Prevention of Fraudulent Access to Phone Records Act - Makes it unlawful to attempt to obtain, or cause to be disclosed to any person, customer proprietary network information (CPNI) relating to any other person by: (1) making a false or fraudulent statement to an officer, employee, or agent of a telecommunications carrier; or (2) providing any document or other information to such officer, employee, or agent that the presenter knows or should have known to be forged, lost, stolen, or otherwise fraudulently obtained, or to contain a false or fraudulent statement or representation. Prohibits also: (1) the solicitation of another person to fraudulently obtain such information; and (2) the sale or other disclosure of CPNI obtained under false pretenses. Provides for enforcement through the Federal Trade Commission (FTC).
Amends the Communications Act of 1934 to expand responsibilities of telecommunications carriers with respect to the confidentiality of subscriber (customer) calling records, both cellular and land-line based. Allows a carrier to use individual calling records only for purposes such as increasing business or publishing directories, and prohibits a carrier from otherwise disclosing CPNI without express prior authorization by the subscriber. Directs the Federal Communications Commission (FCC) to prescribe regulations adopting more stringent security standards for CPNI (including detailed customer telephone records) to detect and prevent confidentiality violations. Provides penalties for such violations.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4943 Introduced in House (IH)]
109th CONGRESS
2d Session
H. R. 4943
To prohibit fraudulent access to telephone records.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
March 14, 2006
Mr. Barton of Texas (for himself, Mr. Dingell, Mr. Upton, Mr. Markey,
Mr. Stearns, Ms. Schakowsky, Mr. Gillmor, Mr. Gene Green of Texas, Mr.
Shimkus, Mr. Ross, Mrs. Wilson of New Mexico, Mr. Brown of Ohio, Mr.
Fossella, Ms. Baldwin, Mr. Buyer, Mrs. Capps, Mrs. Bono, Mr. Doyle, Mr.
Walden of Oregon, Ms. Solis, Mr. Burgess, Mr. Rush, Mr. Waxman, Mr.
Stupak, Mr. Gordon, Mr. Inslee, Mrs. Emerson, Mr. Lipinski, and Mr.
Wilson of South Carolina) introduced the following bill; which was
referred to the Committee on Energy and Commerce
_______________________________________________________________________
A BILL
To prohibit fraudulent access to telephone records.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Prevention of Fraudulent Access to
Phone Records Act''.
TITLE I--FEDERAL TRADE COMMISSION PROVISIONS
SEC. 101. FRAUDULENT ACCESS TO CUSTOMER TELEPHONE RECORDS.
(a) Prohibition on Obtaining Customer Information by False
Pretenses.--It shall be unlawful for any person to obtain or attempt to
obtain, or cause to be disclosed or attempt to cause to be disclosed to
any person, customer proprietary network information relating to any
other person by--
(1) making a false, fictitious, or fraudulent statement or
representation to an officer, employee, or agent of a
telecommunications carrier; or
(2) providing any document or other information to an
officer, employee, or agent of a telecommunications carrier
that the person knows or should know to be forged, counterfeit,
lost, stolen, or fraudulently obtained, or to contain a false,
fictitious, or fraudulent statement or representation.
(b) Prohibition on Solicitation of a Person to Obtain Customer
Information Under False Pretenses.--It shall be unlawful to request a
person to obtain from a telecommunications carrier customer proprietary
network information relating to any third person, if the person making
such a request knew or should have known that the person to whom such a
request is made will obtain or attempt to obtain such information in
the manner described in subsection (a).
(c) Prohibition on Sale or Other Disclosure of Customer Information
Obtained Under False Pretenses.--It shall be unlawful for any person to
sell or otherwise disclose to any person customer proprietary network
information relating to any other person if the person selling or
disclosing obtained such information in the manner described in
subsection (a).
SEC. 102. EXEMPTION.
No provision of section 101 shall be construed so as to prevent any
action by a law enforcement agency, or any officer, employee, or agent
of such agency, from obtaining or attempting to obtain customer
proprietary network information from a telecommunications carrier in
connection with the performance of the official duties of the agency,
in accordance with other applicable laws.
SEC. 103. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
A violation of section 101 shall be treated as a violation of a
rule defining an unfair or deceptive act or practice prescribed under
section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C.
