[Federal Register Volume 72, Number 110 (Friday, June 8, 2007)]
[Rules and Regulations]
[Pages 31948-31963]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-10732]


-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[CC Docket No. 96-115, WC Docket No. 04-36; FCC 07-22]


Customer Proprietary Network Information

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Commission adopted rules to implement section 222 of the 
Communications Act of 1934, as amended, which governs carriers' use and 
disclosure of customer proprietary network information. In this 
document, the Commission responds to the practice of ``pretexting'' by 
strengthening its rules to protect the privacy of customer proprietary 
network information (CPNI) that is collected and held by providers of 
communications services.

DATES: Revised paragraph (o) of Sec.  64.2003, new paragraphs (a), (b), 
(d), (m), (q), and (r) of Sec.  64.2003, revised paragraph (c)(3) of 
Sec.  64.2005, revised paragraph (b) of Sec.  64.2007, revised 
paragraph (e) of 64.2009, and new Sec. Sec.  64.2010 and 64.2011 
contain information collection requirements that have not been approved 
by the Office of Management and Budget (OMB). The Commission will 
publish a document in the Federal Register announcing the effective 
date. Written comment by the public on the modified information 
collection requirements are due August 7, 2007. Paragraphs (c), (e) 
through (l), (n), and (p) of Sec.  64.2003 do not contain information 
collection requirements that have not been approved by OMB and 
therefore are effective on June 8, 2007.

FOR FURTHER INFORMATION CONTACT: Adam Kirschenbaum, (202) 418-7280, 
Wireline Competition Bureau.
    For additional information concerning the Paperwork Reduction Act 
information collection requirements contained in this document, contact 
Judith B. Herman at (202) 418-0214, or via e-mail at [email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Report 
and Order (Order) in CC Docket No. 96-115 and WC Docket No. 04-36, FCC 
07-22, adopted March 13, 2007, and released April 2, 2007. The complete 
text of this document is available for inspection and copying during 
normal business hours in the FCC Reference Information Center, Portals 
II, 445 12th Street, SW., Room CY-A257, Washington, DC 20554. This 
document may also be purchased from the Commission's duplicating 
contractor, Best Copy and Printing, Inc., 445 12th Street, SW., Room 
CY-B402, Washington, DC 20554, telephone (800) 378-3160 or (202) 863-
2893, facsimile (202) 863-2898, or via e-mail at http://www.bcpiweb.com. It is also available on the Commission's Web site at 
http://www.fcc.gov.
    In addition to filing comments with the Office of the Secretary, a 
copy of any comments on the Paperwork Reduction Act information 
collection requirements contained herein should be submitted to Judith 
B. Herman, Federal Communications Commission, Room 1-C804, 445 12th 
Street, SW., Washington, DC 20554, or via the Internet to [email protected].

Synopsis of the Report and Order

    1. On August 30, 2005, the Electronic Privacy Information Center 
(EPIC) filed a petition with the Commission asking the Commission to 
investigate telecommunications carriers' current security practices and 
to initiate a rulemaking proceeding to consider establishing more 
stringent security standards for telecommunications carriers to govern 
the disclosure of CPNI. In particular, EPIC proposed that the 
Commission consider requiring the use of consumer-set passwords, 
creating audit trails, employing encryption, limiting data retention, 
and improving notice procedures. On February 14, 2006, the Commission 
released the EPIC CPNI Notice, 71 FR 13317 (March 15, 2006), in which 
it sought comment on (a) the nature and scope of the problem identified 
by EPIC, including pretexting, and (b) what additional steps, if any, 
the Commission should take to protect further the privacy of CPNI. 
Specifically, the Commission sought comment on the five EPIC proposals 
listed above. In addition, the Commission tentatively concluded that it 
should amend its rules to require carriers annually to file their 
section 64.2009(e) certifications with the Commission. It also sought 
comment on whether it should require carriers to obtain a customer's 
opt-in consent before the carrier shares CPNI with its joint venture 
partners and independent contractors; whether to impose rules relating 
to how carriers verify customers' identities; whether to adopt a set of 
security requirements that could

[[Page 31949]]

be used as the basis for liability if a carrier failed to implement 
such requirements, or adopt a set of security requirements that a 
carrier could implement to exempt itself from liability; whether VoIP 
service providers or other IP-enabled service providers should be 
covered by any new rules the Commission adopts in the present 
rulemaking; and other specific proposals that might increase the 
protection of CPNI.
    2. In this Order, the Commission responds to the practice of 
``pretexting'' by strengthening its rules to protect the privacy of 
customer proprietary network information (CPNI) that is collected and 
held by providers of communications services (hereinafter, 
communications carriers or carriers). Section 222 of the Communications 
Act requires telecommunications carriers to take specific steps to 
ensure that CPNI is adequately protected from unauthorized disclosure. 
In the Order, the Commission strengthens its privacy rules by adopting 
additional safeguards to protect customers' CPNI against unauthorized 
access and disclosure.
    3. The Order is directly responsive to the actions of data brokers, 
or pretexters, to obtain unauthorized access to CPNI. As EPIC pointed 
out in its petition that led to this rulemaking proceeding, numerous 
Web sites advertise the sale of personal telephone records for a price. 
These data brokers have been able to obtain private and personal 
information, including what calls were made to and/or from a particular 
telephone number and the duration of such calls. In many cases, the 
data brokers claim to be able to provide this information within fairly 
quick time frames, ranging from a few hours to a few days. The 
additional privacy safeguards the Commission adopts in the Order will 
sharply limit pretexters' ability to obtain unauthorized access to this 
type of personal customer information from carriers the Commission 
regulates.
    4. The Commission finds that the release of call detail over the 
telephone presents an immediate risk to privacy and therefore it 
prohibits carriers from releasing call detail information based on 
customer-initiated telephone contact except under three circumstances. 
First, a carrier can release call detail information if the customer 
provides the carrier with a pre-established password. Second, a carrier 
may, at the customer's request, send call detail information to the 
customer's address of record. Third, a carrier may call the telephone 
number of record and disclose call detail information. A carrier may 
disclose non-call detail CPNI to a customer after the carrier 
authenticates the customer.
    5. The Commission does not intend for the prohibition on the 
release of call detail over the telephone for customer-initiated 
telephone contact to hinder routine carrier-customer relations 
regarding service/billing disputes and questions. If a customer is able 
to provide to the carrier, during a customer-initiated telephone call, 
all of the call detail information necessary to address a customer 
service issue (i.e., the telephone number called, when it was called, 
and, if applicable, the amount charged for the call), then the carrier 
is permitted to proceed with its routine customer care procedures. The 
Commission believes that if a customer is able to provide this 
information to the carrier, without carrier assistance, then the 
carrier does not violate the Commission's rules if the carrier takes 
routine customer service actions related to such information. The 
Commission additionally clarifies that, under these circumstances, 
carriers may not disclose to the customer any call detail information 
about the customer account other than the call detail information that 
the customer provides without the customer first providing a password. 
The Commission's rule is intended to prevent pretexter phishing and 
other pretexter methods for gaining unauthorized access to customer 
account information.
    6. The Commission also requires carriers to password protect online 
access to CPNI. Although section 222 of the Act imposes a duty on 
carriers to protect the privacy of CPNI, data brokers and others have 
been able to access CPNI online without the account holder's knowledge 
or consent. The Commission agrees with EPIC that the apparent ease with 
which data brokers have been able to access CPNI online demonstrates 
the insufficiency of carriers' customer authentication procedures. In 
particular, the record evidence demonstrates that some carriers permit 
customers to establish online accounts by providing readily available 
biographical information. Thus, a data broker may obtain online account 
access easily without the customer's knowledge. Therefore, the 
Commission agrees with EPIC and others that use of such identifiers is 
an insufficient mechanism for preventing data brokers from obtaining 
unauthorized online access to CPNI.
    7. The Commission continues to allow carriers to provide customers 
with access to CPNI at a carrier's retail location if the customer 
presents a valid photo ID and the valid photo ID matches the name on 
the account. The Commission agrees with the Attorneys General and finds 
that this is a secure authentication practice because it enables the 
carrier to make a reasonable judgment about the customer's identity.
    8. The Commission requires carriers to notify customers immediately 
of certain account changes, including whenever a password, customer 
response to a carrier-designed back-up means of authentication, online 
account, or address of record is created or changed. The Commission 
agrees with the New Jersey Ratepayer Advocate that this notification is 
an important tool for customers to monitor their account's security. 
This notification may be through a carrier-originated voicemail or text 
message to the telephone number of record, or by mail to the address of 
record, as to reasonably ensure that the customer receives this 
notification. The Commission believes this measure is appropriate to 
protect customers from data brokers that might otherwise manage to 
circumvent the authentication protections the Commission adopts in this 
Order, and to take appropriate action in the event of pretexter 
activity. Further, the Commission finds that this notification 
requirement will also empower customers to provide carriers with timely 
information about pretexting activity, which the carriers may not be 
able to identify easily.
    9. The Commission does make an exception to the rules that it 
adopts for certain business customers. The Commission agrees with 
commenters who argue that privacy concerns of telecommunications 
consumers are greatest when using personal telecommunications services. 
Indeed, the fraudulent practices described by EPIC have mainly targeted 
individual consumers, and the record indicates that the proprietary 
information of wireline and wireless business account customers already 
is subject to stringent safeguards, which are privately negotiated by 
contract. Therefore, if the carrier's contract with a business customer 
is serviced by a dedicated account representative as the primary 
contact, and specifically addresses the carrier's protection of CPNI, 
the Commission does not extend its carrier authentication rules to 
cover these business customers, because businesses are typically able 
to negotiate the appropriate protection of CPNI in their service 
agreements. However, nothing in the Order exempts carriers serving 
wireline enterprise and wireless business account customers from 
section 222 or the remainder of the Commission's CPNI rules.
    10. The Commission agrees with EPIC that carriers should be 
required to notify a customer whenever a security breach

[[Page 31950]]

