0715 Supporting Statement Sept 2017 (Final Version)

0715 Supporting Statement Sept 2017 (Final Version).docx

Telecommunications Carriers' Use of Customer Proprietary Network Information (CPNI) and Other Customer Information, CC Docket No. 96-115

OMB: 3060-0715

Document [docx]
Download: docx | pdf

Telecommunications Carriers’ Use of Customer Proprietary Network Information 3060-0715

(CPNI) and Other Customer Information, CC Docket No. 96-115 September 2017


SUPPORTING STATEMENT


A. Justification:


1. This information collection implements the statutory obligations of section 222 of the Communications Act of 1934, as amended (the Act).


Section 222 provides: “[e]very telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers, including telecommunications carriers reselling telecommunications services provided by a telecommunications carrier.” 47 U.S.C. § 222(a).


By definition, Customer Propriety Network Information (CPNI) means:


(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and


  1. information contained in the bills relating to telephone exchange service or telephone toll service received by a customer of a carrier; except that such term does not include subscriber list information.” 47 U.S.C. § 222(h)(1).


By definition, Subscriber List Information means any information:


(A) identifying the listed names of subscribers of a carrier and such subscribers’ telephone numbers, addresses, or primary advertising classifications (as such classifications are assigned at the time of the establishment of such service), or any combination of such listed names, numbers, addresses, or classifications, and


  1. that the carrier or an affiliate has published, caused to be published, or accepted for publication in any directory format.” 47 U.S.C. § 222(h)(3).1

On April 2, 2007, the FCC released a Report and Order and Further Notice of Proposed Rulemaking (FCC 07-22),2 which:


(1) modified the recordkeeping and/or reporting requirements in paragraphs (a) through (i) of this supporting statement to include providers of interconnected Voice over Internet Protocol (VoIP) service,


(2) added new information collection requirements in paragraphs (o) through (r) of this supporting statement, and


(3) made other modifications as specifically noted.


Information Collection Requirements:


(a) Customer Approval (47 USC Section 222(c)(1)): If carriers or providers of interconnected VoIP service choose to use CPNI to market service offerings outside the customer’s existing service, they must obtain customer approval.


Carriers and providers of interconnected VoIP service are permitted to obtain such approval through written, oral, or electronic means. Carriers and providers of interconnected VoIP service are permitted to use advanced technologies of their networks, including 800 numbers, 888 numbers, and e-mail, to obtain customer approval, in addition to using various types of written approval, such as billing inserts. All carriers and providers of interconnected VoIP service are permitted to use CPNI to engage in win back marketing campaigns to target valued former customers that have switched to other carriers.


47 CFR Section 64.2005 permits the use of CPNI for fraud prevention programs.


Where carriers or providers of interconnected VoIP service are required to obtain customer approval, they may still do so through written, oral, or electronic means. See 47 CFR Sections 64.2003(k), 64.2005 and 64.2007 and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).


(b) Customer Approval Documentation and Recordkeeping: Telecommunications carriers and providers of interconnected VoIP service must implement a system by which the status of a customer’s CPNI approval can be clearly established prior to the use of CPNI.


By way of example:


    1. carriers or providers of interconnected VoIP service that do not presently keep computerized records need not implement an electronic method of verifying approval status;


    1. carriers or providers of interconnected VoIP service that already have computerized records could implement flags or adopt procedures whereby they access a separate database to verify approval status; or


    1. carriers or providers of interconnected VoIP service could develop a combination of computerized and non-computerized systems as they see fit.


Telecommunications carriers and providers of interconnected VoIP service must train their personnel as to when they are and are not authorized to use CPNI, and carriers and providers of interconnected VoIP service must have an express disciplinary process in place.


Carriers and providers of interconnected VoIP service must maintain records of approval—whether written, oral, or electronic—for a period of at least one year, and be capable of producing them if the sufficiency of a customer's approval is challenged. See 47 CFR Sections 64.2003(k), 64.2007(e) and 64.2009 and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).


(c) Notification of CPNI Rights: All telecommunications carriers and providers of interconnected VoIP service that choose to solicit customer approval must provide their customers a one-time notification of their CPNI rights prior to any such solicitation.


Carriers and providers of interconnected VoIP service are required to give customers explicit notice of their CPNI rights prior to any solicitation for approval. A carrier or a provider of interconnected VoIP service is permitted to provide either written or oral notification.


Such notification may take the form of a bill insert, an individual letter or an oral presentation that advises the customer of his/her right to restrict carrier access to CPNI. At a minimum, customer notification, whether oral or written, must provide sufficient information to enable the customer to make an informed decision as to whether to permit a carrier or provider of interconnected VoIP service to use, disclose, or permit access to CPNI.


The notice must:

  • specify the types of information that constitute CPNI,


  • specify the specific entities that will receive the CPNI,


  • describe the purpose for which the CPNI will be used, and


  • inform the customer of his or her right to disapprove those uses, and to deny or withdraw access to CPNI at any time.


The notification also must:


  • advise customers of the precise steps they must take in order to grant or deny access to CPNI,


  • clearly state that a denial of approval will not affect the provision of any services to which the customer subscribes, and


  • be reasonably comprehensible and non-misleading.


If any portion of a notification is translated into another language, then all portions of the notification must be translated into the language. See 47 CFR Sections 64.2003(k) and 64.2007(f) and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).


(d) Notification Recordkeeping: Pursuant to this one-time notification requirement, these carriers and providers of interconnected VoIP service must maintain a record of such notifications.


Carriers and providers of interconnected VoIP service must maintain such records for a period of at least one year. See 47 CFR Sections 64.2003(k) and 64.2007(e), and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).


  1. Event Histories Recordkeeping: Telecommunications carriers and providers of interconnected VoIP service must establish a supervisory review process regarding carrier or provider compliance with the rules in Part 64 for outbound marketing situations.


To assure compliance with CPNI protections, sales personnel must obtain supervisory review of any proposed request to use CPNI for outbound marketing purposes. Carriers or providers of interconnected VoIP service are required to maintain a record of these event histories for at least one year from the date of the marketing campaign. See 47 CFR Section 64.2009(d).


Carriers or providers of interconnected VoIP service using CPNI for sales and marketing campaigns must record the date and purpose of the campaign, and what products and services were offered to customers. Carriers and providers of interconnected VoIP service are required to maintain these records for a period of at least one year. See 47 CFR Sections 64.2003(k), and 64.2009(c) and (d), and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).


  1. Compliance Certification: All telecommunications carriers and providers of interconnected VoIP service must file on an annual basis a certification signed by a current corporate officer attesting that he or she has personal knowledge that the carrier/provider is in compliance with the Commission’s Part 64 rules, and create an accompanying statement explaining how the carrier/provider is implementing our rules and safeguards.


In addition, the carrier/provider must include an explanation of any actions taken against data brokers and a summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI. This filing must be made annually with the Enforcement Bureau on or before March 1 in EB Docket No. 06-36, for data pertaining to the previous calendar year. See 47 CFR Section 64.2009(e) and paragraphs 51-53 of the 2007 CPNI Order (FCC 07-22).



(g) Aggregate Customer Information Disclosure Requirements (47 USC 222(c)(3)): LECs and providers of interconnected VoIP service must disclose aggregate customer information to others upon request, when they use or disclose the aggregate customer information for the purposes of marketing service to which the customer does not subscribe. See 47 CFR Section 64.2003(k) and paragraphs 54-59 of the Report and Order and Further Notice of Proposed Rulemaking (FCC 07-22).

(h) CPNI Disclosure to Third Parties: Section 222(c)(2) requires carriers, when presented with a customer’s affirmative written request, to provide that customer's CPNI to any person designated in the written authorization.


Section 222(c)(2) also imposes a disclosure requirement on carriers to ensure that any party with customer authorization, including unaffiliated third party competitors, can obtain access to individually identifiable CPNI.


As such, carriers and providers of interconnected VoIP service must provide a customer's CPNI to any party that has obtained an affirmative written authorization from the customer. See 47 CFR Section 64.2003(k) and paragraphs 54-59 of the Report and Order and Further Notice of Proposed Rulemaking (FCC 07-22).


  1. Safeguards Required for Use of CPNI: In instances where carriers or providers of interconnected VoIP service use the carriers opt-out mechanism, they must provide written notice within five business days to the Commission of any instance where the opt-out mechanisms do not work properly, to such a degree that consumers’ inability to opt-out is more than an anomaly.


The notice shall be in the form of a letter, and include the following:


  • carrier’s or provider’s name,


  • a description of the opt-out mechanism(s) used,


  • the problem(s) experienced,


  • the remedy proposed and when it will be/was implemented,


  • whether the relevant state commission(s) has been notified, and whether it has taken any action,


  • a copy of the notice provided to customers, and


  • contact information.