57a(a)(1)(B)). The Federal Trade Commission shall enforce this title in
the same manner, by the same means, and with the same jurisdiction as
though all applicable terms and provisions of the Federal Trade
Commission Act were incorporated into and made a part of this title.
SEC. 104. DEFINITIONS.
As used in this title--
(1) the term ``customer proprietary network information''
has the meaning given such term in section 222(j)(1) of the
Communications Act of 1934 (47 U.S.C. 222(j)(1)) (as
redesignated by section 203 of this Act);
(2) the term ``telecommunications carrier''--
(A) has the meaning given such term in section
3(44) of the Communications Act of 1934 (47 U.S.C.
153(44)); and
(B) includes any provider of real-time Internet
protocol-enabled voice communications; and
(3) the term ``real-time Internet protocol-enabled voice
communications'' means any service that is treated by the
Federal Communications Commission as a telecommunications
service provided by a telecommunications carrier for purposes
of section 222 of the Communications Act of 1934 (47 U.S.C.
222) under regulations promulgated pursuant to subsection (h)
of such section.
TITLE II--FEDERAL COMMUNICATIONS COMMISSION PROVISIONS
SEC. 201. FINDINGS.
The Congress finds the following:
(1) As our Nation's communications networks become more
ubiquitous and increasingly sophisticated, more individuals and
industries will be using such networks in greater amounts to
communicate and conduct commercial transactions.
(2) The ease of gathering and compiling sensitive personal
information as a result of such communications is becoming more
efficient and commonplace due to advances in digital technology
and the widespread use of the Internet.
(3) Ensuring the privacy of sensitive individual telephone
calling records, both wireline and wireless, is of utmost
importance. The information gathered and retained by
communications providers can convey details about intimate
aspects of an individual's life, including who they call, when
they call, the duration of such calls, the frequency of their
communications, information about their purchases,
informational inquiries, political or religious interests, or
other affiliations.
(4) Disclosure of personal telephone records can also lead
to harassment, intimidation, physical harm, and identity theft.
(5) The government has a compelling interest in protecting
sensitive personal information contained in customer telephone
records and ensuring that commercial interests adequately
protect such records in order to preserve individual freedom,
safeguard personal privacy, and ensure trust in electronic
commerce.
(6) Because customers have a proprietary interest in their
sensitive personal information, customers should have some
control over the use and disclosure of telephone calling
records.
(7) A telecommunications carrier may use aggregated data it
has obtained from its customer databases to improve services,
solicit new business, or market additional services to its
customers.
(8) A telecommunications carrier may communicate to all
consumers in order to broadly solicit new business, and may
also target specific communications to its own existing
customers, without use or disclosure of detailed customer
calling records and thus without the threat of compromising
customer privacy.
(9) The risk of compromising customer privacy is raised and
increased whenever additional entities or persons are permitted
use of, or access to, or receive disclosure of, customer
calling records beyond the carrier with which the customer has
an established business relationship.
(10) A telecommunications carrier which obtains or
possesses a customer's calling records has a duty to safeguard
the confidentiality of such customer's personal information.
Detailed customer calling records describing the customer's use
of telecommunications services should not be publicly available
or offered for commercial sale.
SEC. 202. EXPANDED PROTECTION FOR DETAILED CUSTOMER RECORDS.
(a) Confidentiality of Customer Information.--Paragraph (1) of
section 222(c) of the Communications Act of 1934 (47 U.S.C. 222(c)(1))
is amended to read as follows:
``(1) Privacy requirements for telecommunications
carriers.--
``(A) In general.--Except as required by law or as
permitted under the following provisions of this
paragraph, a telecommunications carrier that receives
or obtains individually identifiable customer
proprietary network information (including detailed
customer telephone records) by virtue of its provision
of a telecommunications service shall only use,
disclose, or permit access to such information or
records in the provision by such carrier of--
``(i) the telecommunications service from
which such information is derived; or
``(ii) services necessary to, or used in,
the provision of such telecommunications
service, including the publishing of
directories.
``(B) Requirements for disclosure of detailed
information.--A telecommunications carrier may only use
detailed customer telephone records through, or
disclose such records to, or permit access to such
records by, a joint venture partner, independent
contractor, or any other third party (other than an
affiliate) if the customer has given express prior
authorization for that use, disclosure, or access, and
that authorization has not been withdrawn.
