Customer Proprietary Network Information, 31948-31963 [E7-10732]

Download as PDF 31948 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations Federal Communications Commission. Marlene H. Dortch, Secretary. [FR Doc. E7–10722 Filed 6–7–07; 8:45 am] FEDERAL COMMUNICATIONS COMMISSION 47 CFR Part 64 BILLING CODE 6712–01–P [CC Docket Nos. 96–115, 96–149; FCC 02– 214] FEDERAL COMMUNICATIONS COMMISSION Customer Proprietary Network Information 47 CFR Part 64 Federal Communications Commission. [CC Docket No. 96–115, WC Docket No. 04– 36; FCC 07–22] Final rule; announcement of effective date. Customer Proprietary Network Information AGENCY: ACTION: SUMMARY: The Commission adopted rules to implement section 222 of the Communications Act of 1934, as amended, which governs carriers’ use and disclosure of customer proprietary network information. The rules in §§ 64.2007, 64.2008, and 64.2009 required Office of Management and Budget approval and the Commission stated previously in its Federal Register publication that it would announce the effective date of these rules when approved. This document announces the effective date of these rules. The revisions to 47 CFR 64.2007, addition of 47 CFR 64.2008, and revision and amendments to 47 CFR 64.2009, published at 67 FR 59205, became effective on February 24, 2003. DATES: FOR FURTHER INFORMATION CONTACT: William Dever, (202) 418–1578, Wireline Competition Bureau. The FCC published a document in the Federal Register, 67 FR 59205, September 20, 2002, that sets forth an effective date of October 21, 2002, except for amendments to § 64.2007, addition of § 64.2008, and amendments and revisions to § 64.2009, which contained information collection requirements that had not been approved by the Office of Management and Budget. The document stated that the Commission will publish a document in the Federal Register announcing the effective date of these rules. On February 24, 2003, the Office of Management and Budget (OMB) approved the information collection requirements contained in 47 CFR 64.2007, 64.2008, and 64.2009 pursuant to OMB Control No. 3060–0715. Accordingly, the information collection requirement contained in these rules became effective on February 24, 2003. The expiration date for the information collection was February 28, 2006. The expiration date was extended to May 31, 2008 in 70 FR 30112. pwalker on PROD1PC71 with RULES3 SUPPLEMENTARY INFORMATION: VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 Federal Communications Commission. ACTION: Final rule. AGENCY: SUMMARY: The Commission adopted rules to implement section 222 of the Communications Act of 1934, as amended, which governs carriers’ use and disclosure of customer proprietary network information. In this document, the Commission responds to the practice of ‘‘pretexting’’ by strengthening its rules to protect the privacy of customer proprietary network information (CPNI) that is collected and held by providers of communications services. Revised paragraph (o) of § 64.2003, new paragraphs (a), (b), (d), (m), (q), and (r) of § 64.2003, revised paragraph (c)(3) of § 64.2005, revised paragraph (b) of § 64.2007, revised paragraph (e) of 64.2009, and new §§ 64.2010 and 64.2011 contain information collection requirements that have not been approved by the Office of Management and Budget (OMB). The Commission will publish a document in the Federal Register announcing the effective date. Written comment by the public on the modified information collection requirements are due August 7, 2007. Paragraphs (c), (e) through (l), (n), and (p) of § 64.2003 do not contain information collection requirements that have not been approved by OMB and therefore are effective on June 8, 2007. FOR FURTHER INFORMATION CONTACT: Adam Kirschenbaum, (202) 418–7280, Wireline Competition Bureau. For additional information concerning the Paperwork Reduction Act information collection requirements contained in this document, contact Judith B. Herman at (202) 418–0214, or via e-mail at Judith-B.Herman@fcc.gov. SUPPLEMENTARY INFORMATION: This is a summary of the Commission’s Report and Order (Order) in CC Docket No. 96– 115 and WC Docket No. 04–36, FCC 07– 22, adopted March 13, 2007, and DATES: PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 released April 2, 2007. The complete text of this document is available for inspection and copying during normal business hours in the FCC Reference Information Center, Portals II, 445 12th Street, SW., Room CY–A257, Washington, DC 20554. This document may also be purchased from the Commission’s duplicating contractor, Best Copy and Printing, Inc., 445 12th Street, SW., Room CY–B402, Washington, DC 20554, telephone (800) 378–3160 or (202) 863–2893, facsimile (202) 863–2898, or via e-mail at https://www.bcpiweb.com. It is also available on the Commission’s Web site at https://www.fcc.gov. In addition to filing comments with the Office of the Secretary, a copy of any comments on the Paperwork Reduction Act information collection requirements contained herein should be submitted to Judith B. Herman, Federal Communications Commission, Room 1– C804, 445 12th Street, SW., Washington, DC 20554, or via the Internet to JudithB.Herman@fcc.gov. Synopsis of the Report and Order 1. On August 30, 2005, the Electronic Privacy Information Center (EPIC) filed a petition with the Commission asking the Commission to investigate telecommunications carriers’ current security practices and to initiate a rulemaking proceeding to consider establishing more stringent security standards for telecommunications carriers to govern the disclosure of CPNI. In particular, EPIC proposed that the Commission consider requiring the use of consumer-set passwords, creating audit trails, employing encryption, limiting data retention, and improving notice procedures. On February 14, 2006, the Commission released the EPIC CPNI Notice, 71 FR 13317 (March 15, 2006), in which it sought comment on (a) the nature and scope of the problem identified by EPIC, including pretexting, and (b) what additional steps, if any, the Commission should take to protect further the privacy of CPNI. Specifically, the Commission sought comment on the five EPIC proposals listed above. In addition, the Commission tentatively concluded that it should amend its rules to require carriers annually to file their section 64.2009(e) certifications with the Commission. It also sought comment on whether it should require carriers to obtain a customer’s opt-in consent before the carrier shares CPNI with its joint venture partners and independent contractors; whether to impose rules relating to how carriers verify customers’ identities; whether to adopt a set of security requirements that could E:\FR\FM\08JNR3.SGM 08JNR3 pwalker on PROD1PC71 with RULES3 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations be used as the basis for liability if a carrier failed to implement such requirements, or adopt a set of security requirements that a carrier could implement to exempt itself from liability; whether VoIP service providers or other IP-enabled service providers should be covered by any new rules the Commission adopts in the present rulemaking; and other specific proposals that might increase the protection of CPNI. 2. In this Order, the Commission responds to the practice of ‘‘pretexting’’ by strengthening its rules to protect the privacy of customer proprietary network information (CPNI) that is collected and held by providers of communications services (hereinafter, communications carriers or carriers). Section 222 of the Communications Act requires telecommunications carriers to take specific steps to ensure that CPNI is adequately protected from unauthorized disclosure. In the Order, the Commission strengthens its privacy rules by adopting additional safeguards to protect customers’ CPNI against unauthorized access and disclosure. 3. The Order is directly responsive to the actions of data brokers, or pretexters, to obtain unauthorized access to CPNI. As EPIC pointed out in its petition that led to this rulemaking proceeding, numerous Web sites advertise the sale of personal telephone records for a price. These data brokers have been able to obtain private and personal information, including what calls were made to and/ or from a particular telephone number and the duration of such calls. In many cases, the data brokers claim to be able to provide this information within fairly quick time frames, ranging from a few hours to a few days. The additional privacy safeguards the Commission adopts in the Order will sharply limit pretexters’ ability to obtain unauthorized access to this type of personal customer information from carriers the Commission regulates. 