Such notice must be submitted even if the carrier or provider offers other methods by which consumers may opt-out. See 47 CFR Sections 64.2003(k) and 64.2009(f), paragraphs 114-117 in the Third Report and Order and Third Further Notice of Proposed Rulemaking (FCC 02-214),3 and paragraphs 54-59 of the 2007 CPNI Order (FCC 07-22).

Subscriber List Information Requirements


(j) Provision of Subscriber List Information: A telecommunications carrier that provides telephone exchange service must provide subscriber list information gathered in its capacity as a provider of such service on a timely and unbundled basis, under nondiscriminatory and reasonable rates, terms, and conditions, to any person upon request for the purpose of publishing directories in any format. See 47 CFR Section 64.2309.


Carriers are obligated to provide updated subscriber list information to requesting directory publishers. For subscribers that have multiple telephone numbers, a carrier must provide requesting directory publishers with each telephone number that it has published, caused to be published, or accepted for publication in a directory. See Third R&O (FCC 99-227), paragraph 49.4


Upon request, a carrier that has received at least thirty days advance notice also must provide subscriber list information on any periodic basis that the carrier's internal systems can accommodate.


(k) Notifications: A carrier must provide subscriber list information at the time requested by the directory publisher, provided that the directory publisher has given at least thirty days advance notice and the carrier's internal systems permit the request to be filled within that timeframe. If a carrier's internal systems do not permit the carrier to provide subscriber list information within the requested timeframe, the carrier must inform the directory publisher that the requested schedule cannot be accommodated and tell the directory publisher which schedules can be accommodated. See 47 CFR Section 64.2313.


A directory publisher may request that a carrier unbundle subscriber list information on any basis for the purpose of publishing one or more directories. If the carrier's internal systems do not permit it to unbundle subscriber list information on the basis a directory publisher requests, the carrier must inform the directory publisher that it cannot unbundle subscriber list information on the requested basis and tell the directory publisher the basis on which the carrier can unbundle subscriber list information; and provide subscriber list information to the directory publisher on the basis the directory publisher chooses from among the available bases. See 47 CFR Section 64.2317.


A carrier shall provide subscriber list information obtained in its capacity as a provider of telephone exchange service to a requesting directory publisher in the format the publisher specifies, if the carrier's internal systems can accommodate that format.


If a carrier’s internal systems do not permit the carrier to provide subscriber list information in the format the directory publisher specifies, the carrier shall within thirty days of receiving the publisher's request:


  • inform the directory publisher that the requested format cannot be accommodated,


  • tell the directory publisher which formats can be accommodated, and


  • provide the requested subscriber list information in the format the directory publisher chooses from among the available formats. See 47 CFR Section 64.2329.


If a carrier finds that it cannot accommodate all of a group of multiple or conflicting requests for subscriber list information within the specified timeframes, the carrier shall respond to those requests on a nondiscriminatory basis.


The carrier shall inform each affected directory publisher of such requests within thirty days of when it receives the publisher’s request. See Third R&O (FCC 99-227), paragraph 68.


(l) Cost Study: In the event a directory publisher files a complaint regarding a carrier's subscriber list information rates, the carrier must present a cost study providing credible and verifiable cost data to justify each challenged rate. This cost study must clearly and specifically identify and justify:


  • incremental costs,


  • common costs,


  • overheads, and


  • other information.


The carrier should provide this information separately for both base file and updated subscriber list information if the complainant challenges both types of rates. See Third R&O (FCC 99-227), paragraph 106.


(m) Certification: A telecommunications carrier may require persons requesting subscriber list information pursuant to section 222(e) of the Act or section 64.2309 to certify that the publisher will use the information only for purposes of publishing a directory. The certification may be either oral or written, at the carrier’s option. See 47 CFR Section 64.2337.


(n) Disclosure of Contracts, Rates, Terms and Conditions and Recordkeeping:5 A telecommunications carrier must retain, for at least one year after its expiration, each written contract that it has executed for the provision of subscriber list information for directory publishing purposes to itself, an affiliate, or an entity that publishes directories on the carrier's behalf.


A telecommunications carrier must maintain, for at least one year after the carrier provides subscriber list information for directory publishing purposes to itself, an affiliate, or an entity that publishes directories on the carrier’s behalf, records of any of its rates, terms, and conditions for providing that subscriber list information which are not set forth in a written contract.


These records and contracts shall be made available to Commission and to any directory publisher upon request. Carriers, however, may withhold from disclosure those portions of their subscriber list contracts that are wholly unrelated to the provision of subscriber list information. Carrier also may subject disclosure to confidentiality agreements. See 47 CFR Section 64.2341.



Safeguards on the Disclosure of CPNI:


(o) Password and Back-up Authentication Methods for Lost or Forgotten Passwords for Call Detail Telephone Access and Online Access: If a telecommunications carrier or provider of interconnected VoIP service decides to provide call detail CPNI to the customer over the telephone during a customer-initiated telephone call, then it would be required to collect and maintain a database of any customer chosen passwords or response(s) to a back-up authentication methods. See 47 CFR Section 64.2010(a) – (e) and paragraphs 13-22 in the 2007 CPNI Order (FCC 07-22).


(p) Notification of Account Changes: A telecommunications carrier or provider of interconnected VoIP service must notify its customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. This notification is not required when the customer initiates service, including the selection of a password at service initiation. This notification may be through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record, and must not reveal the changed information or be sent to the new account information. See 47 CFR Section 64.2010(f) and paragraph 24 in the 2007 CPNI Order (FCC 07-22).


(q) Notification of CPNI Security Breaches: Telecommunications carriers and providers of interconnected VoIP service shall notify law enforcement of a breach of their customers’ CPNI through a central reporting facility located at http://www.fcc.gov/eb/cpni within seven business days after a reasonable determination of a breach. The carrier or provider shall notify its customers of the security breach after it has completed the process of notifying law enforcement. See 47 CFR Section 64.2011 and paragraphs 26-32 in the 2007 CPNI Order (FCC 07-22).


(r) Breach Notification Recordkeeping: Telecommunications carriers and providers of interconnected VoIP service must maintain a record, electronically or in some other manner, for a minimum period of two years, of any breaches discovered, notifications made to the United States Secret Service and the FBI, and notifications made to customers. This record must include, if available, dates of discovery and notification, a detailed description of the CPNI that was subject of the breach, and the circumstances of the breach. See 47 CFR Section 64.2011(c) and paragraph 29 in the Report and Order and Further Notice of Proposed Rulemaking (FCC 07-22).


Statutory authority for this collection of information is contained in sections 1, 4(i), 4(j), 201-205, 208, 222, 251, 303(r), and 403 of the Act, 47 U.S.C. §§ 151, 154(i), 154(j), 201-205, 208, 222, 303(r), and 403.


This information collection does affect individuals or households; thus, there are impacts under the Privacy Act. However, the information that is related to individuals or households is collected by third parties; and as a consequence, the Commission is not required to complete a privacy impact assessment.6


2. All of the information collection requirements are used to ensure that telecommunications carriers and providers of interconnected VoIP service comply with the requirements the Commission promulgates in its orders and to implement section 222 of the Act.


3. While the Commission anticipates that carriers and providers may choose to record CPNI using electronic or other technological collection techniques, the means of compliance is at the discretion of the carrier. We expect that information technology, including the use of voice menu systems and automated response recognition systems will be used by carriers, as they have in the past, to comply with the requirements.


4. This information collection does not duplicate any other information collection—the information that is being sought is unique to each carrier.


5. The collection of information will affect all telecommunications carriers and providers of interconnected VoIP service, some of which may be “small entities” within the meaning of the Small Business Act, 5 U.S.C. § 601(6). The current collection does not take explicit steps to minimize the burden on small entities.


6. Failing to collect the information identified as collections (e) and (f) above (and required by 47 CFR § 64.2009(c), (d), and (e)), or collecting it less frequently, may have minimal impact. In the 2016 Privacy Report and Order, the Commission examined the “the specific compliance recordkeeping and annual certification requirements in Section 64.2009 for voice providers” and concluded that “[e]liminating these requirements reduces burdens for all carriers, and particularly small carriers, which often may not need to record approval if they do not use or share customer PI for purposes other than the provision of service. We find that carriers are likely to keep records necessary to allow for any necessary enforcement without the need for specific requirements.” 31 FCC Rcd at 14005, para. 234 (footnote omitted).


Otherwise failing to collect the information outlined here, or collecting it less frequently, may violate the language and/or intent of the Act.