results in that customer's CPNI being disclosed to a third party 
without that customer's authorization. However, the Commission also 
appreciates law enforcement's concern about delaying customer 
notification in order to allow law enforcement to investigate crimes. 
Therefore, the Commission adopts a rule that it believes balances a 
customer's need to know with law enforcement's ability to undertake an 
investigation of suspected criminal activity, which itself might 
advance the goal of consumer protection.
    11. The Commission declines to specify the precise content of the 
notice that must be provided to customers in the event of a security 
breach of CPNI. The notice requirement the Commission adopts in this 
proceeding is general, and the Commission recognizes that numerous 
types of circumstances--including situations other than pretexting--
could result in the unauthorized disclosure of a customer's CPNI to a 
third party. Thus, the Commission leaves carriers the discretion to 
tailor the language and method of notification to the circumstances. 
Finally, the Commission expects carriers to cooperate fully in any law 
enforcement investigation of such unauthorized release of CPNI or 
attempted unauthorized access to an account consistent with statutory 
and Commission requirements.
    12. The Commission agrees with commenters that techniques for fraud 
vary and tend to become more sophisticated over time, and that carriers 
need leeway to engage emerging threats. The Commission therefore 
clarifies that carriers are free to bolster their security measures 
through additional measures to meet their section 222 obligations to 
protect the privacy of CPNI. The Commission also codifies the existing 
statutory requirement contained in section 222 of the Act that carriers 
take reasonable measures to discover and protect against activity that 
is indicative of pretexting. Adoption of the rules in this Order does 
not relieve carriers of their fundamental duty to remain vigilant in 
their protection of CPNI, nor does it necessarily insulate them from 
enforcement action for unauthorized disclosure of CPNI.
    13. The Commission modifies its rules to require telecommunications 
carriers to obtain opt-in consent from a customer before disclosing 
that customer's CPNI to a carrier's joint venture partner or 
independent contractor for the purpose of marketing communications-
related services to that customer. While the Commission realizes that 
this is a change in Commission policy, it finds that new circumstances 
force it to reassess its existing regulations. As the Commission has 
found previously, the Commission has a substantial interest in 
protecting customer privacy. Based on this and in light of new privacy 
concerns, the Commission now finds that an opt-in framework for the 
sharing of CPNI with joint venture partners and independent contractors 
for the purposes of marketing communications-related services to a 
customer both directly advances its interest in protecting customer 
privacy and is narrowly tailored to achieve its goal of privacy 
protection. Specifically, an opt-in regime will more effectively limit 
the circulation of a customer's CPNI by maintaining it in a carrier's 
possession unless a customer provides informed consent for its release. 
Moreover, the Commission finds that an opt-in regime will provide 
necessary informed customer choice concerning these information sharing 
relationships with other companies.
    14. To the extent that carriers voluntarily obtained opt-in 
approval from their customers for the disclosure of customers' CPNI to 
a joint venture partner or independent contractor for the purposes of 
marketing communications-related services to a customer prior to the 
adoption of this Order, those carriers can continue to use those 
approvals.
    15. The Commission adopts the Commission's tentative conclusion and 
amends its rules to require carriers to file their annual CPNI 
certification with the Commission, including an explanation of any 
actions taken against data brokers and a summary of all customer 
complaints received in the past year concerning the unauthorized 
release of CPNI. The Commission finds that this amendment to the 
Commission's rules is an appropriate measure and will ensure that 
carriers regularly focus their attention on their duty to safeguard 
CPNI. Additionally, the Commission finds that this modification to its 
rules will remind carriers of the Commission's oversight and high 
priority regarding carrier performance in this area. Further, with this 
filing, the Commission will be better able to monitor the industry's 
response to CPNI privacy issues and to take any necessary steps to 
ensure that carriers are managing customer CPNI securely.
    16. The Commission extends the application of the Commission's CPNI 
rules to providers of interconnected VoIP service. In the IP-Enabled 
Services Notice and the EPIC CPNI Notice, the Commission sought comment 
on whether to extend the CPNI requirements to VoIP service providers. 
Since the Commission has not decided whether interconnected VoIP 
services are telecommunications services or information services as 
those terms are defined in the Act, nor does it do so in this Order, 
the Commission analyzes the issues addressed in this Order under its 
Title I ancillary jurisdiction to encompass both types of service. If 
the Commission later classifies interconnected VoIP service as a 
telecommunications service, the providers of interconnected VoIP 
services would be subject to the requirements of section 222 and the 
Commission's CPNI rules as telecommunications carriers under Title II.
    17. The Commission concludes that it has authority under Title I of 
the Act to impose CPNI requirements on providers of interconnected VoIP 
service. Ancillary jurisdiction may be employed, in the Commission's 
discretion, when Title I of the Act gives the Commission subject matter 
jurisdiction over the service to be regulated and the assertion of 
jurisdiction is ``reasonably ancillary to the effective performance of 
[its] various responsibilities.'' Both predicates for ancillary 
jurisdiction are satisfied here. First, as the Commission concluded in 
the Interim USF Order and VoIP 911 Order, interconnected VoIP services 
fall within the subject matter jurisdiction granted to it in the Act. 
Second, the Commission analysis requires it to evaluate whether 
imposing CPNI obligations is reasonably ancillary to the effective 
performance of the Commission's various responsibilities. Based on the 
record in this matter, the Commission finds that sections 222 and 1 of 
the Act provide the requisite nexus, with additional support from 
section 706.
    18. The Commission takes seriously the protection of customers' 
private information and commit to remaining vigilant to ensure 
compliance with applicable privacy laws within its jurisdiction. One 
way in which the Commission will help protect consumer privacy is 
through strong enforcement measures. When investigating compliance with 
the rules and statutory obligations, the Commission will consider 
whether the carrier has taken reasonable precautions to prevent the 
unauthorized disclosure of a customer's CPNI. Specifically, the 
Commission hereby puts carriers on notice that the Commission 
henceforth will infer from evidence that a pretexter has obtained 
unauthorized access to a customer's CPNI that the carrier did not 
sufficiently protect that customer's CPNI. A carrier then must 
demonstrate that the steps it

[[Page 31951]]

has taken to protect CPNI from unauthorized disclosure, including the 
carrier's policies and procedures, are reasonable in light of the 
threat posed by pretexting and the sensitivity of the customer 
information at issue. If the Commission finds at the conclusion of its 
investigation that the carrier indeed has not taken sufficient steps 
adequately to protect the privacy of CPNI, the Commission may sanction 
it for this oversight, including through forfeiture.
    19. The Commission offers additional guidance regarding the 
Commission's expectations that will inform its investigations. The 
Commission fully expects carriers to take every reasonable precaution 
to protect the confidentiality of proprietary or personal customer 
information. Of course, the Commission requires carriers to implement 
the specific minimum requirements set forth in the Commission's rules. 
The Commission further expects carriers to take additional steps to 
protect the privacy of CPNI to the extent such additional measures are 
feasible for a particular carrier. For instance, although the 
Commission declines to impose audit trail obligations on carriers at 
this time, the Commission expects carriers through audits or other 
measures to take reasonable measures to discover and protect against 
activity that is indicative of pretexting. Similarly, although the 
Commission does not specifically require carriers to encrypt their 
customers' CPNI, the Commission expects a carrier to encrypt its CPNI 
databases if doing so would provide significant additional protection 
against the unauthorized access to CPNI at a cost that is reasonable 
given the technology a carrier already has implemented.

Final Paperwork Reduction Act Analysis

    20. This Order contains modified information collection 
requirements subject to the Paperwork Reduction Act of 1995 (PRA), 
Public Law 104-13. It will be submitted to the Office of Management and 
Budget (OMB) for review under section 3507(d) of the PRA. OMB, the 
general public, and other Federal agencies are invited to comment on 
the new information collection requirements contained in this 
proceeding. In addition, pursuant to the Small Business Paperwork 
Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), the 
Commission previously sought specific comment on how it might ``further 
reduce the information collection burden for small business concerns 
with fewer than 25 employees.''
    21. In the Order, the Commission assessed the burdens placed on 
small businesses to notify customers of account changes, to notify law 
enforcement and customers of unauthorized CPNI disclosure; to obtain 
opt-in consent prior to sharing CPNI with joint venture partners and 
independent contractors; to file annually a CPNI certification with the 
Commission, including an explanation of any actions taken against data 
brokers and a summary of all consumer complaints received in the past 
year concerning the unauthorized release of CPNI, and to extend the 
CPNI rules to providers of interconnected VoIP services, and found that 
these requirements do not place a significant burden on small 
businesses.

Final Regulatory Flexibility Analysis

    22. As required by the Regulatory Flexibility Act of 1980, as 
amended (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was 
incorporated in the EPIC CPNI Notice in CC Docket No. 96-115 and the 
IP-Enabled Services Notice in WC Docket 04-36. The Commission sought 
written public comment on the proposals in both notices, including 
comment on the IRFA. The Commission received comments specifically 
directed toward the IRFA from three commenters in CC Docket No. 96-115 
and from three commenters in WC Docket No. 04-36. These comments are 
discussed below. This Final Regulatory Flexibility Analysis (FRFA) 
conforms to the RFA.

A. Need for, and Objectives of, the Rules

    23. The Order strengthens the Commission's rules to protect the 
privacy of CPNI that is collected and held by providers of 
communications services. Section 222 of the Communications Act requires 
telecommunications carriers to take specific steps to ensure that CPNI 
is adequately protected from unauthorized disclosure. The Order adopts 
additional safeguards to protect customers' CPNI against unauthorized 
access and disclosure.

B. Summary of Significant Issues Raised by Public Comments in Response 
to the IRFA

    24. Comments Received in Response to the EPIC CPNI Notice. In this 
section, the Commission responds to comments filed in response to the 
IRFA. To the extent the Commission received comments raising general 
small business concerns during the proceeding, those comments are 
discussed throughout the Order.
    25. The Commission disagrees with Alexicon that small carriers are 
less vulnerable to unauthorized attempts to access CPNI. In fact, 
Alexicon itself points out that one of its client companies actually 
experienced an unauthorized access attempt, and thus the Commission 
finds the steps it takes in the Order are applicable to all carriers. 
The Commission does, however, agree with commenters that argue the 
Commission should not adopt many of EPIC's suggested requirements. The 
Commission also agrees with commenters that argue for flexible rules to 
allow carriers to determine proper authentication methods for its 
customers. Therefore, the Commission does not adopt specific 
authentication methods, or back-up authentication methods for lost or 
forgotten passwords and instead adopts rules that provide limits on the 
types of authentication methods that meet section 222's mandate to 
protect CPNI. Further, the Commission agrees with commenters that small 
carriers should be provided additional time to implement the 
requirements that the Commission does adopt in the Order. Thus, the 
Commission provides small carriers with an additional six month 
implementation period for the online carrier authentication 
requirements adopted in the Order.
    26. Comments Received in Response to the IP-Enabled Services 
Notice. In this section, the Commission responds to comments filed in 
response to the IRFA. To the extent the Commission received comments 
raising general small business concerns during the proceeding, those 
comments are discussed throughout the Order.
    27. The Commission disagrees with the SBA and Francois D. Menard 
(Menard) that the Commission should postpone acting in this 
proceeding--thereby postponing extending the application of the CPNI 
rules to interconnected VoIP service providers--and instead should 
reevaluate the economic impact and the compliance burdens on small 
entities and issue a further notice of proposed rulemaking in 
conjunction with a supplemental IRFA identifying and analyzing the 
economic impacts on small entities and less burdensome alternatives. 
The Commission believes the additional steps suggested by SBA and 
Menard are unnecessary because small entities already have received 
sufficient notice of the issues addressed in the Order and because the 
Commission has considered the economic impact on small entities and 
what ways are feasible to minimize the burdens imposed on those 
entities, and, to the extent feasible, has implemented those less 
burdensome alternatives.