4. The Commission finds that the release of call detail over the telephone presents an immediate risk to privacy and therefore it prohibits carriers from releasing call detail information based on customer-initiated telephone contact except under three circumstances. First, a carrier can release call detail information if the customer provides the carrier with a pre-established password. Second, a carrier may, at the customer’s request, send call detail information to the customer’s address of record. Third, a carrier may call the telephone number of record and disclose call detail information. A carrier may disclose noncall detail CPNI to a customer after the carrier authenticates the customer. VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 5. The Commission does not intend for the prohibition on the release of call detail over the telephone for customerinitiated telephone contact to hinder routine carrier-customer relations regarding service/billing disputes and questions. If a customer is able to provide to the carrier, during a customer-initiated telephone call, all of the call detail information necessary to address a customer service issue (i.e., the telephone number called, when it was called, and, if applicable, the amount charged for the call), then the carrier is permitted to proceed with its routine customer care procedures. The Commission believes that if a customer is able to provide this information to the carrier, without carrier assistance, then the carrier does not violate the Commission’s rules if the carrier takes routine customer service actions related to such information. The Commission additionally clarifies that, under these circumstances, carriers may not disclose to the customer any call detail information about the customer account other than the call detail information that the customer provides without the customer first providing a password. The Commission’s rule is intended to prevent pretexter phishing and other pretexter methods for gaining unauthorized access to customer account information. 6. The Commission also requires carriers to password protect online access to CPNI. Although section 222 of the Act imposes a duty on carriers to protect the privacy of CPNI, data brokers and others have been able to access CPNI online without the account holder’s knowledge or consent. The Commission agrees with EPIC that the apparent ease with which data brokers have been able to access CPNI online demonstrates the insufficiency of carriers’ customer authentication procedures. In particular, the record evidence demonstrates that some carriers permit customers to establish online accounts by providing readily available biographical information. Thus, a data broker may obtain online account access easily without the customer’s knowledge. Therefore, the Commission agrees with EPIC and others that use of such identifiers is an insufficient mechanism for preventing data brokers from obtaining unauthorized online access to CPNI. 7. The Commission continues to allow carriers to provide customers with access to CPNI at a carrier’s retail location if the customer presents a valid photo ID and the valid photo ID matches the name on the account. The Commission agrees with the Attorneys General and finds that this is a secure PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 31949 authentication practice because it enables the carrier to make a reasonable judgment about the customer’s identity. 8. The Commission requires carriers to notify customers immediately of certain account changes, including whenever a password, customer response to a carrier-designed back-up means of authentication, online account, or address of record is created or changed. The Commission agrees with the New Jersey Ratepayer Advocate that this notification is an important tool for customers to monitor their account’s security. This notification may be through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record, as to reasonably ensure that the customer receives this notification. The Commission believes this measure is appropriate to protect customers from data brokers that might otherwise manage to circumvent the authentication protections the Commission adopts in this Order, and to take appropriate action in the event of pretexter activity. Further, the Commission finds that this notification requirement will also empower customers to provide carriers with timely information about pretexting activity, which the carriers may not be able to identify easily. 9. The Commission does make an exception to the rules that it adopts for certain business customers. The Commission agrees with commenters who argue that privacy concerns of telecommunications consumers are greatest when using personal telecommunications services. Indeed, the fraudulent practices described by EPIC have mainly targeted individual consumers, and the record indicates that the proprietary information of wireline and wireless business account customers already is subject to stringent safeguards, which are privately negotiated by contract. Therefore, if the carrier’s contract with a business customer is serviced by a dedicated account representative as the primary contact, and specifically addresses the carrier’s protection of CPNI, the Commission does not extend its carrier authentication rules to cover these business customers, because businesses are typically able to negotiate the appropriate protection of CPNI in their service agreements. However, nothing in the Order exempts carriers serving wireline enterprise and wireless business account customers from section 222 or the remainder of the Commission’s CPNI rules. 10. The Commission agrees with EPIC that carriers should be required to notify a customer whenever a security breach E:\FR\FM\08JNR3.SGM 08JNR3 pwalker on PROD1PC71 with RULES3 31950 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations results in that customer’s CPNI being disclosed to a third party without that customer’s authorization. However, the Commission also appreciates law enforcement’s concern about delaying customer notification in order to allow law enforcement to investigate crimes. Therefore, the Commission adopts a rule that it believes balances a customer’s need to know with law enforcement’s ability to undertake an investigation of suspected criminal activity, which itself might advance the goal of consumer protection. 11. The Commission declines to specify the precise content of the notice that must be provided to customers in the event of a security breach of CPNI. The notice requirement the Commission adopts in this proceeding is general, and the Commission recognizes that numerous types of circumstances— including situations other than pretexting—could result in the unauthorized disclosure of a customer’s CPNI to a third party. Thus, the Commission leaves carriers the discretion to tailor the language and method of notification to the circumstances. Finally, the Commission expects carriers to cooperate fully in any law enforcement investigation of such unauthorized release of CPNI or attempted unauthorized access to an account consistent with statutory and Commission requirements. 12. The Commission agrees with commenters that techniques for fraud vary and tend to become more sophisticated over time, and that carriers need leeway to engage emerging threats. The Commission therefore clarifies that carriers are free to bolster their security measures through additional measures to meet their section 222 obligations to protect the privacy of CPNI. The Commission also codifies the existing statutory requirement contained in section 222 of the Act that carriers take reasonable measures to discover and protect against activity that is indicative of pretexting. Adoption of the rules in this Order does not relieve carriers of their fundamental duty to remain vigilant in their protection of CPNI, nor does it necessarily insulate them from enforcement action for unauthorized disclosure of CPNI. 13. The Commission modifies its rules to require telecommunications carriers to obtain opt-in consent from a customer before disclosing that customer’s CPNI to a carrier’s joint venture partner or independent contractor for the purpose of marketing communications-related services to that customer. While the Commission realizes that this is a change in Commission policy, it finds VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 that new circumstances force it to reassess its existing regulations. As the Commission has found previously, the Commission has a substantial interest in protecting customer privacy. Based on this and in light of new privacy concerns, the Commission now finds that an opt-in framework for the sharing of CPNI with joint venture partners and independent contractors for the purposes of marketing communicationsrelated services to a customer both directly advances its interest in protecting customer privacy and is narrowly tailored to achieve its goal of privacy protection. Specifically, an optin regime will more effectively limit the circulation of a customer’s CPNI by maintaining it in a carrier’s possession unless a customer provides informed consent for its release. Moreover, the Commission finds that an opt-in regime will provide necessary informed customer choice concerning these information sharing relationships with other companies. 