7. The only special circumstance that would require a carrier or provider to report information more than quarterly is the requirement that carriers and providers notify law enforcement and customers in the event of a CPNI breach.


8. Pursuant to 5 CFR § 1320.8, the Commission placed a notice in the Federal Register soliciting public comment. See 82 FR 214814 (May 10, 2017). The Commission received two comments in response to the notice, from CTIA and a joint response from the USTelecom Association and the Voice on the Net Coalition (VON). (USTelecom/VON Comments). CTIA asserts that the events history recordkeeping and annual compliance certifications requirements, in 47 CFR § 64.2009(c), (d), and (e) no longer serve “a practical and necessary program purpose” as OMB directs.7 CTIA asserts that because the Commission found last year, in the 2016 Privacy Report and Order, that such regulations were unnecessary, it is unclear how the Commission can assure OMB that the event history recordkeeping and compliance certification requirements have any practical utility.8 CTIA further asserts that the actual burdens of complying with these requirements “go far beyond the Commission’s previous estimates.”9 CTIA asserts that compliance with the CPNI event history recordkeeping and annual compliance certification requirements “involves many complex interactions among individuals in the business that are not and cannot be automated through technology.”10 CTIA asserts that for the annual certification requirement, “estimates suggest that compliance involves . . . no less than 35 to 45 total personnel hours each year and potentially more than 1,000 personnel hours depending upon the number of business units involved.”11 CTIA does not provide a burden estimate for the CPNI marketing campaign and supervisory approval recordkeeping requirements in Section 64.2009(c) and (d).


USTelecom and VON argue that the Commission should eliminate “the administrative requirements in Section 64.2009 of the Commission rules, including the annual certification requirement” because “the unnecessary paperwork burden outweighs whatever benefit it provides, and because eliminating the collection would not negatively affect consumers.”12 USTelecom and VON explain that if, however, the Commission elects not to entirely eliminate Section 64.2009 of the Commission’s rules, it should reduce the compliance burden by eliminating the annual certification requirements.13 USTelecom and VON explain that “[t]he original basis for the annual certification, as well as the other requirements of [Section] 64.2009, was to act as a safeguard to ensure that carriers were complying with the customer notice, consent and choice provisions of the CPNI rules. The safeguards established by [Section] 64.2009 are no longer necessary since the customer notice, consent and choice rules have been in effect for so long that compliance is already a well-established part of carriers’ and VoIP providers’ operating systems.”14 USTelecom and VON further assert that requiring carriers and interconnected VoIP providers to have the certification made at the officer level increases the burden because “to get a signed certification at the officer level companies have to jump through many layers of administrative hoops creating an unnecessarily high threshold for this compliance requirement.”15 USTelecom and VON assert that the remaining requirements of section 64.2009 are burdensome and should be eliminated because they have grown unnecessary over time and fail to provide any benefit to consumers.16 Finally, USTelecom and VON assert that the Commission’s burden estimate for the certification requirement is “grossly understated,” and asserts that the appropriate burden estimate for the certification requirements is 212,907 hours and $4,000,000.17 USTelecom and VON do not provide burden estimates for the other requirements in Section 64.2009.


On October 27, 2016, the Commission adopted a Report and Order in WC Docket No. 16-106, which amended the rules under 47 CFR Part 64, Subpart U, the subject of this collection, adopting instead other rules applicable inter alia to CPNI imposing certain notice, customer approval, data security, data breach notification, and other obligations, and eliminating “the specific compliance recordkeeping and annual certification requirements in Section 64.2009 for voice providers.” In that order, the Commission explained that “[e]liminating these requirements reduced burdens for all carriers.”18 The Commission found that carriers “are likely to keep records necessary to allow for any necessary enforcement without the need for specific requirements, and that notifications of data breaches to customers and to enforcement agencies (including the Commission under the new rules) will ensure compliance with the rules and a workable level of transparency for customers.”19 On March 23, 2017, the Senate passed a resolution of disapproval (S.J. Res. 34) of the Report and Order under the Congressional Review Act. The House of Representatives then passed S.J. Res. 34 on March 28, 2017. President Trump signed the resolution into law as Public Law 115-22 on April 3, 2017. Therefore, under the terms of the Congressional Review Act, the Report and Order shall be “treated as though such a rule had never taken effect.” 5 U.S.C. 801(f).


In June 2017, the Commission adopted an Order providing guidance that the Commission’s rules implementing Section 222 of the Communications Act for telecommunications carriers that were in existence prior to the 2016 Privacy Report and Order were again in effect pursuant to the resolution of disapproval of that Report and Order under the Congressional Review Act, “including the annual compliance certification requirements and recordkeeping requirements set out in Section 64.2009(e) and (c).” The Order further stated that “barring further action by the Commission, carriers subject to the annual compliance certification requirement must file such a certification no later than March 1, 2018.”


The Commission is currently reviewing the provisions identified by CTIA, USTelecom, and VON and their information collection implications in light of the comments raised in response to the PRA. However, given the timing for renewal of this collection, we seek approval of the entirety of the information collection, including the provisions for which commenters raise concerns.


In reviewing the revised burden estimates provided by the commenters, we agree that the Commission’s previous estimates for the certification requirement and the event histories recordkeeping requirement should be revised. As CTIA explains, for larger providers, coordination among various departments necessary to preparing the certification and event histories recordkeeping may in some cases take significantly longer that the 0.5 to 3 hours estimated by the Commission. However, commenters do not provide a methodology for determining either their burden hour estimates (which range from 35 to 59 to 1000 burden hours per provider), or the total burden amount (which range from $4 million to $9 million to $255 million). Further, we note that the burden hours we calculate are averaged across all providers; so, while some large providers may have heavier burdens to prepare the certification, the vast majority of providers are small providers that would not have the same complex business organizations in place. Taking all of these values and factors into consideration in recalculating the burden for the certification requirement, we revise our burden hours estimate as follows: For the event histories recordkeeping requirement, we increase the estimate from 0.5 hours/report to 41 hours/report. Based on the comments received regarding the complexity of compliance, this number was calculated by assuming escalating amounts of burden based on provider size (ranging from 20 hours for the smallest to 1000 hours for the four largest). Averaging the assumed values results in approximately 41 hours per respondent, for a total of 147,600 annual burden hours and a cost of approximately $11,672,060.40. We use this same methodology to determine the estimated burden hours for the certification requirement, revising from 3 hours/certification to 41 hours/certification, for a total of 147,600 annual burden hours, and a cost of approximately $12,701,496.60.


The purposes of the remaining provisions of Section 64.2009 are to ensure that all telecommunications carriers establish effective safeguards to protect against unauthorized access to CPNI by their employees or agents, or by unaffiliated third parties. USTelecom and VON provide no explanation of why the requirements to implement procedures by which the status of a customer’s CPNI approval can be clearly established prior to the use of CPNI (47 CFR § 64.2009(a)), to provide employee training in the authorized use of CPNI (47 CFR § 64.2009(b)), to establish a supervisory review process for sales and marketing (47 CFR § 64.2009(d)) (as distinct from the requirement to maintain records of such a process for one year), and to notify the Commission when opt-out mechanisms do not work (47 CFR § 64.2009(f)) properly provide no benefit to consumers and have grown unnecessary over time. If, as USTelecom and VON assert, carriers and interconnected VoIP providers have already established such procedures, then the burden on such carriers would be minimal. Further, we assume that such carriers have some level of employee turnover and that these requirements remain a necessary element in protecting customers’ CPNI. In addition, we find that establishing such procedures for new providers entering the market remains necessary to protect the CPNI of customers of such carriers.


9. The Commission does not anticipate providing any payment or gift to respondents.


  1. The Commission is not requesting that respondents submit confidential information. Any respondent who submits information to the Commission, which the respondent believes is confidential, may request confidential treatment of such information under section 0.459 of the Commission's rules. See 47 CFR Section 0.459.


11. There are no questions of a sensitive nature with respect to the information collected.


12. The following represents the Commission’s estimate of the annual hour burden of the collections of information:


The Commission makes several assumptions:


  1. The number of respondents is 3,600.20


  1. The Commission believes that as respondents have adopted information technology, office automation techniques, and standardized business practices and routines to increase efficiency in most areas of their businesses functions, including collection and protection of CPNI, and that the respondents will adopt similar information technology, office automation techniques, and standardized business practices and routines to reduce the hourly burden requirements, “in house” costs, and annual costs that are required to collect the information.


(3) The Commission believes that most of these respondents will use their “in house” staff to comply with these requirements, since, as noted above, we believe that technology allows them to adjust their business and office practices and functions to meet these requirements with only minimal changes, i.e., IT software has evolved to provide businesses with functional flexibility and adaptability.