``(C) Requirements for affiliate use of both
general and detailed information.--A telecommunications
carrier may not, except with the approval of a
customer, use individually identifiable customer
proprietary network information (including detailed
customer telephone records) through, or disclose such
information or records to, or permit access to such
information or records by, an affiliate of such carrier
in the provision by such affiliate of the services
described in clause (i) or (ii) of subparagraph (A).
``(D) Requirements for partner and contractor use
of general information.--A telecommunications carrier
may not, except with the approval of the customer, use
individually identifiable customer proprietary network
information (other than detailed customer telephone
records) through, or disclose such information to, or
permit access to such information by, a joint venture
partner or independent contractor in the provision by
such partner or contractor of the services described in
clause (i) or (ii) of subparagraph (A).
``(E) Access to wireless telephone numbers.--A
telecommunications carrier may not, except with prior
express authorization from the customer, disclose the
wireless telephone number of any customer or permit
access to the wireless telephone number of any
customer.''.
(b) Disclosure of Detailed Information on Request by Customer.--
Section 222(c)(2) of such Act is amended by inserting ``(including a
detailed customer telephone record)'' after ``customer proprietary
network information''.
(c) Aggregate Data.--Section 222(c)(3) of such Act is amended by
adding at the end the following new sentence: ``Aggregation of data
that is conducted by a third party may be treated for purposes of this
subsection as aggregation by the carrier if such aggregation is
conducted in a secure manner under the control or supervision of the
carrier.''.
(d) Prohibition of Sale of General or Detailed Information.--
Section 222(c) of such Act is further amended by adding at the end the
following new paragraph:
``(4) Prohibition of sale of general or detailed
information.--Except for the purposes for which use,
disclosure, or access is permitted under subsection (d), it
shall be unlawful for any person to sell, rent, lease, or
otherwise make available for remuneration or other
consideration the customer proprietary network information
(including the detailed customer telephone records) of any
customer.''.
(e) Exceptions to Limitations on Disclosures of Detailed
Information.--Section 222(d) of such Act is amended--
(1) by striking ``its agents'' and inserting ``its joint
venture partners, contractors, or agents''; and
(2) in paragraph (1), by inserting after
``telecommunications services'' the following: ``, or provide
customer service with respect to telecommunications services to
which the customer subscribes''.
SEC. 203. PREVENTION BY TELECOMMUNICATIONS CARRIERS OF FRAUDULENT
ACCESS TO PHONE RECORDS.
Section 222 of the Communications Act of 1934 (47 U.S.C. 222) is
further amended--
(1) by redesignating subsection (h) as subsection (j);
(2) by inserting after subsection (g) the following new
subsections:
``(h) Prevention of Fraudulent Access to Phone Records.--
``(1) Regulations.--Within 180 days after the date of
enactment of the Prevention of Fraudulent Access to Phone
Records Act, the Commission shall prescribe regulations
adopting more stringent security standards for customer
proprietary network information (including detailed customer
telephone records) to detect and prevent violations of this
section. The Commission--
``(A) shall prescribe regulations--
``(i) to require timely notice (written or
electronic) to each customer upon breach of the
regulations under this section with respect to
customer proprietary network information
relating to that customer;
``(ii) to require timely notice to the
Commission upon breach of the regulations under
this section with respect to customer
proprietary network information relating to any
customer;
``(iii) to require periodic audits by the
Commission of telecommunication carriers and
their agents to determine compliance with this
section;
``(iv) to require telecommunications
carriers and their agents to maintain records--
``(I) of each time customer
proprietary network information is
requested or accessed by, or disclosed
to, a person purporting to be the
customer or to be acting at the request
or direction of the customer; and
``(II) if such access or disclosure
was granted to such a person, of how
the person's identity or authority was
verified;
``(v) to require telecommunications
carriers to establish a security policy that
includes appropriate standards relating to
administrative, technical, and physical
safeguards to ensure the security and
confidentiality of customer proprietary network
information;
``(vi) to prohibit any telecommunications
carrier from obtaining or attempting to obtain,
or causing to be disclosed or attempting to
cause to be disclosed to that carrier or its
agent or employee, customer proprietary network
information relating to any customer of another
carrier--
``(I) by using a false, fictitious,
or fraudulent statement or
representation to an officer, employee,
or agent of another telecommunications
carrier; or
``(II) by making a false,
fictitious, or fraudulent statement or
representation to a customer of another
telecommunications carrier; and
``(vii) only for the purposes of this
section, to treat as a telecommunications
service provided by a telecommunications
carrier any real-time Internet protocol-enabled
voice communications offered by any person to
the public, or such classes of users as to be
effectively available to the public, that
allows a user to originate traffic to, or
terminate traffic from, the public switched
telephone network; and
``(B) shall consider prescribing regulations--
``(i) to require telecommunications
carriers to institute customer-specific
identifiers in order to access customer
proprietary network information;
``(ii) to require encryption of customer
proprietary network information data or other
safeguards to better secure such data; and
``(iii) to require deletion of customer
proprietary network information data after a
reasonable period of time if such data is no
longer necessary for the purpose for which it
was collected or for the purpose of an
exception contained in section (d), and there
are no pending requests for access to such
information.
