USTelecom, Other Carrier Groups, Support CTIA Petition on Lifeline Data Security

CTIA noted in its reply comments it's challenging only a “discrete part” of the Lifeline order. CTIA isn't challenging a requirement that Lifeline providers retain customer eligibility documentation, just the data security requirements, CTIA said. Section 222(a) of the Communications Act “does not give the Commission authority over carriers’ data security practices beyond those related to Customer Proprietary Network Information,” CTIA said: Section 201(b) of the act “does not provide the Commission with authority over carriers’ data security practices.”

CTIA took aim at what it said was the only opposition filed to its recon petition, by Appalshop, Center for Democracy & Technology, Center for Digital Democracy, Center for Rural Strategies, Consumer Action, Consumer Federation of America, Consumer Watchdog, Free Press, New America’s Open Technology Institute, Public Knowledge, United Church of Christ Office of Communication and World Privacy Forum (see 1510090039). The association said the public interest groups “filed an unpersuasive Opposition that merely recites the statements that the Commission made in the Order and in the TerraCom/YourTel [notice of apparent liability] and ultimately fails to refute the arguments made in the Petition.”

Carriers have good reason to challenge the security provision, CTIA said. The group cited the FCC July order requiring TerraCom and YourTel America to pay $3.5 million for failing to protect confidential information filed by consumers applying for Lifeline support (see 1507090035). “When carriers fail to implement the Commission’s preferred security safeguards, the Commission may seek exorbitant and seemingly unbounded fines with no connection to any actual consumer injury,” CTIA said. “The Order will constrain carriers with the risk of huge fines if they implement new data security solutions that depart from the Order, even if those new solutions better protect consumers.”

“Personal information should be protected and privacy obligations remain a top priority of all carriers,” USTelecom said in reply comments. But it said various provisions of the Communications Act don't give the FCC the legal authority to take the steps it did in the Lifeline order. The FCC must not go further than Congress intended, USTelecom said. “In enacting Section 222, Congress struck a careful balance between the needs of carriers and interests of customers in the protection of the privacy of their proprietary network information,” USTelecom said. “Nothing in the Act suggests that the Commission has been delegated authority to impose customer data security regulations beyond those associated with the statutorily defined category of CPNI.”

NTCA, WTA and John Staurulakis Inc. also filed in support of CTIA. “Strong data security protections are of even greater importance for RLECs, as the owners, managers, and operators of these small carriers operating in small rural towns and outlying areas know their customers personally, often living in the communities they serve,” the rural groups and telco consultant said. But FCC orders must be grounded in the Communications Act, they said. “As the CTIA Petition and ACA comments in support state, neither the plain text of Section 222 nor precedent grant the Commission authority over customer data beyond Customer Proprietary Network Information.”