Information Collection Requirements: These information collection requirements were last approved by OMB in a Notice of Action on September 9, 2014.


a. Customer approval:


  1. Number of Respondents: 3,600


Under the CPNI rules, all telecommunications carriers and interconnected VoIP providers must file from January 1 to March 1 their annual reports certifying compliance with the Commission’s rules protecting CPNI.21 For our estimate, we base the number of respondents on the total number of annual CPNI reports filed from January 1, 2016 to March 1, 2016 (for calendar year 2015).22 We also add an additional 2% to capture the number of filers that may not have met the March 1, 2016 deadline.


FCC Web-Based Electronic Filers = 1,700. For the 2015 reporting period, there were approximately 1,700 compliance certifications filed on the FCC web portal from January 1, 2016 to March 1, 2016.


ECFS Filings = 1,825. For the 2015 reporting period, there were approximately 1,825 certifications filed via ECFS from January 1, 2016 to March 1, 2016.


Additional Filers = 70. While we are unsure on the exact number of filers that do not comply with the annual filings, we added an additional 2% to capture the number of filers that may not meet the March 1 deadline.


FCC Web-Based Filers (1,700) + ECFS Filings (1,825) = 3,525 total

2% of 3,525 = 70


Total respondents: 1,700 + 1,825 + 70 = 3,595. We round the estimate up to 3,600.


(2) Frequency of Response: On occasion reporting requirement.


(3) Total Number of Responses Annually: 3,600 (reporting requirement)


3,600 respondents x 1 response/notification designed and sent to customers = 3,600 responses


(4) Total Annual Hour Burden: 3,420 hours


The Commission estimates that the respondents will require approximately two hours to design the notification, giving the respondents permission from their customers to use CPNI to market service offerings outside a customer’s existing service relationship. The rules have been in place since 2007 and we believe that only new entrants to the market will need to create the notification. We estimate approximately 10% of the 3,600 respondents are new entrants (3,600 x 10% = 360).


360 respondents x 2 hours/notification design = 720 hours


Once the customer grants the respondent permission to use his/her CPNI to market services outside the existing service relationship, the respondent does not have to seek approval again for the purpose for which it informed the customer.


However, if the respondent uses the opt-out approval mechanism, it must send a notice of customers’ rights to each customer biennially.


The Commission estimates that a respondent will require approximately 45 minutes (0.75 hours) to transmit this notice to its customers. The Commission believes that respondents can comply with this requirement by using sophisticated IT software, which poses only a minimal, incremental hourly burden on the respondents.


3,600 x 0.75 hours/transmit notification = 2,700 hours


Total Annual Hourly Burden: 720 + 2,700 = 3,420 hours


(5) Total “In-House” Costs: $142,615.98


We assume that respondents will use personnel comparable in pay to a GS-14/Step 5 ($60.83/hour) Federal employee,23 plus 30% overhead, to design the customer approval solicitation device. The rules have been in place since 2007 and we believe that only new entrants to the market will need to create the notification. We estimate approximately 10% of the 3,600 respondents are new entrants (3,600 x 10% = 360).


360 respondents x 2 hours/notification x $60.83/hour = $43,797.60


We also assume that respondents use personnel comparable in pay to a GS-7/Step 5 ($24.41/hour) Federal employee, plus 30% overhead, to transmit the solicitation.


3,600 respondents x 0.75 hours/notification transmission x $24.41/hour = $65,907.00


$43,797.60 + $65,907.00 = $109,704.60

30% overhead = $32,911.38

Total: $142,615.98


b. Customer Approval Documentation and Recordkeeping.


(1) Number of Respondents: 3,600


(2) Frequency of Response: Recordkeeping requirement


(3) Total Number of Responses Annually: 3,600 responses (recordkeeping)


3,600 respondents x 1 recordkeeping requirement/annum = 3,600 responses

(4) Total Annual Hourly Burden: 1,800 hours


The Commission estimates that a respondent will require approximately 30 minutes (0.5 hours) annually to maintain records of approval, whether written, oral, or electronic for a period of at least one year, and be capable of producing them if the sufficiency of a customer's approval is challenged.


3,600 respondents x 0.50 hours/recordkeeping for customer’s CPNI status = 1,800 hours


(5) Total “In-House” Cost: $57,119.40


The Commission assumes that the respondents use personnel comparable in pay to a GS-7/Step 5 ($24.41/hour) Federal employee, plus 30% for overhead, to comply with the recordkeeping requirement:


3,600 respondents x 0.5 hours/recordkeeping for CPNI status x $24.41/hour = $43,938.00

30% overhead = $13.181.40

Total: $57,119.40


c. Notification of CPNI Rights Requirement.


(1) Number of Respondents: 3,600


(2) Frequency of Response: One-time notification reporting requirement.


The timing of this notification is at the discretion of the carrier or provider.


(3) Total Number of Responses Annually: 3,600 responses (reporting requirement)


3,600 respondents x 1 response/notification design and sent to customers = 3,600 responses


(4) Total Annual Hourly Burden: 3,420 hours


The Commission estimates that all the respondents that choose to solicit customer approval will require approximately 2 hours to create the one-time notification that they must provide to their customers informing them of their CPNI rights prior to any such solicitation. The rules have been in place since 2007 and we believe that only new entrants to the market will need to create the notification. We estimate approximately 10% of the 3,600 respondents (360).


360 x 2 hours/notification design = 720 hours


The Commission estimates that a respondent will require approximately 45 minutes (0.75 hours) to transmit this notification to their customers. The Commission believes that respondents can comply with this requirement by using sophisticated IT software, which poses only a minimal, incremental hourly burden on the respondents.


3,600 respondents x 0.75 hours/notification transmission = 2,700 hours


Total Annual Hourly Burden: 720 + 2,700 = 3,420 hours


(5) Total “In-House” Costs: $142,615.98


We assume that respondents use personnel comparable in pay to a GS-14/Step 5 ($60.83/hour) Federal employee, plus 30% overhead, to design the notification statement. The rules have been in place since 2007 and we believe that only new entrants to the market will need to create the notification. We estimate approximately 10% of the 3,600 respondents (360).


360 respondents x 2 hours/notification x $60.83/hour = $43,797.60


We also assume that respondents use personnel comparable in pay to a GS-7/Step 5 ($24.41/hour) Federal employee, plus 30% overhead, to transmit the solicitation.


3,600 respondents x 0.75 hours/notification transmission x $24.41/hour = $65,907.00


$43,797.60 + $65,907.00 = $109,704.60

30% overhead = $ 32,911.38

Total: $142,615.98


d. Notification Recordkeeping.

(1) Number of Respondents: 3,600


  1. Frequency of Response: Recordkeeping requirement


(3) Total Number of Responses Annually: 3,600 responses (recordkeeping requirement)


3,600 respondents x 1 recordkeeping requirement = 3,600 recordkeeping requirements


(3) Total Annual Hourly Burden: 1,800 hours


The Commission estimates that a respondent will require approximately 30 minutes (0.5 hours) to maintain records of their one-time notification to customers of each customer’s CPNI rights prior to any solicitations.


3,600 respondents x 0.50 hours/recordkeeping for customer’s CPNI status = 1,800 hours


  1. Total “In-House” Cost: $57,119.40


The Commission assumes that respondents use personnel comparable in pay to a GS-7/Step 5 ($24.41) Federal employee, plus 30% for overhead, to comply with the recordkeeping requirement.


3,600 respondents x 0.5 hours x $24.41/hour = $43.938.00

30% overhead = $13,181.40

Total: $57,119.40


e. Event Histories Recordkeeping.


(1) Number of Respondents: 3,600


(2) Frequency of Response: Recordkeeping requirement


(3) Total Number of Responses Annually: 3,600 (recordkeeping responses)


3,600 respondents x 1 recordkeeping requirement = 3,600 recordkeeping responses

(4) Total Annual Hourly Burden: 147,600 hours


The Commission estimates that respondents will require approximately 41 hours annually to comply with the recordkeeping requirement that they record the date and purpose of the campaign, and what products and services were offered to customers, when they use customer CPNI for sales and marketing campaigns. Based on the comments received regarding the complexity of compliance, this number was calculated by assuming escalating amounts of burden based on provider size (ranging from 20 hours for the smallest to 1,000 hours for the four largest). Averaging the assumed values results in approximately 41 hours per respondent.


3,600 respondents x 41 hours/annual recordkeeping requirement = 147,600 hours


(5) Total “In-House” Cost: $11,672,060.40


The Commission estimates that respondents will use personnel comparable in pay to a GS-14/Step 5 ($60.83/hour) Federal employee because a number of the steps involved in gathering this information require the input of employees in a supervisory capacity, plus 30% for overhead, to comply with the recordkeeping requirement:


3,600 respondents x 41 hours x $60.83/hour = $8,978,508.00

30% overhead = $2,693,552.40

Total: $11,672,060.40

f. Compliance Certificate.


