April 2, 2007 5:43 PM PDT

FCC imposes rules designed to prevent pretexting

The Federal Communications Commission hopes to prevent data burglaries with a set of new regulations for phone companies aimed at preventing the fraudulent practice called "pretexting."

On Monday, the FCC issued an order designed to strengthen its current privacy rules by requiring telephone and wireless operators to adopt additional safeguards to protect personal telephone records from being disclosed to unauthorized people.

The new regulations come as lawmakers have already outlawed the practice of "pretexting," which encompasses any technique used to fraudulently obtain personal information. Congress is now looking to impose stricter regulations on phone companies to protect customer data.

The issue came to a head last year when investigators hired by Hewlett-Packard, in a quest to trace the source of board room media leaks, employed pretexting to nab the phone records of journalists--including three from CNET News.com--and company board members.

Specifically, the FCC order prohibits carriers from releasing--either over the phone or online--sensitive personal data, such as call detail records, unless the customer provides a password. It also requires operators to notify customers immediately when changes are made to their accounts. And it requires providers to notify their customers in the event of a breach of confidentiality.

Phone companies, including wireless, fixed line and voice over IP (VoIP) providers, also must annually certify their compliance with these regulations, inform the FCC of any actions they have taken against data brokers, and provide a summary of the complaints they receive regarding the unauthorized release of personal customer information. The regulations also require telephone carriers to notify law enforcement authorities before customers when they suspect breaches have occurred--a provision that drew criticism from the two Democratic FCC commissioners and consumer privacy advocates.

"Particularly in light of the most recent report on the TJX fiasco, which makes clear the problem with failing to notify consumers once a breach occurs, we believe the FCC should have rejected that approach," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which petitioned the regulators in August 2005 to impose stronger security standards on telephone companies.

He was referring to recent reports that 45.7 million accounts for customers of the company that operates such discount retail chains as T.J. Maxx and Marshalls were compromised.

Rotenberg said his organization was nevertheless "generally pleased" with the rules.

The FCC has taken "commendable and important steps to strengthen consumer privacy, and commendably done so without taking away the right of states to enact stronger laws," said Ed Mierzwinski of the U.S. Public Interest Research Group, a consumer advocacy group, although he added that he shared concerns about the law enforcement notification rules.

Phone companies, such as Verizon Communications, say protecting customer information is a top priority for them, and they are constantly reevaluating their security practices to protect consumers' data. Several companies have taken data brokers to court.

But they also feel the FCC may be going too far with its requirements.

"The key is protecting (sensitive) information without disrupting legitimate consumer activities and customer service," said David Fish, a spokesman for Verizon. "We have strong concerns that parts of the FCC order may have the unintended consequence of undermining consumers' ability to receive useful information about new products, services and savings."

One of the biggest concerns phone companies have is that the FCC is making it difficult for them to work with partners and marketing contractors to bring new services to consumers, by mandating that they can only share customer data with these partners once they obtain customer consent.

"We are deeply concerned that the FCC is taking an overly broad approach far beyond protecting the legitimate privacy interests of call detail information to preventing any marketing of new services, bundled offerings and new applications--using joint venture partners or independent contractors--that can save consumers money," Walter McCormick Jr., president and CEO of USTelecom, said in a statement.

"This is an extremely anticonsumer outcome. This approach also will impede competition and will particularly impact the smaller rural service providers, who now will be unable to work with outside marketing partners, even though they have no connection to illegal pretexting."

But the FCC said that after an extensive investigation, it found that the phone companies' current steps to protect consumers' information has not been adequate.

"The former 'opt-out' approach to customer consent, whereby a carrier may disclose a customer's phone records provided that a customer does not expressly withhold consent to such use, shifted too much of the burden to consumers, and has resulted in a much broader dissemination of consumer phone records," FCC Chairman Kevin Martin said in a statement. "The 'opt-in' approach adopted in this order clearly is supported by the record, is consistent with applicable law, and directly advances our interest in protecting customer privacy."

The new rules will go into effect six months after the federal Office of Management and Budget approves them, a process that by itself could take 120 days or more.

See more CNET content tagged:
pretexting, regulation, Marc Rotenberg, telephone company, Verizon Communications


Join the conversation!
Add your comment
A friend of mine...
A friend of mine had someone call from "Verizon Wireless" and told him that it was Verizon Customer Service. They then told him that there was a problem with his account and they needed to text him a new password. They then asked him to repeat it back to verify it was him.

They now had access to his Verizon Wireless Account and Call Log.

Beware of these sort of things. They think they are slick and can get away with it. As soon as I heard him read the password back.. I said you need to go back and change your password right now!

Needless to say he was very upset and I'm only sharing this to warn others.
Posted by cchenoweth6 (61 comments )
Reply Link Flag
Warped Perspective
Mr. McCormick seems to have confused what is best for consumers and what is best for the telecom companies who he appears to represent. I would gladly sacrifice easier access to the deals that are out there in order to eliminate the annoying marketing materials and phone calls that result from unauthorized sharing of information collected during a transaction.
If all companies gave consumers the option to restrict distribution of personal information and then actually honored those instructions then consumers would not feel the need for legislation of the sort being proposed.
Posted by cspaulson (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.