[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[S. 780 Introduced in Senate (IS)]

  1st Session
                                 S. 780

   To amend the Communications Act of 1934 to prohibit the unlawful 
   acquisition and use of confidential customer proprietary network 
                  information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 6, 2007

   Mr. Pryor introduced the following bill; which was read twice and 
   referred to the Committee on Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To amend the Communications Act of 1934 to prohibit the unlawful 
   acquisition and use of confidential customer proprietary network 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Protecting 
Consumer Phone Records Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Unauthorized acquisition, use, or sale of confidential customer 
                            proprietary network telephone information.
Sec. 3. Enhanced confidentiality procedures.
Sec. 4. Penalties; extension of confidentiality requirements to other 
                            entities.
Sec. 5. Enforcement by Federal Trade Commission.
Sec. 6. Concurrent enforcement by Federal Communications Commission.
Sec. 7. Enforcement by States.
Sec. 8. Consumer outreach and education.D23/

SEC. 2. UNAUTHORIZED ACQUISITION, USE, OR SALE OF CONFIDENTIAL CUSTOMER 
              PROPRIETARY NETWORK TELEPHONE INFORMATION.

    (a) In General.--It is unlawful for any person--
            (1) to acquire or use the customer proprietary network 
        information of another person without that person's affirmative 
        written consent, which shall include electronic consent that 
        meets the requirements of the Electronic Signatures in Global 
        and National Commerce Act (15 U.S.C. 7001 et seq.);
            (2) to misrepresent that another person has consented to 
        the acquisition or use of such other person's customer 
        proprietary network information in order to acquire such 
        information;
            (3) to obtain unauthorized access to the data processing 
        system or records of a telecommunications carrier or an IP-
        enabled voice service provider in order to acquire the customer 
        proprietary network information of 1 or more other persons;
            (4) to sell, or offer for sale, customer proprietary 
        network information; or
            (5) to request that another person obtain customer 
        proprietary network information from a telecommunications 
        carrier or IP-enabled voice service provider, knowing that the 
        other person will obtain the information from such carrier or 
        provider in any manner that is unlawful under subsection (a).
    (b) Exceptions.--
            (1) Application with section 222 of communications act of 
        1934.--This Act does not prohibit a telecommunications carrier 
        or an IP-enabled voice service provider or any third party that 
        lawfully obtains such information from a carrier or provider 
        from engaging in any act or practice that was not prohibited by 
        section 222 of the Communications Act of 1934 (47 U.S.C. 222) 
        or regulations that are consistent with the provisions of 
        section 222, as that section and those regulations were in 
        effect on the day before the date of enactment of this Act.
            (2) Application of other laws.--This Act does not prohibit 
        any act or practice otherwise authorized by law, including any 
        lawfully authorized investigative, protective, or intelligence 
        activity of a law enforcement agency or the United States, a 
        State, or a political subdivision of a State, or an 
        intelligence agency of the United States.
            (3) Treatment of ip-enabled voice service providers.--For 
        purposes of this section, an IP-enabled voice service provider 
        shall be treated as if it were a telecommunications carrier 
        covered by section 222 of the Communications Act of 1934 (47 
        U.S.C. 222) before the date of enactment of this Act.
            (4) Caller id.--Nothing in this Act prohibits the use of 
        caller identification services by any person to identify the 
        originator of telephone calls received by that person.
    (c) Private Right of Action for Providers.--
            (1) In general.--A telecommunications carrier or IP-enabled 
        voice service provider may bring a civil action in an 
        appropriate State court, or in any United States district court 
        that meets applicable requirements relating to venue under 
        section 1391 of title 28, United States Code, or for any 
        judicial district in which the carrier or service provider 
        resides or conducts business--
                    (A) based on a violation of this section or the 
                regulations prescribed under this section to enjoin 
                such violation;
                    (B) to recover for actual monetary loss from such a 
                violation, or to receive $11,000 in damages for each 
                such violation, whichever is greater; or
                    (C) both.
            (2) Treble damages.--If the court finds that the defendant 
        willfully or knowingly violated this section or the regulations 
        prescribed under this section, the court may, in its 
        discretion, increase the amount of the award to an amount equal 
        to not more than 3 times the amount available under paragraph 
        (1) of this subsection.
            (3) Inflation adjustment.--The $11,000 amount in paragraph 
        (1)(B) shall be adjusted for inflation as if it were a civil 
        monetary penalty, as defined in section 3(2) of the Federal 
        Civil Penalties Inflation Adjustment Act of 1996 (28 U.S.C. 
        2461 note).
    (d) Private Right of Action for Consumers.--
            (1) In general.--An individual who has been caused harm as 
        a result of their confidential proprietary network information 
        being obtained, used, or sold in violation of this section may 
        file a civil action in any court of competent jurisdiction 
        against the person who caused the harm as a result of a 
        violation of this section.
            (2) Remedies.--A court in which such civil action has been 
        brought may award damages of not more than $11,000 for each 
        violation of this section with respect to the plaintiff's 
        customer proprietary network information and provide such 
        additional relief as the court deems appropriate, including the 
        award of court costs, investigative costs, and reasonable 
        attorney's fees.
            (3) Treble damages.--If the court finds that the defendant 
        willfully or knowingly violated this section or the regulations 
        prescribed under this section, the court may, in its 
        discretion, increase the amount of the award to not more than 3 
        times the damages determined by the court under paragraph (2).
            (4) Inflation adjustment.--The $11,000 amount in paragraph 
        (2) shall be adjusted for inflation as if it were a civil 
        monetary penalty, as defined in section 3 (2) of the Federal 
        Civil Penalties Inflation Adjustment Act of 1996 (28 U.S.C. 
        2461 note).
    (e) Civil Penalty.--
            (1) In general.--Any person who violates this section shall 
        be subject to a civil penalty of not more than $11,000 for each 
        violation or each day of a continuing violation, except that 
        the amount assessed for any continuing violation shall not 
        exceed a total of $11,000,000 for any single act or failure to 
        act.
            (2) Separate violations.--A violation of this section with 
        respect to the customer proprietary network information of 1 
        person shall be treated as a separate violation from a 
        violation with respect to the customer proprietary network 
        information of any other person.
    (f) Limitation.--Nothing in this Act or section 222 of the 
Communications Act of 1934 (47 U.S.C. 222) authorizes a subscriber to 
bring a civil action against a telecommunications carrier or an IP-
enabled voice service provider.
    (g) Definitions.--In this section:
            (1) Customer proprietary network information.--The term 
        ``customer proprietary network information'' has the meaning 
        given that term by section 222(i)(1) of the Communications Act 
        of 1934 (47 U.S.C. 222(i)(1)).
            (2) IP-enabled voice service.--The term ``IP-enabled voice 
        service'' has the meaning given that term by section 222(i)(8) 
        of the Communications Act of 1934 (47 U.S.C. 222(i)(8)).
            (3) Telecommunications carrier.--The term 
        ``telecommunications carrier'' has the meaning given it by 
        section 3(44) of the Communications Act of 1934 (47 U.S.C. 
        3(44)).