(1) Number of Respondents: 3,600


(2) Frequency of Response: Annual reporting requirement.


(3) Total Number of Responses Annually: 3,600 responses


3,600 respondents x 1 response/annum = 3,600 responses (reporting requirement)


(4) Total Annual Hourly Burden: 147,600 hours


The Commission estimates that respondents will take approximately 41 hours annually to comply with the requirement that they file their compliance certificate. Based on the comments received regarding the complexity of compliance, this number was calculated by assuming escalating amounts of burden based on provider size (ranging from 20 hours for the smallest to 1,000 hours for the four largest). Averaging the assumed values results in approximately 41 hours per respondent.


3,600 respondents x 41 hours/certification certificate = 147,600 hours


  1. Total “In-House” Cost: $12,701,496.60


The Commission estimates that respondents will use personnel comparable in pay to a GS-15/Step 5 ($71.56/hour) Federal employee for approximately half of the burden hours, and personnel comparable in pay to a GS-14/Step 5 ($60.83/hour) for approximately half of the burden hours, plus 30% overhead, to prepare this compliance report.


(3,600 respondents x 20.5 hours/compliance report x $71.56/ hour) = (3600 respondents x 20.5 hours/compliance report x $60.83/hour) = $9,770,382.00

30% overhead = $2,931,114.60

Total: $12,701,496.60

g. Aggregate Customer Information Disclosure Requirements.


(1) Number of Respondents: 1,476


We are unable to quantify the exact number and used the same percentages as the last submission from the total respondents to estimate incumbent LECs, competitive LECs, and interconnected VoIP providers:

21% of total respondents are incumbent LECs 21% x 3,600 = 756

14% of total respondents are competitive LECs 14% x 3,600 = 504

6% of total respondents are interconnected VoIP providers 6% x 3,600 = 216

Total: 1,476


(2) Frequency of Response: On occasion reporting requirements.


(3) Total Number of Responses Annually: 1,476 responses (reporting requirement)


1,476 respondents x 1 response/annum = 1,476 responses


(4) Total Annual Hourly Burden: 2,952 hours


The Commission estimates that respondents will require approximately 2 hours to comply with the requirement.


We believe that a respondent will have this information readily available in their electronic database(s) and use sophisticated IT software, which poses only a minimal, incremental burden on the respondents.


756 respondents x 2 hours/disclosure requirements = 1,512 hours

504 respondents x 2 hours/disclosure requirements = 1,008 hours

216 respondents x 2 hours/disclosure requirements = 432 hours

Total hours = 2,952 hours


(5) Total “In-House” Costs: $93,675.82


The Commission assumes that a respondent will use personnel comparable in pay to a GS-7/Step 5 ($24.41/hour) Federal employee, plus 30% overhead, to comply with this disclosure requirement.


756 respondents x 2 hours/disclosure requirement x $24.41/hour = $36,907.92

504 respondents x 2 hours/disclosure requirement x $24.41/hour = $24,605.28

216 respondents x 2 hours/disclosure requirement x $24.41/hour = $10,545.12

$72,058.32
30% overhead =
$21,617.50

Total: $93,675.82


h. CPNI Disclosure to Third Parties (47 U.S.C. Section 222(c)(2))


(1) Number of respondents: 500


(2) Frequency of Response: On occasion reporting requirement; third party disclosure requirement.


This obligation will arise when third parties that have obtained affirmative written customer authorization request access to CPNI. We believe that although all telecommunications carriers and providers of interconnected VoIP service are subject to Section 222(c)(2), on average, carriers will be required to respond to 500 or fewer requests for access to CPNI from third parties.

(3) Total Number of Responses Annually: 500 responses (third party disclosures)


500 respondents x 1 CPNI disclosure/annum = 500 responses


(4) Total Annual Hourly Burden: 1,000 hours


The Commission estimates that the respondents will require approximately two hours (2.0 hours) to respond annually to approximately 500 requests for access to CPNI from third parties, pursuant to affirmative written customer authorization.


This obligation will arise when these third parties that have obtained affirmative written customer authorization request access to CPNI.


The Commission estimates that the respondents will use sophisticated IT software, automation, and office standardization procedures, which make it possible for respondents to provide this information quickly to those third parties who request the information with the customer’s written authorization.


500 respondents x 2 hours/CPNI disclosures annually = 1,000 hours (third party disclosures)


(5) Total “In-House” Cost: $31,733.00,960.00


The Commission assumes that respondents will use personnel comparable in pay to a GS-7/Step 5 Federal employee ($24.41/hour), plus 30% overhead, to provide this CPNI information to these third party requesters:


500 respondents x 2 hours/CPNI disclosure x $24.41/hour = $24,410.00

30% overhead = $7,323.00

Total: $31,733.00


i. Safeguards Required for Use of CPNI.


(1) Number of Respondents: 5


(2) Frequency of Response: On occasion reporting requirement.


(3) Total Number of Responses Annually: 5


5 respondents x 1 response/annum = 5 responses (reporting requirement)


(4) Total Annual Hour Burden: 25 hours


The Commission believes that the instances where the respondents must report to the Commission any instances when the opt-out mechanisms did not work will require approximately five hours (5.0 hours) annually.


5 respondents x 5 hours/opt-out notification safeguard/annum = 25 hours


(5) Total “In-House” Costs: $1,976.98


The Commission assumes that respondents will use personnel comparable in pay to a GS-14/Step 5 Federal employee ($60.83), plus 30% for overhead, to comply with this notification requirement.


5 respondents x 5 hours/annum x $60.83 /hour = $1,520.75

30% overhead = $ 456.23

Total: $1,976.98



j. Subscriber List Information Disclosure:


  1. Number of Respondents: 1,188


The Commission believes that there are approximately 1,188 telecommunications carriers providing telephone exchange service

We are unable to quantify the exact number and used the same percentages as the last submission from the total respondents: 33% of total respondents provide telephone exchange (33% x 3,600 = 1,188).


(2) Frequency of Response: On occasion reporting requirements; third party disclosure requirements

(3) Total Number of Responses Annually: 7,128 responses (third party disclosure requirements)


1,188 respondents x 6 responses/annum = 7,128 responses

(4) Total Annual Hourly Burden: 14,256 hours


The Commission estimates that, on average, most respondents will be required to provide subscriber list information to directory publishers six times a year, including requests for updated subscriber list information and that the respondents will require approximately two hours annually to comply with this requirement.


The Commission also believes that because these requests are likely to be routine requests, the respondents will use advanced IT software, automation, and standardized business procedures to assemble the information quickly and to e-mail it to the directory publisher.


1,188 respondents x 2 hours/response x 6 times/annum = 14,256 hours.


(5) Total “In-House” Costs: $802,284.91


The Commission estimates that the respondents will use staff comparable in pay to a GS-12/Step 5 ($43.29/hour) Federal employee, plus 30% overhead, to comply with this requirement that they provide updated subscriber list information to requesting directory publishers.


14,256 hours/subscriber list requests x $43.29/hour = $617,142.24

30% overhead = $185,142.67

Total: $802,284.91


k. Notifications.


(1) Number of Respondents: 1,000


(2) Frequency of Response: On occasion reporting requirement; third party disclosure requirement.


(3) Total Number of Responses Annually: 1,000 responses (third party disclosure)


The Commission estimates that the respondents may receive approximately 1,000 requests from directory publishers annually for information on the carriers’ subscriber list information.


1,000 requests x 1 subscriber list request/annum = 1,000 responses


(4) Total Annual Hourly Burden: 2,000 hours


The Commission estimates that respondents will take approximately two hours to fulfill each directory publisher’s subscriber list information requests, which the carrier must do at the time it is requested by the directory publisher, provided that the directory publisher has given advance notice, and the carrier’s internal systems permit the request to be filled within that time frame.


The Commission believes that respondents are likely to use sophisticated IT software to create an automated and standardized process to assemble the subscriber list information requests quickly and expeditiously so that the information can be sent via e-mail to the directory publisher.


1,000 requests for subscriber list information x 2 hours/request = 2,000 hours (third party disclosure)


(5) Total “In-House” Cost: $112,554.00


The Commission estimates that the respondents will use personnel comparable in pay to a GS-12/Step 5 ($43.29/hour) Federal employee, plus 30% overhead, to comply with this requirement to provide the subscriber list information whenever directory publishers make such requests.


