[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[S. 92 Introduced in Senate (IS)]

  1st Session
                                 S. 92

   To amend the Communications Act of 1934 to prohibit the unlawful 
   acquisition and use of confidential customer proprietary network 
                  information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            January 4, 2007

 Mr. Stevens (for himself, Mr. Coleman, and Mr. Vitter) introduced the 
 following bill; which was read twice and referred to the Committee on 
                 Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
   To amend the Communications Act of 1934 to prohibit the unlawful 
   acquisition and use of confidential customer proprietary network 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Protecting 
Consumer Phone Records Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Unauthorized acquisition, use, or sale of confidential customer 
                            proprietary network telephone information.
Sec. 3. Enhanced confidentiality procedures.
Sec. 4. Penalties; extension of confidentiality requirements to other 
                            entities.
Sec. 5. Enforcement by Federal Trade Commission.
Sec. 6. Concurrent enforcement by Federal Communications Commission.
Sec. 7. Enforcement by States.
Sec. 8. Preemption of State law.
Sec. 9. Consumer outreach and education.

SEC. 2. UNAUTHORIZED ACQUISITION, USE, OR SALE OF CONFIDENTIAL CUSTOMER 
              PROPRIETARY NETWORK TELEPHONE INFORMATION.

    (a) In General.--It is unlawful for any person--
            (1) to acquire or use the customer proprietary network 
        information of another person without that person's affirmative 
        written consent, which shall include electronic consent that 
        meets the requirements of the Electronic Signatures in Global 
        and National Commerce Act (15 U.S.C. 7001 et seq.);
            (2) to misrepresent that another person has consented to 
        the acquisition or use of such other person's customer 
        proprietary network information in order to acquire such 
        information;
            (3) to obtain unauthorized access to the data processing 
        system or records of a telecommunications carrier or an IP-
        enabled voice service provider in order to acquire the customer 
        proprietary network information of 1 or more other persons;
            (4) to sell, or offer for sale, customer proprietary 
        network information; or
            (5) to request that another person obtain customer 
        proprietary network information from a telecommunications 
        carrier or IP-enabled voice service provider, knowing that the 
        other person will obtain the information from such carrier or 
        provider in any manner that is unlawful under this subsection.
    (b) Exceptions.--
            (1) Application with section 222 of communications act of 
        1934.--Subsection (a) does not prohibit a telecommunications 
        carrier or an IP-enabled voice service provider or any third 
        party that lawfully obtains customer proprietary network 
        information from a carrier or provider from engaging in any act 
        or practice that was not prohibited by section 222 of the 
        Communications Act of 1934 (47 U.S.C. 222) or regulations that 
        are consistent with the provisions of section 222, as that 
        section and those regulations were in effect on the day before 
        the date of enactment of this Act.
            (2) Application of other laws.--This Act does not prohibit 
        any act or practice otherwise authorized by law, including any 
        lawfully authorized investigative, protective, or intelligence 
        activity of a law enforcement agency or the United States, a 
        State, or a political subdivision of a State, or an 
        intelligence agency of the United States.
            (3) Treatment of ip-enabled voice service providers.--
        Notwithstanding any other provision of this section, an IP-
        enabled voice service provider may engage in any act or 
        practice with respect to customer proprietary network 
        information in which a telecommunications carrier may engage 
        under paragraph (1) of this subsection.
            (4) Caller id.--Nothing in this Act prohibits the use of 
        caller identification services by any person to identify the 
        originator of telephone calls received by that person.
    (c) Private Right of Action for Providers.--
            (1) In general.--A telecommunications carrier or IP-enabled 
        voice service provider may bring a civil action in an 
        appropriate State court, or in any United States district court 
        that meets applicable requirements relating to venue under 
        section 1391 of title 28, United States Code, or for any 
        judicial district in which the carrier or service provider 
        resides or conducts business--
                    (A) based on a violation of this section or the 
                regulations prescribed under this section to enjoin 
                such violation;
                    (B) to recover for actual monetary loss from such a 
                violation, or to receive $11,000 in damages for each 
                such violation, whichever is greater; or
                    (C) both.
            (2) Treble damages.--If the court finds that the defendant 
        willfully or knowingly violated this section or the regulations 
        prescribed under this section, the court may, in its 
        discretion, increase the amount of the award to an amount equal 
        to not more than 3 times the amount available under paragraph 
        (1) of this subsection.
            (3) Inflation adjustment.--The $11,000 amount in paragraph 
        (1)(B) shall be adjusted for inflation as if it were a civil 
        monetary penalty, as defined in section 3(2) of the Federal 
        Civil Penalties Inflation Adjustment Act of 1996 (28 U.S.C. 
        2461 note).
    (d) Private Right of Action for Consumers.--
            (1) In general.--An individual who has been injured as a 
        direct result of his or her confidential proprietary network 
        information being obtained, used, or sold in violation of this 
        section may file a civil action in any court of competent 
        jurisdiction against the person who caused the injury by 
        violating this section.
            (2) Remedies.--A court in which such civil action has been 
        brought may award damages of not more than $11,000 for each 
        violation of this section with respect to the plaintiff's 
        customer proprietary network information.
            (3) Treble damages.--If the court finds that the defendant 
        willfully or knowingly violated this section or the regulations 
        prescribed under this section, the court may, in its 
        discretion, increase the amount of the award to not more than 3 
        times the damages determined by the court under paragraph (2).
            (4) Inflation adjustment.--The $11,000 amount in paragraph 
        (2) shall be adjusted for inflation as if it were a civil 
        monetary penalty, as defined in section 3(2) of the Federal 
        Civil Penalties Inflation Adjustment Act of 1996 (28 U.S.C. 
        2461 note).
    (e) Civil Penalty.--
            (1) In general.--Any person who violates this section shall 
        be subject to a civil penalty of not more than $11,000 for each 
        violation or each day of a continuing violation, except that 
        the amount assessed for any continuing violation shall not 
        exceed a total of $11,000,000 for any single act or failure to 
        act.
            (2) Separate violations.--A violation of this section with 
        respect to the customer proprietary network information of 1 
        person shall be treated as a separate violation from a 
        violation with respect to the customer proprietary network 
        information of any other person.
    (f) Limitation.--Nothing in this Act or section 222 of the 
Communications Act of 1934 (47 U.S.C. 222) authorizes a customer to 
bring a civil action against a telecommunications carrier or an IP-
enabled voice service provider.
    (g) Definitions.--In this section:
            (1) Customer proprietary network information.--The term 
        ``customer proprietary network information'' has the meaning 
        given that term by--
                    (A) section 222(i)(1) of the Communications Act of 
                1934 (47 U.S.C. 222(i)(1)) with respect to 
                telecommunications carriers; and
                    (B) section 715(b)(1) of such Act with respect to 
                IP-enabled voice service providers.
            (2) IP-enabled voice service.--The term ``IP-enabled voice 
        service'' means the provision of real-time 2-way voice 
        communications offered to the public, or such classes of users 
        as to be effectively available to the public, transmitted 
        through customer premises equipment using TCP/IP protocol, or a 
        successor protocol, for a fee (whether part of a bundle of 
        services or separately) with interconnection capability such 
        that the service can originate traffic to, or terminate traffic 
        from, the public switched telephone network.
            (3) Telecommunications carrier.--The term 
        ``telecommunications carrier'' has the meaning given it by 
        section 3(44) of the Communications Act of 1934 (47 U.S.C. 
        3(44)).

