Transcript
8/20/2019 McClure CPNI Manual.pdf
1/58
This manual and its contents are for the internal use only of the telephone company above and should not be
redistributed without the consent of the Vantage Point Solutions.
McClure Services LLC
CUSTOMER PROPRIETARY
NETWORK INFORMATION
(CPNI) MANUAL
Adopted: September 17, 2015
Created and Prepared by:
8/20/2019 McClure CPNI Manual.pdf
2/58
2-Cover Sheet MS.doc Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
McClure Services LLC
CUSTOMER PROPRIETARY NETWORK
INFORMATION (CPNI) MANUAL
(For McClure Services, LLC Internal Use Only)
This manual was developed by Vantage Point Solutions, Inc.(VPS), based on the Federal Communications Commission (FCC)
rules adopted on March 13, 2007, and the associated Order
released on April 2, 2007. These rules took effect is on
December 8, 2007.
Please contact VPS with any questions or concerns:
Wendy Harper, Senior Financial Analyst: (605) 995-1756Wendy.Harper@VantagePnt.com
JoAnn Hohrman, Senior Financial Analyst: (605) 995-1764
JoAnn.Hohrman@VantagePnt.com
Doug Eidahl, VP of Regulatory & Legal: (605) 995-1750
Doug.Eidahl@VantagePnt.com
mailto:Wendy.Harper@VantagePnt.commailto:Wendy.Harper@VantagePnt.commailto:JoAnn.Hohrman@VantagePnt.commailto:JoAnn.Hohrman@VantagePnt.commailto:Doug.Eidahl@VantagePnt.commailto:Doug.Eidahl@VantagePnt.commailto:Doug.Eidahl@VantagePnt.commailto:JoAnn.Hohrman@VantagePnt.commailto:Wendy.Harper@VantagePnt.com
8/20/2019 McClure CPNI Manual.pdf
3/58
3-TOC MS.doc Page 1 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Table of Contents
Section
Executive Summary ......................................................................................1
CPNI Background .........................................................................................2
Definitions ......................................................................................................3
CPNI Responsibilities ....................................................................................4Company Responsibilities .................................................................... 4.1
CPNI Compliance Officer Responsibilities ....................................... 4.2
Employee Responsibilities .................................................................... 4.3
CPNI Disciplinary Procedures .....................................................................5
Authorized Account Contacts .......................................................................6
Customer Authentication Procedures .........................................................7
Password Protection Procedures .................................................................8
On-line Account Access Requirements .......................................................9
Account Change/Activity Notification ..................................................... 10
Business Customer Exemption ................................................................. 11
Reporting Procedures ................................................................................. 12
Opt-In & Opt-Out Approval Requirements ............................................ 13
Frequently Asked Questions ...................................................................... 14
8/20/2019 McClure CPNI Manual.pdf
4/58
3-TOC MS.doc Page 2 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
Marketing Opportunities .......................................................................... 15
SAMPLE Customer Memo & Forms1 ..................................................... 16
Customer Notice Memo ...................................................................... 16.1
Authorized Account Contacts............................................................ 16.2Password Set Up ................................................................................. 16.3
Opt-In Notice ....................................................................................... 16.4
Opt-Out Notice .................................................................................... 16.5
Notice of Change/Activity .................................................................. 16.6
Certifications ............................................................................................... 17
CPNI Compliance Officer .................................................................. 17.1
Employee Acknowledgement of CPNI Compliance ........................ 17.2Sample Annual Certification Letter ................................................. 17.3
Appendices .................................................................................................. 18
Appendix A - Section 222 of the 1996 Telecom Act
Appendix B - FCC Title 47 CPNI Rules:
§ 64.2003 (Definitions)
§ 64.2005 (Use of CPNI without Customer Approval)
§ 64.2007 (Approval Required for Use of CPNI)
§ 64.2008 (Notice Required for Use of CPNI)§ 64.2009 (Safeguards Required for Use of CPNI)
§ 64.2010 (Safeguards of the Disclosure of CPNI)
§ 64.2011 (Notification of CPNI Security Breaches)
Appendix C - FCC Rule Amendments:
FCC 1st Report & Order, Executive Summary, April 2, 2007
Appendix B of the FCC 1st Report & Order, April 2, 2007
1 All forms should be discussed with the Company’s billing software vendor for tracking capabilities within
its system and non-duplication of any automated forms the software may generate. These are SAMPLES
of what may be used, however similar forms may exist within the software. The Company should work
closely with its vendor regarding the way the Company chooses to implement CPNI procedures.
8/20/2019 McClure CPNI Manual.pdf
5/58
Section1-ExecSumm MS.doc Page 1 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Executive Summary
Federal Communication Commission (FCC) Customer Proprietary Network Information
(CPNI) rules require that MCCLURE SERVICES LLC (“Company”) and its employeesmust take reasonable measures to discover and protect CPNI.
CPNI is information that is obtained due to the carrier-customer relationship and is not public knowledge. CPNI includes call detail and non-call detail. CPNI call detail
information examples include, but are not limited to, information such as the calling
number, called number, and the length of time for a call. Non-call detail information is
account information contained in the bills to a customer pertaining to local exchangeand/or toll services, such as calling features, calling plan subscribed to, dollar amounts,
etc.
The Company must train its personnel as to when they are and are not authorized to use
or distribute CPNI, and the Company must have an express disciplinary process in place
to be used in the event that a CPNI breach occurs.
The Company must have an officer sign a compliance certificate on an annual basis (due
March 1st of each year for the prior year), which includes an explanation of any actionstaken against data brokers, as well as a summary of all consumer complaints received in
the previous year regarding the unauthorized release of CPNI.
In addition, the Company must establish a supervisory review process regarding carrier
compliance for outbound marketing situations and must also maintain records of carrier
compliance. Specifically, sales personnel must obtain supervisory approval by the CPNI
Compliance Officer of any proposed outbound marketing request for customer approval.
The Company is required to notify both law enforcement and customers in the event of a
CPNI breach within seven days of the discovered breach; however law enforcement must be notified seven days before the customer is notified or longer if law enforcement
requests a delay in notifying the customer.
The Company prohibits its employees from releasing call detail information to customers
during customer-initiated telephone contact, except when the authorized customer
provides a password. Further, if the authorized customer does not provide a pre-
established password, the FCC prohibits the release of call detail information except bysending the information to an address of record, or by calling the customer at the
telephone number of record. As an alternative, the customer may come into the office
and show valid, government-issued photo identification in order to be authenticated.
8/20/2019 McClure CPNI Manual.pdf
6/58
Section1-ExecSumm MS.doc Page 2 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
The Company also requires password protection for any online account access. All
account information accessed online must have a password input before obtaining accessto any of the account information. (Note: Password, whether for call detail or online
access, must not be based on readily available historical information such as a social
security number, mother’s maiden name, etc.)
The Company is required to notify the customer immediately when a password, customer
response to a security question is utilized for the authentication for lost or forgotten
passwords, online account, or address of record is created or changed. This notificationmust be generic and not state the specifics of the change or activity. For example if the
address of record was changed, the Company must not provide the new address, but only
state the address was changed.
The Company must obtain opt-in consent from a customer before disclosing a customer’s
CPNI to a joint venture partner, independent contractor, or a third party for the purpose of
marketing communications-related services to that customer.
For business customers, if the Company has established a dedicated account
representative for a particular business customer and the Company has a contractualagreement with that business customer that specifically addresses the carrier’s protection
of CPNI, then the contract CPNI requirements shall replace the FCC CPNI requirements
contained in this manual.
The opt-out and opt-in approval requirements must be followed for marketing related
services to the customer or for distribution to Company affiliates or third parties.
When customer approval of CPNI use is necessary, it may be obtained through written,
oral, or electronic methods. The Company must maintain records of approval, whetheroral, written, or electronic. The Company must implement a system by which the status
of a customer’s CPNI approval can be clearly established prior to the use of CPNI.