14. To the extent that carriers voluntarily obtained opt-in approval from their customers for the disclosure of customers’ CPNI to a joint venture partner or independent contractor for the purposes of marketing communications-related services to a customer prior to the adoption of this Order, those carriers can continue to use those approvals. 15. The Commission adopts the Commission’s tentative conclusion and amends its rules to require carriers to file their annual CPNI certification with the Commission, including an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. The Commission finds that this amendment to the Commission’s rules is an appropriate measure and will ensure that carriers regularly focus their attention on their duty to safeguard CPNI. Additionally, the Commission finds that this modification to its rules will remind carriers of the Commission’s oversight and high priority regarding carrier performance in this area. Further, with this filing, the Commission will be better able to monitor the industry’s response to CPNI privacy issues and to take any necessary steps to ensure that carriers are managing customer CPNI securely. 16. The Commission extends the application of the Commission’s CPNI rules to providers of interconnected VoIP service. In the IP-Enabled Services Notice and the EPIC CPNI Notice, the Commission sought comment on whether to extend the CPNI PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 requirements to VoIP service providers. Since the Commission has not decided whether interconnected VoIP services are telecommunications services or information services as those terms are defined in the Act, nor does it do so in this Order, the Commission analyzes the issues addressed in this Order under its Title I ancillary jurisdiction to encompass both types of service. If the Commission later classifies interconnected VoIP service as a telecommunications service, the providers of interconnected VoIP services would be subject to the requirements of section 222 and the Commission’s CPNI rules as telecommunications carriers under Title II. 17. The Commission concludes that it has authority under Title I of the Act to impose CPNI requirements on providers of interconnected VoIP service. Ancillary jurisdiction may be employed, in the Commission’s discretion, when Title I of the Act gives the Commission subject matter jurisdiction over the service to be regulated and the assertion of jurisdiction is ‘‘reasonably ancillary to the effective performance of [its] various responsibilities.’’ Both predicates for ancillary jurisdiction are satisfied here. First, as the Commission concluded in the Interim USF Order and VoIP 911 Order, interconnected VoIP services fall within the subject matter jurisdiction granted to it in the Act. Second, the Commission analysis requires it to evaluate whether imposing CPNI obligations is reasonably ancillary to the effective performance of the Commission’s various responsibilities. Based on the record in this matter, the Commission finds that sections 222 and 1 of the Act provide the requisite nexus, with additional support from section 706. 18. The Commission takes seriously the protection of customers’ private information and commit to remaining vigilant to ensure compliance with applicable privacy laws within its jurisdiction. One way in which the Commission will help protect consumer privacy is through strong enforcement measures. When investigating compliance with the rules and statutory obligations, the Commission will consider whether the carrier has taken reasonable precautions to prevent the unauthorized disclosure of a customer’s CPNI. Specifically, the Commission hereby puts carriers on notice that the Commission henceforth will infer from evidence that a pretexter has obtained unauthorized access to a customer’s CPNI that the carrier did not sufficiently protect that customer’s CPNI. A carrier then must demonstrate that the steps it E:\FR\FM\08JNR3.SGM 08JNR3 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations has taken to protect CPNI from unauthorized disclosure, including the carrier’s policies and procedures, are reasonable in light of the threat posed by pretexting and the sensitivity of the customer information at issue. If the Commission finds at the conclusion of its investigation that the carrier indeed has not taken sufficient steps adequately to protect the privacy of CPNI, the Commission may sanction it for this oversight, including through forfeiture. 19. The Commission offers additional guidance regarding the Commission’s expectations that will inform its investigations. The Commission fully expects carriers to take every reasonable precaution to protect the confidentiality of proprietary or personal customer information. Of course, the Commission requires carriers to implement the specific minimum requirements set forth in the Commission’s rules. The Commission further expects carriers to take additional steps to protect the privacy of CPNI to the extent such additional measures are feasible for a particular carrier. For instance, although the Commission declines to impose audit trail obligations on carriers at this time, the Commission expects carriers through audits or other measures to take reasonable measures to discover and protect against activity that is indicative of pretexting. Similarly, although the Commission does not specifically require carriers to encrypt their customers’ CPNI, the Commission expects a carrier to encrypt its CPNI databases if doing so would provide significant additional protection against the unauthorized access to CPNI at a cost that is reasonable given the technology a carrier already has implemented. pwalker on PROD1PC71 with RULES3 Final Paperwork Reduction Act Analysis 20. This Order contains modified information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104–13. It will be submitted to the Office of Management and Budget (OMB) for review under section 3507(d) of the PRA. OMB, the general public, and other Federal agencies are invited to comment on the new information collection requirements contained in this proceeding. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107–198, see 44 U.S.C. 3506(c)(4), the Commission previously sought specific comment on how it might ‘‘further reduce the information collection burden for small business concerns with fewer than 25 employees.’’ VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 21. In the Order, the Commission assessed the burdens placed on small businesses to notify customers of account changes, to notify law enforcement and customers of unauthorized CPNI disclosure; to obtain opt-in consent prior to sharing CPNI with joint venture partners and independent contractors; to file annually a CPNI certification with the Commission, including an explanation of any actions taken against data brokers and a summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI, and to extend the CPNI rules to providers of interconnected VoIP services, and found that these requirements do not place a significant burden on small businesses. Final Regulatory Flexibility Analysis 22. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was incorporated in the EPIC CPNI Notice in CC Docket No. 96– 115 and the IP-Enabled Services Notice in WC Docket 04–36. The Commission sought written public comment on the proposals in both notices, including comment on the IRFA. The Commission received comments specifically directed toward the IRFA from three commenters in CC Docket No. 96–115 and from three commenters in WC Docket No. 04–36. These comments are discussed below. This Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA. A. Need for, and Objectives of, the Rules 23. The Order strengthens the Commission’s rules to protect the privacy of CPNI that is collected and held by providers of communications services. Section 222 of the Communications Act requires telecommunications carriers to take specific steps to ensure that CPNI is adequately protected from unauthorized disclosure. The Order adopts additional safeguards to protect customers’ CPNI against unauthorized access and disclosure. B. Summary of Significant Issues Raised by Public Comments in Response to the IRFA 24. Comments Received in Response to the EPIC CPNI Notice. In this section, the Commission responds to comments filed in response to the IRFA. To the extent the Commission received comments raising general small business concerns during the proceeding, those comments are discussed throughout the Order. 25. The Commission disagrees with Alexicon that small carriers are less PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 31951 vulnerable to unauthorized attempts to access CPNI. In fact, Alexicon itself points out that one of its client companies actually experienced an unauthorized access attempt, and thus the Commission finds the steps it takes in the Order are applicable to all carriers. The Commission does, however, agree with commenters that argue the Commission should not adopt many of EPIC’s suggested requirements. The Commission also agrees with commenters that argue for flexible rules to allow carriers to determine proper authentication methods for its customers. Therefore, the Commission does not adopt specific authentication methods, or back-up authentication methods for lost or forgotten passwords and instead adopts rules that provide limits on the types of authentication methods that meet section 222’s mandate to protect CPNI. Further, the Commission agrees with commenters that small carriers should be provided additional time to implement the requirements that the Commission does adopt in the Order. Thus, the Commission provides small carriers with an additional six month implementation period for the online carrier authentication requirements adopted in the Order. 26. Comments Received in Response to the IP-Enabled Services Notice. In this section, the Commission responds to comments filed in response to the IRFA. To the extent the Commission received comments raising general small business concerns during the proceeding, those comments are discussed throughout the Order. 27. The Commission disagrees with the SBA and Francois D. Menard (Menard) that the Commission should postpone acting in this proceeding— thereby postponing extending the application of the CPNI rules to interconnected VoIP service providers— and instead should reevaluate the economic impact and the compliance burdens on small entities and issue a further notice of proposed rulemaking in conjunction with a supplemental IRFA identifying and analyzing the economic impacts on small entities and less burdensome alternatives. The Commission believes the additional steps suggested by SBA and Menard are unnecessary because small entities already have received sufficient notice of the issues addressed in the Order and because the Commission has considered the economic impact on small entities and what ways are feasible to minimize the burdens imposed on those entities, and, to the extent feasible, has implemented those less burdensome alternatives. E:\FR\FM\08JNR3.SGM 08JNR3 31952 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations C. Description and Estimate of the Number of Small Entities to Which Rules Will Apply 28. The RFA directs agencies to provide a description of and, where feasible, an estimate of the number of small entities that may be affected by the rules adopted herein. The RFA generally defines the term ‘‘small entity’’ as having the same meaning as the terms ‘‘small business,’’ ‘‘small organization,’’ and ‘‘small governmental jurisdiction.’’ In addition, the term ‘‘small business’’ has the same meaning as the term ‘‘small business concern’’ under the Small Business Act. A small business concern is one which: (1) Is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA). 29. Small Businesses. Nationwide, there are a total of approximately 22.4 million small businesses, according to SBA data. 30. Small Organizations. Nationwide, there are approximately 1.6 million small organizations. 31. Small Governmental Jurisdictions. The term ‘‘small governmental jurisdiction’’ is defined generally as ‘‘governments of cities, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.’’ Census Bureau data for 2002 indicate that there were 87,525 local governmental jurisdictions in the United States. The Commission estimates that, of this total, 84,377 entities were ‘‘small governmental jurisdictions.’’ Thus, the Commission estimates that most governmental jurisdictions are small. pwalker on PROD1PC71 with RULES3 1. Telecommunications Service Entities a. Wireline Carriers and Service Providers 32. The Commission has included small incumbent local exchange carriers in the present RFA analysis. As noted above, a ‘‘small business’’ under the RFA is one that, inter alia, meets the pertinent small business size standard (e.g., a telephone communications business having 1,500 or fewer employees), and ‘‘is not dominant in its field of operation.’’ The SBA’s Office of Advocacy contends that, for RFA purposes, small incumbent local exchange carriers are not dominant in their field of operation because any such dominance is not ‘‘national’’ in scope. The Commission has therefore included small incumbent local exchange carriers in this RFA analysis, although the Commission emphasizes that this RFA action has no effect on Commission VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 analyses and determinations in other, non-RFA contexts. 33. Incumbent Local Exchange Carriers (LECs). Neither the Commission nor the SBA has developed a small business size standard specifically for incumbent local exchange services. The appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 1,303 carriers have reported that they are engaged in the provision of incumbent local exchange services. Of these 1,303 carriers, an estimated 1,020 have 1,500 or fewer employees and 283 have more than 1,500 employees. Consequently, the Commission estimates that most providers of incumbent local exchange service are small businesses that may be affected by its action. 34. Competitive Local Exchange Carriers, Competitive Access Providers (CAPs), ‘‘Shared-Tenant Service Providers,’’ and ‘‘Other Local Service Providers.’’ Neither the Commission nor the SBA has developed a small business size standard specifically for these service providers. The appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 769 carriers have reported that they are engaged in the provision of either competitive access provider services or competitive local exchange carrier services. Of these 769 carriers, an estimated 676 have 1,500 or fewer employees and 93 have more than 1,500 employees. In addition, 12 carriers have reported that they are ‘‘Shared-Tenant Service Providers,’’ and all 12 are estimated to have 1,500 or fewer employees. In addition, 39 carriers have reported that they are ‘‘Other Local Service Providers.’’ Of the 39, an estimated 38 have 1,500 or fewer employees and one has more than 1,500 employees. Consequently, the Commission estimates that most providers of competitive local exchange service, competitive access providers, ‘‘Shared-Tenant Service Providers,’’ and ‘‘Other Local Service Providers’’ are small entities that may be affected by its action. 35. Local Resellers. The SBA has developed a small business size standard for the category of Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 143 carriers have reported that they are engaged in the provision of local resale PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 services. Of these, an estimated 141 have 1,500 or fewer employees and two have more than 1,500 employees. Consequently, the Commission estimates that the majority of local resellers are small entities that may be affected by its action. 36. Toll Resellers. The SBA has developed a small business size standard for the category of Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 770 carriers have reported that they are engaged in the provision of toll resale services. Of these, an estimated 747 have 1,500 or fewer employees and 23 have more than 1,500 employees. Consequently, the Commission estimates that the majority of toll resellers are small entities that may be affected by its action. 