2,000 hours/subscriber list information request x $43.29/hour = $86,580.00

30% overhead = $25,974.00

Total: $112,554.00


l. Cost Study.


(1) Number of Respondents: 100


The Commission estimates that approximately 100 carriers may receive complaints from directory publishers (third parties) annually regarding the carrier’s subscriber list information rates.


(2) Frequency of response: On occasion reporting requirements; third party disclosure requirement.


(3) Total Number of Responses Annually: 100 responses (third party disclosures)


100 respondent carriers x 1 complaint/directory publisher = 100 complaint responses


(4) Total Annual Hourly Burden: 2,550 hours


The Commission estimates that respondents who receive a complaint regarding their subscriber list information rates will require approximately 50 hours to compile a “cost study” that provides credible and verifiable cost data to justify the challenge to their subscriber list information rates.


The Commission believes that respondents will have this information readily available because of the sophisticated IT software recordkeeping, automated accounting, and office management systems that they use in their business practices, making it easy to assemble the requisite data for the cost study as necessary to refute the publisher’s complaint.


Furthermore, the Commission believes that approximately 50% of the respondents will contract out this requirement.

100 respondents x 0.50/contracting out this requirement = 50 respondents


50 respondents x 50 hours/cost study “in-house” = 2,500 hours.


The Commission believes that the 50 respondents that contract out this requirement will spend approximately one hour in consultation with the contractors who prepared the cost studies.


50 respondents x 1 hour/consultation = 50 hours

Total: 2,500 hours + 50 hours = 2,550 hours

(5) Total “In-House” Costs: $237,221.40


The Commission estimates that the respondents will use personnel comparable in pay to a GS-15/Step 5 Federal employee ($71.56), plus 30% for overhead, to prepare the cost study or to consult with their consultants:


2,500 hours/cost study preparation x $71.56/hour = $178,900.00

50 hours/consultants conference x $71.56/hour = $3,578.00

$182,478.00

30% overhead = $54,743.40

Total: $237,221.40


m. Certification.


(1) Number of Respondents: 2,000


(2) Frequency of Response: On occasion reporting requirements; third party disclosure requirement.


(3) Total Number of Responses Annually: 2,000


2,000 respondents x 1 response/annum = 2,000 responses (third party disclosure)


(4) Total Annual Hourly Burden: 1,000 hours

The Commission estimates that publishers who request subscriber lists from the respondents are required to certify that the publisher will use the information only for the purposes of publishing a directory. The Commission estimates that the directory publishers will require approximately 30 minutes (0.5 hours) to comply with this third party requirement.


2,000 directory publishers (third parties) x 0.5 hours/certification = 1,000 hours (third party disclosure)


(5) Total “In-House” Cost: $93,028.00


The Commission estimates that the third party directory publishers who are required to provide this certification to the telecommunications carriers will use staff comparable in pay to a GS-15/Step 5 ($71.56/hour) Federal employee, plus 30% for overhead, to prepare the certification to send to the third party carriers certifying that they will use the subscriber information only for publishing their directory.


1,000 hours/certifications x $71.56/hour = $71,560.00

30% overhead = $21,468.00

Total: $93,028.00


n. Disclosure of Contract Rates, Terms, and Conditions and Recordkeeping.


(1) Number of Respondents: 1,188


We are unable to quantify the exact number and used the same percentages as the last submission from the total respondents: 33% of total respondents comply with requirement (33% x 3,600 = 1,188).


(2) Frequency of response: Recordkeeping requirements; third party disclosure requirement.


(3) Total Number of Responses Annually: 4,752 responses (recordkeeping and third party disclosures)


There are two recordkeeping requirements and one third party disclosure requirement for respondents as explained in (a), (b), and (c) below. The Commission also estimates that respondents will receive approximately two requests annually to provide the contract disclosure information to third party directory publishers in (c) below.


(a) they maintain records on their contract rates, terms, and conditions for at least one year,


1,188 respondents x 1 recordkeeping for contract records/annum = 1,188 responses


(b) they maintain records for at least one year after the carrier provides subscriber list information to directory publishers, and


1,188 respondents x 1 recordkeeping for subscriber list information/annum = 1,188 responses


(c) they make these records available to the FCC and to any directory publisher upon request.


1,188 respondents x 2 disclosures to directory publishers/annum = 2,376 third party disclosures


Total: 1,188 + 1,188 + 2,376 = 4,752 responses

(4) Total Annual Hour Burden: 3,564 hours


The Commission estimates that respondents will require approximately 30 minutes (0.5 hours) annually to comply with each of these two recordkeeping requirements below (a) and (b). The Commission also estimates that respondents will require approximately one hour to furnish the records to directory publishers twice annually in (c) below.


  1. they maintain records on their contract rates, terms, and conditions for at least one year,


1,188 respondents x 1 recordkeeping requirement/annum x 0.5 hours/response = 594 hours


  1. they maintain records for at least one year after the carrier provides subscriber list information to directory publishers, and


1,188 respondents x 1 recordkeeping requirement/annum x 0.5 hours/response = 594 hours


(c) they make these records available to the FCC and to any directory publisher upon request

1,188 respondents x 2 responses/annum x 1 hour/third party response = 2,376 hours (third party disclosure)


Total: 594 hours + 594 hours + 2,376 hours = 3,564 hours


(5) Total “In-House” Costs: $200,571.23


The Commission estimates that respondents will use staff comparable in pay to a GS-12/Step 5 ($43.29/hour) Federal employee, plus 30% overhead, to maintain these records and to disclose the contract and subscriber list information to publishers and the FCC, upon request, e.g., third party disclosure requirement.


594 hours/recordkeeping requirements x $43.29/hour = $25,714.26

594 hours/recordkeeping requirements x $43.29/hour = $25,714.26

2,376 hours/disclosure requirements x $43.29/hour = $102,857.04

$154,285.56

30% over head = $ 46,258.67

Total: $200,571.23

o. Password and Back-up Authentication Methods for Lost or Forgotten Passwords for Call Detail Telephone Access and Online Access.


(1) Number of Respondents: 3,600


(2) Frequency of Response: Recordkeeping requirement; reporting requirement.


(3) Total Number of Responses Annually: 39,603,600 responses (recordkeeping and reporting)


3,600 respondents x 1 recordkeeping requirement = 3,600 recordkeeping responses

The Commission believes that 20% of all customers will request a new password at least once: 24

198,000,000 customers x .20 x 1.0 responses/customer = 39,600,000 responses

Total: 3,600 responses + 39,600,000 responses = 39,603,600 responses


(4) Total Annual Hourly Burden: 82,800 hours


The Commission estimates that respondents that provide call detail CPNI to their customers over the telephone will require approximately one hour to design the password and back-up authentication mechanism for customers who lose or forget their passwords and need access to their call detail telephone access and on-line access. The rules have been in place since 2007 and we believe that most carriers have designed their authentication mechanism and only new entrants to the market will need to create the notification. The Commission estimates that respondents will use advanced IT software to design the recordkeeping mechanism for the password and back-up authentication that can virtually automate this process, and therefore, minimize both the response time and the cost for the carriers and VoIP providers.

3,600 respondents x 1 hour/recordkeeping = 3,600 hours


Finally, the Commission estimates that using similar sophisticated IT software and automation systems, these respondents can provide their customers who may request passwords using the back-up authentication process quickly and expeditiously in as little as 6 seconds (0.002 hours).

39,600,000 customers x 0.002 hours/password authentication = 79,200 hours


Total: 3,600 hours + 79,200 hours = 82,800 hours


(5) Total “In-House” Costs: $2,715.850.80


The Commission assumes the respondent carriers and providers use these comparable staff:


GS-12/Step 5 ($43.29/hour) Federal employee, plus 30% overhead, to manage the password and back-up authentication processes; and


GS-7, Step 5 ($24.41) Federal employee, plus 30% for overhead, to do the recordkeeping.


3,600 hours x $43.29/hour/recordkeeping = $155,844.00

79,200 hours x $24.41/hour/customer password and back-up authentications = $1,933,272.00 $2,089,116.00

30% overhead = $626,734.80

Total $2,715,850.80


  1. Notification of Account Changes.


(1) Number of Respondents: 3,600.


(2) Frequency of Response: On occasion reporting requirement; recordkeeping requirement.


(3) Total Number of Responses Annually: 39,600,000 responses (reporting and recordkeeping)


We assume 20% of the total customers may receive notification of account changes in any given year.

198,000,000 customers x 1 response/customer x .20= 39,600,000 responses


(4) Total Annual Hourly Burden: 79,560 hours


The Commission estimates that respondents will require approximately one hour to design the notification. The rules have been in place since 2007 and we believe that most carriers have designed the notification and only new entrants to the market will need to create it. We estimate approximately 10% of the 3,600 respondents are new entrants (3,600 x 10% = 360).