The company must provide notification to the customer of the customer’s right to restrictuse of, disclosure of, and access to that customer’s CPNI. The company must maintain
records of notification.
8/20/2019 McClure CPNI Manual.pdf
7/58
Section2-CPNI Background MS.doc Page 1 of 3 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLCCPNI MANUAL
CPNI Background
CPNI Definition
CPNI is defined as “(A) information that relates to the quantity, technical configuration,type, destination, location, and amount of use of a telecommunications service subscribed
to by any customer of a telecommunications carrier, and that is made available to the
carrier by the customer solely by virtue of the carrier-customer relationship; and (B)information contained in the bills pertaining to telephone exchange service or telephone
toll service received by a customer of a carrier.”1
Practically speaking, CPNI includes information such as the phone numbers called by a
consumer; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting. CPNI, therefore, includes some highly-sensitive
personal information.
Section 222 of the Telecom Act of 1996
In the Telecom Act, Congress created a framework to govern telecommunications
carriers’ protection and use of information obtained by virtue of providing atelecommunications service. The Section 222 framework calibrates the protection of
such information from disclosure based on the sensitivity of the information. It places
fewer restrictions on the dissemination of information that is not highly sensitive and oninformation that the customer authorizes to be released, than on the dissemination of
more sensitive information the carrier has gathered about particular customers. Congress
has accorded CPNI the greatest level of protection under the framework of Section 222.
Section 222 reflects the balance Congress sought to achieve between giving each
customer ready access to his or her own CPNI, and protecting customers from
unauthorized use or disclosure of CPNI. Every telecommunications carrier has a generalduty, pursuant to Section 222(a), to protect the confidentiality of CPNI. In addition,
Section 222(c)(1) provides that a carrier may only use, disclose, or permit access to
customers’ CPNI in limited circumstances:(1) as required by law;2
(2) with the customer’s approval; or
1 47 U.S.C. § 222(h)(1)2 See, e.g., Implementation of the Telecommunications Act of 1996: Telecommunications carriers’ Use of
Customer Proprietary Network Information and Other Customer Information, CC Docket No. 96-115,
Declaratory Ruling, 21 FCC Rcd 9990 (2006) (clarifying that Section 222 does not prevent a
telecommunications carrier from complying with the obligation in 42 U.S.C. § 13032 to report violations of
specific federal statutes relating to child pornography).
8/20/2019 McClure CPNI Manual.pdf
8/58
Section2-CPNI Background MS.doc Page 2 of 3 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
(3) in its provision of the telecommunications service from which such
information is derived, or services necessary to, or used in the provision of,
such telecommunications service.
Section 222 also guarantees that customers have a right to obtain access to, and compel
disclosure of, their own CPNI.
CPNI Order of 1998
In 1998, the Federal Communications Commission (FCC or Commission) released theCPNI Order in which it adopted a set of rules implementing Section 222. In this Order,the Commission outlined the extent to which Section 222 permits carriers to use CPNI to
render the telecommunications service from which the CPNI was derived. Beyond such
use, the Commission’s rules require carriers to obtain a customer’s knowing consent before using or disclosing CPNI. Under these rules, telecommunications carriers must
receive Opt-Out consent before disclosing CPNI to joint venture partners and
independent contractors for the purposes of marketing communications-related services
to customers. In addition, the Commission also adopted a set of rules designed to ensure
that telecommunications carriers establish effective safeguards to protect againstunauthorized use or disclosure of CPNI. Among these safeguards are rules that:
• require carriers to design their customer service records in such a way that the
status of a customer’s CPNI approval can be clearly established;
• require telecommunications carriers to train their personnel as to when theyare and are not authorized to use CPNI;
• require carriers to have an express disciplinary process in place;
• require carriers to maintain records that track access to customer CPNI
records and to maintain such records for a period of at least one year;
• require the establishment of a supervisory review process for outbound
marketing campaigns; and
•
require each carrier to certify annually regarding its compliance with thecarrier’s CPNI requirements and to make this certification publicly available.
Temporary Opt-Out Clarification - 2001
In a 2001 clarification to the above Order, the FCC permitted carriers to rely on Opt-Out
measures for customer approval of using their CPNI for marketing.
Opt-In Requirement - 2002
In 2002, the FCC then issued rules requiring Opt-In measures for customer approval for
carriers’ release of CPNI to Third Parties; however, Opt-Out provisions were allowed for
the release of CPNI to Affiliated Parties.
EPIC Petition - 2005
In 2005, Electronic Privacy Information Center (EPIC) filed a petition with theCommission asking the Commission to investigate telecommunications carriers’ current
security practices and to initiate a rulemaking proceeding to consider establishing more
8/20/2019 McClure CPNI Manual.pdf
9/58
Section2-CPNI Background MS.doc Page 3 of 3 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
stringent security standards for telecommunications carriers to govern the disclosure of
CPNI. In particular, EPIC proposed that the Commission consider requiring the use of
consumer-set passwords, creating audit trails, employing encryption, limiting dataretention, and improving notice procedures.
CPNI Report and Order of 2007
In April 2007, the FCC released its Report and Order and Further Notice of ProposedRulemaking regarding Telecommunications Carriers’ Use of CPNI and Other Customer
Information, on which this manual is based. The manual will be updated when
necessary.
CPNI Summary
Since the CPNI Order of 1998, telecommunications carriers have sued many people
whom they accuse of fraudulently obtaining phone records. These people are referred toas “pretexters”. Pretexting is a practice where an individual impersonates another person and employs false pretenses, or otherwise uses trickery to obtain records. For
example, in one of the cases filed by Cingular, Cingular stated that the defendant pretexter posed as an employee of Cingular and as a customer of Cingular in order to
induce Cingular’s customer service representatives to provide them with the call records
of a targeted customer.
In addition to individual pretexters, data brokers are businesses that operate (often via awebsite) by offering phone records as well as other personal information for a fee. The
data brokers retrieve the personal information through pretexting. Numerous complaintshave been filed with the Federal Trade Commission (FTC) against data brokers.
Additionally, numerous states have sued data brokers for pretexting phone records.
However, the data brokers have generally responded that there is no law prohibiting themfrom selling phone records.
However, recently several telecommunications carriers have been fined for failing tosafeguard customer information and complying with FCC CPNI regulations. Evensmall carriers have been given hefty fines in the range of $100,000.
8/20/2019 McClure CPNI Manual.pdf
10/58
Section3-Definitions MS.doc Page 1 of 3 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
CPNI-Related Terms and Definitions
Address of Record
Either postal or electronic (email) that the carrier has associated with the customer’saccount for at least 30 days.
Affiliate
A person that (directly or indirectly) owns or controls, is owned or controlled by, or is
under common ownership or control with, another person. For purposes of this
paragraph, the term “own” means to own an equity interest (or the equivalent thereof) of
more than 10 percent.
Breach
When a person, without authorization or exceeding authorization, has intentionallygained access to, used, or disclosed CPNI.
Call Detail Information
Any information that pertains to the inbound and/or outbound calls. For example,
telephone records containing date, time, calling number, called number, length of call,
etc. This information is considered CPNI and requires the highest level of privacy,according to the current FCC rules.
CustomerA person or entity to which the telecommunications carrier is currently providing
services.
Communications-related Services
Telecommunications services, information services typically provided by
telecommunications carriers, and services related to the provision or maintenance of
customer premises equipment.
Customer Authentication
By using not-readily available biographical information, the customer’s identity isconfirmed.