[[Page 31952]]

C. Description and Estimate of the Number of Small Entities to Which 
Rules Will Apply

    28. The RFA directs agencies to provide a description of and, where 
feasible, an estimate of the number of small entities that may be 
affected by the rules adopted herein. The RFA generally defines the 
term ``small entity'' as having the same meaning as the terms ``small 
business,'' ``small organization,'' and ``small governmental 
jurisdiction.'' In addition, the term ``small business'' has the same 
meaning as the term ``small business concern'' under the Small Business 
Act. A small business concern is one which: (1) Is independently owned 
and operated; (2) is not dominant in its field of operation; and (3) 
satisfies any additional criteria established by the Small Business 
Administration (SBA).
    29. Small Businesses. Nationwide, there are a total of 
approximately 22.4 million small businesses, according to SBA data.
    30. Small Organizations. Nationwide, there are approximately 1.6 
million small organizations.
    31. Small Governmental Jurisdictions. The term ``small governmental 
jurisdiction'' is defined generally as ``governments of cities, towns, 
townships, villages, school districts, or special districts, with a 
population of less than fifty thousand.'' Census Bureau data for 2002 
indicate that there were 87,525 local governmental jurisdictions in the 
United States. The Commission estimates that, of this total, 84,377 
entities were ``small governmental jurisdictions.'' Thus, the 
Commission estimates that most governmental jurisdictions are small.
1. Telecommunications Service Entities
a. Wireline Carriers and Service Providers
    32. The Commission has included small incumbent local exchange 
carriers in the present RFA analysis. As noted above, a ``small 
business'' under the RFA is one that, inter alia, meets the pertinent 
small business size standard (e.g., a telephone communications business 
having 1,500 or fewer employees), and ``is not dominant in its field of 
operation.'' The SBA's Office of Advocacy contends that, for RFA 
purposes, small incumbent local exchange carriers are not dominant in 
their field of operation because any such dominance is not ``national'' 
in scope. The Commission has therefore included small incumbent local 
exchange carriers in this RFA analysis, although the Commission 
emphasizes that this RFA action has no effect on Commission analyses 
and determinations in other, non-RFA contexts.
    33. Incumbent Local Exchange Carriers (LECs). Neither the 
Commission nor the SBA has developed a small business size standard 
specifically for incumbent local exchange services. The appropriate 
size standard under SBA rules is for the category Wired 
Telecommunications Carriers. Under that size standard, such a business 
is small if it has 1,500 or fewer employees. According to Commission 
data, 1,303 carriers have reported that they are engaged in the 
provision of incumbent local exchange services. Of these 1,303 
carriers, an estimated 1,020 have 1,500 or fewer employees and 283 have 
more than 1,500 employees. Consequently, the Commission estimates that 
most providers of incumbent local exchange service are small businesses 
that may be affected by its action.
    34. Competitive Local Exchange Carriers, Competitive Access 
Providers (CAPs), ``Shared-Tenant Service Providers,'' and ``Other 
Local Service Providers.'' Neither the Commission nor the SBA has 
developed a small business size standard specifically for these service 
providers. The appropriate size standard under SBA rules is for the 
category Wired Telecommunications Carriers. Under that size standard, 
such a business is small if it has 1,500 or fewer employees. According 
to Commission data, 769 carriers have reported that they are engaged in 
the provision of either competitive access provider services or 
competitive local exchange carrier services. Of these 769 carriers, an 
estimated 676 have 1,500 or fewer employees and 93 have more than 1,500 
employees. In addition, 12 carriers have reported that they are 
``Shared-Tenant Service Providers,'' and all 12 are estimated to have 
1,500 or fewer employees. In addition, 39 carriers have reported that 
they are ``Other Local Service Providers.'' Of the 39, an estimated 38 
have 1,500 or fewer employees and one has more than 1,500 employees. 
Consequently, the Commission estimates that most providers of 
competitive local exchange service, competitive access providers, 
``Shared-Tenant Service Providers,'' and ``Other Local Service 
Providers'' are small entities that may be affected by its action.
    35. Local Resellers. The SBA has developed a small business size 
standard for the category of Telecommunications Resellers. Under that 
size standard, such a business is small if it has 1,500 or fewer 
employees. According to Commission data, 143 carriers have reported 
that they are engaged in the provision of local resale services. Of 
these, an estimated 141 have 1,500 or fewer employees and two have more 
than 1,500 employees. Consequently, the Commission estimates that the 
majority of local resellers are small entities that may be affected by 
its action.
    36. Toll Resellers. The SBA has developed a small business size 
standard for the category of Telecommunications Resellers. Under that 
size standard, such a business is small if it has 1,500 or fewer 
employees. According to Commission data, 770 carriers have reported 
that they are engaged in the provision of toll resale services. Of 
these, an estimated 747 have 1,500 or fewer employees and 23 have more 
than 1,500 employees. Consequently, the Commission estimates that the 
majority of toll resellers are small entities that may be affected by 
its action.
    37. Payphone Service Providers (PSPs). Neither the Commission nor 
the SBA has developed a small business size standard specifically for 
payphone services providers. The appropriate size standard under SBA 
rules is for the category Wired Telecommunications Carriers. Under that 
size standard, such a business is small if it has 1,500 or fewer 
employees. According to Commission data, 613 carriers have reported 
that they are engaged in the provision of payphone services. Of these, 
an estimated 609 have 1,500 or fewer employees and four have more than 
1,500 employees. Consequently, the Commission estimates that the 
majority of payphone service providers are small entities that may be 
affected by its action.
    38. Interexchange Carriers (IXCs). Neither the Commission nor the 
SBA has developed a small business size standard specifically for 
providers of interexchange services. The appropriate size standard 
under SBA rules is for the category Wired Telecommunications Carriers. 
Under that size standard, such a business is small if it has 1,500 or 
fewer employees. According to Commission data, 316 carriers have 
reported that they are engaged in the provision of interexchange 
service. Of these, an estimated 292 have 1,500 or fewer employees and 
24 have more than 1,500 employees. Consequently, the Commission 
estimates that the majority of IXCs are small entities that may be 
affected by its action.
    39. Operator Service Providers (OSPs). Neither the Commission nor 
the SBA has developed a small business size standard specifically for 
operator service providers. The appropriate size standard under SBA 
rules is for the category Wired Telecommunications

[[Page 31953]]

Carriers. Under that size standard, such a business is small if it has 
1,500 or fewer employees. According to Commission data, 23 carriers 
have reported that they are engaged in the provision of operator 
services. Of these, an estimated 20 have 1,500 or fewer employees and 
three have more than 1,500 employees. Consequently, the Commission 
estimates that the majority of OSPs are small entities that may be 
affected by its action.
    40. Prepaid Calling Card Providers. Neither the Commission nor the 
SBA has developed a small business size standard specifically for 
prepaid calling card providers. The appropriate size standard under SBA 
rules is for the category Telecommunications Resellers. Under that size 
standard, such a business is small if it has 1,500 or fewer employees. 
According to Commission data, 89 carriers have reported that they are 
engaged in the provision of prepaid calling cards. Of these, 88 are 
estimated to have 1,500 or fewer employees and one has more than 1,500 
employees. Consequently, the Commission estimates that all or the 
majority of prepaid calling card providers are small entities that may 
be affected by its action.
    41. 800 and 800-Like Service Subscribers. Neither the Commission 
nor the SBA has developed a small business size standard specifically 
for 800 and 800-like service (``toll free'') subscribers. The 
appropriate size standard under SBA rules is for the category 
Telecommunications Resellers. Under that size standard, such a business 
is small if it has 1,500 or fewer employees. The most reliable source 
of information regarding the number of these service subscribers 
appears to be data the Commission collects on the 800, 888, and 877 
numbers in use. According to the Commission's data, at the end of 
January, 1999, the number of 800 numbers assigned was 7,692,955; the 
number of 888 numbers assigned was 7,706,393; and the number of 877 
numbers assigned was 1,946,538. The Commission does not have data 
specifying the number of these subscribers that are not independently 
owned and operated or have more than 1,500 employees, and thus is 
unable at this time to estimate with greater precision the number of 
toll free subscribers that would qualify as small businesses under the 
SBA size standard. Consequently, the Commission estimates that there 
are 7,692,955 or fewer small entity 800 subscribers; 7,706,393 or fewer 
small entity 888 subscribers; and 1,946,538 or fewer small entity 877 
subscribers.
b. International Service Providers
    42. The Commission has not developed a small business size standard 
specifically for providers of international service. The appropriate 
size standards under SBA rules are for the two broad census categories 
of ``Satellite Telecommunications'' and ``Other Telecommunications.'' 
Under both categories, such a business is small if it has $12.5 million 
or less in average annual receipts.
    43. The first category of Satellite Telecommunications ``comprises 
establishments primarily engaged in providing point-to-point 
telecommunications services to other establishments in the 
telecommunications and broadcasting industries by forwarding and 
receiving communications signals via a system of satellites or 
reselling satellite telecommunications.'' For this category, Census 
Bureau data for 2002 show that there were a total of 371 firms that 
operated for the entire year. Of this total, 307 firms had annual 
receipts of under $10 million, and 26 firms had receipts of $10 million 
to $24,999,999. Consequently, the Commission estimates that the 
majority of Satellite Telecommunications firms are small entities that 
might be affected by its action.
    44. The second category of Other Telecommunications ``comprises 
establishments primarily engaged in (1) providing specialized 
telecommunications applications, such as satellite tracking, 
communications telemetry, and radar station operations; or (2) 
providing satellite terminal stations and associated facilities 
operationally connected with one or more terrestrial communications 
systems and capable of transmitting telecommunications to or receiving 
telecommunications from satellite systems.'' For this category, Census 
Bureau data for 2002 show that there were a total of 332 firms that 
operated for the entire year. Of this total, 259 firms had annual 
receipts of under $10 million and 15 firms had annual receipts of $10 
million to $24,999,999. Consequently, the Commission estimates that the 
majority of Other Telecommunications firms are small entities that 
might be affected by its action.
c. Wireless Telecommunications Service Providers
    45. Below, for those services subject to auctions, the Commission 
notes that, as a general matter, the number of winning bidders that 
qualify as small businesses at the close of an auction does not 
necessarily represent the number of small businesses currently in 
service. Also, the Commission does not generally track subsequent 
business size unless, in the context of assignments or transfers, 
unjust enrichment issues are implicated.
    46. Wireless Service Providers. The SBA has developed a small 
business size standard for wireless firms within the two broad economic 
census categories of ``Paging'' and ``Cellular and Other Wireless 
Telecommunications.'' Under both SBA categories, a wireless business is 
small if it has 1,500 or fewer employees. For the census category of 
Paging, Census Bureau data for 2002 show that there were 807 firms in 
this category that operated for the entire year. Of this total, 804 
firms had employment of 999 or fewer employees, and three firms had 
employment of 1,000 employees or more. Thus, under this category and 
associated small business size standard, the majority of firms can be 
considered small. For the census category of Cellular and Other 
Wireless Telecommunications, Census Bureau data for 2002 show that 
there were 1,397 firms in this category that operated for the entire 
year. Of this total, 1,378 firms had employment of 999 or fewer 
employees, and 19 firms had employment of 1,000 employees or more. 
Thus, under this second category and size standard, the majority of 
firms can, again, be considered small.
    47. Cellular Licensees. The SBA has developed a small business size 
standard for wireless firms within the broad economic census category 
``Cellular and Other Wireless Telecommunications.'' Under this SBA 
category, a wireless business is small if it has 1,500 or fewer 
employees. For the census category of Cellular and Other Wireless 
Telecommunications, Census Bureau data for 2002 show that there were 
1,397 firms in this category that operated for the entire year. Of this 
total, 1,378 firms had employment of 999 or fewer employees, and 19 
firms had employment of 1,000 employees or more. Thus, under this 
category and size standard, the great majority of firms can be 
considered small. Also, according to Commission data, 437 carriers 
reported that they were engaged in the provision of cellular service, 
Personal Communications Service (PCS), or Specialized Mobile Radio 
(SMR) Telephony services, which are placed together in the data. The 
Commission has estimated that 260 of these are small, under the SBA 
small business size standard.
    48. Common Carrier Paging. The SBA has developed a small business 
size standard for wireless firms within the