``(2) Reports.--
``(A) Assessment and recommendations.--Within 12
months after the date on which the Commission's
regulations under paragraph (1) are prescribed, and
again not later than 3 years later, the Commission
shall submit to the Committee on Energy and Commerce of
the House of Representatives and the Committee on
Commerce, Science, and Transportation of the Senate a
report containing--
``(i) an assessment of the efficacy and
adequacy of the regulations and remedies
provided in accordance with this subsection in
protecting customer proprietary network
information;
``(ii) an assessment of the efficacy and
adequacy of telecommunications carriers'
safeguards to secure such data, security plans,
and notification procedures; and
``(iii) any recommendations for additional
legislative or regulatory action to address
threats to the privacy of customer information.
``(B) Annual report.--The Federal Communications
Commission shall submit to Congress an annual report
containing--
``(i) the number and disposition of all
enforcement actions taken pursuant to this
subsection; and
``(ii) the number and type of notifications
received under paragraph (1)(A)(ii) and the
methodology, including the basis for the
selection of carriers to be audited, and the
results of each audit conducted under paragraph
(1)(A)(iii).
``(3) Dual regulation prohibited.--Any person that is
treated as a telecommunications carrier providing a
telecommunications service with respect to the offering of
real-time Internet protocol-enabled voice communications by the
regulations prescribed under paragraph (1)(A)(vii) shall not be
subject to the provisions of section 631 with respect to the
offering of such communications.
``(i) Forfeiture Penalties.--
``(1) Increased penalties.--In any case in which the
violator is determined by the Commission under section
503(b)(1) to have violated this section or the regulations
thereunder, section 503(b)(2)(B) shall be applied--
``(A) by substituting `$300,000' for `$100,000';
and
``(B) by substituting `$3,000,000' for
`$1,000,000'.
``(2) No first warnings.--Paragraph (5) of section 503(b)
shall not apply to the determination of forfeiture liability
under such section with respect to a violation of this section
or the regulations thereunder by any telecommunications carrier
or any agent of such a carrier.''; and
(3) in subsection (g), by striking ``subsection (i)(3)(A)''
and inserting ``subsection (j)(3)(A)''.
SEC. 204. DEFINITIONS.
Subsection (j) of section 222 of the Communications Act of 1934 (47
U.S.C. 222(j)), as redesignated by section 203(1) of this Act, is
amended by adding at the end the following new paragraphs:
``(8) Detailed customer telephone record.--The term
`detailed customer telephone record' means customer proprietary
network information that contains the specific and detailed
destinations, locations, duration, time, and date of
telecommunications to or from a customer, as typically
contained in the bills for such service. Such term does not
mean aggregate data or subscriber list information.
``(9) Wireless telephone number.--The term `wireless
telephone number' means the telephone number of a subscriber to
a commercial mobile service.''.
<all>
Introduced in House
Introduced in House
Referred to the House Committee on Energy and Commerce.
Reported by the Committee on Energy and Commerce. H. Rept. 109-398.
Reported by the Committee on Energy and Commerce. H. Rept. 109-398.
Placed on the Union Calendar, Calendar No. 217.
Llama 3.2 · runs locally in your browser
Ask anything about this bill. The AI reads the full text to answer.
Enter to send · Shift+Enter for new line