8/20/2019 McClure CPNI Manual.pdf
11/58
Section3-Definitions MS.doc Page 2 of 3 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
Customer Proprietary Network Information (CPNI)
Defined as “(A) information that relates to the quantity, technical configuration, type,destination, location, and amount of use of a telecommunications service subscribed to by
any customer of a telecommunications carrier, and that is made available to the carrier by
the customer solely by virtue of the carrier-customer relationship; and (B) informationcontained in the bills pertaining to telephone exchange service or telephone toll service
received by a customer of a carrier.”1
Practically speaking, CPNI includes information such as the phone numbers called by aconsumer; the frequency, duration, and timing of such calls; and any services purchased
by the consumer, such as calling features like call waiting or voicemail. CPNI, therefore,
includes some highly-sensitive personal information.
Data Brokers
Businesses that operate (often via a website) by offering phone records as well as other
personal information for a fee. The data brokers retrieve the personal informationthrough pretexting.
Existing Customer Relationship
Based on the provisioning of services requested by the customer that establishes a
business relationship between a company and its customer.
Independent Contractor
Third party company which the telephone company engages in business.
Information Service
Information services typically provided by telecommunications carriers, such as Internet
access or voice mail services. Information services in this paragraph do not include retailconsumer services provided using Internet websites (such as travel reservation services or
mortgage lending services), whether or not such services may otherwise be considered to
be information services.
Interconnected Voice Over Internet Protocol
A service that: (1) enables real-time, two-way voice communications; (2) requires a
broadband connection from the user’s location; (3) requires Internet protocol-compatiblecustomer premises equipment; and (4) permits users generally to receive calls that
originate on the public switched telephone network and to terminate calls to the public
switched telephone network.
Joint-Venture Partner
Another business in which the telephone company may be invested in ownership.
1 47 U.S.C. § 222(h)(1)
8/20/2019 McClure CPNI Manual.pdf
12/58
Section3-Definitions MS.doc Page 3 of 3 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
Pretexting
Practice where an individual impersonates another person and employs false pretenses, orotherwise uses trickery to obtain records.
Readily Available Biographic InformationInformation that is created from the customer’s life history (i.e. social security number or
last four digits, home address, mother’s maiden name, date of birth).
Section 222
Requires carriers to protect CPNI as part of the Telecommunications Act of 1996.
Telephone Number of Record
The telephone number associated with the underlying service and can not be a supplied
number as the customer’s “contact information”.
Valid Photo IDGovernment-issued unexpired personal identification with a photograph (i.e. driver’s
license or passport).
8/20/2019 McClure CPNI Manual.pdf
13/58
Section4.1-CompanyRespons. MS.doc Page 1 of 1 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Company Responsibilities
MCCLURE SERVICES LLC (MCCLURE ) has outlined the followingresponsibilities for CPNI compliance based upon the FCC rules:
Create a CPNI Manual. A CPNI manual has been created for all employees of the
company to read, understand, and abide by for CPNI compliance. The CPNI manual
should be adopted by the Board of Directors.
Employee Acknowledgement and Disciplinary Actions. After employees have
received training on the CPNI rules and regulations, each MCCLURE employee
should sign the Employee Acknowledgement of CPNI Compliance Certification andunderstand the disciplinary actions for unauthorized release of CPNI.
Designate a CPNI Compliance Officer (CPNI CO). A CPNI CO will be assigned
to overlook all MCCLURE CPNI compliance of the FCC rules. This CPNI CO will
sign the CPNI Compliance Certification Form after reading and thoroughly
understanding the CPNI manual. The CPNI CO duties are detailed in the Compliance
Officer Responsibilities section of this CPNI manual. See Section 5 for MCCLURE
’s duties as assigned to the CPNI CO.
Network Security. MCCLURE is responsible for the safeguarding of CPNI when it
is stored in a database. Encryption is not required by the FCC; however, safeguardmeasures must be taken to protect the stored CPNI information.
Note: The FCC stressed its expectation that carriers will take affirmative measuresto discover and protect against activity that is indicative of pretexting beyond what
is required by the FCC’s current rules, and reminded carriers that the Telecom Act
imposes on them the duty of instituting effective measures to protect the privacy ofCPNI.1
1 Federal Communications Commission, First Report and Order Regarding Telecommunications
Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, CC
Docket No. 96-115 and WC Docket No. 04-36, released April 2, 2007. (Page 21, #35)
8/20/2019 McClure CPNI Manual.pdf
14/58
Section4.2-CORespons. MS.doc Page 1 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Compliance Officer Responsibilities
MCCLURE SERVICES LLC (MCCLURE) has designated the following employee
as the CPNI Compliance Officer (CPNI CO):
____________________ (Mary Claire Cartwright)_
_________________________
CPNI CO responsibilities have been added to the designated employee’s job
responsibilities and duties. The CPNI CO responsibilities include:
Annual Compliance Certification Filing. MCCLURE CPNI Compliance Officer
will act as an agent of MCCLURE in certifying compliance with the FCC rules on anannual basis, stating that he/she has personal knowledge that the company has
established operating procedures that are adequate to ensure compliance with theFCC’s CPNI rules. The CPNI CO will be required to make this filing annually with
the Enforcement Bureau on or before March 1st of each year for previous year’s data.
Company’s Main CPNI Point of Contact. The CPNI CO will be the company’s
main point of contact for employees, customers, and other parties.
Maintenance and Security of CPNI. The CPNI CO is responsible for ensuring
proper maintenance and security of the CPNI files.
Track CPNI Complaints. CPNI CO must track all customer complaints regarding
the unauthorized release of CPNI and include a summary of all those complaints that
were received during the past year in the annual certification filing.
Track Actions Taken Against Data Brokers. This summary needs to be included
in the annual certification filing with the FCC.
Track CPNI Breaches. CPNI CO must track all CPNI breaches and actions taken
against data brokers and maintain the records for a minimum period of 2 years.
Notification of Unauthorized Disclosure of CPNI. CPNI CO must notify lawenforcement within seven days of a suspected CPNI breach and then notify the
customer within seven days after notification to law enforcement. However, if law
enforcement requests additional time before notifying the customer the CPNI COmust keep record of such instructions from the law enforcement.
8/20/2019 McClure CPNI Manual.pdf
15/58
Section4.2-CORespons. MS.doc Page 2 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
Review Company Marketing Procedures. CPNI CO must review CPNI
compliance in company marketing procedures by ensuring the appropriate Opt-Out
and Opt-In approval requirements are met. Keep details of all marketing campaignsutilizing CPNI.
Review and Document Company CPNI Use. CPNI CO must review and document
all company use of CPNI ensuring proper utilization.
Train Employees on CPNI Requirements and Procedures. CPNI CO will be
responsible for training all company employees on CPNI requirements mandated by
the FCC and the company procedures.
Ensure Employees are CPNI Certified. CPNI CO will be responsible for ensuringcompany employees have certified their knowledge of the company’s CPNI
requirements.
Ensure Customer Notification of Account Changes/Activity. CPNI CO will be
responsible for ensuring customers have been notified of qualifying account changes
and/or account activity with in 48 hours of such change/activity.
Ensure Company Measures of CPNI Protection. CPNI CO will ensure company
has established and utilizes sufficient measures to discover and protect against
pretexting and unauthorized disclosure of CPNI. CPNI CO will also establish andimplement additional steps beyond the FCC rules to protect the privacy of CPNI to
the extent such measures are feasible.
Designate Assistant CPNI CO. The CPNI CO will designate an assistant CPNI CO
to help with the overseeing of CPNI compliance and will step in for the absence of
the CPNI CO.
8/20/2019 McClure CPNI Manual.pdf
16/58
Section4.3-EmployeeRespons. MS.doc Page 1 of 1 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Employee Responsibilities Regarding CPNI
MCCLURE SERVICES LLC Employee CPNI responsibilities include:
Assist CPNI Compliance Officer (CPNI CO) in ensuring maintenance and security of
the Company’s CPNI files.
Notify CPNI CO of any CPNI-related complaints from customers.
Notify CPNI CO of any breaches of CPNI rules.
Review and follow CPNI requirements and procedures and sign Employee
Acknowledgement of CPNI Compliance Certification.
Assist in ensuring that customers are notified immediately of any account changes or
activity.