[[Page 31954]]

broad economic census category, ``Cellular and Other Wireless 
Telecommunications.'' Under this SBA category, a wireless business is 
small if it has 1,500 or fewer employees. For the census category of 
Paging, Census Bureau data for 2002 show that there were 807 firms in 
this category that operated for the entire year. Of this total, 804 
firms had employment of 999 or fewer employees, and three firms had 
employment of 1,000 employees or more. Thus, under this category and 
associated small business size standard, the majority of firms can be 
considered small. In the Paging Third Report and Order, the Commission 
developed a small business size standard for ``small businesses'' and 
``very small businesses'' for purposes of determining their eligibility 
for special provisions such as bidding credits and installment 
payments. A ``small business'' is an entity that, together with its 
affiliates and controlling principals, has average gross revenues not 
exceeding $15 million for the preceding three years. Additionally, a 
``very small business'' is an entity that, together with its affiliates 
and controlling principals, has average gross revenues that are not 
more than $3 million for the preceding three years. The SBA has 
approved these small business size standards. An auction of 
Metropolitan Economic Area licenses commenced on February 24, 2000, and 
closed on March 2, 2000. Of the 985 licenses auctioned, 440 were sold. 
Fifty-seven companies claiming small business status won. Also, 
according to Commission data, 375 carriers reported that they were 
engaged in the provision of paging and messaging services. Of those, 
the Commission estimates that 370 are small, under the SBA-approved 
small business size standard.
    49. Wireless Communications Services. This service can be used for 
fixed, mobile, radiolocation, and digital audio broadcasting satellite 
uses. The Commission established small business size standards for the 
wireless communications services (WCS) auction. A ``small business'' is 
an entity with average gross revenues of $40 million for each of the 
three preceding years, and a ``very small business'' is an entity with 
average gross revenues of $15 million for each of the three preceding 
years. The SBA has approved these small business size standards. The 
Commission auctioned geographic area licenses in the WCS service. In 
the auction, there were seven winning bidders that qualified as ``very 
small business'' entities, and one that qualified as a ``small 
business'' entity.
    50. Wireless Telephony. Wireless telephony includes cellular, 
personal communications services (PCS), and specialized mobile radio 
(SMR) telephony carriers. As noted earlier, the SBA has developed a 
small business size standard for ``Cellular and Other Wireless 
Telecommunications'' services. Under that SBA small business size 
standard, a business is small if it has 1,500 or fewer employees. 
According to Commission data, 445 carriers reported that they were 
engaged in the provision of wireless telephony. The Commission has 
estimated that 245 of these are small under the SBA small business size 
standard.
    51. Broadband Personal Communications Service. The broadband 
Personal Communications Service (PCS) spectrum is divided into six 
frequency blocks designated A through F, and the Commission has held 
auctions for each block. The Commission defined ``small entity'' for 
Blocks C and F as an entity that has average gross revenues of $40 
million or less in the three previous calendar years. For Block F, an 
additional classification for ``very small business'' was added and is 
defined as an entity that, together with its affiliates, has average 
gross revenues of not more than $15 million for the preceding three 
calendar years.'' These standards defining ``small entity'' in the 
context of broadband PCS auctions have been approved by the SBA. No 
small businesses, within the SBA-approved small business size standards 
bid successfully for licenses in Blocks A and B. There were 90 winning 
bidders that qualified as small entities in the Block C auctions. A 
total of 93 small and very small business bidders won approximately 40 
percent of the 1,479 licenses for Blocks D, E, and F. On March 23, 
1999, the Commission re-auctioned 347 C, D, E, and F Block licenses. 
There were 48 small business winning bidders. On January 26, 2001, the 
Commission completed the auction of 422 C and F Broadband PCS licenses 
in Auction No. 35. Of the 35 winning bidders in this auction, 29 
qualified as ``small'' or ``very small'' businesses. Subsequent events, 
concerning Auction 35, including judicial and agency determinations, 
resulted in a total of 163 C and F Block licenses being available for 
grant.
    52. Narrowband Personal Communications Services. To date, two 
auctions of narrowband personal communications services (PCS) licenses 
have been conducted. For purposes of the two auctions that have already 
been held, ``small businesses'' were entities with average gross 
revenues for the prior three calendar years of $40 million or less. 
Through these auctions, the Commission has awarded a total of 41 
licenses, out of which 11 were obtained by small businesses. To ensure 
meaningful participation of small business entities in future auctions, 
the Commission has adopted a two-tiered small business size standard in 
the Narrowband PCS Second Report and Order. A ``small business'' is an 
entity that, together with affiliates and controlling interests, has 
average gross revenues for the three preceding years of not more than 
$40 million. A ``very small business'' is an entity that, together with 
affiliates and controlling interests, has average gross revenues for 
the three preceding years of not more than $15 million. The SBA has 
approved these small business size standards. In the future, the 
Commission will auction 459 licenses to serve Metropolitan Trading 
Areas (MTAs) and 408 response channel licenses. There is also one 
megahertz of narrowband PCS spectrum that has been held in reserve and 
that the Commission has not yet decided to release for licensing. The 
Commission cannot predict accurately the number of licenses that will 
be awarded to small entities in future auctions. However, four of the 
16 winning bidders in the two previous narrowband PCS auctions were 
small businesses, as that term was defined. The Commission assumes, for 
purposes of this analysis that a large portion of the remaining 
narrowband PCS licenses will be awarded to small entities. The 
Commission also assumes that at least some small businesses will 
acquire narrowband PCS licenses by means of the Commission's 
partitioning and disaggregation rules.
    53. 220 MHz Radio Service--Phase I Licensees. The 220 MHz service 
has both Phase I and Phase II licenses. Phase I licensing was conducted 
by lotteries in 1992 and 1993. There are approximately 1,515 such non-
nationwide licensees and four nationwide licensees currently authorized 
to operate in the 220 MHz band. The Commission has not developed a 
small business size standard for small entities specifically applicable 
to such incumbent 220 MHz Phase I licensees. To estimate the number of 
such licensees that are small businesses, the Commission applies the 
small business size standard under the SBA rules applicable to 
``Cellular and Other Wireless Telecommunications'' companies. This 
category provides that a small business is a wireless company employing 
no more than 1,500 persons. For the census category Cellular and Other 
Wireless Telecommunications, Census Bureau data for 1997 show that 
there were 977 firms in this category,

[[Page 31955]]

total, that operated for the entire year. Of this total, 965 firms had 
employment of 999 or fewer employees, and an additional 12 firms had 
employment of 1,000 employees or more. Thus, under this second category 
and size standard, the majority of firms can, again, be considered 
small. Assuming this general ratio continues in the context of Phase I 
220 MHz licensees, the Commission estimates that nearly all such 
licensees are small businesses under the SBA's small business size 
standard. In addition, limited preliminary census data for 2002 
indicate that the total number of cellular and other wireless 
telecommunications carriers increased approximately 321 percent from 
1997 to 2002.
    54. 220 MHz Radio Service--Phase II Licensees. The 220 MHz service 
has both Phase I and Phase II licenses. The Phase II 220 MHz service is 
a new service, and is subject to spectrum auctions. In the 220 MHz 
Third Report and Order, the Commission adopted a small business size 
standard for ``small'' and ``very small'' businesses for purposes of 
determining their eligibility for special provisions such as bidding 
credits and installment payments. This small business size standard 
indicates that a ``small business'' is an entity that, together with 
its affiliates and controlling principals, has average gross revenues 
not exceeding $15 million for the preceding three years. A ``very small 
business'' is an entity that, together with its affiliates and 
controlling principals, has average gross revenues that do not exceed 
$3 million for the preceding three years. The SBA has approved these 
small business size standards. Auctions of Phase II licenses commenced 
on September 15, 1998, and closed on October 22, 1998. In the first 
auction, 908 licenses were auctioned in three different-sized 
geographic areas: three nationwide licenses, 30 Regional Economic Area 
Group (EAG) Licenses, and 875 Economic Area (EA) Licenses. Of the 908 
licenses auctioned, 693 were sold. Thirty-nine small businesses won 
licenses in the first 220 MHz auction. The second auction included 225 
licenses: 216 EA licenses and 9 EAG licenses. Fourteen companies 
claiming small business status won 158 licenses.
    55. 800 MHz and 900 MHz Specialized Mobile Radio Licenses. The 
Commission awards ``small entity'' and ``very small entity'' bidding 
credits in auctions for Specialized Mobile Radio (SMR) geographic area 
licenses in the 800 MHz and 900 MHz bands to firms that had revenues of 
no more than $15 million in each of the three previous calendar years, 
or that had revenues of no more than $3 million in each of the previous 
calendar years, respectively. These bidding credits apply to SMR 
providers in the 800 MHz and 900 MHz bands that either hold geographic 
area licenses or have obtained extended implementation authorizations. 
The Commission does not know how many firms provide 800 MHz or 900 MHz 
geographic area SMR service pursuant to extended implementation 
authorizations, nor how many of these providers have annual revenues of 
no more than $15 million. One firm has over $15 million in revenues. 
The Commission assumes, for purposes here, that all of the remaining 
existing extended implementation authorizations are held by small 
entities, as that term is defined by the SBA. The Commission has held 
auctions for geographic area licenses in the 800 MHz and 900 MHz SMR 
bands. There were 60 winning bidders that qualified as small or very 
small entities in the 900 MHz SMR auctions. Of the 1,020 licenses won 
in the 900 MHz auction, bidders qualifying as small or very small 
entities won 263 licenses. In the 800 MHz auction, 38 of the 524 
licenses won were won by small and very small entities.
    56. 700 MHz Guard Band Licensees. In the 700 MHz Guard Band Order, 
the Commission adopted a small business size standard for ``small 
businesses'' and ``very small businesses'' for purposes of determining 
their eligibility for special provisions such as bidding credits and 
installment payments. A ``small business'' as an entity that, together 
with its affiliates and controlling principals, has average gross 
revenues not exceeding $15 million for the preceding three years. 
Additionally, a ``very small business'' is an entity that, together 
with its affiliates and controlling principals, has average gross 
revenues that are not more than $3 million for the preceding three 
years. An auction of 52 Major Economic Area (MEA) licenses commenced on 
September 6, 2000, and closed on September 21, 2000. Of the 104 
licenses auctioned, 96 licenses were sold to nine bidders. Five of 
these bidders were small businesses that won a total of 26 licenses. A 
second auction of 700 MHz Guard Band licenses commenced on February 13, 
2001 and closed on February 21, 2001. All eight of the licenses 
auctioned were sold to three bidders. One of these bidders was a small 
business that won a total of two licenses.
    57. Rural Radiotelephone Service. The Commission has not adopted a 
size standard for small businesses specific to the Rural Radiotelephone 
Service. A significant subset of the Rural Radiotelephone Service is 
the Basic Exchange Telephone Radio System (BETRS). The Commission uses 
the SBA's small business size standard applicable to ``Cellular and 
Other Wireless Telecommunications,'' i.e., an entity employing no more 
than 1,500 persons. There are approximately 1,000 licensees in the 
Rural Radiotelephone Service, and the Commission estimates that there 
are 1,000 or fewer small entity licensees in the Rural Radiotelephone 
Service that may be affected by the rules and policies adopted herein.
    58. Air-Ground Radiotelephone Service. The Commission has not 
adopted a small business size standard specific to the Air-Ground 
Radiotelephone Service. The Commission will use SBA's small business 
size standard applicable to ``Cellular and Other Wireless 
Telecommunications,'' i.e., an entity employing no more than 1,500 
persons. There are approximately 100 licensees in the Air-Ground 
Radiotelephone Service, and the Commission estimates that almost all of 
them qualify as small under the SBA small business size standard.
    59. Aviation and Marine Radio Services. Small businesses in the 
aviation and marine radio services use a very high frequency (VHF) 
marine or aircraft radio and, as appropriate, an emergency position-
indicating radio beacon (and/or radar) or an emergency locator 
transmitter. The Commission has not developed a small business size 
standard specifically applicable to these small businesses. For 
purposes of this analysis, the Commission uses the SBA small business 
size standard for the category ``Cellular and Other 
Telecommunications,'' which is 1,500 or fewer employees. Most 
applicants for recreational licenses are individuals. Approximately 
581,000 ship station licensees and 131,000 aircraft station licensees 
operate domestically and are not subject to the radio carriage 
requirements of any statute or treaty. For purposes of the Commission's 
evaluations in this analysis, the Commission estimates that there are 
up to approximately 712,000 licensees that are small businesses (or 
individuals) under the SBA standard. In addition, between December 3, 
1998 and December 14, 1998, the Commission held an auction of 42 VHF 
Public Coast licenses in the 157.1875-157.4500 MHz (ship transmit) and 
161.775-162.0125 MHz (coast transmit) bands. For purposes of the 
auction, the Commission defined a ``small'' business as an entity that, 
together with controlling interests and affiliates, has average gross 
revenues for the preceding

