[Congressional Record Volume 152, Number 29 (Wednesday, March 8, 2006)]
[Senate]
[Pages S1895-S1897]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. ALLEN (for himself, Mr. Stevens, Mr. Inouye, Mr. Burns, 
        Mr. Warner, Mr. Santorum, Mr. Dorgan, Mr. Nelson of Florida, 
        Mr. Vitter, Mr. Pryor, Mr. Coleman, Mr. Talent, Mr. Martinez, 
        and Mr. Thune):
  S. 2389. A bill to amend the Communications Act of 1934 to prohibit 
the unlawful acquisition and use of confidential customer proprietary 
network information, and for other purposes; to the Committee on 
Commerce, Science, and Transportation.
  Mr. ALLEN. Mr. President, today I rise to introduce and present to my 
colleagues the Protecting Consumers Phone Records Act. I am pleased to 
be the lead sponsor of this legislation and I want to thank my 
colleagues, including Senators Stevens and Inouye, for working with me 
on this important issue.
  In recent months, a number of Web sites have been selling consumers' 
confidential phone records to anyone willing to pay a small fee. 
According to experts, these records are usually obtained by 
unscrupulous individuals who fraudulently pose as customers requesting 
their own records. This common fraud is no less harmful, and in some 
cases even more disconcerting, than when a third-party uses false 
pretenses to obtain an innocent person's confidential financial 
records. In some cases, even physical harm can result from one's 
private phone records becoming public. We cannot allow these 
reprehensible practices to continue.
  The goal of the Protecting Consumers Phone Records Act is to prevent 
the unauthorized and intrusive third party access of American 
consumers' phone records. Specifically, our legislation makes it 
illegal to solicit, acquire or sell a person's confidential phone 
records without that person's consent. It also specifically prohibits 
the practice commonly referred to as ``pretexting,'' where individuals 
obtain records by fraudulently misrepresenting that they have the 
authorization to obtain the records.
  Fully combating this problem requires a team effort. That is why our 
legislation requires telephone companies to comply with minimum 
security requirements, similar to those required of financial 
institutions. Companies must do their part to protect their customers' 
records.
  In order to deter this bad behavior, our legislation increases the 
penalties for violators. Should someone fraudulently solicit, obtain or 
sell an individual's phone records, they will be subject to an $11,000 
penalty for each record, up to $11 million. Phone companies are subject 
to a $30,000 penalty, up to $3 million if they do not sufficiently 
protect their customers' phone records.
  Finally, the Protecting Consumers Phone Records Act recognizes the 
importance of enforcement. The legislation provides the Federal 
Communications Commission, the Federal Trade Commission and State 
Attorneys General with strengthened enforcement authority. 
Additionally, telephone companies are given the authority to take legal 
action against those entities or individuals who have illegally 
acquired confidential phone records.
  This legislation will send a clear message to the unscrupulous 
individuals profiting from the invasion of an innocent individual's 
privacy, that this fraudulent and deceptive behavior will not be 
tolerated. We are prepared to use all of the appropriate tools to 
eliminate this harmful practice.
  Mr. President, I ask unanimous consent that the text of the bill be 
placed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 2389

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Protecting 
     Consumer Phone Records Act''.
       (b) Table of Contents.--The table of contents for this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Unauthorized acquisition, use, or sale of confidential customer 
              proprietary network telephone information.
Sec. 3. Enhanced confidentiality procedures.
Sec. 4. Penalties; extension of confidentiality requirements to other 
              entities.
Sec. 5. Enforcement by Federal Trade Commission.
Sec. 6. Concurrent enforcement by Federal Communications Commission.
Sec. 7. Enforcement by States.
Sec. 8. Preemption of State law.
Sec. 9. Consumer outreach and education.

     SEC. 2. UNAUTHORIZED ACQUISITION, USE, OR SALE OF 
                   CONFIDENTIAL CUSTOMER PROPRIETARY NETWORK 
                   TELEPHONE INFORMATION.