Notify CPNI CO of any CPNI violations.
Assist in ensuring that sufficient measures are used to discover and protect against pretexting and unauthorized disclosures of CPNI.
Must authenticate customers before discussing non-call detail CPNI with a customer.
Must require the associated account password be supplied by the authorized account
customer before providing call detail to the customer. Or the other three means of
call detail release approved by the FCC may be utilized: Call back customer attelephone of record, mail to address of record, or have customer come in with valid
government-issued photo ID.
8/20/2019 McClure CPNI Manual.pdf
17/58
Section5-DisciplinaryProc. MS.doc Page 1 of 1 Released: September 4, 2015
Prepared by Vantage Point Solution – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Disciplinary Procedures Relating to
Violations of CPNI Protection
MCCLURE SERVICES LLC (MCCLURE) has established the
following disciplinary procedures for CPNI violations and CPNI
breaches, whether intentional or unintentional. All employees of our
company are subject to the following disciplinary actions for CPNI
violations and CPNI breaches:
CPNI Violations include but are not limit to discussing products or services with a
customer outside the existing service relationship without the customer’s permissionand/or engaging in marketing efforts without observing the opt-out and opt-in approval
requirements.
Disciplinary Action for CPNI Violations: A first-time violation requires the employeeto re-read the CPNI manual and be re-trained on CPNI rules and procedures. Additional
violations may result in reassignment, suspension, and/or termination, based on the
seriousness and frequency of the CPNI violation(s).
CPNI Breaches occur when an employee acts without customer authority to intentionally
use, share, or disclose CPNI. Examples include distributing or selling CPNI to third
parties, or any action that harms the customer or the Company with the release of CPNI.
Disciplinary Action for CPNI Breaches: Depending on the occurrence and severity ofthe breach, the disciplinary action for a CPNI breach may result in retraining,
reassignment, suspension, and termination.
Note: MCCLURE SERVICES LLC has the right to handle the disciplinary actions
regarding CPNI violations and CPNI breaches as the Company sees fit for the type of
violation or breach in regards to frequency and severity of the violation or breach
occurrence. CPNI is a confidential matter in our office and we expect employees to
take all necessary steps in order to protect our customer’s privacy.
8/20/2019 McClure CPNI Manual.pdf
18/58
Section6-AACs MS.doc Page 1 of 1 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Authorized Account Contacts
Authorized Account Contact
Employees may only discuss and/or provide CPNI information to an AuthorizedAccount Contact (AAC) for that particular account being discussed. If someone is
not listed on the account as an AAC (such as a spouse or child of an elderly customer),
the employee may use the “Authorized Account Contacts” form to add this person to the
account as an AAC only with the approval of the current AAC.
Note: Payments may be received from non-AACs, as long as the employee does not
provide CPNI information to them. (For example, the employee may not providespecifics about the call detail records or dollar amounts of an invoice, however if the
person knows the dollar amount or wants to make the payment by placing so much
money on the account then that is acceptable). Also, if the customer can provide detailsof a call, those provided details can be discussed but additional information can not be
provided.
Important Note: Any time that a customer requests access to information contained in
call detail records (such as the called number, length of call, etc.), a password is
required (or if a password is not supplied the other three methods discussed previously
that are approved by the FCC of calling back the number of record, mailing to the
address of record, or customer providing valid photo ID may be utilized). Employees are forbidden from supplying call detail record information to anyone without the
account password, even if Caller ID indicates that the customer is calling from the
telephone number of record. However, other information, such as discussing calling
feature purchases, etc., may be disclosed without a password, but only after the
customer has been authenticated.
8/20/2019 McClure CPNI Manual.pdf
19/58
Section7-Authentication MS.doc Page 1 of 1 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Customer Authentication Procedures
Customer Authentication
For employees to authenticate an authorized account contact (AAC), the employee should politely explain that the Federal Communications Commission (FCC) now requires
authentication in order to protect their privacy before discussing account information.
Then, explain that you could do this by asking a few questions to verify the customer’s
identity. Example questions to authenticate a customer include:
How long have you had your account with us?
What are the features and services you receive from us? Are there any other names listed on the account?
What is your average month bill amount?
Note: The employee could also call back the telephone number of record; however
they must still verify this is the AAC they are talking with. For example if only the
husband is the AAC, and a woman answers or is the one calling for authentication the
employee should not discuss the CPNI with her but offer to establish the spouse as an
AAC once approved by the current AAC.
8/20/2019 McClure CPNI Manual.pdf
20/58
Section8-Passwords MS.doc Page 1 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Password Protection Procedures
Establishing a Password
New Customers
MCCLURE SERVICES LLC (Company) requires new customers to establish a password at the time of service initiation because the customer can be easily
authenticated at that time by showing government issued identification.
Existing Customers
Company will initially send a mass mailing to its authorized account customers(AAC) in order to inform the AAC of the new password requirement for therelease of CPNI information and to allow the customers to fill out the “PasswordSet Up” form and return it to the Company.
If existing AACs do not set up a password at the time of the initial mailing, but
later decide to establish one by either calling into the Company or stopping intothe Company office, employees must first authenticate the customer without
the use of readily available biographical information or account information. (See
authentication procedures in previous Section 7.)
Password Set Up
Customers must provide responses to the “Password Set Up” form, which
includes the actual password as well a couple security question answers in casethe password is forgotten.
Use of Password
When a customer calls or stops in and requests call detail information, employees should politely explain to the customer that the FCC requires the customer to provide the
account password before this information may be disclosed. If the customer is unable to
provide the password, the employee should ask the account security questions to the
customer and if answered correctly, may then provide the requested call detail recordinformation and establish a new password.
If the customer is unable to provide the password and does not answer the two selectedsecurity questions correctly, or if the customer refuses to set up a password, the employee
8/20/2019 McClure CPNI Manual.pdf
21/58
Section8-Passwords MS.doc Page 2 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
should explain the following options and may share the call detail records by only the
three following methods:
1. calling the customer back at the telephone number of record;
2. mailing or emailing the information to the address of record (address must be
on company file for at least 30 days); or3. authenticating the customer’s identity in person with a valid government-
issued photo identification.
8/20/2019 McClure CPNI Manual.pdf
22/58
Section9-OnlineAccess MS.doc Page 1 of 1 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
On-line Account Access Requirements
On-line Account Access
Because the Company is responsible to ensure the security and privacy of online account
access, the Company must appropriately authenticate both new and existing customersseeking access to account information online. Therefore, the FCC requires the use of
passwords for on-line account review and billing access.
If a password is already in place, it is not required to establish a new password at this
time, unless it is based solely on readily available biographical information oraccount information. For new customers, a carrier should request that a customerestablish an on-line password at the time of service initiation, which again can not be based on readily available biographical information or account information.
Note: The FCC expects carriers to block access to the customer’s account if repeatedunsuccessful attempts are made when trying to log in.
8/20/2019 McClure CPNI Manual.pdf
23/58
Section10-Notifications MS.doc Page 1 of 1 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Account Change/Activity Notification Procedures
The FCC requires the Company to notify customers immediately of certain account
changes, including:
Password created
Password changed
Customer response to security questions were utilized
Online account password created
Online account password changed
Online account authentication response
Physical address of record changed
Email address of record changed
Authorized customer was added to the account
Company is also required to notify customer of a security breach within seven days after
the law enforcement has been notified (or longer only if law enforcement requests
additional time) as described in Section 12, Reporting Procedures.
8/20/2019 McClure CPNI Manual.pdf
24/58
Section11-BusinessExempt MS.doc Page 1 of 1 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Business Customer Exemption
Some business customer accounts contain privately negotiated proprietary information
safeguards, as established in an account contract. Therefore, if our contract with a business customer is serviced by a dedicated account representative as the primary
contact, and specifically addresses MCCLURE SERVICES LLC’s protection of the
business customer’s CPNI, the authentication rules do not have to be followed for that particular business customer. However, the remainder of the CPNI rules still needs to be
followed.
