable customer proprietary network 
                information (other than detailed customer telephone 
                records) through, or disclose such information to, or 
                permit access to such information by, a joint venture 
                partner or independent contractor in the provision by 
                such partner or contractor of the services described in 
                clause (i) or (ii) of subparagraph (A).
                    ``(E) Access to wireless telephone numbers.--A 
                telecommunications carrier may not, except with prior 
                express authorization from the customer, disclose the 
                wireless telephone number of any customer or permit 
                access to the wireless telephone number of any 
                customer.''.
    (b) Disclosure of Detailed Information on Request by Customer.--
Section 222(c)(2) of such Act is amended by inserting ``(including a 
detailed customer telephone record)'' after ``customer proprietary 
network information''.
    (c) Aggregate Data.--Section 222(c)(3) of such Act is amended by 
adding at the end the following new sentence: ``Aggregation of data 
that is conducted by a third party may be treated for purposes of this 
subsection as aggregation by the carrier if such aggregation is 
conducted in a secure manner under the control or supervision of the 
carrier.''.
    (d) Prohibition of Sale of General or Detailed Information.--
Section 222(c) of such Act is further amended by adding at the end the 
following new paragraph:
            ``(4) Prohibition of sale of general or detailed 
        information.--Except for the purposes for which use, 
        disclosure, or access is permitted under subsection (d), it 
        shall be unlawful for any person to sell, rent, lease, or 
        otherwise make available for remuneration or other 
        consideration the customer proprietary network information 
        (including the detailed customer telephone records) of any 
        customer.''.
    (e) Exceptions to Limitations on Disclosures of Detailed 
Information.--Section 222(d) of such Act is amended--
            (1) by striking ``its agents'' and inserting ``its joint 
        venture partners, contractors, or agents''; and
            (2) in paragraph (1), by inserting after 
        ``telecommunications services'' the following: ``, or provide 
        customer service with respect to telecommunications services to 
        which the customer subscribes''.

SEC. 203. PREVENTION BY TELECOMMUNICATIONS CARRIERS OF FRAUDULENT 
              ACCESS TO PHONE RECORDS.