SEC. 3. ENHANCED CONFIDENTIALITY PROCEDURES.

    (a) In General.--Within 180 days after the date of enactment of 
this Act, the Federal Communications Commission shall--
            (1) revise or supplement its regulations, to the extent the 
        Commission determines it is necessary, to require a 
        telecommunications carrier or IP-enabled voice service provider 
        to protect--
                    (A) the security and confidentiality of customer 
                proprietary network information (as defined in section 
                222(i)(1) of the Communications Act of 1934 (47 U.S.C. 
                222(i)(1))),
                    (B) customer proprietary network information 
                against any anticipated threats or hazards to its 
                security or confidentiality, and
                    (C) customer proprietary network information from 
                unauthorized access or use that could result in 
                substantial harm or inconvenience to its customers, and
            (2) ensure that any revised or supplemental regulations are 
        similar in scope and structure to the Federal Trade 
        Commission's regulations in part 314 of title 16, Code of 
        Federal Regulations, as such regulations are in effect on the 
        date of enactment of this Act, taking into consideration the 
        differences between financial information and customer 
        proprietary network information.
    (b) Compliance Certification.--Each telecommunications carrier and 
IP-enabled voice service provider to which the regulations under 
subsection (a) and section 222 of the Communications Act of 1934 (47 
U.S.C. 222) apply shall file with the Commission annually a 
certification that, for the period covered by the filing, it has been 
in compliance with those requirements.