8/20/2019 McClure CPNI Manual.pdf
25/58
Section12-Reporting MS.doc Page 1 of 1 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
CPNI Violation and Breach Reporting Procedures
Law Enforcement Notification
MCCLURE SERVICES LLC (MCCLURE) must notify law enforcement of a breach ofits customers’ CPNI no later than seven business days after a reasonable determination
of a breach, by sending electronic notification through a central reporting facility to the
United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI). TheFCC Enforcement Bureau will maintain a link to the reporting facility at
www.fcc.gov/eb/CPNI.
Customer Notification
Then, MCCLURE must notify the customer and/or disclose the breach publicly afterseven business days following notification to the USSS and the FBI, if the USSS and the
FBI have not requested that MCCLURE continue to postpone disclosure. However,
MCCLURE may notify the customer immediately or publicly disclose the breachimmediately after consultation with the relevant investigative agency, if MCCLURE
believes that there is an extraordinarily urgent need to notify a customer or class of
customers in order to avoid immediate and irreparable harm.
Maintenance of Records
Additionally, MCCLURE must maintain a record of any discovered breaches,
notifications to the USSS and the FBI regarding those breaches, and the USSS and FBIresponses to the notifications for a period of at least two years. This record must include,
if available, the date the breach was discovered, the date that MCCLURE notified the
USSS and the FBI, the date that MCCLURE notified the customer, a detailed descriptionof the CPNI that was breached, and the circumstances of the breach (including steps
taken by MCCLURE to prevent the breach, how the breach occurred, and the impact of
the breach).
Cooperation with Law Enforcement
MCCLURE employees must fully cooperate in any law enforcement investigation of
such unauthorized release of CPNI or attempted unauthorized access to an account,
consistent with statutory and FCC requirements.
Note: For carriers with breaches, the FCC can still issue forfeitures against them even if
all the CPNI rules are proven to have been met. It is important for our company to go
above and beyond all FCC CPNI protection rules, displaying our commitment to
protecting our customers CPNI.
8/20/2019 McClure CPNI Manual.pdf
26/58
Section13-Opt-In Opt-Out MS.doc Page 1 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Opt-In and Opt-Out Requirements
Opting Background
A significant change was made by the FCC in its First Report & Order dated April 2, 2007, to the prior CPNI opt-out rule. Previously, carriers were to send an opt-out form to the customersinforming them that their CPNI would be shared with joint venture or independent contractors formarketing communications-related services. If they signed an “opt-out” form, the carrier couldnot share that particular customer’s information with any other parties. With the new rules, the
old “opt-out” rule has been eliminated for sharing CPNI with a joint venture or third party. Now,the customer must specifically “opt-in” or consent to sharing their CPNI with a third party formarketing use.
Under the new rules, carriers can market enhancements to services the customer already has based on CPNI without customer consent. For example, if a customer subscribes to local service,the carrier does not need customer approval to use the CPNI to sell calling features for that local
service such as call waiting. However, for services outside the existing scope of business thecarrier must have customer permission to market the additional services and products based upon
CPNI whether in-house (subject to opt-out approval requirements) or to a third party (subject toopt-in approval requirements). For example, if the customer has only local service with thecarrier and no long distance, the long distance service promotions can not be shared with that
customer without the customer’s permission. If the customer chooses to sign and return an “opt-out” form, the carrier will not be able to use the customer’s CPNI to market any services outside
the existing scope of service with the carrier, unless the customer initiates a request to discuss a particular service. The carrier also may not share the customer’s CPNI with any affiliates tomarket services outside their existing services with the customer if an opt-out form as been
returned to the carrier, unless one-time approval has been given. Customers must be notified oftheir right to “opt-out” of marketing endeavors for services and products outside the existingrelationship.
Opting Methods
There are two methods of opting approval:
1) Opt-Out – Notice stating the carrier considers the customer to have given approval of CPNIuse for marketing unless the customer informs the company otherwise
2) Opt-In – Notice requesting that the customer give permission to the company to use CPNIfor marketing
These approval methods must be utilized and followed before CPNI is shared either internally or
externally for marketing purposes. Company must track the opting notices, keep the signednotices on file, and notate status in the company billing records. The company should not sendexcessive notices to their customers in any fashion that could be considered badgering or
harassment.
Reminder: Names, addresses, and phone numbers are not considered CPNI. Companies maymarket to all customers based on non-CPNI. Be sure the non-CPNI marketing campaign is
8/20/2019 McClure CPNI Manual.pdf
27/58
Section13-Opt-In Opt-Out MS.doc Page 2 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
approved by the CPNI Compliance Officer, as all marketing should be, and goes to eachcustomer selected by the chosen criteria.
Note: Company should give at least 30 days notice of opt-out opportunity to the customer before
utilizing the CPNI for marketing.
8/20/2019 McClure CPNI Manual.pdf
28/58
Section14-FAQs-Revised 09 03 15 MS.docPage 1 of 6 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
CPNI Frequently Asked Questions
What is Customer Proprietary Network Information?
In general terms, CPNI is personal information contained in customer records. From atelecommunication carrier’s standpoint, CPNI is most of the information collected by the
carrier for service provisioning and billing purposes. CPNI includes call detail
information, including calling numbers, called numbers, length of call, etc. Because ofthe public nature of customer names, addresses, and phone numbers, these items are not
considered to be CPNI.
When are the New CPNI Rules Effective?
CPNI rules are already in effect and have been around for many years. However,
compliance with the updated FCC rules (from the Federal Communications Commission
Report and Order and Further Notice of Proposed Rulemaking issued on April 2, 2007)
was required six months after the “effective date” of the Order or upon approval by theOffice of Management and Budget (OMB), whichever was later. The Report & Order
was published in the Federal Register on June 8, 2007, so the updated CPNI rules became
effective on December 8, 2007 (six months from this date). However, small carriers(defined as a “small entity” as discussed below) had an additional six months to comply
with the online password protection requirements.
Regarding the new online access CPNI rules, our company meets the definition of “small
entity” or a “small business concern” under the Regulatory Flexibility Act for Small
Business and therefore was eligible for an additional six month extension on these
particular rules. Therefore, the effective date was June 8, 2008.
Who Needs to Comply with CPNI Rules?
The CPNI rules apply to Telecommunications Carriers (all voice service entities), as
defined by the Communications Act of 1934, as amended, and including interconnectedVoice Over Internet Protocol (VoIP) providers. Therefore, the definition of
telecommunications carriers would include local exchange carriers (incumbent and
competitive), long distance carriers (or interexchange carriers), mobile (or cellular)
carriers, and VoIP providers.
Are passwords required for the use or release of all types of CPNI? No, passwords are only required by the FCC for call detail CPNI; however, companies
may implement password protection on all CPNI in order to keep consistency for the
employees and customers. To release non call detail information, carriers are still subjectto Section 222 of the Telecom Act and therefore, must authenticate the customer prior to
8/20/2019 McClure CPNI Manual.pdf
29/58
Section14-FAQs-Revised 09 03 15 MS.docPage 2 of 6 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
disclosing non call detail CPNI. (The FCC is still reviewing comments regarding
whether passwords should also be required for certain non-call detail CPNI.)
What is “readily available biographical information”?
Readily available biographical information includes such things as the customer’s social
security number, or the last four digits of that number, the customer’s mother’s maiden
name; a home address, or a date of birth.
Per the FCC, when are passwords required?
A password is required in order to release call detail CPNI information. However the
company can choose whether to tighten this requirement to non-call detail CPNI as well.The FCC is still reviewing comments on whether to require a password on certain non
call detail CPNI as well, but to date passwords are required by the FCC only for call
detail information that is not provided by the customer.
What is “call detail”?