[[Page 31956]]

three years not to exceed $15 million dollars. In addition, a ``very 
small'' business is one that, together with controlling interests and 
affiliates, has average gross revenues for the preceding three years 
not to exceed $3 million dollars. There are approximately 10,672 
licensees in the Marine Coast Service, and the Commission estimates 
that almost all of them qualify as ``small'' businesses under the above 
special small business size standards.
    60. Offshore Radiotelephone Service. This service operates on 
several UHF television broadcast channels that are not used for 
television broadcasting in the coastal areas of states bordering the 
Gulf of Mexico. There are presently approximately 55 licensees in this 
service. The Commission is unable to estimate at this time the number 
of licensees that would qualify as small under the SBA's small business 
size standard for ``Cellular and Other Wireless Telecommunications'' 
services. Under that SBA small business size standard, a business is 
small if it has 1,500 or fewer employees.
    61. 39 GHz Service. The Commission created a special small business 
size standard for 39 GHz licenses--an entity that has average gross 
revenues of $40 million or less in the three previous calendar years. 
An additional size standard for ``very small business'' is: an entity 
that, together with affiliates, has average gross revenues of not more 
than $15 million for the preceding three calendar years. The SBA has 
approved these small business size standards. The auction of the 2,173 
39 GHz licenses began on April 12, 2000 and closed on May 8, 2000. The 
18 bidders who claimed small business status won 849 licenses. 
Consequently, the Commission estimates that 18 or fewer 39 GHz 
licensees are small entities that may be affected by the rules and 
polices adopted herein.
    62. Multipoint Distribution Service, Multichannel Multipoint 
Distribution Service, and ITFS. Multichannel Multipoint Distribution 
Service (MMDS) systems, often referred to as ``wireless cable,'' 
transmit video programming to subscribers using the microwave 
frequencies of the Multipoint Distribution Service (MDS) and 
Instructional Television Fixed Service (ITFS). In connection with the 
1996 MDS auction, the Commission established a small business size 
standard as an entity that had annual average gross revenues of less 
than $40 million in the previous three calendar years. The MDS auctions 
resulted in 67 successful bidders obtaining licensing opportunities for 
493 Basic Trading Areas (BTAs). Of the 67 auction winners, 61 met the 
definition of a small business. MDS also includes licensees of stations 
authorized prior to the auction. In addition, the SBA has developed a 
small business size standard for Cable and Other Program Distribution, 
which includes all such companies generating $12.5 million or less in 
annual receipts. According to Census Bureau data for 1997, there were a 
total of 1,311 firms in this category, total, that had operated for the 
entire year. Of this total, 1,180 firms had annual receipts of under 
$10 million and an additional 52 firms had receipts of $10 million or 
more but less than $25 million. Consequently, the Commission estimates 
that the majority of providers in this service category are small 
businesses that may be affected by the rules and policies adopted 
herein. This SBA small business size standard also appears applicable 
to ITFS. There are presently 2,032 ITFS licensees. All but 100 of these 
licenses are held by educational institutions. Educational institutions 
are included in this analysis as small entities. Thus, the Commission 
tentatively conclude that at least 1,932 licensees are small 
businesses.
    63. Local Multipoint Distribution Service. Local Multipoint 
Distribution Service (LMDS) is a fixed broadband point-to-multipoint 
microwave service that provides for two-way video telecommunications. 
The auction of the 1,030 Local Multipoint Distribution Service (LMDS) 
licenses began on February 18, 1998 and closed on March 25, 1998. The 
Commission established a small business size standard for LMDS licenses 
as an entity that has average gross revenues of less than $40 million 
in the three previous calendar years. An additional small business size 
standard for ``very small business'' was added as an entity that, 
together with its affiliates, has average gross revenues of not more 
than $15 million for the preceding three calendar years. The SBA has 
approved these small business size standards in the context of LMDS 
auctions. There were 93 winning bidders that qualified as small 
entities in the LMDS auctions. A total of 93 small and very small 
business bidders won approximately 277 A Block licenses and 387 B Block 
licenses. On March 27, 1999, the Commission re-auctioned 161 licenses; 
there were 40 winning bidders. Based on this information, the 
Commission concludes that the number of small LMDS licenses consists of 
the 93 winning bidders in the first auction and the 40 winning bidders 
in the re-auction, for a total of 133 small entity LMDS providers.
    64. 218-219 MHz Service. The first auction of 218-219 MHz spectrum 
resulted in 170 entities winning licenses for 594 Metropolitan 
Statistical Area (MSA) licenses. Of the 594 licenses, 557 were won by 
entities qualifying as a small business. For that auction, the small 
business size standard was an entity that, together with its 
affiliates, has no more than a $6 million net worth and, after federal 
income taxes (excluding any carry over losses), has no more than $2 
million in annual profits each year for the previous two years. In the 
218-219 MHz Report and Order and Memorandum Opinion and Order, the 
Commission established a small business size standard for a ``small 
business'' as an entity that, together with its affiliates and persons 
or entities that hold interests in such an entity and their affiliates, 
has average annual gross revenues not to exceed $15 million for the 
preceding three years. A ``very small business'' is defined as an 
entity that, together with its affiliates and persons or entities that 
hold interests in such an entity and its affiliates, has average annual 
gross revenues not to exceed $3 million for the preceding three years. 
The Commission cannot estimate, however, the number of licenses that 
will be won by entities qualifying as small or very small businesses 
under its rules in future auctions of 218-219 MHz spectrum.
    65. 24 GHz--Incumbent Licensees. This analysis may affect incumbent 
licensees who were relocated to the 24 GHz band from the 18 GHz band, 
and applicants who wish to provide services in the 24 GHz band. The 
applicable SBA small business size standard is that of ``Cellular and 
Other Wireless Telecommunications'' companies. This category provides 
that such a company is small if it employs no more than 1,500 persons. 
According to Census Bureau data for 1997, there were 977 firms in this 
category, total, that operated for the entire year. Of this total, 965 
firms had employment of 999 or fewer employees, and an additional 12 
firms had employment of 1,000 employees or more. Thus, under this size 
standard, the great majority of firms can be considered small. These 
broader census data notwithstanding, the Commission believes that there 
are only two licensees in the 24 GHz band that were relocated from the 
18 GHz band, Teligent and TRW, Inc. It is the Commisson's understanding 
that Teligent and its related companies have less than 1,500 employees, 
though this may change in the future. TRW is not a small entity. Thus, 
only one incumbent licensee in the 24 GHz band is a small business 
entity.
    66. 24 GHz--Future Licensees. With respect to new applicants in the 
24 GHz

[[Page 31957]]

band, the small business size standard for ``small business'' is an 
entity that, together with controlling interests and affiliates, has 
average annual gross revenues for the three preceding years not in 
excess of $15 million. ``Very small business'' in the 24 GHz band is an 
entity that, together with controlling interests and affiliates, has 
average gross revenues not exceeding $3 million for the preceding three 
years. The SBA has approved these small business size standards. These 
size standards will apply to the future auction, if held.
2. Cable and OVS Operators
    67. Cable and Other Program Distribution. This category includes 
cable systems operators, closed circuit television services, direct 
broadcast satellite services, multipoint distribution systems, 
satellite master antenna systems, and subscription television services. 
The SBA has developed small business size standard for this census 
category, which includes all such companies generating $12.5 million or 
less in revenue annually. According to Census Bureau data for 2002, 
there were a total of 1,191 firms in this category that operated for 
the entire year. Of this total, 1,087 firms had annual receipts of 
under $10 million, and 43 firms had receipts of $10 million or more but 
less than $25 million. Consequently, the Commission estimates that the 
majority of providers in this service category are small businesses 
that may be affected by the rules and policies adopted herein.
    68. Cable System Operators. The Commission has developed its own 
small business size standards for cable system operators, for purposes 
of rate regulation. Under the Commission's rules, a ``small cable 
company'' is one serving fewer than 400,000 subscribers nationwide. In 
addition, a ``small system'' is a system serving 15,000 or fewer 
subscribers.
    69. Cable System Operators (Telecom Act Standard). The 
Communications Act of 1934, as amended, also contains a size standard 
for small cable system operators, which is ``a cable operator that, 
directly or through an affiliate, serves in the aggregate fewer than 1 
percent of all subscribers in the United States and is not affiliated 
with any entity or entities whose gross annual revenues in the 
aggregate exceed $250,000,000.'' The Commission has determined that 
there are approximately 67,700,000 subscribers in the United States. 
Therefore, an operator serving fewer than 677,000 subscribers shall be 
deemed a small operator, if its annual revenues, when combined with the 
total annual revenues of all its affiliates, do not exceed $250 million 
in the aggregate. Based on available data, the Commission estimates 
that the number of cable operators serving 677,000 subscribers or 
fewer, totals 1,450. The Commission neither requests nor collects 
information on whether cable system operators are affiliated with 
entities whose gross annual revenues exceed $250 million, and therefore 
is unable, at this time, to estimate more accurately the number of 
cable system operators that would qualify as small cable operators 
under the size standard contained in the Communications Act of 1934.
    70. Open Video Services. Open Video Service (OVS) systems provide 
subscription services. The SBA has created a small business size 
standard for Cable and Other Program Distribution. This standard 
provides that a small entity is one with $12.5 million or less in 
annual receipts. The Commission has certified approximately 25 OVS 
operators to serve 75 areas, and some of these are currently providing 
service. Affiliates of Residential Communications Network, Inc. (RCN) 
received approval to operate OVS systems in New York City, Boston, 
Washington, DC, and other areas. RCN has sufficient revenues to assure 
that they do not qualify as a small business entity. Little financial 
information is available for the other entities that are authorized to 
provide OVS and are not yet operational. Given that some entities 
authorized to provide OVS service have not yet begun to generate 
revenues, the Commission concludes that up to 24 OVS operators (those 
remaining) might qualify as small businesses that may be affected by 
the rules and policies adopted herein.
3. Internet Service Providers
    71. Internet Service Providers. The SBA has developed a small 
business size standard for Internet Service Providers (ISPs). ISPs 
``provide clients access to the Internet and generally provide related 
services such as Web hosting, Web page designing, and hardware or 
software consulting related to Internet connectivity.'' Under the SBA 
size standard, such a business is small if it has average annual 
receipts of $21 million or less. According to Census Bureau data for 
2002, there were 2,529 firms in this category that operated for the 
entire year. Of these, 2,437 firms had annual receipts of under $10 
million, and 47 firms had receipts of $10 million or more but less then 
$25 million. Consequently, the Commission estimates that the majority 
of these firms are small entities that may be affected by its action.
4. Other Internet-Related Entities
    72. Web Search Portals. The Commission's action pertains to 
interconnected VoIP services, which could be provided by entities that 
provide other services such as e-mail, online gaming, Web browsing, 
video conferencing, instant messaging, and other, similar IP-enabled 
services. The Commission has not adopted a size standard for entities 
that create or provide these types of services or applications. 
However, the census bureau has identified firms that ``operate Web 
sites that use a search engine to generate and maintain extensive 
databases of Internet addresses and content in an easily searchable 
format. Web search portals often provide additional Internet services, 
such as e-mail, connections to other Web sites, auctions, news, and 
other limited content, and serve as a home base for Internet users.'' 
The SBA has developed a small business size standard for this category; 
that size standard is $6 million or less in average annual receipts. 
According to Census Bureau data for 1997, there were 195 firms in this 
category that operated for the entire year. Of these, 172 had annual 
receipts of under $5 million, and an additional nine firms had receipts 
of between $5 million and $9,999,999. Consequently, the Commission 
estimates that the majority of these firms are small entities that may 
be affected by its action.
    73. Data Processing, Hosting, and Related Services. Entities in 
this category ``primarily * * * provid[e] infrastructure for hosting or 
data processing services.'' The SBA has developed a small business size 
standard for this category; that size standard is $21 million or less 
in average annual receipts. According to Census Bureau data for 1997, 
there were 3,700 firms in this category that operated for the entire 
year. Of these, 3,477 had annual receipts of under $10 million, and an 
additional 108 firms had receipts of between $10 million and 
$24,999,999. Consequently, the Commission estimates that the majority 
of these firms are small entities that may be affected by its action.
    74. All Other Information Services. ``This industry comprises 
establishments primarily engaged in providing other information 
services (except new syndicates and libraries and archives).'' The 
Commission's action pertains to interconnected VoIP services, which 
could be provided by entities that provide other services such as 
email, online gaming, web browsing, video conferencing, instant 
messaging,