SEC. 4. PENALTIES; EXTENSION OF CONFIDENTIALITY REQUIREMENTS TO OTHER 
              ENTITIES.

    (a) Penalties.--Title V of the Communications Act of 1934 (47 
U.S.C. 501 et seq.) is amended by inserting after section 508 the 
following:

``SEC. 509. PENALTIES FOR CONFIDENTIAL CUSTOMER PROPRIETARY NETWORK 
              INFORMATION VIOLATIONS.

    ``(a) Civil Forfeiture.--
            ``(1) In general.--Any person determined by the Commission, 
        in accordance with paragraphs (3) and (4) of section 503(b), to 
        have violated section 2 of the Protecting Consumer Phone 
        Records Act shall be liable to the United States for a 
        forfeiture penalty. A forfeiture penalty under this subsection 
        shall be in addition to any other penalty provided for by this 
        Act. The amount of the forfeiture penalty determined under this 
        subsection shall not exceed $30,000 for each violation, or 3 
        times that amount for each day of a continuing violation, 
        except that the amount assessed for any continuing violation 
        shall not exceed a total of $3,000,000 for any single act or 
        failure to act.
            ``(2) Recovery.--Any forfeiture penalty determined under 
        paragraph (1) shall be recoverable pursuant to section 504(a) 
        of this Act.
            ``(3) Procedure.--No forfeiture liability shall be 
        determined under paragraph (1) against any person unless such 
        person receives the notice required by section 503(b)(3) or 
        section 503(b)(4) of this Act.
            ``(4) 2-year statute of limitations.--No forfeiture penalty 
        shall be determined or imposed against any person under 
        paragraph (1) if the violation charged occurred more than 2 
        years prior to the date of issuance of the required notice or 
        notice or apparent liability.
    ``(b) Criminal Fine.--Any person who willfully and knowingly 
violates section 2 of the Protecting Consumer Phone Records Act shall 
upon conviction thereof be fined not more than $30,000 for each 
violation, or 3 times that amount for each day of a continuing 
violation, in lieu of the fine provided by section 501 for such a 
violation. This subsection does not supersede the provisions of section 
501 relating to imprisonment or the imposition of a penalty of both 
fine and imprisonment.''.
    (b) Extension of Confidentiality Requirements to IP-Enabled Voice 
Service Providers.--Section 222 of the Communications Act of 1934 (47 
U.S.C. 222) is amended--
            (1) by inserting ``or IP-enabled voice service provider'' 
        after ``telecommunications carrier'' each place it appears 
        except in subsections (e) and (g);
            (2) by inserting ``or IP-enabled voice service provider'' 
        after ``exchange service'' in subsection (g);
            (3) by striking ``telecommunication carriers'' each place 
        it appears in subsection (a) and inserting ``telecommunications 
        carriers or IP-enabled voice service providers'';
            (4) by inserting ``or provider'' after ``carrier'' in 
        subsection (d)(2) and in paragraphs (1)(A) and (B) and (3)(A) 
        and (B) of subsection (h);
            (5) by inserting ``or provider-customer'' after ``carrier-
        customer'' in subsection (h)(1)(A);
            (6) by inserting ``or providers'' after ``carriers'' in 
        subsection (d)(2);
            (7) by inserting ``and IP-enabled Voice Service Provider'' 
        after ``Carrier'' in the caption of subsection (b);
            (8) by inserting ``and ip-enabled voice service providers'' 
        after ``carriers'' in the caption of subsection (c)(1);
            (9) by inserting ``or IP-enabled voice service'' after 
        ``service'' in subsection (h)(1)(A); and
            (10) by striking ``telephone exchange service or telephone 
        toll service'' in subsection (h)(1)(B) and inserting 
        ``telephone exchange service, telephone toll service, or IP-
        enabled voice service''.
    (c) Definition.--Section 222(h) of the Communications Act of 1934 
(47 U.S.C. 222(h)) is amended by adding at the end the following:
            ``(8) IP-enabled voice service.--The term `IP-enabled voice 
        service' means the provision of real-time 2-way voice 
        communications offered to the public, or such classes of users 
        as to be effectively available to the public, transmitted 
        through customer premises equipment using TCP/IP protocol, or a 
        successor protocol, for a fee (whether part of a bundle of 
        services or separately) with 2-way interconnection capability 
        such that the service can originate traffic to, or terminate 
        traffic from, the public switched telephone network.''.
    (d) Telecommunications Carrier and IP-Enabled Voice Service 
Provider Notification Requirement.--Section 222 of the Communications 
Act of 1934 (47 U.S.C. 222), is further amended--
            (1) by redesignating subsection (h) as subsection (i);
            (2) by inserting after subsection (g) the following new 
        subsection:
    ``(h) Notice of Violations.--
            ``(1) In general.--The Commission shall by regulation 
        require each telecommunications carrier or IP-enabled voice 
        service provider to notify a customer within 14 calendar days 
        after the carrier or provider is notified of, or becomes aware 
        of, an incident in which customer proprietary network 
        information relating to such customer was disclosed to someone 
        other than the customer in violation of this section or section 
        2 of the Protecting Consumer Phone Records Act.
            ``(2) Law enforcement and homeland security related 
        delays.--Notwithstanding paragraph (1), a telecommunications 
        carrier or IP-enabled voice service provider may delay the 
        required notification for a reasonable period of time if--
                    ``(A) a Federal or State law enforcement agency 
                determines that giving notice within the 14-day period 
                would materially impede a civil or criminal 
                investigation; or
                    ``(B) a Federal national security agency or the 
                Department of Homeland Security determines that giving 
                notice within the 14-day period would threaten national 
                or homeland security.''; and
            (3) by striking ``information.'' in paragraph (1) of 
        subsection (i), as redesignated, and inserting ``information 
        nor does it include information that is related to non-voice 
        service features bundled with IP-enabled voice service.''.
    (e) Statute of Limitations.--Section 503(b)(6)(B) of the 
Communications Act of 1934 (47 U.S.C. 503(b)(6)(B)) is amended to read 
as follows:
                    ``(B) such person does not hold a broadcast station 
                license issued under title III of this Act and--
                            ``(i) the person is charged with violating 
                        section 222 and the violation occurred more 
                        than 2 years prior to the date of issuance of 
                        the required notice or notice of apparent 
                        liability; or
                            ``(ii) the person is charged with violating 
                        any other provision of this Act and the 
                        violation occurred more than 1 year prior to 
                        the date of issuance of the required notice or 
                        notice of apparent liability.''.
    (f) Application of Cable Subscriber Privacy Rules to IP-Enabled 
Voice Service Providers.--Section 631 of the Communications Act of 1934 
(47 U.S.C. 551) is amended by adding at the end the following:
    ``(i) Customer Proprietary Network Information.--This section does 
not apply to customer proprietary network information (as defined in 
section 222(i)(1) of this Act) as it relates to the provision of IP-
enabled voice service (as defined in section 222(i)(8) of this Act) by 
a cable operator to the extent that section 222 of this Act and section 
2 of the Protecting Consumer Phone Records Act applies to such 
information.''.