Call detail includes any information that pertains to the transmission of specific telephonecalls including, for outbound calls, the number called and the time, location, or duration
of any call. For inbound calls, call detail includes the number from which the call was placed, as well as the time, location, or duration of any call.
Are there any other ways to release call detail CPNI if a customer does not
remember his/her password or does not desire to set one up?
Yes. An employee may release call detail CPNI without a password by only one of the
following three methods:
1.
Call the customer back at the telephone number of record;2. Mail or email the CPNI information to the address of record; or
3. Confirm the customer’s identity in person with a valid photo ID.
What is a “valid photo ID”?
A valid photo ID is a government-issued personal identification with a photograph, such
as a current driver’s license, passport, or comparable identification.
What is meant by “telephone number of record”?
The telephone number of record is the telephone number associated with the underlying
service, rather than some other telephone number supplied as a customer’s “contactinformation”.
8/20/2019 McClure CPNI Manual.pdf
30/58
Section14-FAQs-Revised 09 03 15 MS.docPage 3 of 6 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
What is meant by “address of record”?
The address of record is the address, whether postal or electronic, that the carrier hasassociated with the customer’s account for at least 30 days. Requiring that the address be
on file for 30 days will foreclose a pretexter’s ability to change an address of record for
the purpose of being sent call detail information immediately.
What are examples of CPNI that is non call detail information?
Some examples of CPNI that is non call detail would be remaining minutes of use on a
calling plan, account features, or dollar amounts billed.
May an employee rely on Caller ID as an authentication method?
No. Pretexters could easily replicate Caller ID numbers. The caller ID information is not
an authorized method of authentication.
What is “account information”?
Account information is the information related to a customer’s account, which includessuch things as account number or any component thereof, including the telephone
number associated with the account or the amount of the last bill.
How long do I have to report a CPNI breach to law enforcement?
The Company must report a CPNI breach within seven days to law enforcement.
How shall law enforcement be notified of a breach of CPNI?
The FCC Enforcement Bureau will maintain a link to the reporting facility at
www.fcc.gov/eb/CPNI.
How long do I have to report a CPNI breach to our customer?
The Company must report a CPNI breach to the customer seven days after it was
reported to law enforcement for investigation. If law enforcement requests a longer time
period before notifying a customer, the Company must abide but keep notes of suchrequest.
May I share CPNI with a spouse, child, or parent of the authorized account
customer?
Not unless that person is already listed as an Authorized Account Contact for that
particular account. CPNI may only be shared with the Authorized Account Contact.
May I share CPNI information with a person who provides the correct account
password, but is clearly not an Authorized Account Contact?
No. CPNI may only be shared with the Authorized Account Contact.
8/20/2019 McClure CPNI Manual.pdf
31/58
Section14-FAQs-Revised 09 03 15 MS.docPage 4 of 6 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
If a security question is utilized for a forgotten password, what must be done?
The FCC requires that the Company send notification to the address of record (bestchoice) or leave a voice message or send a text message to the phone number of record
notifying the customer that security questions were utilized to gain account access. A
new account password will also need to be set-up.
What is meant by a customer response to a carrier-designed security means of
authentication”?
A customer response to a carrier-designed security means of authentication is the
customer’s pre-selected answer to the carrier’s security authentication method in theevent that the customer lost or forgot his/her password.
If a customer calls with a question about a long distance call and wants to discuss
call detail information relating to that call, how should the employee handle the
call?
The employee should politely explain that the FCC requires our company to use a password to access the customer’s call records in order to protect the customer’s privacyand to prevent others from accessing the customer’s private account information. If the
customer then provides the password, the employee may begin discussion regarding the
call detail information. If the customer cannot provide the password, the employee maythen ask the customer to answer a security question. If the customer provides the correct
answer to the security question, the employee may then begin discussion regarding the
call detail information. (The employee may try another security question if the first
security question is not answered correctly.) If the customer has not previously set up a password and security questions, then the employee should offer to assist the customer in
setting up a password by authenticating the customer (i.e., calling the customer back at
the telephone number of record, asking for answers to non-biographical or non-accountinformation questions, etc.) and then assisting them in setting up the password and
security questions. (Please see Sections 7-8 of the CPNI manual.) Note: If the customer
supplies the details of the call, those particular details may be discussed without a password.
If the customer refuses to establish a password in the above scenario, what should
be done?
The employee should politely explain that the customer has the following three
alternatives in order to access the call detail information:
1. Company will call the customer back at the telephone number of record;
2.
Company will mail the information to the address of record (postal orelectronic, but the address must be in the Company files for at least 30 days);
or
3. Customer may stop into the office and show a valid government-issued photoID.
8/20/2019 McClure CPNI Manual.pdf
32/58
Section14-FAQs-Revised 09 03 15 MS.docPage 5 of 6 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
What if a customer calls asking about calling features on the monthly bill?
Because this request is not for call detail information, which would require a password,
the employee should politely authenticate the customer by confirming that the person isan Authorized Account Contact, by asking a few of the following suggested questions:
How long have you had your account with us?
What are the features you receive from us? What are the services you receive from us?
Are there any other names listed on the account?
What is your average monthly bill amount?
How may our company use CPNI without prior customer approval?
A carrier may use CPNI without prior customer permission to market services within an
existing customer relationship, to perform mass marketing (such as bill inserts, directmail, newsletters), to provision products and services, for installation and repair services,
to comply with law enforcement, and to establish directory listings.
May our company distribute CPNI to a third party, joint-venture partner, or
independent contractor without the customer’s express permission?
No. This type of CPNI use would be subject to Opt-In Approval by the customer. All
customers must give permission before their CPNI can be released to a third party, joint-venture partner or independent contractor.
What does “Opt-In” approval” mean?
Opt-in approval means that the customer must give notice to the Company that they give permission for their CPNI to be shared with joint-venture partners, independent
contractors, and/or third parties.
A customer has left our company and has gone to the competition for certain
services. May we use this customer’s CPNI to promote a “win-back” campaign for
these particular services?
No, the customer’s CPNI can not be used in this way, unless your company has sent an
Opt-Out Notification to the customer and the customer did not return a signed Opt-Outform. However, mass marketing may be used to entice this type of customer back.
Some of our local exchange service customers do not currently have our affiliate’s
long distance service, may we share these customers’ CPNI with our long distance
affiliate to promote a targeted marketing campaign for the long distance serviceand/or bundling of services?
Yes, except to any customers that have returned signed Opt-Out forms.
8/20/2019 McClure CPNI Manual.pdf
33/58
Section14-FAQs-Revised 09 03 15 MS.docPage 6 of 6 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
A customer called in with a question regarding his local service, may we promote
our affiliate’s DSL service without asking his permission?
Yes, except to any customers that have returned signed Opt-Out forms.
If a customer signs an “opt-out”, what does this mean?
This means that employees may not discuss any service with that customer, except the
particular ones requested by the customer, or within the customer’s existing scope ofservices with the carrier.
How can my company market services or products without utilizing the Opt-Out
and Opt-In Forms?
Mass marketing (based on addresses and/or phone numbers of all customers, or based on
phone numbers and/or addresses contained in public sources for a specific exchange or
zip code) may be used to promote services or products as you would not be using CPNI
for this type of marketing. Also, employees asking permission of the customer to discuss products and services would be another way.
Our affiliate just rolled out DSL service in one of our exchanges. May we share
CPNI with the affiliate to market this service to those customers without marketing
to our remaining customers?
Yes, to the customers that have not returned a signed Opt-Out form or if you base the
marketing on public information such as, name, address, and phone number (which arenot considered to be CPNI) for a particular zip code or phone exchange.
What is an existing customer relationship?
An existing customer relationship is based on the following categories of service:
Local voice and all related services
Long distance and all related services
Internet and all related services
Wireless phone and all related services
Bundles and all related services
See Up-Selling Opportunities in section 15 to help assist in determining the related
services.
.
Note: CATV CPNI is protected under a separate set of rules, US Code Title 47,Chapter 5, Subchapter V-A, Part IV, Section 551.
