


110 HR 936 IH: Prevention of Fraudulent Access to

U.S. House of Representatives
2007-02-08
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.


	
		110th CONGRESS
		1st Session
		H. R. 936
		IN THE HOUSE OF REPRESENTATIVES
		
			February 8, 2007
			Mr. Dingell (for himself, Mr. Barton of Texas, Mr. Markey, Mr. Upton, Mr. Rush, Mr. Stearns, Ms. Schakowsky, Mr. Boucher, Mr. Gordon of Tennessee, Ms. Eshoo, Mr. Stupak, Mr. Gene Green of Texas, Ms. DeGette, Mrs. Capps, Mr. Doyle, Ms. Solis, Mr. Gonzalez, Mr. Inslee, Ms. Baldwin, Ms. Hooley, Mr. Matheson, Mr. Butterfield, Mr. Fossella, Mr. Terry, Mr. Burgess, and Mr. Engel) introduced the following bill; which was referred to the Committee on Energy and Commerce
		
		A BILL
		To prohibit fraudulent access to telephone records.
	
	
		1. Short title. This Act may be cited as the “Prevention of Fraudulent Access to Phone Records Act”.
		Title I. Federal Trade Commission Provisions
			101. Fraudulent access to customer telephone records
				(a) Prohibition on obtaining customer information by false pretenses. It shall be unlawful for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, customer proprietary network information relating to any other person by—
					(1) making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a telecommunications carrier; or
					(2) providing any document or other information to an officer, employee, or agent of a telecommunications carrier that the person knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.
				(b) Prohibition on solicitation of a person to obtain customer information under false pretenses. It shall be unlawful to request a person to obtain from a telecommunications carrier customer proprietary network information relating to any third person, if the person making such a request knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subsection (a).
				(c) Prohibition on sale or other disclosure of customer information obtained under false pretenses. It shall be unlawful for any person to sell or otherwise disclose to any person customer proprietary network information relating to any other person if the person selling or disclosing obtained such information in the manner described in subsection (a).
			102. Exemption. No provision of section 101 shall be construed so as to prevent any action by a law enforcement agency, or any officer, employee, or agent of such agency, from obtaining or attempting to obtain customer proprietary network information from a telecommunications carrier in connection with the performance of the official duties of the agency, in accordance with other applicable laws.
			103. Enforcement by the Federal Trade Commission. A violation of section 101 shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). The Federal Trade Commission shall enforce this title in the same manner, by the same means, and with the same jurisdiction as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated into and made a part of this title.
			104. Definitions. As used in this title—
				(1) the term “customer proprietary network information” has the meaning given such term in section 222(j)(1) of the Communications Act of 1934 (47 U.S.C. 222(j)(1)) (as redesignated by section 203 of this Act);
				(2) the term “telecommunications carrier”—
					(A) has the meaning given such term in section 3(44) of the Communications Act of 1934 (47 U.S.C. 153(44)); and
					(B) includes any provider of real-time Internet protocol-enabled voice communications; and
				(3) the term “real-time Internet protocol-enabled voice communications” means any service that is treated by the Federal Communications Commission as a telecommunications service provided by a telecommunications carrier for purposes of section 222 of the Communications Act of 1934 (47 U.S.C. 222) under regulations promulgated pursuant to subsection (h) of such section.
		Title II. Federal Communications Commission Provisions
			201. Findings. The Congress finds the following:
				(1) As our Nation’s communications networks become more ubiquitous and increasingly sophisticated, more individuals and industries will be using such networks in greater amounts to communicate and conduct commercial transactions.
				(2) The ease of gathering and compiling sensitive personal information as a result of such communications is becoming more efficient and commonplace due to advances in digital technology and the widespread use of the Internet.
				(3) Ensuring the privacy of sensitive individual telephone calling records, both wireline and wireless, is of utmost importance. The information gathered and retained by communications providers can convey details about intimate aspects of an individual’s life, including who they call, when they call, the duration of such calls, the frequency of their communications, information about their purchases, informational inquiries, political or religious interests, or other affiliations.
				(4) Disclosure of personal telephone records can also lead to harassment, intimidation, physical harm, and identity theft.
				(5) The government has a compelling interest in protecting sensitive personal information contained in customer telephone records and ensuring that commercial interests adequately protect such records in order to preserve individual freedom, safeguard personal privacy, and ensure trust in electronic commerce.
				(6) Because customers have a proprietary interest in their sensitive personal information, customers should have some control over the use and disclosure of telephone calling records.
				(7) A telecommunications carrier may use aggregated data it has obtained from its customer databases to improve services, solicit new business, or market additional services to its customers.