       (a) In General.--It is unlawful for any person--
       (1) to acquire or use the customer proprietary network 
     information of another person without that person's 
     affirmative written consent;
       (2) to misrepresent that another person has consented to 
     the acquisition or use of such other person's customer 
     proprietary network information in order to acquire such 
     information;
       (3) to obtain unauthorized access to the data processing 
     system or records of a telecommunications carrier or an IP-
     enabled voice service provider in order to acquire the 
     customer proprietary network information of 1 or more other 
     persons;
       (4) to sell, or offer for sale, customer proprietary 
     network information; or
       (5) to request that another person obtain customer 
     proprietary network information from a telecommunications 
     carrier or IP-enabled voice service provider, knowing that 
     the other person will obtain the information from such 
     carrier or provider in any manner that is unlawful under 
     subsection (a).
       (b) Exceptions.--
       (1) Existing practices permitted.--Nothing in subsection 
     (a) prohibits any practice permitted by section 222 of the 
     Communications Act of 1934 (47 U.S.C. 222), or otherwise 
     authorized by law, as of the date of enactment of this Act.
       (2) Caller ID.--Nothing in subsection (a) prohibits the use 
     of caller identification services by any person to identify 
     the originator of telephone calls received by that person.

[[Page S1896]]

       (c) Private Right of Action for Providers.--
       (1) In general.--A telecommunications carrier or IP-enabled 
     voice service provider may bring a civil action in an 
     appropriate State court, or in any United States district 
     court that meets applicable requirements relating to venue 
     under section 1391 of title 28, United States Code--
       (A) based on a violation of this section or the regulations 
     prescribed under this section to enjoin such violation;
       (B) to recover for actual monetary loss from such a 
     violation, or to receive $11,000 in damages for each such 
     violation, whichever is greater; or
       (C) both.
       (2) Treble damages.--If the court finds that the defendant 
     willfully or knowingly violated this section or the 
     regulations prescribed under this section, the court may, in 
     its discretion, increase the amount of the award to an amount 
     equal to not more than 3 times the amount available under 
     paragraph (1) of this subsection.
       (3) Inflation adjustment.--The $11,000 amount in paragraph 
     (1)(B) shall be adjusted for inflation as if it were a civil 
     monetary penalty, as defined in section 3(2) of the Federal 
     Civil Penalties Inflation Adjustment Act of 1996 (28 U.S.C. 
     2461 note).
       (d) Civil Penalty.--
       (1) In general.--Any person who violates this section shall 
     be subject to a civil penalty of not more than $11,000 for 
     each violation or each day of a continuing violation, except 
     that the amount assessed for any continuing violation shall 
     not exceed a total of $11,000,000 for any single act or 
     failure to act.
       (2) Separate violations.--A violation of this section with 
     respect to the customer proprietary network information of 1 
     person shall be treated as a separate violation from a 
     violation with respect to the customer proprietary network 
     information of any other person.
       (e) Limitation.--Nothing in this Act or section 222 of the 
     Communications Act of 1934 (47 U.S.C. 222) authorizes a 
     subscriber to bring a civil action against a 
     telecommunications carrier or an IP-enabled voice service 
     provider.
       (f) Definitions.--In this section:
       (1) Customer proprietary network information.--The term 
     ``customer proprietary network information'' has the meaning 
     given that term by section 222(i)(1) of the Communications 
     Act of 1934 (47 U.S.C. 222(i)(1)).
       (2) IP-enabled voice service.--The term ``IP-enabled voice 
     service'' has the meaning given that term by section 
     222(i)(8) of the Communications Act of 1934 (47 U.S.C. 
     222(i)(8)).
       (3) Telecommunications carrier.--The term 
     ``telecommunications carrier'' has the meaning given it by 
     section 3(44) of the Communications Act of 1934 (47 U.S.C. 
     3(44)).

     SEC. 3. ENHANCED CONFIDENTIALITY PROCEDURES.