8/20/2019 McClure CPNI Manual.pdf
34/58
Section15-MarketingOpportunities MS.docPage 1 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
MCCLURE SERVICES LLC
CPNI MANUAL
Marketing Opportunities Within Service Categories
In Order to Comply With CPNI Rules
(If Your Company Does Not Utilize the Opt-Out / Opt-In
Methods of Gaining Customer Approval to Use CPNI)
Marketing without prior customer approval may only be done when there is an existingcustomer relationship. An existing customer relationship means that the customer
already has ordered a particular service or has initiated contact with the company to
discuss a particular service. Note: All employees, especially Customer Service
Representatives, installation and repair technicians, receptionists and any otherfront desk and phone employees, need to be aware of the rules regarding what they
may discuss with a customer in order to market more services.
An existing customer relationship may include the following categories of service:
Local voice and all related services
o Customer Premises Equipment, such as telephones, fax machine,
head phones, etc.
o Second phone line
o Calling Features, such as Caller ID and Voicemail, etc.
o Key Systems
Long distance and all related services
o Alternative long distance plans
o Bundles of long distance minutes, including increase in minutes
plan or unlimited plan
Internet and all related services
o Customer Premises Equipment, such as modems and routers
o Mailboxes
o Virus Protection
o Static IP Addresses
o
Spam Filtering
o Web Storage
o Upgrade from dial-up Internet to high-speed DSL
o Upgrade from lower bandwidth DSL to higher bandwidth DSL
o Wireless broadband
8/20/2019 McClure CPNI Manual.pdf
35/58
Section15-MarketingOpportunities MS.docPage 2 of 2 Released: September 4, 2015
Prepared by Vantage Point Solutions – For Internal Company Use Only
Bundles and all related services
o If customer currently has a voice and long distance bundle , those
are the only services (along with all the related services, such as
upgrades within that bundle) that can be discussed without the
employee’s approval to discuss other services.
o If customer currently has a voice and data bundle , those are the
only services (along with all the related services, such as upgrades
within that bundle) that can be discussed without the employee’s
approval to discuss other services.
o If customer currently has a voice and video bundle , those are the
only services (along with all the related services, such as upgrades
within that bundle) that can be discussed without the employee’sapproval to discuss other services.
o If customer currently has a voice, data, and video bundle , those
are the only services (along with all the related services, such as
upgrades within that bundle) that can be discussed without the
employee’s approval to discuss other services.
o
If customer currently has a voice, data, and wireless bundle , those
are the only services (along with all the related services, such as
upgrades within that bundle) that can be discussed without the
employee’s approval to discuss other services.
Note: CATV CPNI is protected under a separate set of rules, US Code Title 47,
Chapter 5, Subchapter V-A, Part IV, Section 551.
8/20/2019 McClure CPNI Manual.pdf
36/58
Section16.1-SampleCustomerMemo MS.doc Page 1 of 2 Released: September 4, 2015
TO: MCCLURE SERVICES LLC Customer
FROM: Mary Claire CartwrightCPNI Compliance Officer, MCCLURE SERVICES LLC (MCCLURE)
DATE: September 4, 2015
RE: Customer Notice Regarding CPNI Compliance
In order to help protect your privacy regarding customer proprietary network information (CPNI), the
Federal Communications Commission (FCC) has taken measures to strengthen the rules ofproviding CPNI to customers, when requested. MCCLURE is in the process of implementing thesenew FCC rules. In order for our company to be in compliance with the new FCC rules for CPNI, wewant to inform you, our valued customer, of the changes that pertain to you. CPNI includes the calldetail information such as the called number, time of call, length of call, etc.
With the new FCC rule revisions, CPNI will only be able to discuss account information with theperson(s) listed on the account or proven power of attorney. If call detail is requested by a customerover the phone and the call is initiated by the customer, that customer will need to provide apreviously set password in order for our customer service representative (CSR) to supply therequested information on the phone call. The password can not be historical background informationthat would be available to someone else, such as the last four digits of your social security number,
mother’s maiden name, your address, etc. If this password is not supplied and back-up questionscan not be answered, there are only three ways for the customer to obtain this requested detail:
1. Hang up and have the CSR call back the telephone number of record2. Have the CSR mail the requested information to the address of record3. The authorized customer on the account must come to the telephone office and show a valid
government issued photo ID
With these rules, if you would like to add someone to the account that can be authorized to makesuch requests please let us know. Otherwise, only the person(s) listed on the account will be able toobtain such call detail information in the manner addressed above and be able to discuss changes tothe account or certain account details. If a customer initiates a call to MCCLURE for account
changes that are non-call detail CPNI such as questions on your bill, the customer will be asked toauthenticate their self or possibly need to supply the password, depending on the FCC final ruling. Inorder to assist in adding an authorized person(s) to your account such as a spouse or dependent,please complete the attached form and return to the telephone office.
We apologize in advance for any inconvenience this may cause, however the new rules are for theprotection of your privacy in order to ensure that no one other than the authorized person is receivingthe requested detail and making account changes. Our service to you is not changing as yourprivacy has always been important to us; we are only tightening our security of protecting yourprivate information, as mandated by the FCC.
MEMO
Print on
Company
Letterhead
8/20/2019 McClure CPNI Manual.pdf
37/58
Section16.1-SampleCustomerMemo MS.doc Page 2 of 2 Released: September 4, 2015
Along with the authorized person form, we have included a section to complete in order to begin theprocess of setting up your password and back-up questions. Please complete this form andreturn to our telephone office at your earliest convenience.
Due to the FCC rule revisions, you will also receive a “Notice of Change/Activity” form at the addressof record from our office anytime changes are made to your account such as an address change,password change, back-up question used for lost or forgotten password, etc. The notice will informyou of such change or activity and if this was not made by an authorized person, please contact ouroffice immediately.
Occasionally, MCCLURE would like to make you aware of additional products or services availablefrom us outside our current service relationship. For example, if you have our local exchange voiceservice, you may be interested in our long distance packages. However, per the new FCC rules onCPNI, you have the option of signing the attached “Opt-Out” form in order to exclude yourself fromsuch internal marketing services. We never sell your private information to outside entities; howeverwe would like the opportunity to continue to make you aware of additional products and serviceavailable to you that you currently may not know about. By completing the attached “Opt-Out” form,we will exclude you from such internal marketing opportunities based upon your specific accountinformation. If you wish to be excluded, please complete the attached “Opt-Out” form and return toour office. Otherwise if you would like to continue hearing about our products and service that maybe of interest to you based upon your current account status, please disregard this “Opt-Out” form.
Thank you in advance for your assistance in completing the necessary forms attached and returningto our office in order to help us comply with the new FCC rules for your CPNI protection. The newprocedures will help ensure your private information is protected. If you have any questionsregarding our new procedures for CPNI compliance, please contact me at (765) 588-1388
Enclosures (3)
8/20/2019 McClure CPNI Manual.pdf
38/58
Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Input Released: October 15, 2007
MCCLURE SERVICES LLC
Input Form
Current Authori zed Ac count Contacts for (phone number): (800)
Contact:
Contact:
Phone Company Information: McClure Services LLC
Kurz Purdue Technology Center
1281 Win Hentschel B lvd.
West Lafayette, IN 47906
CPNI Compliance Officer
ABC Telephone Company
(800)
123-4567
Jack Doe
123-4567
Phone Number
John Doe
Jill Doe
8/20/2019 McClure CPNI Manual.pdf
39/58Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Authorized Acct Contacts Released: October 15, 2007
MCCLURE SERVICES LLC
Authorized Account Contacts
Current Authorized Account Contacts for (phone number): (800)
Contact:
Contact:
No, at this time I do not want to add any additional authorized contacts to my account.
Yes, at this time I would like to add the following people as authorized contacts for my account.