				(8) A telecommunications carrier may communicate to all consumers in order to broadly solicit new business, and may also target specific communications to its own existing customers, without use or disclosure of detailed customer calling records and thus without the threat of compromising customer privacy.
				(9) The risk of compromising customer privacy is raised and increased whenever additional entities or persons are permitted use of, or access to, or receive disclosure of, customer calling records beyond the carrier with which the customer has an established business relationship.
				(10) A telecommunications carrier which obtains or possesses a customer’s calling records has a duty to safeguard the confidentiality of such customer's personal information. Detailed customer calling records describing the customer’s use of telecommunications services should not be publicly available or offered for commercial sale.
			202. Expanded protection for detailed customer records
				(a) Confidentiality of Customer Information. Paragraph (1) of section 222(c) of the Communications Act of 1934 (47 U.S.C. 222(c)(1)) is amended to read as follows:
					“(1) Privacy requirements for telecommunications carriers
						(A) In general. Except as required by law or as permitted under the following provisions of this paragraph, a telecommunications carrier that receives or obtains individually identifiable customer proprietary network information (including detailed customer telephone records) by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to such information or records in the provision by such carrier of—
							(i) the telecommunications service from which such information is derived; or
							(ii) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.
						(B) Requirements for disclosure of detailed information. A telecommunications carrier may only use detailed customer telephone records through, or disclose such records to, or permit access to such records by, a joint venture partner, independent contractor, or any other third party (other than an affiliate) if the customer has given express prior authorization for that use, disclosure, or access, and that authorization has not been withdrawn.
						(C) Requirements for affiliate use of both general and detailed information. A telecommunications carrier may not, except with the approval of a customer, use individually identifiable customer proprietary network information (including detailed customer telephone records) through, or disclose such information or records to, or permit access to such information or records by, an affiliate of such carrier in the provision by such affiliate of the services described in clause (i) or (ii) of subparagraph (A).
						(D) Requirements for partner and contractor use of general information. A telecommunications carrier may not, except with the approval of the customer, use individually identifiable customer proprietary network information (other than detailed customer telephone records) through, or disclose such information to, or permit access to such information by, a joint venture partner or independent contractor in the provision by such partner or contractor of the services described in clause (i) or (ii) of subparagraph (A).
						(E) Access to wireless telephone numbers. A telecommunications carrier may not, except with prior express authorization from the customer, disclose the wireless telephone number of any customer or permit access to the wireless telephone number of any customer.”.
				(b) Disclosure of detailed information on request by customer. Section 222(c)(2) of such Act is amended by inserting “(including a detailed customer telephone record)” after “customer proprietary network information”.
				(c) Aggregate data. Section 222(c)(3) of such Act is amended by adding at the end the following new sentence: “Aggregation of data that is conducted by a third party may be treated for purposes of this subsection as aggregation by the carrier if such aggregation is conducted in a secure manner under the control or supervision of the carrier.”.
				(d) Prohibition of sale of general or detailed information. Section 222(c) of such Act is further amended by adding at the end the following new paragraph:
					“(4) Prohibition of sale of general or detailed information. Except for the purposes for which use, disclosure, or access is permitted under subsection (d), it shall be unlawful for any person to sell, rent, lease, or otherwise make available for remuneration or other consideration the customer proprietary network information (including the detailed customer telephone records) of any customer.”.
				(e) Exceptions to limitations on disclosures of detailed information. Section 222(d) of such Act is amended—
					(1) by striking “its agents” and inserting “its joint venture partners, contractors, or agents”; and
					(2) in paragraph (1), by inserting after “telecommunications services” the following: “, or provide customer service with respect to telecommunications services to which the customer subscribes”.
			203. Prevention by telecommunications carriers of fraudulent access to phone records. Section 222 of the Communications Act of 1934 (47 U.S.C. 222) is further amended—
				(1) by redesignating subsection (h) as subsection (j);
				(2) by inserting after subsection (g) the following new subsections:
					“(h) Prevention of fraudulent access to phone records
						(1) Regulations. Within 180 days after the date of enactment of the Prevention of Fraudulent Access to Phone Records Act, the Commission shall prescribe regulations adopting more stringent security standards for customer proprietary network information (including detailed customer telephone records) to detect and prevent violations of this section. The Commission—
							(A) shall prescribe regulations—
								(i) to require timely notice (written or electronic) to each customer upon breach of the regulations under this section with respect to customer proprietary network information relating to that customer;