    Section 222 of the Communications Act of 1934 (47 U.S.C. 222) is 
further amended--
            (1) by redesignating subsection (h) as subsection (j);
            (2) by inserting after subsection (g) the following new 
        subsections:
    ``(h) Prevention of Fraudulent Access to Phone Records.--
            ``(1) Regulations.--Within 180 days after the date of 
        enactment of the Prevention of Fraudulent Access to Phone 
        Records Act, the Commission shall prescribe regulations 
        adopting more stringent security standards for customer 
        proprietary network information (including detailed customer 
        telephone records) to detect and prevent violations of this 
        section. The Commission--
                    ``(A) shall prescribe regulations--
                            ``(i) to require timely notice (written or 
                        electronic) to each customer upon breach of the 
                        regulations under this section with respect to 
                        customer proprietary network information 
                        relating to that customer;
                            ``(ii) to require timely notice to the 
                        Commission upon breach of the regulations under 
                        this section with respect to customer 
                        proprietary network information relating to any 
                        customer;
                            ``(iii) to require periodic audits by the 
                        Commission of telecommunication carriers and 
                        their agents to determine compliance with this 
                        section;
                            ``(iv) to require telecommunications 
                        carriers and their agents to maintain records--
                                    ``(I) of each time customer 
                                proprietary network information is 
                                requested or accessed by, or disclosed 
                                to, a person purporting to be the 
                                customer or to be acting at the request 
                                or direction of the customer; and
                                    ``(II) if such access or disclosure 
                                was granted to such a person, of how 
                                the person's identity or authority was 
                                verified;
                            ``(v) to require telecommunications 
                        carriers to establish a security policy that 
                        includes appropriate standards relating to 
                        administrative, technical, and physical 
                        safeguards to ensure the security and 
                        confidentiality of customer proprietary network 
                        information;
                            ``(vi) to prohibit any telecommunications 
                        carrier from obtaining or attempting to obtain, 
                        or causing to be disclosed or attempting to 
                        cause to be disclosed to that carrier or its 
                        agent or employee, customer proprietary network 
                        information relating to any customer of another 
                        carrier--
                                    ``(I) by using a false, fictitious, 
                                or fraudulent statement or 
                                representation to an officer, employee, 
                                or agent of another telecommunications 
                                carrier; or
                                    ``(II) by making a false, 
                                fictitious, or fraudulent statement or 
                                representation to a customer of another 
                                telecommunications carrier; and
                            ``(vii) only for the purposes of this 
                        section, to treat as a telecommunications 
                        service provided by a telecommunications 
                        carrier any real-time Internet protocol-enabled 
                        voice communications offered by any person to 
                        the public, or such classes of users as to be 
                        effectively available to the public, that 
                        allows a user to originate traffic to, or 
                        terminate traffic from, the public switched 
                        telephone network; and
                    ``(B) shall consider prescribing regulations--
                            ``(i) to require telecommunications 
                        carriers to institute customer-specific 
                        identifiers in order to access customer 
                        proprietary network information;
                            ``(ii) to require encryption of customer 
                        proprietary network information data or other 
                        safeguards to better secure such data; and
                            ``(iii) to require deletion of customer 
                        proprietary network information data after a 
                        reasonable period of time if such data is no 
                        longer necessary for the purpose for which it 
                        was collected or for the purpose of an 
                        exception contained in section (d), and there 
                        are no pending requests for access to such 
                        information.
            ``(2) Reports.--
                    ``(A) Assessment and recommendations.--Within 12 
                months after the date on which the Commission's 
                regulations under paragraph (1) are prescribed, and 
                again not later than 3 years later, the Commission 
                shall submit to the Committee on Energy and Commerce of 
                the House of Representatives and the Committee on 
                Commerce, Science, and Transportation of the Senate a 
                report containing--
                            ``(i) an assessment of the efficacy and 
                        adequacy of the regulations and remedies 
                        provided in accordance with this subsection in 
                        protecting customer proprietary network 
                        information;
                            ``(ii) an assessment of the efficacy and 
                        adequacy of telecommunications carriers' 
                        safeguards to secure such data, security plans, 
                        and notification procedures; and
                            ``(iii) any recommendations for additional 
                        legislative or regulatory action to address 
                        threats to the privacy of customer information.
                    ``(B) Annual report.--The Federal Communications 
                Commission shall submit to Congress an annual report 
                containing--
                            ``(i) the number and disposition of all 
                        enforcement actions taken pursuant to this 
                        subsection; and
                            ``(ii) the number and type of notifications 
                        received under paragraph (1)(A)(ii) and the 
                        methodology, including the basis for the 
                        selection of carriers to be audited, and the 
                        results of each audit conducted under paragraph 
                        (1)(A)(iii).
            ``(3) Dual regulation prohibited.--Any person that is 
        treated as a telecommunications carrier providing a 
        telecommunications service with respect to the offering of 
        real-time Internet protocol-enabled voice communications by the 
        regulations prescribed under paragraph (1)(A)(vii) shall not be 
        subject to the provisions of section 631 with respect to the 
        offering of such communications.
    ``(i) Forfeiture Penalties.--
            ``(1) Increased penalties.--In any case in which the 
        violator is determined by the Commission under section 
        503(b)(1) to have violated this section or the regulations 
        thereunder, section 503(b)(2)(B) shall be applied--
                    ``(A) by substituting `$300,000' for `$100,000'; 
                and
                    ``(B) by substituting `$3,000,000' for 
                `$1,000,000'.
            ``(2) No first warnings.--Paragraph (5) of section 503(b) 
        shall not apply to the determination of forfeiture liability 
        under such section with respect to a violation of this section 
        or the regulations thereunder by any telecommunications carrier 
        or any agent of such a carrier.''; and
            (3) in subsection (g), by striking ``subsection (i)(3)(A)'' 
        and inserting ``subsection (j)(3)(A)''.

SEC. 204. DEFINITIONS.

    Subsection (j) of section 222 of the Communications Act of 1934 (47 
U.S.C. 222(j)), as redesignated by section 203(1) of this Act, is 
amended by adding at the end the following new paragraphs:
            ``(8) Detailed customer telephone record.--The term 
        `detailed customer telephone record' means customer proprietary 
        network information that contains the specific and detailed 
        destinations, locations, duration, time, and date of 
        telecommunications to or from a customer, as typically 
        contained in the bills for such service. Such term does not 
        mean aggregate data or subscriber list information.
            ``(9) Wireless telephone number.--The term `wireless 
        telephone number' means the telephone number of a subscriber to 
        a commercial mobile service.''.