37. Payphone Service Providers (PSPs). Neither the Commission nor the SBA has developed a small business size standard specifically for payphone services providers. The appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 613 carriers have reported that they are engaged in the provision of payphone services. Of these, an estimated 609 have 1,500 or fewer employees and four have more than 1,500 employees. Consequently, the Commission estimates that the majority of payphone service providers are small entities that may be affected by its action. 38. Interexchange Carriers (IXCs). Neither the Commission nor the SBA has developed a small business size standard specifically for providers of interexchange services. The appropriate size standard under SBA rules is for the category Wired Telecommunications Carriers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 316 carriers have reported that they are engaged in the provision of interexchange service. Of these, an estimated 292 have 1,500 or fewer employees and 24 have more than 1,500 employees. Consequently, the Commission estimates that the majority of IXCs are small entities that may be affected by its action. 39. Operator Service Providers (OSPs). Neither the Commission nor the SBA has developed a small business size standard specifically for operator service providers. The appropriate size standard under SBA rules is for the category Wired Telecommunications E:\FR\FM\08JNR3.SGM 08JNR3 pwalker on PROD1PC71 with RULES3 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations Carriers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 23 carriers have reported that they are engaged in the provision of operator services. Of these, an estimated 20 have 1,500 or fewer employees and three have more than 1,500 employees. Consequently, the Commission estimates that the majority of OSPs are small entities that may be affected by its action. 40. Prepaid Calling Card Providers. Neither the Commission nor the SBA has developed a small business size standard specifically for prepaid calling card providers. The appropriate size standard under SBA rules is for the category Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees. According to Commission data, 89 carriers have reported that they are engaged in the provision of prepaid calling cards. Of these, 88 are estimated to have 1,500 or fewer employees and one has more than 1,500 employees. Consequently, the Commission estimates that all or the majority of prepaid calling card providers are small entities that may be affected by its action. 41. 800 and 800–Like Service Subscribers. Neither the Commission nor the SBA has developed a small business size standard specifically for 800 and 800-like service (‘‘toll free’’) subscribers. The appropriate size standard under SBA rules is for the category Telecommunications Resellers. Under that size standard, such a business is small if it has 1,500 or fewer employees. The most reliable source of information regarding the number of these service subscribers appears to be data the Commission collects on the 800, 888, and 877 numbers in use. According to the Commission’s data, at the end of January, 1999, the number of 800 numbers assigned was 7,692,955; the number of 888 numbers assigned was 7,706,393; and the number of 877 numbers assigned was 1,946,538. The Commission does not have data specifying the number of these subscribers that are not independently owned and operated or have more than 1,500 employees, and thus is unable at this time to estimate with greater precision the number of toll free subscribers that would qualify as small businesses under the SBA size standard. Consequently, the Commission estimates that there are 7,692,955 or fewer small entity 800 subscribers; 7,706,393 or fewer small entity 888 subscribers; and 1,946,538 or fewer small entity 877 subscribers. VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 b. International Service Providers 42. The Commission has not developed a small business size standard specifically for providers of international service. The appropriate size standards under SBA rules are for the two broad census categories of ‘‘Satellite Telecommunications’’ and ‘‘Other Telecommunications.’’ Under both categories, such a business is small if it has $12.5 million or less in average annual receipts. 43. The first category of Satellite Telecommunications ‘‘comprises establishments primarily engaged in providing point-to-point telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.’’ For this category, Census Bureau data for 2002 show that there were a total of 371 firms that operated for the entire year. Of this total, 307 firms had annual receipts of under $10 million, and 26 firms had receipts of $10 million to $24,999,999. Consequently, the Commission estimates that the majority of Satellite Telecommunications firms are small entities that might be affected by its action. 44. The second category of Other Telecommunications ‘‘comprises establishments primarily engaged in (1) providing specialized telecommunications applications, such as satellite tracking, communications telemetry, and radar station operations; or (2) providing satellite terminal stations and associated facilities operationally connected with one or more terrestrial communications systems and capable of transmitting telecommunications to or receiving telecommunications from satellite systems.’’ For this category, Census Bureau data for 2002 show that there were a total of 332 firms that operated for the entire year. Of this total, 259 firms had annual receipts of under $10 million and 15 firms had annual receipts of $10 million to $24,999,999. Consequently, the Commission estimates that the majority of Other Telecommunications firms are small entities that might be affected by its action. c. Wireless Telecommunications Service Providers 45. Below, for those services subject to auctions, the Commission notes that, as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 31953 does not necessarily represent the number of small businesses currently in service. Also, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. 46. Wireless Service Providers. The SBA has developed a small business size standard for wireless firms within the two broad economic census categories of ‘‘Paging’’ and ‘‘Cellular and Other Wireless Telecommunications.’’ Under both SBA categories, a wireless business is small if it has 1,500 or fewer employees. For the census category of Paging, Census Bureau data for 2002 show that there were 807 firms in this category that operated for the entire year. Of this total, 804 firms had employment of 999 or fewer employees, and three firms had employment of 1,000 employees or more. Thus, under this category and associated small business size standard, the majority of firms can be considered small. For the census category of Cellular and Other Wireless Telecommunications, Census Bureau data for 2002 show that there were 1,397 firms in this category that operated for the entire year. Of this total, 1,378 firms had employment of 999 or fewer employees, and 19 firms had employment of 1,000 employees or more. Thus, under this second category and size standard, the majority of firms can, again, be considered small. 47. Cellular Licensees. The SBA has developed a small business size standard for wireless firms within the broad economic census category ‘‘Cellular and Other Wireless Telecommunications.’’ Under this SBA category, a wireless business is small if it has 1,500 or fewer employees. For the census category of Cellular and Other Wireless Telecommunications, Census Bureau data for 2002 show that there were 1,397 firms in this category that operated for the entire year. Of this total, 1,378 firms had employment of 999 or fewer employees, and 19 firms had employment of 1,000 employees or more. Thus, under this category and size standard, the great majority of firms can be considered small. Also, according to Commission data, 437 carriers reported that they were engaged in the provision of cellular service, Personal Communications Service (PCS), or Specialized Mobile Radio (SMR) Telephony services, which are placed together in the data. The Commission has estimated that 260 of these are small, under the SBA small business size standard. 