360 respondents x 1 hour/notification design = 360 hours


It is difficult to estimate the time involved because the Commission does not know how many of the respondents’ customers change their account information annually. We estimate that the respondents’ 39,600,000 customers may change their account information once annually, which will require approximately 6 seconds (0.002 hours) for the respondents to transmit this notification to these customers:


39,600,000 customers x 0.002 hours/notification transmission = 79,200 hours


Total: 360 hours + 79,200 hours = 79,560 hours



(5) Total “In-House” Costs: $2,541,722.04


The Commission believes that respondents will use personnel comparable in pay to a GS-14/ Step 5 ($60.83) Federal employee, plus 30% overhead, to design the recordkeeping device and a GS-7, Step 5 ($24.41) Federal employee, plus 30% for overhead, to do the recordkeeping. The rules have been in place since 2007 and we believe that most carriers have designed their recordkeeping device and only new entrants to the market will need to create the device. We estimate approximately 10% of the 3,600 respondents are new entrants (3,600 x 10% = 360).


360 hours x $60.83/hour = $21,898.80

79,200hours x $24.41/hour = $1,933,272.00

$1,955,170.80

30% overhead = $586,551.24

Total: $2,541,722.04


  1. Notification of CPNI Security Breaches.


(1) Number of Respondents: 100.


(2) Frequency of Response: On occasion reporting requirements; third party disclosure requirement.


(3) Total Number of Responses Annually: 200 responses (reporting and third party disclosure)


100 respondents x 1 law enforcement notification = 100 responses (third party disclosure)

100 respondents x 1 customer notification = 100 responses

Total = 200 responses

(4) Total Annual Hourly Burden: 60 hours


It is difficult to estimate the time involved because this reporting requirement only exists in the event of a CPNI security breach.


The Commission estimates that the respondents will require approximately 30 minutes (0.5 hours) to notify law enforcement officials of a breach of their customers’ CPNI via a central reporting facility located at http://www.fcc.gov/eb/cpni within seven business days.


The Commission estimates that these same respondents will also require approximately 6 minutes (0.10 hours) to notify a customer whose CPNI has been breached, once the FCC has been notified.


100 respondents x 0.5 hours/CPNI breach notification (“triggering event”) = 50.0 hours (third party disclosure)

100 respondents x 0.10 hours/customer CPNI breach notification = 10.0 hours


Total: 50.0 hours + 10.0 hours = 60 hours

(5) Total “In-House” Costs: $4,744.74


The Commission believes that respondents will use personnel comparable in pay to a GS-14/ Step 5 ($60.83) Federal employee plus 30% for overhead, to comply with the two notification requirements: (1) to law enforcement officials and (2) to the customers of the carrier or provider:


100 respondents x 0.5 hours/notification x $60.83/hour = $3,041.50

100 respondents x 0.10 hours/notification x $60.83/hour = $ 608.30

$3,649.80

30% Overhead = $1,094.94

Total: $4,744.74


  1. Breach Notification Recordkeeping.

(1) Total Number of Respondents: 100


(2) Frequency of Response: recordkeeping requirement.


(3) Total Number of Responses Annually: 100 responses (recordkeeping)


The Commission estimates that approximately 100 respondents may experience a CPNI breach annually, for which respondents are required to maintain records.


100 respondents x 1 recordkeeping requirement per breach = 100 responses/annum


(4) Total Annual Hour Burden: 100 hours

Because of the seriousness of such breaches, the Commission believes that the respondents will have a rapid response plan in place.


We believe that a plan will identify such CPNI breaches and respond quickly and efficiently to remedy these situations using advanced IT software to maintain a record of any breach situations—including discovery of the breach and subsequent notifications to the United States Secret Service and the FBI and to customers; and if available, the dates of discovery and notification, a detailed description of the CPNI that was subject of the breach, and the circumstances of the breach.

The Commission believes that it will take respondents approximately one hour to maintain the records for any breach emergencies using advanced IT software and office automation systems as part of a “breach emergency” plan.


100 breaches/annum x 1 hours/recordkeeping = 100 hours


  1. Total “In-House” Costs: $5,627.70


The Commission assumes that the respondents will use personnel comparable in pay to a GS-12/ Step 5 ($43.29/hour) Federal employee, plus 30% overhead, to maintain this recordkeeping requirement for CPNI breaches.


100 recordkeeping hours/annum x $43.29/hour = $4,329.00

30% overhead = $1,298.70

Total: $5,627.70


INFORMATION COLLECTION BURDEN ESTIMATES

Information Collection



Number of Respondents

Number of Responses

Time per Response

(Hours)

Total Hourly

Burden

In House” Cost

Total
“In House” Plus 30% Overhead


a. Customer Approval


Notification Design


360


360


2.0


720


$43,797.60

$142,615.98


Transmission


3,600


3,600


0.75


2,700


$65,907.00

b. Customer Approval Documentation and Recordkeeping

Recordkeeping

3,600



3,600

0.5

1,800

$43.938.00


$57,119.40


c. Notification of CPNI Rights Requirement

Notification Design

360

360

2.0

720

$43,797.60

$142,615.98

Transmission

3,600


3,600

0.75

2,700

$65,907.00

d. Notification Recordkeeping

Recordkeeping

3,600


3,600

0.5

1,800

$43.938.00

$57,119.40

e. Event Histories Recordkeeping

Recordkeeping

3,600


3,600

41.0

147,600

$8,978,508.00

$11,672,060.40

f. Compliance Guidance

Certificate

3,600


3,600

41.0

147,600

$9,770,382.00

$12,701,496.60

g. Aggregate Customer Information Disclosure Requirements

Recordkeeping

1,476



1,476

2.0

2,952

$72,058.32

$93,675.82

h. CPNI Disclosure to Third Parties

Disclosure

500


500

2.0

1,000

$24,410.00

$31,733.00

i. Safeguards Required for Use of CPNI

Safeguards

5


5

5.0

25

$1,520.75

$1,976.98

j. Subscriber List Information Disclosure Requirement for Providers of Telephone Exchange Service


Disclosure


1,188




7,128


2.0


14,256


$617,142.24

$802,284.91

k. Notifications

Notifications

1,000


1,000

2.0

2,000

$86,580.00

$112,554.00


l. Cost Study

Cost Study

50


50

50.0

2,500

$178,900.00

$237,221.40

Cost Study

50


50

1.0

50

$3,578.00

m. Certifications

Certifications

2,000


2,000

0.5

1,000

$71,560.00

$93,028.00


n. Disclosure of Contract Rules, Terms, and Conditions and Recordkeeping

Recordkeeping

1,188


1,188

0.5

594

25,714.26

$200,571.23

Records and Contracts

1,188


1,188

0.5

594

$25,714.26

Disclosures to Publishers


1,188


2,376


1.0


2,376


$102,857.04


o. Password and Back-up Authentication Methods for Lost or Forgotten Passwords for Call Detail Telephone Access and Online Access



Recordkeeping



3,600





3,600



1.0



3,600



$155,844.00

$2,715,850.80


Customers

39,600,000


39,600,000


0.002

79,200


$1,933.272.00

p. Notification of Account Changes

Notification Design


360


360


1.0


360


$21,898.80

$2,541,722.04

Transmission

39,600,000


39,600,000

0.002

79,200

$1,933,272.00

q. Notification of CPNI Security Breaches

Disclosure

100


100

0.5

50

$3,041.50

$4,744.74


Disclosure


100


100


0.1


10


$608.30

r. Breach Notification and Recordkeeping

Recordkeeping

100


100

1.0

100

$4,329.00

$5,627.70

CUMULATIVE TOTALS


3,600


79,243,541


495,507

$24,318,475.70


$31,614,018.40


Total Number of Respondents: 3,600

Total Number of Responses Annually [Cumulative]: 79,243,541

Total Annual Hourly Burden [Cumulative]: 495,507 hours

Total Annual “In-House” Costs [Cumulative]: $31,614,018.40





13. This is the Commission’s estimate of the annual cost burden to respondents for the information collection requirements:


(a) Total annualized capital/startup costs: $0.00


(b) Total annualized costs (O&M): $4,000,000.00


(c) Total annualized cost requested: $4,000,000.00


The Commission believes that while the 3,550 largest respondents will have sufficient “in-house” staff to perform cost studies, the 50 smallest respondents will need to contract out this requirement.