SEC. 3. ENHANCED CONFIDENTIALITY PROCEDURES.

    (a) In General.--Within 180 days after the date of enactment of 
this Act, the Federal Communications Commission shall--
            (1) revise or supplement its regulations, to the extent the 
        Commission determines it is necessary, to require a 
        telecommunications carrier or IP-enabled voice service provider 
        to protect--
                    (A) the security and confidentiality of customer 
                proprietary network information (as defined in section 
                222(i)(1) of the Communications Act of 1934 (47 U.S.C. 
                222(i)(1)) or as defined in section 715(b)(1) of such 
                Act with respect to IP-enabled voice service 
                providers);
                    (B) customer proprietary network information 
                against any anticipated threats or hazards to its 
                security or confidentiality; and
                    (C) customer proprietary network information from 
                unauthorized access or use that could result in 
                substantial harm or inconvenience to its customers; and
            (2) ensure that any revised or supplemental regulations are 
        similar in scope and structure to the Federal Trade 
        Commission's regulations in part 314 of title 16, Code of 
        Federal Regulations, as such regulations are in effect on the 
        date of enactment of this Act, taking into consideration the 
        differences between financial information and customer 
        proprietary network information.
    (b) Compliance Certification.--Each telecommunications carrier and 
IP-enabled voice service provider to which the regulations under 
subsection (a) and section 222 or 715 of the Communications Act of 1934 
apply shall file with the Commission annually a certification that, for 
the period covered by the filing, it has been in compliance with those 
requirements.

SEC. 4. PENALTIES; EXTENSION OF CONFIDENTIALITY REQUIREMENTS TO OTHER 
              ENTITIES.

    (a) Penalties.--Title V of the Communications Act of 1934 (47 
U.S.C. 501 et seq.) is amended by inserting after section 508 the 
following:

``SEC. 509. PENALTIES FOR CONFIDENTIAL CUSTOMER PROPRIETARY NETWORK 
              INFORMATION VIOLATIONS.