[[Page 31958]]

and other, similar IP-enabled services. The SBA has developed a small 
business size standard for this category; that size standard is $6 
million or less in average annual receipts. According to Census Bureau 
data for 1997, there were 195 firms in this category that operated for 
the entire year. Of these, 172 had annual receipts of under $5 million, 
and an additional nine firms had receipts of between $5 million and 
$9,999,999. Consequently, the Commission estimates that the majority of 
these firms are small entities that may be affected by its action.
    75. Internet Publishing and Broadcasting. ``This industry comprises 
establishments engaged in publishing and/or broadcasting content on the 
Internet exclusively. These establishments do not provide traditional 
(non-Internet) versions of the content that they publish or 
broadcast.'' The SBA has developed a small business size standard for 
this new (2002) census category; that size standard is 500 or fewer 
employees. To assess the prevalence of small entities in this category, 
the Commission will use 1997 Census Bureau data for a relevant, now-
superseded census category, ``All Other Information Services.'' The SBA 
small business size standard for that prior category was $6 million or 
less in average annual receipts. According to Census Bureau data for 
1997, there were 195 firms in the prior category that operated for the 
entire year. Of these, 172 had annual receipts of under $5 million, and 
an additional nine firms had receipts of between $5 million and 
$9,999,999. Consequently, the Commission estimates that the majority of 
the firms in this current category are small entities that may be 
affected by its action.
    76. Software Publishers. These companies may design, develop or 
publish software and may provide other support services to software 
purchasers, such as providing documentation or assisting in 
installation. The companies may also design software to meet the needs 
of specific users. The SBA has developed a small business size standard 
of $21 million or less in average annual receipts for all of the 
following pertinent categories: Software Publishers, Custom Computer 
Programming Services, and Other Computer Related Services. For Software 
Publishers, Census Bureau data for 1997 indicate that there were 8,188 
firms in the category that operated for the entire year. Of these, 
7,633 had annual receipts under $10 million, and an additional 289 
firms had receipts of between $10 million and $24, 999,999. For 
providers of Custom Computer Programming Services, the Census Bureau 
data indicate that there were 19,334 firms that operated for the entire 
year. Of these, 18,786 had annual receipts of under $10 million, and an 
additional 352 firms had receipts of between $10 million and 
$24,999,999. For providers of Other Computer Related Services, the 
Census Bureau data indicate that there were 5,524 firms that operated 
for the entire year. Of these, 5,484 had annual receipts of under $10 
million, and an additional 28 firms had receipts of between $10 million 
and $24,999,999. Consequently, the Commission estimates that the 
majority of the firms in each of these three categories are small 
entities that may be affected by its action.
5. Equipment Manufacturers
    77. The equipment manufacturers described in this section are 
merely indirectly affected by the Commission's current action, and 
therefore are not formally a part of this RFA analysis. The Commission 
has included them, however, to broaden the record in this proceeding 
and to alert them to its decisions.
    78. Wireless Communications Equipment Manufacturers. The SBA has 
established a small business size standard for Radio and Television 
Broadcasting and Wireless Communications Equipment Manufacturing. 
Examples of products in this category include ``transmitting and 
receiving antennas, cable television equipment, GPS equipment, pagers, 
cellular phones, mobile communications equipment, and radio and 
television studio and broadcasting equipment'' and may include other 
devices that transmit and receive IP-enabled services, such as personal 
digital assistants (PDAs). Under the SBA size standard, firms are 
considered small if they have 750 or fewer employees. According to 
Census Bureau data for 1997, there were 1,215 establishments in this 
category that operated for the entire year. Of those, there were 1,150 
that had employment of under 500, and an additional 37 that had 
employment of 500 to 999. The percentage of wireless equipment 
manufacturers in this category was approximately 61.35%, so the 
Commission estimates that the number of wireless equipment 
manufacturers with employment of under 500 was actually closer to 706, 
with an additional 23 establishments having employment of between 500 
and 999. Consequently, the Commission estimates that the majority of 
wireless communications equipment manufacturers are small entities that 
may be affected by its action.
    79. Telephone Apparatus Manufacturing. This category ``comprises 
establishments primarily engaged primarily in manufacturing wire 
telephone and data communications equipment.'' Examples of pertinent 
products are ``central office switching equipment, cordless telephones 
(except cellular), PBX equipment, telephones, telephone answering 
machines, and data communications equipment, such as bridges, routers, 
and gateways.'' The SBA has developed a small business size standard 
for this category of manufacturing; that size standard is 1,000 or 
fewer employees. According to Census Bureau data for 1997, there were 
598 establishments in this category that operated for the entire year. 
Of these, 574 had employment of under 1,000, and an additional 17 
establishments had employment of 1,000 to 2,499. Consequently, the 
Commission estimates that the majority of these establishments are 
small entities that may be affected by its action.
    80. Electronic Computer Manufacturing. This category ``comprises 
establishments primarily engaged in manufacturing and/or assembling 
electronic computers, such as mainframes, personal computers, 
workstations, laptops, and computer servers.'' The SBA has developed a 
small business size standard for this category of manufacturing; that 
size standard is 1,000 or fewer employees. According to Census Bureau 
data for 1997, there were 563 establishments in this category that 
operated for the entire year. Of these, 544 had employment of under 
1,000, and an additional 11 establishments had employment of 1,000 to 
2,499. Consequently, the Commission estimates that the majority of 
these establishments are small entities that may be affected by its 
action.
    81. Computer Terminal Manufacturing. ``Computer terminals are 
input/output devices that connect with a central computer for 
processing.'' The SBA has developed a small business size standard for 
this category of manufacturing; that size standard is 1,000 or fewer 
employees. According to Census Bureau data for 1997, there were 142 
establishments in this category that operated for the entire year, and 
all of the establishments had employment of under 1,000. Consequently, 
the Commission estimates that the majority or all of these 
establishments are small entities that may be affected by it action.
    82. Other Computer Peripheral Equipment Manufacturing. Examples of

[[Page 31959]]

peripheral equipment in this category include keyboards, mouse devices, 
monitors, and scanners. The SBA has developed a small business size 
standard for this category of manufacturing; that size standard is 
1,000 or fewer employees. According to Census Bureau data for 1997, 
there were 1061 establishments in this category that operated for the 
entire year. Of these, 1,046 had employment of under 1,000, and an 
additional six establishments had employment of 1,000 to 2,499. 
Consequently, the Commission estimates that the majority of these 
establishments are small entities that may be affected by its action.
    83. Fiber Optic Cable Manufacturing. These establishments 
manufacture ``insulated fiber-optic cable from purchased fiber-optic 
strand.'' The SBA has developed a small business size standard for this 
category of manufacturing; that size standard is 1,000 or fewer 
employees. According to Census Bureau data for 1997, there were 38 
establishments in this category that operated for the entire year. Of 
these, 37 had employment of under 1,000, and one establishment had 
employment of 1,000 to 2,499. Consequently, the Commission estimates 
that the majority of these establishments are small entities that may 
be affected by its action.
    84. Other Communication and Energy Wire Manufacturing. These 
establishments manufacture ``insulated wire and cable of nonferrous 
metals from purchased wire.'' The SBA has developed a small business 
size standard for this category of manufacturing; that size standard is 
1,000 or fewer employees. According to Census Bureau data for 1997, 
there were 275 establishments in this category that operated for the 
entire year. Of these, 271 had employment of under 1,000, and four 
establishments had employment of 1,000 to 2,499. Consequently, the 
Commission estimates that the majority or all of these establishments 
are small entities that may be affected by its action.
    85. Audio and Video Equipment Manufacturing. These establishments 
manufacture ``electronic audio and video equipment for home 
entertainment, motor vehicle, public address and musical instrument 
amplifications.'' The SBA has developed a small business size standard 
for this category of manufacturing; that size standard is 750 or fewer 
employees. According to Census Bureau data for 1997, there were 554 
establishments in this category that operated for the entire year. Of 
these, 542 had employment of under 500, and nine establishments had 
employment of 500 to 999. Consequently, the Commission estimates that 
the majority of these establishments are small entities that may be 
affected by its action.
    86. Electron Tube Manufacturing. These establishments are 
``primarily engaged in manufacturing electron tubes and parts (except 
glass blanks).'' The SBA has developed a small business size standard 
for this category of manufacturing; that size standard is 750 or fewer 
employees. According to Census Bureau data for 1997, there were 158 
establishments in this category that operated for the entire year. Of 
these, 148 had employment of under 500, and three establishments had 
employment of 500 to 999. Consequently, the Commission estimates that 
the majority of these establishments are small entities that may be 
affected by its action.
    87. Bare Printed Circuit Board Manufacturing. These establishments 
are ``primarily engaged in manufacturing bare (i.e., rigid or flexible) 
printed circuit boards without mounted electronic components.'' The SBA 
has developed a small business size standard for this category of 
manufacturing; that size standard is 500 or fewer employees. According 
to Census Bureau data for 1997, there were 1,389 establishments in this 
category that operated for the entire year. Of these, 1,369 had 
employment of under 500, and 16 establishments had employment of 500 to 
999. Consequently, the Commission estimates that the majority of these 
establishments are small entities that may be affected by its action.
    88. Semiconductor and Related Device Manufacturing. These 
establishments manufacture ``computer storage devices that allow the 
storage and retrieval of data from a phase change, magnetic, optical, 
or magnetic/optical media.'' The SBA has developed a small business 
size standard for this category of manufacturing; that size standard is 
500 or fewer employees. According to Census Bureau data for 1997, there 
were 1,082 establishments in this category that operated for the entire 
year. Of these, 987 had employment of under 500, and 52 establishments 
had employment of 500 to 999.
    89. Electronic Capacitor Manufacturing. These establishments 
manufacture ``electronic fixed and variable capacitors and 
condensers.'' The SBA has developed a small business size standard for 
this category of manufacturing; that size standard is 500 or fewer 
employees. According to Census Bureau data for 1997, there were 128 
establishments in this category that operated for the entire year. Of 
these, 121 had employment of under 500, and four establishments had 
employment of 500 to 999.
    90. Electronic Resistor Manufacturing. These establishments 
manufacture ``electronic resistors, such as fixed and variable 
resistors, resistor networks, thermistors, and varistors.'' The SBA has 
developed a small business size standard for this category of 
manufacturing; that size standard is 500 or fewer employees. According 
to Census Bureau data for 1997, there were 118 establishments in this 
category that operated for the entire year. Of these, 113 had 
employment of under 500, and 5 establishments had employment of 500 to 
999.
    91. Electronic Coil, Transformer, and Other Inductor Manufacturing. 
These establishments manufacture ``electronic inductors, such as coils 
and transformers.'' The SBA has developed a small business size 
standard for this category of manufacturing; that size standard is 500 
or fewer employees. According to Census Bureau data for 1997, there 
were 448 establishments in this category that operated for the entire 
year. Of these, 446 had employment of under 500, and two establishments 
had employment of 500 to 999.
    92. Electronic Connector Manufacturing. These establishments 
manufacture ``electronic connectors, such as coaxial, cylindrical, rack 
and panel, pin and sleeve, printed circuit and fiber optic.'' The SBA 
has developed a small business size standard for this category of 
manufacturing; that size standard is 500 or fewer employees. According 
to Census Bureau data for 1997, there were 347 establishments in this 
category that operated for the entire year. Of these, 332 had 
employment of under 500, and 12 establishments had employment of 500 to 
999.
    93. Printed Circuit Assembly (Electronic Assembly) Manufacturing. 
These are establishments ``primarily engaged in loading components onto 
printed circuit boards or who manufacture and ship loaded printed 
circuit boards.'' The SBA has developed a small business size standard 
for this category of manufacturing; that size standard is 500 or fewer 
employees. According to Census Bureau data for 1997, there were 714 
establishments in this category that operated for the entire year. Of 
these, 673 had employment of under 500, and 24 establishments had 
employment of 500 to 999.