The Commission estimates that each consultant will employ the following staff:


j. Cost Studies:


Two accountants at a cost of $250.00/hour = $500.00

Two economists at a cost of $250.00/hour = $500.00

Two attorneys at a cost of $300.00/hour = $600.00

Total: $1,600.00/hour


50 respondents x $1, 600.00 hour/consultant staff x 50 hour/cost study = $4,000,000.00


Total Cost: $4,000,000.00


14. The Commission will incur some costs as a result of this information collection because the Commission will need to remind carriers of their annual certification filing obligation, and then process those filings. We estimate these tasks will take the Commission approximately 40 hours/year at the GS-14, Step 5 level ($60.83/hour) for a total of $2,433.20 per year.


15. The Commission made the following adjustments to these estimates:


For the Password and Back Up Authentication Methods collection, the total number of annual responses decreased from 87,479,280 to 39,603,600, a decrease of 47,875,680. The previous collection incorrectly calculated the total number of customers nationwide at 437,378,400 instead of the correct number of 198,000,000, based on the Voice Telephone Services Report (formerly Local Telephone Competition Report). Because the number of responses has been reduced, the total burden hours are also decreased in turn, from 178,551 to 82,800, a decrease of 95,751.


For the same reason, the total number of responses for the Notification of Account Changes collection decreased from 87,476,040 to 39,600,360, a decrease of 47,875,680, and the burden hours decreased from 175,311 to 79,560, a decrease of 95,751 burden hours.


Based upon comments received in response to the Federal Register notice on this collection asserting that the burden hour for this collection was too low, the burden hours for the Compliance Guidance Certification requirement increased from 10,800 total burden hours to 147,600 total burden hours, an increase of 136,800 hours. For the same reasons, the burden hours for the Event Histories Recordkeeping requirement increased from 1,800 total burden hours to 147,600 total burden hours, an increase of 145,800 hours.


Based on these adjustments to this collection, the total annual responses decreased by -95,751,360 and the total annual burden hours increased by 91,098.


Also, the total annual cost has increased from $3,000,000.00 to $4,000,000.00 (+$1,000,000.00) due to an increase in the salary per hour of employing outside consultants.


There are no program changes.


16. The Commission does not anticipate publishing any of the information collected.


17. The Commission is not seeking approval to not display the expiration date for Office of Management and Budget (OMB) approval of the information collection because the collection does not include a form number.


18. When the 60-Day Notice was published in the Federal Register on May 10, 2017, (82 FR 21814)

the Commission reported the total burden hours as 212,907. However, the Commission received two comments

from the public requesting to revise the certification requirement and the event histories recordkeeping

requirement because they were understated. Based on their comments, we have updated our previous burden

estimates which increased the total burden hours from 212,907 to 495,507. These estimates are reflected in

both the 30-Day Notice and submission to OMB.


There are no other exceptions to the Certification Statement.


B. Collections of Information Employing Statistical Methods:


The Commission does not anticipate that the collection of information will employ statistical methods.

1 The original CPNI rules were adopted on August 23, 1999 and released on September 9, 1999. Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information; Implementation of the Local Competition Provisions of the Telecommunications Act of 1996; and Provisions of Directory Listing Information under the Telecommunications Act of 1934, as amended, CC Docket Nos. 96-115, 96-98, 99-273, Third Report and Order, Second Order on Reconsideration, and Notice of Proposed Rulemaking, 14 FCC Rcd 15550 (1999) (Third R&O).

2

3 Implementation Of The Telecommunications Act Of 1996:Telecommunications Carriers' Use Of Customer Proprietary Network Information And Other Customer Information; CC Docket No. 96-115 Implementation Of The Non-Accounting Safeguards Of Sections 271 And 272 Of The Communications Act Of 1934, As Amended CC Docket No. 96-149, 2000 Biennial Regulatory Review -- Review Of Policies And Rules Concerning Unauthorized Changes Of Consumers’ Long Distance Carriers, CC Docket Nos. 96-115, 96-149, 00-257, Third Report and Order and Third Further Notice of Proposed Rulemaking, 17 FCC Rcd 14860 (2002) (Third R&O and Third FNPRM).

4 Third R&O.

5 On September 13, 2004, the FCC modified the information collection requirement described in paragraph (l). Implementation of the Telecommunications Act of 1996: Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115, Memorandum Opinion and Order on Reconsideration, 19 FCC Rcd 18439 (2004).

6 The FCC has no direct involvement in the collection of the information on individuals or households, i.e., the information collection requirements affect the telecommunications carriers and providers of interconnected VoIP service, although the Commission does require these telecommunications carriers and providers of interconnected VoIP service to abide by the requirements of 47 U.S.C. § 222 of the Act. The Commission believes, therefore, that 47 U.S.C. § 222 provides sufficient safeguards to protect the information on individuals or households that these respondent carriers and interconnected VoIP service providers collect or use.

7 CTIA Comments at 2.

8 CTIA Comments at 4-5.

9 CTIA Comments at 5.

10 CTIA Comments at 7.

11 CTIA Comments at 8.

12 USTelecom/VON Comments at 2.

13 Id.

14 USTelecom/VON Comments at 3.

15 USTelecom/VON Comments at 4.

16 USTelecom/VON Comments at 5 (citing the requirement for carriers to implement procedures by which the status of a customer’s CPNI approval can be clearly established prior to the use of CPNI; provide employee training in the authorized use of CPNI, including the establishment of a supervisory review process for sales personnel and marketing; maintain a record for one year of all marketing campaigns that use customer CPNI; and provide notice to the FCC within five days of an opt-out failure)

17 USTelecom/VON Comments at 6-7.

18 2016 Privacy Report and Order, FCC 16-148, para. 234.

19 Id.

20 There are approximately 3,600 telecommunications carriers and providers of interconnected VoIP service that might be subject to our notification requirement; however, to the extent carriers or providers do not choose to use CPNI or do not want to market new service categories using CPNI, the information collection requirements would not apply to them.

21 47 C.F.R. 2009(e) The annual certification filing for each calendar year is due no sooner than January 1, but no later than, March 1. FCC Enforcement Advisory - Telecommunications Carriers and Interconnected VoIP Providers Subject to the Commission’s CPNI Rules Must File Annual Reports Certifying Compliance with Commission Rules Protecting Customer Proprietary Network Information, EB Docket No. 06-36, Public Notice, 31 FCC Rcd 2938 (Enf. Bur. 2016). The annual CPNI certifications may be filed: (1) using the Commission’s web-based application; (2) using the Commission’s Electronic Comment Filing System (ECFS); or (3) by filing paper copies. The Commission’s web-based application can be found at http://apps.fcc.gov/eb/CPNI. Any paper filings submitted to the Commission are then added to the FCC’s ECFS Docket No. 06-36.

22 This requirement was eliminated by the Commission for a short period of time after adoption of the 2016 Privacy Order. See Protecting the Privacy of Customers of Broadband and Other Telecommunications Services, WC Docket No. 16-106, Report and Order, 31 FCC Rcd 13911, 14005, para. 234 (2016) (2016 Privacy Order). That Order, however, was vacated pursuant to the Congressional Review Act. Because of the brief elimination of this requirement, we do not have certification data for calendar year 2016.

23 The Commission used the General Schedule Salary Table, as of January 2017, for the locality pay area of Washington-Baltimore-Arlington, DC-MD-VA-WV-PA.

24 It is difficult to estimate the time involved because respondents will utilize various methods to establish and record keep their customers’ passwords and back-up authentication passwords. Also, it is difficult to determine the number of customers for each respondent. Our estimate is based on the total number of customers industry wide. At the end of 2015 there were approximately 68 million wireline residential retail voice service connections and approximately 335 million mobile telephone subscribers. See FCC, Voice Telephone Services: Status as of December 31, 2015 3 at fig.2 (Wireline Comp. Bur. 2015) (2015 FCC Voice Services Report). The mobile telephone subscribers represents the number of devices and not customers. To account for multiple handset contracts in a household, we divide the number of mobile subscriptions by the average number of people in household, which is 2.58 to yield approximately 130 million mobile customers (335/2.58 = 129.84). See U.S. Census Bureau, Households and Families: 2010, 2010 Census Briefs 1, https://www.census.gov/prod/cen2010/briefs/c2010br-14.pdf. The total number of wireline and mobile customers is estimated at 198 million customers (68 + 130 = 198). In estimating the burden, some respondents actually may have a greater or lesser burden depending upon how many customers they have. The total customers are estimated at 198,000,000. We assume, on average, 20 percent of a respondent’s customers may request a new password in any given year. Thus, the total number of customers for this requirement is 39,600,000 (198,000,000 x .20 = 39,600,000).



39


File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title3060-0715
AuthorThomas.Butler
File Modified0000-00-00
File Created2021-01-22

© 2024 OMB.report | Privacy Policy