    ``(a) Civil Forfeiture.--
            ``(1) In general.--Any person determined by the Commission, 
        in accordance with paragraphs (3) and (4) of section 503(b), to 
        have violated section 2 of the Protecting Consumer Phone 
        Records Act shall be liable to the United States for a 
        forfeiture penalty. A forfeiture penalty under this subsection 
        shall be in addition to any other penalty provided for by this 
        Act. The amount of the forfeiture penalty determined under this 
        subsection shall not exceed $30,000 for each violation, or 3 
        times that amount for each day of a continuing violation, 
        except that the amount assessed for any continuing violation 
        shall not exceed a total of $3,000,000 for any single act or 
        failure to act.
            ``(2) Recovery.--Any forfeiture penalty determined under 
        paragraph (1) shall be recoverable pursuant to section 504(a) 
        of this Act.
            ``(3) Procedure.--No forfeiture liability shall be 
        determined under paragraph (1) against any person unless such 
        person receives the notice required by section 503(b)(3) or 
        section 503(b)(4) of this Act.
            ``(4) 2-year statute of limitations.--No forfeiture penalty 
        shall be determined or imposed against any person under 
        paragraph (1) if the violation charged occurred more than 2 
        years prior to the date of issuance of the required notice or 
        notice or apparent liability.''.
    (b) Extension of Confidentiality Requirements to IP-Enabled Voice 
Service Providers.--
            (1) In general.--Title VII of the Communications Act of 
        1934 (47 U.S.C. 601 et seq.) is amended by adding at the end 
        thereof the following:

``SEC. 715. PROTECTION OF CUSTOMER PROPRIETARY NETWORK INFORMATION BY 
              IP-ENABLED VOICE SERVICE PROVIDERS.

    ``(a) In General.--
            ``(1) General duty of confidentiality.--An IP-enabled voice 
        service provider has a duty to protect the confidentiality of 
        proprietary information of, and relating to, other IP-enabled 
        voice service providers, telecommunications carriers, equipment 
        manufacturers, and customers, including telecommunications 
        carriers reselling telecommunications services provided by 
        another telecommunications carrier or an IP-enabled voice 
        service provider.
            ``(2) Carrier information.--An IP-enabled voice service 
        provider that receives or obtains proprietary information from 
        a telecommunications carrier or another IP-enabled voice 
        service provider for purposes of providing any 
        telecommunications service shall use such information only for 
        such purpose, and shall not use such information for its own 
        marketing efforts.
            ``(3) Customer proprietary network information.--Within 90 
        days after the date of enactment of the Protecting Consumer 
        Phone Records Act, the Commission shall initiate a rulemaking 
        proceeding to apply the requirements of section 222, and 
        regulations thereunder, to IP-enabled voice service providers 
        to the same extent, in the same manner, and subject to the same 
        penalties for failure to comply with those requirements as are 
        applicable to telecommunications carriers.
    ``(b) Definitions.--In this section:
            ``(1) Customer proprietary network information.--The term 
        `customer proprietary network information' has the meaning 
        given that term by section 222(i) of this Act, except that--
                    ``(A) the reference in section 222(i)(1)(B) of this 
                Act to telephone exchange service or telephone toll 
                service shall be considered to refer also to IP-enabled 
                voice service; and
                    ``(B) it does not include information that is 
                related to non-voice service features bundled with IP-
                enabled voice service.
            ``(2) IP-enabled voice service.--The term ``IP-enabled 
        voice service'' means the provision of real-time 2-way voice 
        communications offered to the public, or such classes of users 
        as to be effectively available to the public, transmitted 
        through customer premises equipment using IP protocol, or a 
        successor protocol, for a fee (whether part of a bundle of 
        services or separately) with interconnection capability such 
        that the service can originate traffic to, or terminate traffic 
        from, the public switched telephone network.
            ``(3) Other terms.--Except as provided in paragraph (1), 
        any term used in subsection (a) that is defined or used in 
        section 222 of this Act has the same meaning as when used in 
        that section.''.
            (2) Duty of telecommunications carriers with respect to 
        cpni from ip-enabled voice service providers.--Section 222(a) 
        of the Communications Act of 1934 (47 U.S.C. 222(a)) is amended 
        by inserting after ``carrier.'' the following: ``A 
        telecommunications carrier has the same duties under this 
        section with respect to the confidentiality of proprietary 
        information of, or relating to, an IP-enabled voice service 
        provider, and with respect to customer proprietary network 
        information received or obtained from an IP-enabled voice 
        service provider, as it has under this section with respect to 
        another telecommunications carrier.''.
    (c) Telecommunications Carrier Notification Requirement.--Section 
222 of the Communications Act of 1934 (47 U.S.C. 222), is amended--
            (1) by redesignating subsection (h) as subsection (i);
            (2) by inserting after subsection (g) the following new 
        subsection:
    ``(h) Notice of Violations.--
            ``(1) In general.--The Commission shall by regulation 
        require each telecommunications carrier to notify a customer 
        within 14 calendar days after the carrier or provider is 
        notified of, or becomes aware of, an incident in which customer 
        proprietary network information relating to such customer was 
        disclosed to someone other than the customer in violation of 
        this section or section 2 of the Protecting Consumer Phone 
        Records Act.
            ``(2) Law enforcement and homeland security related 
        delays.--Notwithstanding paragraph (1), a telecommunications 
        carrier may delay the required notification for a reasonable 
        period of time if--
                    ``(A) a Federal or State law enforcement agency 
                determines that giving notice within the 14-day period 
                would materially impede a civil or criminal 
                investigation; or
                    ``(B) a Federal national security agency or the 
                Department of Homeland Security determines that giv