SEC. 5. ENFORCEMENT BY FEDERAL TRADE COMMISSION.

    (a) In General.--Except as provided in sections 6 and 7 of this 
Act, section 2 of this Act shall be enforced by the Federal Trade 
Commission with respect to any entity subject to the jurisdiction of 
the Commission under section 5(a)(2) of the Federal Trade Commission 
Act (15 U.S.C. 45(a)(2)).
    (b) Violation Treated as an Unfair or Deceptive Act or Practice.--
Violation of section 2 shall be treated as an unfair or deceptive act 
or practice proscribed under a rule issued under section 18(a)(1)(B) of 
the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
    (c) Actions by the Commission.--The Commission shall prevent any 
person from violating this Act in the same manner, by the same means, 
and with the same jurisdiction, powers, and duties as though all 
applicable terms and provisions of the Federal Trade Commission Act (15 
U.S.C. 41 et seq.) were incorporated into and made a part of this Act. 
Any person that violates section 2 is subject to the penalties and 
entitled to the privileges and immunities provided in the Federal Trade 
Commission Act in the same manner, by the same means, and with the same 
jurisdiction, powers, and duties as though all applicable terms and 
provisions of the Federal Trade Commission Act were incorporated into 
and made a part of this Act. Nothing in section 2(d) of this Act limits 
any penalty under the Federal Trade Commission Act as that Act is made 
applicable to violations of section 2 by the preceding sentence.