[[Page 31960]]

    94. Other Electronic Component Manufacturing. These are 
establishments ``primarily engaged in loading components onto printed 
circuit boards or who manufacture and ship loaded printed circuit 
boards.'' The SBA has developed a small business size standard for this 
category of manufacturing; that size standard is 500 or fewer 
employees. According to Census Bureau data for 1997, there were 1,835 
establishments in this category that operated for the entire year. Of 
these, 1,814 had employment of under 500, and 18 establishments had 
employment of 500 to 999.
    95. Computer Storage Device Manufacturing. These establishments 
manufacture ``computer storage devices that allow the storage and 
retrieval of data from a phase change, magnetic, optical, or magnetic/
optical media.'' The SBA has developed a small business size standard 
for this category of manufacturing; that size standard is 1,000 or 
fewer employees. According to Census Bureau data for 1997, there were 
209 establishments in this category that operated for the entire year. 
Of these, 197 had employment of under 500, and eight establishments had 
employment of 500 to 999.

D. Description of Projected Reporting, Recordkeeping and Other 
Compliance Requirements

    96. The Commission is requiring telecommunications carriers and 
providers of interconnected VoIP service to collect certain information 
and take other actions to comply with its rules regarding the use of 
CPNI. For example, carriers must have an officer, as an agent of the 
carrier, sign and file with the Commission a compliance certificate on 
an annual basis stating that the officer has personal knowledge that 
the carrier has established procedures that are adequate to ensure 
compliance with the CPNI rules. The carrier must also provide a 
statement accompanying the certificate explaining how its operating 
procedures ensure that it is or is not in compliance with the CPNI 
rules. Further, the carrier must include an explanation of any actions 
taken against data brokers and a summary of all consumer complaints 
received in the past year concerning the unauthorized release of CPNI. 
Additionally, carriers must obtain opt-in approval before sharing CPNI 
with their joint venture partners or independent contractors for the 
purposes of marketing communications-related services to customers. 
Also, carriers are required to maintain a record of any discovered 
breaches, notifications to the United States Secret Service (USSS) and 
the Federal Bureau of Investigation (FBI) regarding those breaches, as 
well as the USSS and FBI response to those notifications for a period 
of at least two years.
    97. The Commission also imposes other requirements on 
telecommunications carriers and providers of interconnected VoIP 
service. Specifically, the Order prohibits carriers from releasing call 
detail information over the phone during customer-initiated telephone 
calls except by those methods provided for in the Order. The Order also 
requires that a carrier not permit customers to gain access to an 
online account without first properly authenticating the customer and, 
for subsequent access, without a customer password or response to a 
back-up authentication method for lost or forgotten passwords, neither 
of which may be based on a carrier prompt for readily available 
biographical information, or account information. For the rules 
pertaining to online carrier authentication, the Commission provides 
carriers that satisfy the definition of a ``small entity'' or a ``small 
business concern'' under the RFA or SBA an additional six months to 
implement these rules.
    98. The Order also requires that carriers notify customers through 
a carrier-originated voicemail or text message to the telephone number 
of record, or by mail or email to the address of record whenever a 
password, customer response to a back-up means of authentication for 
lost or forgotten passwords, online account, or address of record is 
created or changed. Further, the Order requires that carriers notify 
the USSS and the FBI no later than seven days after a reasonable 
determination of a CPNI breach.

E. Steps Taken to Minimize Significant Economic Impact on Small 
Entities, and Significant Alternatives Considered

    99. The RFA requires an agency to describe any significant 
alternatives that it has considered in reaching its proposed approach, 
which may include (among others) the following four alternatives: (1) 
The establishment of differing compliance or reporting requirements or 
timetables that take into account the resources available to small 
entities; (2) the clarification, consolidation, or simplification of 
compliance or reporting requirements under the rule for small entities; 
(3) the use of performance, rather than design, standards; and (4) an 
exemption from coverage of the rule, or any part thereof, for small 
entities.
    100. The notices invited comment on a number of issues related to 
small entities. For example, the Commission sought comment on the 
effect the various proposals described in the EPIC CPNI Notice will 
have on small entities, and on what effect alternative rules would have 
on those entities. Additionally, the Commission invited comment on ways 
in which the Commission can achieve its goal of protecting consumers 
while at the same time imposing minimal burdens on small 
telecommunications service providers. With respect to any of the 
Commission consumer protection regulations already in place, the 
Commission sought comment on whether it has adopted any provisions for 
small entities that the Commission should similarly consider in this 
proceeding? The Commission also invited comment on whether the problems 
identified by EPIC were better or worse at smaller carriers. The 
Commission invited comment on whether small carriers should be exempt 
from password-related security procedures to protect CPNI. The 
Commission invited comment on the benefits and burdens of recording 
audit trails for the disclosure of CPNI on small carriers. The 
Commission invited comment on whether requiring a small carrier to 
encrypt its stored data would be unduly burdensome. The Commission 
solicited comment on the cost to a small carrier of notifying a 
customer upon release of CPNI. The Commission sought comment on whether 
the Commission should amend its rules to require carriers to file 
annual certifications concerning CPNI and whether this requirement 
should extend to only telecommunications carriers that are not small 
telephone companies as defined by the Small Business Administration, 
and whether small carriers should be subject to different CPNI-related 
obligations.
    101. The Commission has considered each of the alternatives 
described above, and in this Order, imposes minimal regulation on small 
entities to the extent consistent with its goal of ensuring that 
carriers and providers of interconnected VoIP service protect against 
the unauthorized release of CPNI. Specifically, the Commission extended 
the implementation date for the rules pertaining to online 
authentication by six months so that small businesses will have 
additional time to come into compliance with the Order's rules.
    102. As stated above, the Commission must assess the interests of 
small businesses in light of the overriding public interest of 
protecting against the unlawful release of CPNI. The Order discusses 
that CPNI is made up of very personal data. Therefore, the

[[Page 31961]]

Commission concluded that it was important for all telecommunications 
carriers and providers of interconnected VoIP service, including small 
businesses, to comply with the rules the Commission adopts in this 
Order six months after the Order's effective date or on receipt of OMB 
approval, as required by the Paperwork Reduction Act, whichever is 
later. For example, the Commission concluded that carriers and 
providers of interconnected VoIP service must stop releasing call 
detail information based on customer-initiated telephone calls except 
by those methods provided for in the Order. Additionally, the 
Commission concluded that it was important for all telecommunications 
carriers and providers of interconnected VoIP service to report 
breaches of CPNI data to law enforcement. The Commission therefore 
rejected solutions that would exempt small businesses. The record 
indicated that exempting small carriers from these regulations would 
compromise the Commission's goal of protecting all Americans from the 
unauthorized release of CPNI.
    103. Report to Congress: The Commission will send a copy of the 
Order, including this FRFA, in a report to be sent to Congress and the 
Government Accountability Office pursuant to the Congressional Review 
Act. In addition, the Commission will send a copy of the Order, 
including this FRFA, to the Chief Counsel for Advocacy of the SBA. A 
copy of the Order and FRFA (or summaries thereof) will also be 
published in the Federal Register.

Ordering Clauses

    104. Accordingly, It is ordered that pursuant to sections 1, 4(i), 
4(j), 222, and 303(r) of the Communications Act of 1934, as amended, 47 
U.S.C. 151, 154(i)-(j), 222, 303(r), this Report and Order and Further 
Notice of Proposed Rulemaking in CC Docket No. 96-115 and WC Docket No. 
04-36 is adopted, and that Part 64 of the Commission's rules, 47 CFR 
Part 64, is amended as set forth in Appendix B. The Order shall become 
effective upon publication in the Federal Register subject to OMB 
approval for new information collection requirements or six months 
after the Order's effective date, whichever is later.
    105. It Is Further Ordered that the Commission's Consumer and 
Governmental Affairs Bureau, Reference Information Center, shall send a 
copy of this Report and Order and Further Notice of Proposed 
Rulemaking, including the Final Regulatory Flexibility Analysis and the 
Initial Regulatory Flexibility Analysis, to the Chief Counsel for 
Advocacy of the Small Business Administration.

 List of Subjects in 47 CFR Part 64

    Customer proprietary network information, Reporting and 
recordkeeping requirements, Telecommunications.

Federal Communications Commission.
Marlene H. Dortch,
Secretary.

Final Rules

0
For the reasons discussed in the preamble, the FCC amends 47 CFR part 
64 as follows:

PART 64--MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

0
1. The authority citation for part 64 continues to read as follows:

    Authority: 47 U.S.C. 154, 254(k); secs. 403(b)(2)(B),(c), Pub. 
L. 104-104, 110 Stat. 56. Interpret or apply 47 U.S.C. 201, 218, 
222, 225, 226, 228, and 254(k) unless otherwise noted.


0
2. Revise Sec.  64.2003 to read as follows:


Sec.  64.2003  Definitions.