								(ii) to require timely notice to the Commission upon breach of the regulations under this section with respect to customer proprietary network information relating to any customer;
								(iii) to require periodic audits by the Commission of telecommunication carriers and their agents to determine compliance with this section;
								(iv) to require telecommunications carriers and their agents to maintain records—
									(I) of each time customer proprietary network information is requested or accessed by, or disclosed to, a person purporting to be the customer or to be acting at the request or direction of the customer; and
									(II) if such access or disclosure was granted to such a person, of how the person’s identity or authority was verified;
								(v) to require telecommunications carriers to establish a security policy that includes appropriate standards relating to administrative, technical, and physical safeguards to ensure the security and confidentiality of customer proprietary network information;
								(vi) to prohibit any telecommunications carrier from obtaining or attempting to obtain, or causing to be disclosed or attempting to cause to be disclosed to that carrier or its agent or employee, customer proprietary network information relating to any customer of another carrier—
									(I) by using a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of another telecommunications carrier; or
									(II) by making a false, fictitious, or fraudulent statement or representation to a customer of another telecommunications carrier; and
								(vii) only for the purposes of this section, to treat as a telecommunications service provided by a telecommunications carrier any real-time Internet protocol-enabled voice communications offered by any person to the public, or such classes of users as to be effectively available to the public, that allows a user to originate traffic to, or terminate traffic from, the public switched telephone network; and
							(B) shall consider prescribing regulations—
								(i) to require telecommunications carriers to institute customer-specific identifiers in order to access customer proprietary network information;
								(ii) to require encryption of customer proprietary network information data or other safeguards to better secure such data; and
								(iii) to require deletion of customer proprietary network information data after a reasonable period of time if such data is no longer necessary for the purpose for which it was collected or for the purpose of an exception contained in section (d), and there are no pending requests for access to such information.
						(2) Reports
							(A) Assessment and recommendations. Within 12 months after the date on which the Commission’s regulations under paragraph (1) are prescribed, and again not later than 3 years later, the Commission shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report containing—
								(i) an assessment of the efficacy and adequacy of the regulations and remedies provided in accordance with this subsection in protecting customer proprietary network information;
								(ii) an assessment of the efficacy and adequacy of telecommunications carriers' safeguards to secure such data, security plans, and notification procedures; and
								(iii) any recommendations for additional legislative or regulatory action to address threats to the privacy of customer information.
							(B) Annual Report. The Federal Communications Commission shall submit to Congress an annual report containing—
								(i) the number and disposition of all enforcement actions taken pursuant to this subsection; and
								(ii) the number and type of notifications received under paragraph (1)(A)(ii) and the methodology, including the basis for the selection of carriers to be audited, and the results of each audit conducted under paragraph (1)(A)(iii).
						(3) Dual regulation prohibited. Any person that is treated as a telecommunications carrier providing a telecommunications service with respect to the offering of real-time Internet protocol-enabled voice communications by the regulations prescribed under paragraph (1)(A)(vii) shall not be subject to the provisions of section 631 with respect to the offering of such communications.
					(i) Forfeiture penalties
						(1) Increased penalties. In any case in which the violator is determined by the Commission under section 503(b)(1) to have violated this section or the regulations thereunder, section 503(b)(2)(B) shall be applied—
							(A) by substituting ‘$300,000’ for ‘$100,000’; and
							(B) by substituting ‘$3,000,000’ for ‘$1,000,000’.
						(2) No first warnings. Paragraph (5) of section 503(b) shall not apply to the determination of forfeiture liability under such section with respect to a violation of this section or the regulations thereunder by any telecommunications carrier or any agent of such a carrier.”; and
				(3) in subsection (g), by striking “subsection (i)(3)(A)” and inserting “subsection (j)(3)(A)”.
			204. Definitions. Subsection (j) of section 222 of the Communications Act of 1934 (47 U.S.C. 222(j)), as redesignated by section 203(1) of this Act, is amended by adding at the end the following new paragraphs:
				“(8) Detailed customer telephone record. The term ‘detailed customer telephone record’ means customer proprietary network information that contains the specific and detailed destinations, locations, duration, time, and date of telecommunications to or from a customer, as typically contained in the bills for such service. Such term does not mean aggregate data or subscriber list information.
				(9) Wireless telephone number. The term ‘wireless telephone number’ means the telephone number of a subscriber to a commercial mobile service.”.
			