Email Address*:
Authorized By:
Date:
Please use the enclosed envelope to return the completed form to our office at:
McClure Services LLCKurz Purdue Technology Center
1281 Win Hentschel Blvd.
West Lafayette, IN 47906
For questions regarding this form or the new CPNI company policies, please contact:
CPNI Compliance Officer
ABC Telephone Company
(800)
123-4567
John Doe
Jill Doe
(Signature of authorized contact currently listed on the account)
123-4567
Phone Number
Jack Doe
*The FCC does allow call detail CPNI to be sent to an email account of record.However, this email address mus t be in the company files for at least 30 days
before CPNI can be sent to it. If you would like our company to have an "email
address of record" in our fi les, please provide the address.
Per the FCC rules regarding Customer Proprietary Network Information (CPNI)as described in the attached notice, this form needs to be completed andreturned to our office.
The current authorized account contacts are l isted below. Please mark whether you wou ld or wou ld not l ike to add another contac t to the account at this t ime. If you do add another contact, please provide their name(s) in the l ines below.
Reminder: Due to the CPNI FCC rules, we can only discuss certain accountinformation and call detail with such authorized contacts.
8/20/2019 McClure CPNI Manual.pdf
40/58Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Password Set Up Released: October 15, 2007
MCCLURE SERVICES LLC
Password Set Up
Current Authorized Account Contacts for (phone number): (800)
Contact:
Contact:
Author ized Cust omer Chosen Password*:
(Between 5-10 characters in length - Alpha, Numeric, or Alpha/Numeric Mixed - no spaces or symbols all
Security Questions & Answers:
1. What was your first childhood pet's name?
2. Where were were born?
3. What is your favorite color?
4. As a child, what was your dream job?
5. What brand of shampoo do you use?
Authorized By:
Date:
Please use the enclosed envelope to return the completed form to our office at:
McClure Services LLC
Kurz Purdue Technology Center
1281 Win Hentschel Blvd .
West Lafayette, IN 47906
For questions regarding this form or the new CPNI company policies, please contact:
CPNI Compliance Officer
ABC Telephone Company
(800)
(Signature of authorized contact currently listed on the account)
(You can use city and state, just state, just city, state abbreviation, zip code, city nick name,
etc. Just remember they way you have chosen to answer this.)
Jack Doe
123-4567
Phone Number
123-4567
John Doe
Jill Doe
*This password can not be historical information such as based on your social security number,
address, etc. The FCC is trying to minimi ze the possib ility of false identification for suppl ying call detail,
therefore do not use anything th at someone else would be able to access.
Per the new FCC rules regarding Customer Proprietary Network Information (CPNI) as described in theattached notice, this form needs to be completed and returned to our off ice.
Reminder : Due to the new CPNI FCC rules, i f you request cal l detai l informat ion you must supply thispassword before the informat ion can be disclosed. If you do not remember the password, the securi tyquestions below wil l be used for ver if icat ion and a new password wi ll be established. If a password cannot be suppl ied for cal l detai l i nformat ion, there are only a few ways mandated by the FCC in order toobtain the information.
(1) Have the telephone representat ive cal l you back, but only at the telephone number of record
(2) Have the telephone representat ive mai l you the requested cal l detai l informat ion, but only to theaddress of record
(3) You, the au thor ized accoun t cus tomer , mus t come to the telephone o ff ice and show your val idgovernment issued photo ID
One Form must be completed per account, therefore if there are more than one authorized customers ontheaccount this password wil l be for all authorized customers.
Chose two security questions and fill in the answer. This will be used to verify you as the authorizedcustomer if the password can not be remember. The telephone representative will ask you the chosenquestions and wait for the proper answer (that you complete below) before the password is re-established.
8/20/2019 McClure CPNI Manual.pdf
41/58Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Opt-In Released: October 15, 2007
MCCLURE SERVICES LLC
Opt-In Notice
Please call our office if you have any questions on this notice:
CPNI Compliance Officer
ABC Telephone Company
(800)
OPT-IN CONSENT
Return this portion if you chose to opt-in of notification of MCCLURE SERVICES LLC
external marketing of services and products.
I have read the above notice and would like to Opt-In by granting permission to MCCLURE SERVICES LLC
for sharing my account information with joint-venture partners, independent contractors, and/or third partiesfor the purpose of marketing.
Author ized Customer :
Street/Billing Address:
City, State, Zip Code:
Account Telephone Number: (800)
Authorized By:
Date:
As in the past and continuing into the future, our company respects your privacy and abides by the privacy rules
mandated by the Federal Communications Commission, state commission, and any other oversight telecom
agencies.
For the purpose of marketing additional products and services to you, we are requesting permission to share your
account and call information with our joint-venture partners, independent contractors, and/or other third parties. This
information will be used for marketing purposes only to better serve you with additional products and services that
may be of interest to you based upon your usage and features.
We would like the opportunity to continue to better serve you by notifying you of our additional products and services,
however you must opt-in in order to receive information regarding our additional products and services. If you agree
to this, please sign and return the portion below.
Jack Doe
123-4567
Phone Number
John Doe
123-4567
(Signature of authorized contact currently listed on the account)
8/20/2019 McClure CPNI Manual.pdf
42/58Section16.2-16.6 CPNI SAMPLE Forms MS.xls, Opt-Out Released: October 15, 2007
MCCLURE SERVICES LLC
Opt-Out Notice
Please call our office if you have any questions on this notice:
CPNI Compliance Officer
ABC Telephone Company
(800) November 1, 2007
OPT-OUT NOTIFICATION
Return this portion if you chose to opt-out of notification of MCCLURE SERVICES LLC
internal targeted marketing of services and products that are outside of your existing service scope.
I have read this notice and would like to Opt-Out of the CPNI based marketing of products and services
that are outside of my existing scope of service offered by MCCLURE SERVICES LLC.
Authorized Customer:
Street/Billing Address:
City, State, Zip Code:
Account Telephone Number: (800)
Authorized By :
Date:
Phone Number
John Doe
As in the past and continuing into the future, our company respects your privacy and abides by the privacy
rules mandated by the Federal Communications Commission, state commission, and any other oversight
telecom agencies. We never sell your private account information or provide call detail information of your
telephone calls to outside entities for marketing purposes. The protection of your information is important
to us and our Company acknowledges that you have a right, and we have a duty, under federal law, to
protect the confidentiality of your CPNI.
Sometimes we would like to make you aware of additional products or services available from us and our
affiliates (Identify by name) outside the existing business relationship. For example, if you have our local
exchange voice service, you may be interest in our long distance packages. However, per the FCC new
rules on Customer Proprietary Network Information (CPNI), you have the option of being excluded from
such targeted marketing services by signing and returning the opt-out notification below. CPNI is
information created by virtue of the relationship between a carrier and a customer, including the quantity,
technical configuration, type, destination, location, and amount of use of a customer's telecommunications
services purchased (including specific calls a customer makes and receives) and related local and toll
billing information. It does not include published information such as one's name, address, or telephone
number.
We would like the opportunity to continue to better serve you by notifying you of our additional products
and services, however you have the right to opt-out of hearing about these products and services. If you
would like to continue being notified about the products and services based upon your current services
with us then please do nothing further. However, if you would like to "opt-out" the signed and returned
signature card will not allow us to inform you of the products and services outside of your existing scope of
service with us based upon the use of your CPNI.
Jack Doe
Unless you provide us with notice that you wish to opt-out within 33 days of the date of this notice, we will
assume that you give our Company the right to utilize your CPNI for internal marketing campaigns. Please
be advised that if you do not opt out, your consent will remain valid until we receive your notice withdrawing
it. If you wish to withdraw your consent at any time, you may do so by calling us at 1-800-XXX-XXXX.
Furthermore, note that opting out will not affect the status of the services you currently have with our
Company. In addition, we can disclose your CPNI to comply with any laws, court order or subpoena or to
provide services to you, pursuant to your C
top related