       (a) In General.--Within 180 days after the date of 
     enactment of this Act, the Federal Communications Commission 
     shall--
       (1) revise or supplement its regulations, to the extent the 
     Commission determines it is necessary, to require a 
     telecommunications carrier or IP-enabled voice service 
     provider--
       (A) to ensure the security and confidentiality of customer 
     proprietary network information (as defined in section 
     222(i)(1) of the Communications Act of 1934 (47 U.S.C. 
     222(i)(1))), and
       (B) to protect such customer proprietary network 
     information against threats or hazards to its security or 
     confidentiality; and
       (C) to protect customer proprietary network information 
     from unauthorized access or use that could result in 
     substantial harm or inconvenience to its customers, and
       (2) ensure that any revised or supplemental regulations are 
     similar in scope and structure to the Federal Trade 
     Commission's regulations in part 314 of title 16, Code of 
     Federal Regulations, taking into consideration the 
     differences between financial information and customer 
     proprietary network information.
       (b) Compliance Certification.--Each telecommunications 
     carrier and IP-enabled voice service provider to which the 
     regulations under subsection (a) and section 222 of the 
     Communications Act of 1934 (47 U.S.C. 222) apply shall file 
     with the Commission annually a certification that, for the 
     period covered by the filing, it has been in compliance with 
     those requirements.

     SEC. 4. PENALTIES; EXTENSION OF CONFIDENTIALITY REQUIREMENTS 
                   TO OTHER ENTITIES.

       (a) Penalties.--Title V of the Communications Act of 1934 
     (47 U.S.C. 501 et seq.) is amended by inserting after section 
     508 the following:

     ``SEC. 509. PENALTIES FOR CONFIDENTIAL CUSTOMER PROPRIETARY 
                   NETWORK INFORMATION VIOLATIONS.

       ``(a) Civil Forfeiture.--
       ``(1) In general.--Any telecommunications carrier or IP-
     enabled voice service provider that is determined by the 
     Commission, in accordance with paragraphs (3) and (4) of 
     section 503(b), to have violated section 222 of this Act 
     shall be liable to the United States for a forfeiture 
     penalty. A forfeiture penalty under this subsection shall be 
     in addition to any other penalty provided for by this Act. 
     The amount of the forfeiture penalty determined under this 
     subsection shall not exceed $30,000 for each violation, or 3 
     times that amount for each day of a continuing violation, 
     except that the amount assessed for any continuing violation 
     shall not exceed a total of $3,000,000 for any single act or 
     failure to act.
       ``(2) Recovery.--Any forfeiture penalty determined under 
     paragraph (1) shall be recoverable pursuant to section 504(a) 
     of this Act.
       ``(3) Procedure.--No forfeiture liability shall be 
     determined under paragraph (1) against any person unless such 
     person receives the notice required by section 503(b)(3) or 
     section 503(b)(4) of this Act.
       ``(4) 2-year statute of limitations.--No forfeiture penalty 
     shall be determined or imposed against any person under 
     paragraph (1) if the violation charged occurred more than 2 
     years prior to the date of issuance of the required notice or 
     notice or apparent liability.
       ``(b) Criminal Fine.--Any person who willfully and 
     knowingly violates section 222 of this Act shall upon 
     conviction thereof be fined not more than $30,000 for each 
     violation, or 3 times that amount for each day of a 
     continuing violation, in lieu of the fine provided by section 
     501 for such a violation. This subsection does not supersede 
     the provisions of section 501 relating to imprisonment or the 
     imposition of a penalty of both fine and imprisonment.''.
       (b) Extension of Confidentiality Requirements to IP-enabled 
     Voice Service Providers.--Section 222 of the Communications 
     Act of 1934 (47 U.S.C. 222) is amended--
       (1) by inserting ``or IP-enabled voice service provider'' 
     after ``telecommunications carrier'' each place it appears 
     except in subsections (e) and (g);
       (2) by inserting ``or IP-enabled voice service provider'' 
     after ``exchange service'' in subsection (g);
       (3) by striking ``telecommunication carriers'' each place 
     it appears in subsection (a) and inserting 
     ``telecommunications carriers or IP-enabled voice service 
     providers'';
       (4) by inserting ``or provider'' after ``carrier'' in 
     subsection (d)(2), paragraphs (1)(A) and (B) and (3)(A) and 
     (B) of subsection (i) (as redesignated),
       (5) by inserting ``or providers'' after ``carriers'' in 
     subsection (d)(2); and
       (6) by inserting ``and IP-enabled Voice Service Provider'' 
     after ``Carrier'' in the caption of subsection (c).
       (c) Definition.--Section 222(h) of the Communications Act 
     of 1934 (47 U.S.C. 222(h)) is amended by adding at the end 
     the following:
       ``(8) IP-enabled voice service.--The term `IP-enabled voice 
     service' means the provision of real-time 2-way voice 
     communications offered to the public, or such classes of 
     users as to be effectively available to the public, 
     transmitted through customer premises equipment using TCP/IP 
     protocol, or a successor protocol, for a fee (whether part of 
     a bundle of services or separately) with interconnection 
     capability such that the service can originate traffic to, or 
     terminate traffic from, the public switched telephone 
     network.''.
       (d) Telecommunications Carrier and IP-enabled Voice Service 
     Provider Notification Requirement.--Section 222 of the 
     Communications Act of 1934 (47 U.S.C. 222), is further 
     amended--
       (1) by redesignating subsection (h) as subsection (i); and
       (2) by inserting after subsection (g) the following new 
     subsection:
       ``(h) Notice of Violations.--The Commission shall by 
     regulation require each telecommunications carrier or IP-
     enabled voice service provider to notify a customer within 14 
     calendar days of any incident of which such 
     telecommunications carrier or IP-enabled voice service 
     provider becomes or is made aware in which customer 
     proprietary network information relating to such customer is 
     disclosed to someone other than the customer in violation of 
     this section or section 2 of the Protecting Consumer Phone 
     Records Act.''.