48. Common Carrier Paging. The SBA has developed a small business size standard for wireless firms within the E:\FR\FM\08JNR3.SGM 08JNR3 pwalker on PROD1PC71 with RULES3 31954 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations broad economic census category, ‘‘Cellular and Other Wireless Telecommunications.’’ Under this SBA category, a wireless business is small if it has 1,500 or fewer employees. For the census category of Paging, Census Bureau data for 2002 show that there were 807 firms in this category that operated for the entire year. Of this total, 804 firms had employment of 999 or fewer employees, and three firms had employment of 1,000 employees or more. Thus, under this category and associated small business size standard, the majority of firms can be considered small. In the Paging Third Report and Order, the Commission developed a small business size standard for ‘‘small businesses’’ and ‘‘very small businesses’’ for purposes of determining their eligibility for special provisions such as bidding credits and installment payments. A ‘‘small business’’ is an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $15 million for the preceding three years. Additionally, a ‘‘very small business’’ is an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $3 million for the preceding three years. The SBA has approved these small business size standards. An auction of Metropolitan Economic Area licenses commenced on February 24, 2000, and closed on March 2, 2000. Of the 985 licenses auctioned, 440 were sold. Fiftyseven companies claiming small business status won. Also, according to Commission data, 375 carriers reported that they were engaged in the provision of paging and messaging services. Of those, the Commission estimates that 370 are small, under the SBA-approved small business size standard. 49. Wireless Communications Services. This service can be used for fixed, mobile, radiolocation, and digital audio broadcasting satellite uses. The Commission established small business size standards for the wireless communications services (WCS) auction. A ‘‘small business’’ is an entity with average gross revenues of $40 million for each of the three preceding years, and a ‘‘very small business’’ is an entity with average gross revenues of $15 million for each of the three preceding years. The SBA has approved these small business size standards. The Commission auctioned geographic area licenses in the WCS service. In the auction, there were seven winning bidders that qualified as ‘‘very small business’’ entities, and one that qualified as a ‘‘small business’’ entity. 50. Wireless Telephony. Wireless telephony includes cellular, personal VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 communications services (PCS), and specialized mobile radio (SMR) telephony carriers. As noted earlier, the SBA has developed a small business size standard for ‘‘Cellular and Other Wireless Telecommunications’’ services. Under that SBA small business size standard, a business is small if it has 1,500 or fewer employees. According to Commission data, 445 carriers reported that they were engaged in the provision of wireless telephony. The Commission has estimated that 245 of these are small under the SBA small business size standard. 51. Broadband Personal Communications Service. The broadband Personal Communications Service (PCS) spectrum is divided into six frequency blocks designated A through F, and the Commission has held auctions for each block. The Commission defined ‘‘small entity’’ for Blocks C and F as an entity that has average gross revenues of $40 million or less in the three previous calendar years. For Block F, an additional classification for ‘‘very small business’’ was added and is defined as an entity that, together with its affiliates, has average gross revenues of not more than $15 million for the preceding three calendar years.’’ These standards defining ‘‘small entity’’ in the context of broadband PCS auctions have been approved by the SBA. No small businesses, within the SBA-approved small business size standards bid successfully for licenses in Blocks A and B. There were 90 winning bidders that qualified as small entities in the Block C auctions. A total of 93 small and very small business bidders won approximately 40 percent of the 1,479 licenses for Blocks D, E, and F. On March 23, 1999, the Commission reauctioned 347 C, D, E, and F Block licenses. There were 48 small business winning bidders. On January 26, 2001, the Commission completed the auction of 422 C and F Broadband PCS licenses in Auction No. 35. Of the 35 winning bidders in this auction, 29 qualified as ‘‘small’’ or ‘‘very small’’ businesses. Subsequent events, concerning Auction 35, including judicial and agency determinations, resulted in a total of 163 C and F Block licenses being available for grant. 52. Narrowband Personal Communications Services. To date, two auctions of narrowband personal communications services (PCS) licenses have been conducted. For purposes of the two auctions that have already been held, ‘‘small businesses’’ were entities with average gross revenues for the prior three calendar years of $40 million or less. Through these auctions, the PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 Commission has awarded a total of 41 licenses, out of which 11 were obtained by small businesses. To ensure meaningful participation of small business entities in future auctions, the Commission has adopted a two-tiered small business size standard in the Narrowband PCS Second Report and Order. A ‘‘small business’’ is an entity that, together with affiliates and controlling interests, has average gross revenues for the three preceding years of not more than $40 million. A ‘‘very small business’’ is an entity that, together with affiliates and controlling interests, has average gross revenues for the three preceding years of not more than $15 million. The SBA has approved these small business size standards. In the future, the Commission will auction 459 licenses to serve Metropolitan Trading Areas (MTAs) and 408 response channel licenses. There is also one megahertz of narrowband PCS spectrum that has been held in reserve and that the Commission has not yet decided to release for licensing. The Commission cannot predict accurately the number of licenses that will be awarded to small entities in future auctions. However, four of the 16 winning bidders in the two previous narrowband PCS auctions were small businesses, as that term was defined. The Commission assumes, for purposes of this analysis that a large portion of the remaining narrowband PCS licenses will be awarded to small entities. The Commission also assumes that at least some small businesses will acquire narrowband PCS licenses by means of the Commission’s partitioning and disaggregation rules. 53. 220 MHz Radio Service—Phase I Licensees. The 220 MHz service has both Phase I and Phase II licenses. Phase I licensing was conducted by lotteries in 1992 and 1993. There are approximately 1,515 such non-nationwide licensees and four nationwide licensees currently authorized to operate in the 220 MHz band. The Commission has not developed a small business size standard for small entities specifically applicable to such incumbent 220 MHz Phase I licensees. To estimate the number of such licensees that are small businesses, the Commission applies the small business size standard under the SBA rules applicable to ‘‘Cellular and Other Wireless Telecommunications’’ companies. This category provides that a small business is a wireless company employing no more than 1,500 persons. For the census category Cellular and Other Wireless Telecommunications, Census Bureau data for 1997 show that there were 977 firms in this category, E:\FR\FM\08JNR3.SGM 08JNR3 pwalker on PROD1PC71 with RULES3 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations total, that operated for the entire year. Of this total, 965 firms had employment of 999 or fewer employees, and an additional 12 firms had employment of 1,000 employees or more. Thus, under this second category and size standard, the majority of firms can, again, be considered small. Assuming this general ratio continues in the context of Phase I 220 MHz licensees, the Commission estimates that nearly all such licensees are small businesses under the SBA’s small business size standard. In addition, limited preliminary census data for 2002 indicate that the total number of cellular and other wireless telecommunications carriers increased approximately 321 percent from 1997 to 2002. 54. 