FCC Download

Feb. 13, 2025

CPNI, Privacy, Cyber Security, and TCPA Update

By John J. Heitmann, JD, CIPP/US, Jack Pringle, JD, CIPP/US

Dear Clients and Friends,

With so much activity at the FCC (and the courts) related to data privacy and security issues involving mobile service providers and others, we thought it might be useful to share a summary of what we are tracking — or at least some of what we are tracking on the privacy front, which includes rules adopted under the Telephone Consumer Protection Act (TCPA), since the right to be left alone is the original American concept of privacy.

Upcoming filing and rule change effective dates lead us to recommend that all of our communications clients take a fresh look at their existing policies, practices, and training covering CPNI, privacy, network and data security, and consents to communicate. If your company needs to refresh, replace, or create policies, disclosures, or enrollment flows, we would be happy to help. 

Annual CPNI certification

Filings due March 1, 2025

Telecommunications carriers and interconnected Voice over Internet Protocol (VoIP) providers are obligated to file their annual certification documenting compliance with the Customer Proprietary Network Information (CPNI) rules by March 1. 

TCPA consent revocation rules effective April 11, 2025

On February 15, 2024, the FCC adopted the TCPA Consent Order addressing a consumer’s right to revoke consent to receive robocalls or robotexts.

On October 11, 2024, the FCC announced that compliance with the amendments and new rules set out in the TCPA Consent Order is required as of April 11, 2025.

The TCPA Consent Order contains the following requirements:

  • A called party can use any reasonable method to revoke consent to receive calls or text messages.
  • Any revocation request made using an automated, interactive voice or key press-activated opt-out mechanism on a call; using the words “stop,” “quit,” “end,” “revoke,” “opt-out,” “cancel,” or “unsubscribe” sent in reply to an incoming text message; or pursuant to a website or telephone number designated by the caller to process opt-out requests constitutes a reasonable means per se to revoke consent.
  • There are other reasonable opt-out mechanisms, but additional requirements may apply to the use of those mechanisms.
  • All requests to revoke consent must be honored within a reasonable time not to exceed ten business days from receipt of the request.
  • When a consumer opts out via one method or from one list, this opt-out must be applied to all communications to the number (voice calls and texts, all subscriptions). For example, if the consumer revokes consent using a reply text message, then consent must be deemed revoked not only to further robotexts but also to robocalls from that caller.

Changes to the CPNI rules to address Port-Out and SIM Swap Fraud

Rules likely to become effective within the next 90 days

On November 15, 2023, the FCC adopted a SIM Swap and Port-Out Order whose rules, once effective, will require wireless providers to refine their customer authentication procedures, customer notification policies, and record retention practices to protect customers from fraud schemes.

SIM Swap Fraud. A mobile phone contains a subscriber identity module (SIM) card, a chip that associates the customer’s phone number with that phone. SIM swapping happens when a threat actor convinces a victim’s wireless provider to transfer the victim’s service from the victim’s device to the threat actor’s device.

Port-Out Fraud. Port-out fraud involves the threat actor opening an account with a wireless provider on the victim’s behalf and arranging for the victim’s phone number to be ported out (transferred) to the new account.

The FCC revised a number of its rules to reduce the incidence of SIM Swap and Port-Out Fraud. Among other requirements, wireless providers must:

  • Notify customers in advance regarding SIM change and port-out requests;
  • Offer customers the option to lock their accounts to block processing of SIM changes and number ports;
  • Give customers notice of account protection mechanisms; and
  • Investigate and remediate fraud promptly.

These revised rules will go into effect after the FCC publishes notice in the Federal Register of the Office of Management and Budget’s (OMB) approval issued on January 15, 2025. Implementing these rule changes could require changes to terms, policies, and procedures.

Stricter Robocall Mitigation Database filing requirements

Some rules are likely to become effective within the next 90 days

On December 30, 2024, the FCC adopted its Robocall Mitigation Database Filing Order, which establishes new Robocall Mitigation Database rules. These rules include:

  • Requiring providers to re-certify annually (by March 1 of each year) to the accuracy of their Database submissions;
  • Establishing a $100 filing/re-certification fee;
  • Requiring all entities and individuals that register in the Commission’s Registration System (CORES) and use the Robocall Mitigation Database to update any information submitted to CORES within 10 business days of any change; and
  • Directing the FCC’s Wireline Competition Bureau to establish a dedicated reporting mechanism, issue additional guidance and “best practices” for filers, and establish two-factor authentication protocols for access to the Database.

Some of the revised rules will become effective 30 days after publication in the Federal Register, others will become effective following OMB review, and still others will become effective following notice to Congress and updates to the FCC’s information technology systems and internal procedures.

New Data Breach rule changes

Effective date delayed pending order on appeal at the 6th Circuit Court of Appeals

On December 13, 2023, the FCC adopted its Data Breach Reporting Requirements Order, significantly revising the existing security breach rules for information relating to telecommunications customers and services, including interconnected VoIP services. Accordingly, all telecommunications carriers and interconnected VoIP providers (collectively, “Service Providers”) would be subject to the revised rules.

On February 12, 2024, the Rules were published in the Federal Register, and their effective date was delayed indefinitely. Appeals of the Data Breach Reporting Requirements Order were consolidated in the 6th Circuit. On December 12, 2024, the Sixth Circuit heard oral argument. We are tracking the case. In the meantime, the FCC’s longstanding CPNI breach reporting rules continue to apply to telecommunications carriers, including wireless providers of telecommunications services.