SEC. 6. CONCURRENT ENFORCEMENT BY FEDERAL COMMUNICATIONS COMMISSION.

    (a) In General.--The Federal Communications Commission shall have 
concurrent jurisdiction to enforce section 2.
    (b) Penalty; Procedure.--For purposes of enforcement of that 
section by the Commission--
            (1) a violation of section 2 of this Act is deemed to be a 
        violation of a provision of the Communications Act of 1934 (47 
        U.S.C. 151 et seq.) rather than a violation of the Federal 
        Trade Commission Act; and
            (2) the provisions of section 509(a)(2), (3), and (4) of 
        the Communications Act of 1934 shall apply to the imposition 
        and collection of the civil penalty imposed by section 2 of 
        this Act as if it were the civil penalty imposed by section 
        509(a)(1) of that Act.

SEC. 7. ENFORCEMENT BY STATES.

    (a) In General.--The chief legal officer of a State, or any other 
State officer authorized by law to bring actions on behalf of the 
residents of a State, may bring a civil action, as parens patriae, on 
behalf of the residents of that State in an appropriate district court 
of the United States to enforce section 2 or to impose the civil 
penalties for violation of that section, whenever the chief legal 
officer or other State officer has reason to believe that the interests 
of the residents of the State have been or are being threatened or 
adversely affected by a violation of this Act or a regulation under 
this Act.
    (b) Notice.--The chief legal officer or other State officer shall 
serve written notice on the Federal Trade Commission and the Federal 
Communications Commission of any civil action under subsection (a) 
prior to initiating such civil action. The notice shall include a copy 
of the complaint to be filed to initiate such civil action, except that 
if it is not feasible for the State to provide such prior notice, the 
State shall provide such notice immediately upon instituting such civil 
action.
    (c) Authority To Intervene.--Upon receiving the notice required by 
subsection (b), either Commission may intervene in such civil action 
and upon intervening--
            (1) be heard on all matters arising in such civil action; 
        and
            (2) file petitions for appeal of a decision in such civil 
        action.
    (d) Construction.--For purposes of bringing any civil action under 
subsection (a), nothing in this section shall prevent the chief legal 
officer or other State officer from exercising the powers conferred on 
that officer by the laws of such State to conduct investigations or to 
administer oaths or affirmations or to compel the attendance of 
witnesses or the production of documentary and other evidence.
    (e) Venue; Service of Process.--
            (1) Venue.--An action brought under subsection (a) shall be 
        brought in a district court of the United States that meets 
        applicable requirements relating to venue under section 1391 of 
        title 28, United States Code.
            (2) Service of process.--In an action brought under 
        subsection (a)--
                    (A) process may be served without regard to the 
                territorial limits of the district or of the State in 
                which the action is instituted; and
                    (B) a person who participated in an alleged 
                violation that is being litigated in the civil action 
                may be joined in the civil action without regard to the 
                residence of the person.
    (f) Limitation on State Action While Federal Action Is Pending.--If 
either Commission has instituted an enforcement action or proceeding 
for violation of section 2 of this Act, the chief legal officer or 
other State officer of the State in which the violation occurred may 
not bring an action under this section during the pendency of the 
proceeding against any person with respect to whom the Commission has 
instituted the proceeding.

SEC. 8. CONSUMER OUTREACH AND EDUCATION.

    (a) In General.--Within 180 days after the date of enactment of 
this Act, the Federal Trade Commission and Federal Communications 
Commission shall jointly establish and implement a media and 
distribution campaign to teach the public about the protection afforded 
customer proprietary network information under this Act, the Federal 
Trade Commission Act and the Communications Act of 1934.
    (b) Campaign Requirements.--The campaign shall--
            (1) promote understanding of--
                    (A) the problem concerning the theft and misuse of 
                customer proprietary network information;
                    (B) available methods for consumers to protect 
                their customer proprietary network information; and
                    (C) efforts undertaken by the Federal Trade 
                Commission and the Federal Communications Commission to 
                prevent the problem; and
            (2) explore various distribution platforms to accomplish 
        the goal set forth in paragraph (1).
                                 <all>