220 MHz Radio Service—Phase II Licensees. The 220 MHz service has both Phase I and Phase II licenses. The Phase II 220 MHz service is a new service, and is subject to spectrum auctions. In the 220 MHz Third Report and Order, the Commission adopted a small business size standard for ‘‘small’’ and ‘‘very small’’ businesses for purposes of determining their eligibility for special provisions such as bidding credits and installment payments. This small business size standard indicates that a ‘‘small business’’ is an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $15 million for the preceding three years. A ‘‘very small business’’ is an entity that, together with its affiliates and controlling principals, has average gross revenues that do not exceed $3 million for the preceding three years. The SBA has approved these small business size standards. Auctions of Phase II licenses commenced on September 15, 1998, and closed on October 22, 1998. In the first auction, 908 licenses were auctioned in three different-sized geographic areas: three nationwide licenses, 30 Regional Economic Area Group (EAG) Licenses, and 875 Economic Area (EA) Licenses. Of the 908 licenses auctioned, 693 were sold. Thirty-nine small businesses won licenses in the first 220 MHz auction. The second auction included 225 licenses: 216 EA licenses and 9 EAG licenses. Fourteen companies claiming small business status won 158 licenses. 55. 800 MHz and 900 MHz Specialized Mobile Radio Licenses. The Commission awards ‘‘small entity’’ and ‘‘very small entity’’ bidding credits in auctions for Specialized Mobile Radio (SMR) geographic area licenses in the 800 MHz and 900 MHz bands to firms that had revenues of no more than $15 million in each of the three previous calendar years, or that had revenues of no more than $3 million in each of the VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 previous calendar years, respectively. These bidding credits apply to SMR providers in the 800 MHz and 900 MHz bands that either hold geographic area licenses or have obtained extended implementation authorizations. The Commission does not know how many firms provide 800 MHz or 900 MHz geographic area SMR service pursuant to extended implementation authorizations, nor how many of these providers have annual revenues of no more than $15 million. One firm has over $15 million in revenues. The Commission assumes, for purposes here, that all of the remaining existing extended implementation authorizations are held by small entities, as that term is defined by the SBA. The Commission has held auctions for geographic area licenses in the 800 MHz and 900 MHz SMR bands. There were 60 winning bidders that qualified as small or very small entities in the 900 MHz SMR auctions. Of the 1,020 licenses won in the 900 MHz auction, bidders qualifying as small or very small entities won 263 licenses. In the 800 MHz auction, 38 of the 524 licenses won were won by small and very small entities. 56. 700 MHz Guard Band Licensees. In the 700 MHz Guard Band Order, the Commission adopted a small business size standard for ‘‘small businesses’’ and ‘‘very small businesses’’ for purposes of determining their eligibility for special provisions such as bidding credits and installment payments. A ‘‘small business’’ as an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $15 million for the preceding three years. Additionally, a ‘‘very small business’’ is an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $3 million for the preceding three years. An auction of 52 Major Economic Area (MEA) licenses commenced on September 6, 2000, and closed on September 21, 2000. Of the 104 licenses auctioned, 96 licenses were sold to nine bidders. Five of these bidders were small businesses that won a total of 26 licenses. A second auction of 700 MHz Guard Band licenses commenced on February 13, 2001 and closed on February 21, 2001. All eight of the licenses auctioned were sold to three bidders. One of these bidders was a small business that won a total of two licenses. 57. Rural Radiotelephone Service. The Commission has not adopted a size standard for small businesses specific to the Rural Radiotelephone Service. A significant subset of the Rural PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 31955 Radiotelephone Service is the Basic Exchange Telephone Radio System (BETRS). The Commission uses the SBA’s small business size standard applicable to ‘‘Cellular and Other Wireless Telecommunications,’’ i.e., an entity employing no more than 1,500 persons. There are approximately 1,000 licensees in the Rural Radiotelephone Service, and the Commission estimates that there are 1,000 or fewer small entity licensees in the Rural Radiotelephone Service that may be affected by the rules and policies adopted herein. 58. Air-Ground Radiotelephone Service. The Commission has not adopted a small business size standard specific to the Air-Ground Radiotelephone Service. The Commission will use SBA’s small business size standard applicable to ‘‘Cellular and Other Wireless Telecommunications,’’ i.e., an entity employing no more than 1,500 persons. There are approximately 100 licensees in the Air-Ground Radiotelephone Service, and the Commission estimates that almost all of them qualify as small under the SBA small business size standard. 59. Aviation and Marine Radio Services. Small businesses in the aviation and marine radio services use a very high frequency (VHF) marine or aircraft radio and, as appropriate, an emergency position-indicating radio beacon (and/or radar) or an emergency locator transmitter. The Commission has not developed a small business size standard specifically applicable to these small businesses. For purposes of this analysis, the Commission uses the SBA small business size standard for the category ‘‘Cellular and Other Telecommunications,’’ which is 1,500 or fewer employees. Most applicants for recreational licenses are individuals. Approximately 581,000 ship station licensees and 131,000 aircraft station licensees operate domestically and are not subject to the radio carriage requirements of any statute or treaty. For purposes of the Commission’s evaluations in this analysis, the Commission estimates that there are up to approximately 712,000 licensees that are small businesses (or individuals) under the SBA standard. In addition, between December 3, 1998 and December 14, 1998, the Commission held an auction of 42 VHF Public Coast licenses in the 157.1875–157.4500 MHz (ship transmit) and 161.775–162.0125 MHz (coast transmit) bands. For purposes of the auction, the Commission defined a ‘‘small’’ business as an entity that, together with controlling interests and affiliates, has average gross revenues for the preceding E:\FR\FM\08JNR3.SGM 08JNR3 pwalker on PROD1PC71 with RULES3 31956 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations three years not to exceed $15 million dollars. In addition, a ‘‘very small’’ business is one that, together with controlling interests and affiliates, has average gross revenues for the preceding three years not to exceed $3 million dollars. There are approximately 10,672 licensees in the Marine Coast Service, and the Commission estimates that almost all of them qualify as ‘‘small’’ businesses under the above special small business size standards. 60. Offshore Radiotelephone Service. This service operates on several UHF television broadcast channels that are not used for television broadcasting in the coastal areas of states bordering the Gulf of Mexico. There are presently approximately 55 licensees in this service. The Commission is unable to estimate at this time the number of licensees that would qualify as small under the SBA’s small business size standard for ‘‘Cellular and Other Wireless Telecommunications’’ services. Under that SBA small business size standard, a business is small if it has 1,500 or fewer employees. 61. 39 GHz Service. The Commission created a special small business size standard for 39 GHz licenses—an entity that has average gross revenues of $40 million or less in the three previous calendar years. An additional size standard for ‘‘very small business’’ is: an entity that, together with affiliates, has average gross revenues of not more than $15 million for the preceding three calendar years. The SBA has approved these small business size standards. The auction of the 2,173 39 GHz licenses began on April 12, 2000 and closed on May 8, 2000. The 18 bidders who claimed small business status won 849 licenses. Consequently, the Commission estimates that 18 or fewer 39 GHz licensees are small entities that may be affected by the rules and polices adopted herein. 