Basic Cybersecurity Practices Now Required for Telecommunications Carriers Subject to CALEA

Effective January 15, 2025

Critical infrastructure segments in the U.S., including communications, energy, transportation systems and water and wastewater systems, face the threat of frequent cyberattacks. Recent incidents, such as the Salt Typhoon and Flax Typhoon attacks, exposed vulnerabilities in the communications sector, highlighting the urgent need for stronger cybersecurity and supply chain protections.

In response, on January 15, 2025, a divided FCC (with now-Chairman Carr and Commissioner Simington dissenting) issued a Declaratory Ruling clarifying that telecommunications carriers (including wireless carriers) have an affirmative obligation under Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) to manage and protect their communications networks. This obligation is effective immediately.

The FCC outlined “basic cybersecurity hygiene practices” for the “communications systems and services” of telecommunications carriers, including:

  • Implementing role-based access controls;
  • Changing default passwords;
  • Requiring minimum password strength;
  • Adopting multifactor authentication;
  • Patching known vulnerabilities; and
  • Using best practices to respond to identified exploits.

The FCC also issued a Notice of Proposed Rulemaking to implement section 105 of CALEA. The proposal would require an array of communications service providers (“Covered Providers”) to create and maintain cybersecurity and supply chain risk management plans. These plans are designed to protect communications systems and services.

Comments are due 30 days from the date of publication in the Federal Register, and Reply Comments are due 60 days from the date of publication in the Federal Register.

Covered Providers that would be subject to the rules

The FCC proposes to adopt several cybersecurity and supply chain risk management requirements and apply these requirements to many different types of service providers (“Covered Providers”), including:

  • facilities-based fixed and mobile broadband internet access service (BIAS) providers;
  • all broadcasting stations;
  • all cable systems;
  • wireline video systems;
  • wireline communications providers;
  • commercial radio operators;
  • interconnected VoIP providers;
  • telecommunications relay service (TRS) providers;
  • satellite communications providers;
  • commercial mobile radio providers;
  • wireless resellers and Mobile Virtual Network Operators (MVNOs);
  • covered 911 service providers;
  • covered 988 service providers; and
  • international section 214 authorization holders.

Proposed compliance timeline for small Covered Providers

Based on the Small Business Administration’s (SBA’s) small business size standard, small Covered Providers (e.g., a wireless communications provider with 1500 or fewer employees) would have until 24 months after publication in the Federal Register of notice that the Office of Management and Budget (OMB) has completed review of the proposed rules to certify their implementation of the cybersecurity plans described below. “Non-small” Covered Providers, by contrast, would have a compliance timeframe of 12 months from notice of completion of OMB review.

Key requirements

Under the proposed rules, Covered Providers must take “reasonable measures” to protect the confidentiality, integrity, and availability of their systems and services.

These measures must be detailed in a “cybersecurity risk management plan” (“Plan”) which addresses:

  • Identified cyber risks;
  • Controls to mitigate those risks; and
  • Processes to ensure effective application of these controls.

The Plan must address, but is not limited to, the following security controls:

  • Changing default passwords prior to operation;
  • Installing security updates in a timely manner;
  • Securing equipment behind properly configured firewalls or using other segmentation practices;
  • Requiring multifactor authentication where applicable;
  • Addressing the replacement of end-of-life equipment; and
  • Wiping, clearing, or encrypting user information before disposing of old devices.

Under the proposed rules, Covered Providers must annually certify the creation and implementation of their Plan.

Key takeaway

The FCC’s Declaratory Ruling and proposed security measures and requirements emphasize the importance of robust cybersecurity practices to protect critical infrastructure and sensitive information. Regardless of the fate of these actions in the new administration, communications providers should assess their cybersecurity practices and policies in order to protect their customers’ data and to improve the security and resilience of their systems.

Team Telecom Requirements to Create and Implement Security Policies and Practices

Effective now

The Committee for the Assessment of Foreign Participation in the United States Telecommunications Sector (known as “Team Telecom”) now requires the creation and implementation of security policies and practices meeting or exceeding the Cybersecurity and Infrastructure Security Agency’s (CISA) Cross-Sector Cybersecurity Performance Goals (https://www.cisa.gov/cross-sector-cybersecurity-performance-goals).

The creation and implementation of these policies is a condition to the approval of International Section 214 applications involving foreign ownership.

These security policies and practices may include access control, service provider/supply chain risk management, personnel vetting, and incident response.

Need help?

We regularly work with clients on a range of privacy and security-related issues, including TCPA compliance and robocall mitigation plans. Whether you need guidance on how to authenticate a customer without using readily identifiable biographical information, a review of the disclosures and consents to communicate and market to customers in an enrollment flow, help updating a public-facing privacy policy or internal-facing CPNI policy and training documents, or a security policy created from scratch, we can help with solutions that fit your needs and budget (e.g., our policy work can often be done on a predictable flat fee basis). The solutions we offer include:

  • Privacy policies
  • Broadband transparency statements
  • Accessibility policies
  • Terms and conditions
  • CPNI policies and training
  • CALEA policies
  • Drafting and review of TCPA disclosures
  • Creating Robocall Mitigation Database filings and mitigation plans
  • Cybersecurity policies

Please feel free to contact us for a free consultation.