     SEC. 5. ENFORCEMENT BY FEDERAL TRADE COMMISSION.

       (a) In General.--Except as provided in sections 6 and 7 of 
     this Act, section 2 of this Act shall be enforced by the 
     Federal Trade Commission.
       (b) Violation Treated as an Unfair or Deceptive Act or 
     Practice.--Violation of section 2 shall be treated as an 
     unfair or deceptive act or practice proscribed under a rule 
     issued under section 18(a)(1)(B) of the Federal Trade 
     Commission Act (15 U.S.C. 57a(a)(1)(B)).
       (c) Actions by the Commission.--The Commission shall 
     prevent any person from violating this Act in the same 
     manner, by the same means, and with the same jurisdiction, 
     powers, and duties as though all applicable terms and 
     provisions of the Federal Trade Commission Act (15 U.S.C. 41 
     et seq.) were incorporated into and made a part of this Act. 
     Any person that violates section 2 is subject to the 
     penalties and entitled to the privileges and immunities 
     provided in the Federal Trade Commission Act in the same 
     manner, by the same means, and with the same jurisdiction, 
     powers, and duties as though all applicable terms and 
     provisions of the Federal Trade Commission Act were 
     incorporated into and made a part of this Act.

     SEC. 6. CONCURRENT ENFORCEMENT BY FEDERAL COMMUNICATIONS 
                   COMMISSION.

       (a) In General.--The Federal Communications Commission 
     shall have concurrent jurisdiction to enforce section 2.
       (b) Penalty; Procedure.--For purposes of enforcement of 
     that section by the Commission--
       (1) a violation of section 2 of this Act is deemed to be a 
     violation of a provision of the Communications Act of 1934 
     (47 U.S.C. 151 et seq.) rather than a violation of the 
     Federal Trade Commission Act; and

[[Page S1897]]

       (2) the provisions of section 509(a)(2), (3), and (4) of 
     the Communications Act of 1934 shall apply to the imposition 
     and collection of the civil penalty imposed by section 2 of 
     this Act as if it were the civil penalty imposed by section 
     509(a)(1) of that Act.

     SEC. 7. ENFORCEMENT BY STATES.