    (a) Account information. ``Account information'' is information 
that is specifically connected to the customer's service relationship 
with the carrier, including such things as an account number or any 
component thereof, the telephone number associated with the account, or 
the bill's amount.
    (b) Address of record. An ``address of record,'' whether postal or 
electronic, is an address that the carrier has associated with the 
customer's account for at least 30 days.
    (c) Affiliate. The term ``affiliate'' has the same meaning given 
such term in section 3(1) of the Communications Act of 1934, as 
amended, 47 U.S.C. 153(1).
    (d) Call detail information. Any information that pertains to the 
transmission of specific telephone calls, including, for outbound 
calls, the number called, and the time, location, or duration of any 
call and, for inbound calls, the number from which the call was placed, 
and the time, location, or duration of any call.
    (e) Communications-related services. The term ``communications-
related services'' means telecommunications services, information 
services typically provided by telecommunications carriers, and 
services related to the provision or maintenance of customer premises 
equipment.
    (f) Customer. A customer of a telecommunications carrier is a 
person or entity to which the telecommunications carrier is currently 
providing service.
    (g) Customer proprietary network information (CPNI). The term 
``customer proprietary network information (CPNI)'' has the same 
meaning given to such term in section 222(h)(1) of the Communications 
Act of 1934, as amended, 47 U.S.C. 222(h)(1).
    (h) Customer premises equipment (CPE). The term ``customer premises 
equipment (CPE)'' has the same meaning given to such term in section 
3(14) of the Communications Act of 1934, as amended, 47 U.S.C. 153(14).
    (i) Information services typically provided by telecommunications 
carriers. The phrase ``information services typically provided by 
telecommunications carriers'' means only those information services (as 
defined in section 3(20) of the Communication Act of 1934, as amended, 
47 U.S.C. 153(20)) that are typically provided by telecommunications 
carriers, such as Internet access or voice mail services. Such phrase 
``information services typically provided by telecommunications 
carriers,'' as used in this subpart, shall not include retail consumer 
services provided using Internet Web sites (such as travel reservation 
services or mortgage lending services), whether or not such services 
may otherwise be considered to be information services.
    (j) Local exchange carrier (LEC). The term ``local exchange carrier 
(LEC)'' has the same meaning given to such term in section 3(26) of the 
Communications Act of 1934, as amended, 47 U.S.C. 153(26).
    (k) Opt-in approval. The term ``opt-in approval'' refers to a 
method for obtaining customer consent to use, disclose, or permit 
access to the customer's CPNI. This approval method requires that the 
carrier obtain from the customer affirmative, express consent allowing 
the requested CPNI usage, disclosure, or access after the customer is 
provided appropriate notification of the carrier's request consistent 
with the requirements set forth in this subpart.
    (l) Opt-out approval. The term ``opt-out approval'' refers to a 
method for obtaining customer consent to use, disclose, or permit 
access to the customer's CPNI. Under this approval method, a customer 
is deemed to have consented to the use, disclosure, or access to the 
customer's CPNI if the customer has failed to object thereto within the 
waiting period described in Sec.  64.2008(d)(1) after the customer is 
provided appropriate notification of the carrier's request for consent 
consistent with the rules in this subpart.
    (m) Readily available biographical information. ``Readily available

[[Page 31962]]

biographical information'' is information drawn from the customer's 
life history and includes such things as the customer's social security 
number, or the last four digits of that number; mother's maiden name; 
home address; or date of birth.
    (n) Subscriber list information (SLI). The term ``subscriber list 
information (SLI)'' has the same meaning given to such term in section 
222(h)(3) of the Communications Act of 1934, as amended, 47 U.S.C. 
222(h)(3).
    (o) Telecommunications carrier or carrier. The terms 
``telecommunications carrier'' or ``carrier'' shall have the same 
meaning as set forth in section 3(44) of the Communications Act of 
1934, as amended, 47 U.S.C. 153(44). For the purposes of this subpart, 
the term ``telecommunications carrier'' or ``carrier'' shall include an 
entity that provides interconnected VoIP service, as that term is 
defined in section 9.3 of these rules.
    (p) Telecommunications service. The term ``telecommunications 
service'' has the same meaning given to such term in section 3(46) of 
the Communications Act of 1934, as amended, 47 U.S.C. 153(46).
    (q) Telephone number of record. The telephone number associated 
with the underlying service, not the telephone number supplied as a 
customer's ``contact information.''
    (r) Valid photo ID. A ``valid photo ID'' is a government-issued 
means of personal identification with a photograph such as a driver's 
license, passport, or comparable ID that is not expired.

0
3. Section 64.2005 is amended by revising paragraph (c)(3) to read as 
follows:


Sec.  64.2005  Use of customer proprietary network information without 
customer approval.

* * * * *
    (c) * * *
    (3) LECs, CMRS providers, and entities that provide interconnected 
VoIP service as that term is defined in Sec.  9.3 of this chapter, may 
use CPNI, without customer approval, to market services formerly known 
as adjunct-to-basic services, such as, but not limited to, speed 
dialing, computer-provided directory assistance, call monitoring, call 
tracing, call blocking, call return, repeat dialing, call tracking, 
call waiting, caller I.D., call forwarding, and certain centrex 
features.
* * * * *

0
4. Section 64.2007 is amended by revising paragraph (b) to read as 
follows:


Sec.  64.2007  Approval required for use of customer proprietary 
network information.

* * * * *
    (b) Use of Opt-Out and Opt-In Approval Processes. A 
telecommunications carrier may, subject to opt-out approval or opt-in 
approval, use its customer's individually identifiable CPNI for the 
purpose of marketing communications-related services to that customer. 
A telecommunications carrier may, subject to opt-out approval or opt-in 
approval, disclose its customer's individually identifiable CPNI, for 
the purpose of marketing communications-related services to that 
customer, to its agents and its affiliates that provide communications-
related services. A telecommunications carrier may also permit such 
persons or entities to obtain access to such CPNI for such purposes. 
Except for use and disclosure of CPNI that is permitted without 
customer approval under section Sec.  64.2005, or that is described in 
this paragraph, or as otherwise provided in section 222 of the 
Communications Act of 1934, as amended, a telecommunications carrier 
may only use, disclose, or permit access to its customer's individually 
identifiable CPNI subject to opt-in approval.

0
5. Section 64.2009 is amended by revising paragraph (e) to read as 
follows:


Sec.  64.2009  Safeguards required for use of customer proprietary 
network information.

* * * * *
    (e) A telecommunications carrier must have an officer, as an agent 
of the carrier, sign and file with the Commission a compliance 
certificate on an annual basis. The officer must state in the 
certification that he or she has personal knowledge that the company 
has established operating procedures that are adequate to ensure 
compliance with the rules in this subpart. The carrier must provide a 
statement accompanying the certificate explaining how its operating 
procedures ensure that it is or is not in compliance with the rules in 
this subpart. In addition, the carrier must include an explanation of 
any actions taken against data brokers and a summary of all customer 
complaints received in the past year concerning the unauthorized 
release of CPNI. This filing must be made annually with the Enforcement 
Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining 
to the previous calendar year.
* * * * *

0
6. Section 64.2010 is added to subpart U to read as follows:


Sec.  64.2010  Safeguards on the disclosure of customer proprietary 
network information.

    (a) Safeguarding CPNI. Telecommunications carriers must take 
reasonable measures to discover and protect against attempts to gain 
unauthorized access to CPNI. Telecommunications carriers must properly 
authenticate a customer prior to disclosing CPNI based on customer-
initiated telephone contact, online account access, or an in-store 
visit.
    (b) Telephone access to CPNI. Telecommunications carriers may only 
disclose call detail information over the telephone, based on customer-
initiated telephone contact, if the customer first provides the carrier 
with a password, as described in paragraph (e) of this section, that is 
not prompted by the carrier asking for readily available biographical 
information, or account information. If the customer does not provide a 
password, the telecommunications carrier may only disclose call detail 
information by sending it to the customer's address of record, or by 
calling the customer at the telephone number of record. If the customer 
is able to provide call detail information to the telecommunications 
carrier during a customer-initiated call without the telecommunications 
carrier's assistance, then the telecommunications carrier is permitted 
to discuss the call detail information provided by the customer.
    (c) Online access to CPNI. A telecommunications carrier must 
authenticate a customer without the use of readily available 
biographical information, or account information, prior to allowing the 
customer online access to CPNI related to a telecommunications service 
account. Once authenticated, the customer may only obtain online access 
to CPNI related to a telecommunications service account through a 
password, as described in paragraph (e) of this section, that is not 
prompted by the carrier asking for readily available biographical 
information, or account information.
    (d) In-store access to CPNI. A telecommunications carrier may 
disclose CPNI to a customer who, at a carrier's retail location, first 
presents to the telecommunications carrier or its agent a valid photo 
ID matching the customer's account information.
    (e) Establishment of a Password and Back-up Authentication Methods 
for Lost or Forgotten Passwords. To establish a password, a 
telecommunications carrier must authenticate the customer without the 
use of readily available biographical information, or account 
information.

[[Page 31963]]

Telecommunications carriers may create a back-up customer 
authentication method in the event of a lost or forgotten password, but 
such back-up customer authentication method may not prompt the customer 
for readily available biographical information, or account information. 
If a customer cannot provide the correct password or the correct 
response for the back-up customer authentication method, the customer 
must establish a new password as described in this paragraph.
    (f) Notification of account changes. Telecommunications carriers 
must notify customers immediately whenever a password, customer 
response to a back-up means of authentication for lost or forgotten 
passwords, online account, or address of record is created or changed. 
This notification is not required when the customer initiates service, 
including the selection of a password at service initiation. This 
notification may be through a carrier-originated voicemail or text 
message to the telephone number of record, or by mail to the address of 
record, and must not reveal the changed information or be sent to the 
new account information.
    (g) Business customer exemption. Telecommunications carriers may 
bind themselves contractually to authentication regimes other than 
those described in this section for services they provide to their 
business customers that have both a dedicated account representative 
and a contract that specifically addresses the carriers' protection of 
CPNI.

0
7. Section 64.2011 is added to subpart U to read as follows:


Sec.  64.2011  Notification of customer proprietary network information 
security breaches.

    (a) A telecommunications carrier shall notify law enforcement of a 
breach of its customers' CPNI as provided in this section. The carrier 
shall not notify its customers or disclose the breach publicly, whether 
voluntarily or under state or local law or these rules, until it has 
completed the process of notifying law enforcement pursuant to 
paragraph (b) of this section.
    (b) As soon as practicable, and in no event later than seven (7) 
business days, after reasonable determination of the breach, the 
telecommunications carrier shall electronically notify the United 
States Secret Service (USSS) and the Federal Bureau of Investigation 
(FBI) through a central reporting facility. The Commission will 
maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.
    (1) Notwithstanding any state law to the contrary, the carrier 
shall not notify customers or disclose the breach to the public until 7 
full business days have passed after notification to the USSS and the 
FBI except as provided in paragraphs (b)(2) and (b)(3) of this section.
    (2) If the carrier believes that there is an extraordinarily urgent 
need to notify any class of affected customers sooner than otherwise 
allowed under paragraph (b)(1) of this section, in order to avoid 
immediate and irreparable harm, it shall so indicate in its 
notification and may proceed to immediately notify its affected 
customers only after consultation with the relevant investigating 
agency. The carrier shall cooperate with the relevant investigating 
agency's request to minimize any adverse effects of such customer 
notification.
    (3) If the relevant investigating agency determines that public 
disclosure or notice to customers would impede or compromise an ongoing 
or potential criminal investigation or national security, such agency 
may direct the carrier not to so disclose or notify for an initial 
period of up to 30 days. Such period may be extended by the agency as 
reasonably necessary in the judgment of the agency. If such direction 
is given, the agency shall notify the carrier when it appears that 
public disclosure or notice to affected customers will no longer impede 
or compromise a criminal investigation or national security. The agency 
shall provide in writing its initial direction to the carrier, any 
subsequent extension, and any notification that notice will no longer 
impede or compromise a criminal investigation or national security and 
such writings shall be contemporaneously logged on the same reporting 
facility that contains records of notifications filed by carriers.
    (c) Customer notification. After a telecommunications carrier has 
completed the process of notifying law enforcement pursuant to 
paragraph (b) of this section, it shall notify its customers of a 
breach of those customers' CPNI.
    (d) Recordkeeping. All carriers shall maintain a record, 
electronically or in some other manner, of any breaches discovered, 
notifications made to the USSS and the FBI pursuant to paragraph (b) of 
this section, and notifications made to customers. The record must 
include, if available, dates of discovery and notification, a detailed 
description of the CPNI that was the subject of the breach, and the 
circumstances of the breach. Carriers shall retain the record for a 
minimum of 2 years.
    (e) Definitions. As used in this section, a ``breach'' has occurred 
when a person, without authorization or exceeding authorization, has 
intentionally gained access to, used, or disclosed CPNI.
    (f) This section does not supersede any statute, regulation, order, 
or interpretation in any State, except to the extent that such statute, 
regulation, order, or interpretation is inconsistent with the 
provisions of this section, and then only to the extent of the 
inconsistency.

 [FR Doc. E7-10732 Filed 6-7-07; 8:45 am]
BILLING CODE 6712-01-P