On July 28, 2023, the FCC issued a Notice of Apparent Liability (“NAL”) proposing a $20 million forfeiture against Q Link Wireless, LLC and Hello Mobile Telecom, LLC (collectively, “the Companies”) for violations of the FCC’s Customer Proprietary Network Information (“CPNI”) rules.
The NAL finds that the Companies violated the CPNI rules by utilizing “readily available biographic information or account information” as default and backup authentication methods for access to CPNI. To protect CPNI from unauthorized third parties who could “pretext” or impersonate a customer, the Commission’s rules prohibit carriers from authenticating a customer’s online access to CPNI by using account information or readily available biographical information (such as a social security number, the last four digits of a social security number, a maiden name, or an address).
Nevertheless, both Companies utilized biographic or account information to authenticate customers’ new online accounts by setting the information as the default password, and Q Link also utilized this information as a backup method of authentication in the event that a customer forgot their password. The NAL finds this practice to be a violation of the CPNI rules by:
- Failing to take reasonable measures to discover and protect against attempts to gain access to CPNI, as bad actors could easily discover the biographical information relied upon to access customers’ online accounts, which constitutes a violation of section 64.2010(a) of the FCC’s CPNI rules.
- Relying on readily available biographical information and account information as a default method to authenticate users, a direct violation of the requirements in section 64.2010(c) of the FCC’s CPNI rules, which prohibits carriers from utilizing such information as a default authentication method.
- Relying on readily available biographical information and account information as a backup method of authentication, a direct violation of the requirements in section 64.2010(e) of the FCC’s CPNI rules, which prohibits carriers from utilizing such information as a backup authentication method.
The FCC’s rules do not establish a base forfeiture for CPNI violations; however, FCC precedent has established a base forfeiture of $40,000 per act for such violations. The FCC’s investigation did not specifically determine how many customers were affected by the Companies’ practices. Nevertheless, the NAL “conservatively” estimates that at least 500 customers were affected, and therefore that there were 500 apparent violations. Applying the base forfeiture of $40,000 to each violation, the NAL proposes a $20,000,000 penalty.