       (a) In General.--The chief legal officer of a State may 
     bring a civil action, as parens patriae, on behalf of the 
     residents of that State in an appropriate district court of 
     the United States to enforce section 2 or to impose the civil 
     penalties for violation of that section, whenever the chief 
     legal officer of the State has reason to believe that the 
     interests of the residents of the State have been or are 
     being threatened or adversely affected by a violation of this 
     Act or a regulation under this Act.
       (b) Notice.--The chief legal officer of a State shall serve 
     written notice on the Federal Trade Commission and the 
     Federal Communications Commission of any civil action under 
     subsection (a) prior to initiating such civil action. The 
     notice shall include a copy of the complaint to be filed to 
     initiate such civil action, except that if it is not feasible 
     for the State to provide such prior notice, the State shall 
     provide such notice immediately upon instituting such civil 
     action.
       (c) Authority To Intervene.--Upon receiving the notice 
     required by subsection (b), either Commission may intervene 
     in such civil action and upon intervening--
       (1) be heard on all matters arising in such civil action; 
     and
       (2) file petitions for appeal of a decision in such civil 
     action.
       (d) Construction.--For purposes of bringing any civil 
     action under subsection (a), nothing in this section shall 
     prevent the chief legal officer of a State from exercising 
     the powers conferred on that officer by the laws of such 
     State to conduct investigations or to administer oaths or 
     affirmations or to compel the attendance of witnesses or the 
     production of documentary and other evidence.
       (e) Venue; Service of Process.--
       (1) Venue.--An action brought under subsection (a) shall be 
     brought in a district court of the United States that meets 
     applicable requirements relating to venue under section 1391 
     of title 28, United States Code.
       (2) Service of process.--In an action brought under 
     subsection (a)--
       (A) process may be served without regard to the territorial 
     limits of the district or of the State in which the action is 
     instituted; and
       (B) a person who participated in an alleged violation that 
     is being litigated in the civil action may be joined in the 
     civil action without regard to the residence of the person.
       (f) Limitation on State Action While Federal Action Is 
     Pending.--If either Commission has instituted an enforcement 
     action or proceeding for violation of section 2 of this Act, 
     the chief legal officer of the State in which the violation 
     occurred may not bring an action under this section during 
     the pendency of the proceeding against any person with 
     respect to whom the Commission has instituted the proceeding.

     SEC. 8. PREEMPTION OF STATE LAW.

       (a) Preemption.--Section 2 and the regulations prescribed 
     pursuant to section 3 of this Act and section 222 of the 
     Communications Act of 1934 (47 U.S.C. 222) and the 
     regulations prescribed thereunder preempt any--
       (1) statute, regulation, or rule of any State or political 
     subdivision thereof that requires a telecommunications 
     carrier or provider of IP-enabled voice service to develop, 
     implement, or maintain procedures for protecting the 
     confidentiality of customer proprietary network information 
     (as defined in section 222(i)(1) of the Communications Act of 
     1934 (47 U.S.C. 222(i)(1))) held by that telecommunications 
     carrier or provider of IP-enabled voice service, or that 
     restricts or regulates a carrier's or provider's ability to 
     use, disclose, or permit access to such information; and
       (2) any such statute, regulation, or rule, or judicial 
     precedent of any State court under which liability is imposed 
     on a telecommunications carrier or provider of IP-enabled 
     voice service for failure to comply with any statute, 
     regulation, or rule described in paragraph (1) or with the 
     requirements of section 2 or the regulations prescribed 
     pursuant to section 3 of this Act or with section 222 of the 
     Communications Act of 1934 or the regulations prescribed 
     thereunder.
       (b) Limitation on Preemption.--This Act shall not be 
     construed to preempt the applicability of--
       (1) State laws that are not specific to the matters 
     described in subsection (a), including State contract or tort 
     law; or
       (2) other State laws to the extent those laws relate to 
     acts of fraud or computer crime.

     SEC. 9. CONSUMER OUTREACH AND EDUCATION.

       (a) In General.--Within 180 days after the date of 
     enactment of this Act, the Federal Trade Commission and 
     Federal Communications Commission shall jointly establish and 
     implement a media and distribution campaign to teach the 
     public about the protection afforded customer proprietary 
     network information under this Act, the Federal Trade 
     Commission Act and the Communications Act of 1934.
       (b) Campaign Requirements.--The campaign shall--
       (1) promote understanding of--
       (A) the problem concerning the theft and misuse of customer 
     proprietary network information;
       (B) available methods for consumers to protect their 
     customer proprietary network information; and
       (C) efforts undertaken by the Federal Trade Commission and 
     the Federal Communications Commission to prevent the problem 
     and seek redress where a breach of security involving 
     customer proprietary network information has occurred; and
       (2) explore various distribution platforms to accomplish 
     the goal set forth in paragraph (1).
                                 ______