62. Multipoint Distribution Service, Multichannel Multipoint Distribution Service, and ITFS. Multichannel Multipoint Distribution Service (MMDS) systems, often referred to as ‘‘wireless cable,’’ transmit video programming to subscribers using the microwave frequencies of the Multipoint Distribution Service (MDS) and Instructional Television Fixed Service (ITFS). In connection with the 1996 MDS auction, the Commission established a small business size standard as an entity that had annual average gross revenues of less than $40 million in the previous three calendar years. The MDS auctions resulted in 67 successful bidders obtaining licensing opportunities for 493 Basic Trading Areas (BTAs). Of the 67 auction VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 winners, 61 met the definition of a small business. MDS also includes licensees of stations authorized prior to the auction. In addition, the SBA has developed a small business size standard for Cable and Other Program Distribution, which includes all such companies generating $12.5 million or less in annual receipts. According to Census Bureau data for 1997, there were a total of 1,311 firms in this category, total, that had operated for the entire year. Of this total, 1,180 firms had annual receipts of under $10 million and an additional 52 firms had receipts of $10 million or more but less than $25 million. Consequently, the Commission estimates that the majority of providers in this service category are small businesses that may be affected by the rules and policies adopted herein. This SBA small business size standard also appears applicable to ITFS. There are presently 2,032 ITFS licensees. All but 100 of these licenses are held by educational institutions. Educational institutions are included in this analysis as small entities. Thus, the Commission tentatively conclude that at least 1,932 licensees are small businesses. 63. Local Multipoint Distribution Service. Local Multipoint Distribution Service (LMDS) is a fixed broadband point-to-multipoint microwave service that provides for two-way video telecommunications. The auction of the 1,030 Local Multipoint Distribution Service (LMDS) licenses began on February 18, 1998 and closed on March 25, 1998. The Commission established a small business size standard for LMDS licenses as an entity that has average gross revenues of less than $40 million in the three previous calendar years. An additional small business size standard for ‘‘very small business’’ was added as an entity that, together with its affiliates, has average gross revenues of not more than $15 million for the preceding three calendar years. The SBA has approved these small business size standards in the context of LMDS auctions. There were 93 winning bidders that qualified as small entities in the LMDS auctions. A total of 93 small and very small business bidders won approximately 277 A Block licenses and 387 B Block licenses. On March 27, 1999, the Commission re-auctioned 161 licenses; there were 40 winning bidders. Based on this information, the Commission concludes that the number of small LMDS licenses consists of the 93 winning bidders in the first auction and the 40 winning bidders in the reauction, for a total of 133 small entity LMDS providers. 64. 218–219 MHz Service. The first auction of 218–219 MHz spectrum PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 resulted in 170 entities winning licenses for 594 Metropolitan Statistical Area (MSA) licenses. Of the 594 licenses, 557 were won by entities qualifying as a small business. For that auction, the small business size standard was an entity that, together with its affiliates, has no more than a $6 million net worth and, after federal income taxes (excluding any carry over losses), has no more than $2 million in annual profits each year for the previous two years. In the 218–219 MHz Report and Order and Memorandum Opinion and Order, the Commission established a small business size standard for a ‘‘small business’’ as an entity that, together with its affiliates and persons or entities that hold interests in such an entity and their affiliates, has average annual gross revenues not to exceed $15 million for the preceding three years. A ‘‘very small business’’ is defined as an entity that, together with its affiliates and persons or entities that hold interests in such an entity and its affiliates, has average annual gross revenues not to exceed $3 million for the preceding three years. The Commission cannot estimate, however, the number of licenses that will be won by entities qualifying as small or very small businesses under its rules in future auctions of 218–219 MHz spectrum. 65. 24 GHz—Incumbent Licensees. This analysis may affect incumbent licensees who were relocated to the 24 GHz band from the 18 GHz band, and applicants who wish to provide services in the 24 GHz band. The applicable SBA small business size standard is that of ‘‘Cellular and Other Wireless Telecommunications’’ companies. This category provides that such a company is small if it employs no more than 1,500 persons. According to Census Bureau data for 1997, there were 977 firms in this category, total, that operated for the entire year. Of this total, 965 firms had employment of 999 or fewer employees, and an additional 12 firms had employment of 1,000 employees or more. Thus, under this size standard, the great majority of firms can be considered small. These broader census data notwithstanding, the Commission believes that there are only two licensees in the 24 GHz band that were relocated from the 18 GHz band, Teligent and TRW, Inc. It is the Commisson’s understanding that Teligent and its related companies have less than 1,500 employees, though this may change in the future. TRW is not a small entity. Thus, only one incumbent licensee in the 24 GHz band is a small business entity. 66. 24 GHz—Future Licensees. With respect to new applicants in the 24 GHz E:\FR\FM\08JNR3.SGM 08JNR3 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations pwalker on PROD1PC71 with RULES3 band, the small business size standard for ‘‘small business’’ is an entity that, together with controlling interests and affiliates, has average annual gross revenues for the three preceding years not in excess of $15 million. ‘‘Very small business’’ in the 24 GHz band is an entity that, together with controlling interests and affiliates, has average gross revenues not exceeding $3 million for the preceding three years. The SBA has approved these small business size standards. These size standards will apply to the future auction, if held. 2. Cable and OVS Operators 67. Cable and Other Program Distribution. This category includes cable systems operators, closed circuit television services, direct broadcast satellite services, multipoint distribution systems, satellite master antenna systems, and subscription television services. The SBA has developed small business size standard for this census category, which includes all such companies generating $12.5 million or less in revenue annually. According to Census Bureau data for 2002, there were a total of 1,191 firms in this category that operated for the entire year. Of this total, 1,087 firms had annual receipts of under $10 million, and 43 firms had receipts of $10 million or more but less than $25 million. Consequently, the Commission estimates that the majority of providers in this service category are small businesses that may be affected by the rules and policies adopted herein. 68. Cable System Operators. The Commission has developed its own small business size standards for cable system operators, for purposes of rate regulation. Under the Commission’s rules, a ‘‘small cable company’’ is one serving fewer than 400,000 subscribers nationwide. In addition, a ‘‘small system’’ is a system serving 15,000 or fewer subscribers. 69. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended, also contains a size standard for small cable system operators, which is ‘‘a cable operator that, directly or through an affiliate, serves in the aggregate fewer than 1 percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000.’’ The Commission has determined that there are approximately 67,700,000 subscribers in the United States. Therefore, an operator serving fewer than 677,000 subscribers shall be deemed a small operator, if its annual revenues, when combined with the total annual revenues of all its affiliates, do VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 not exceed $250 million in the aggregate. Based on available data, the Commission estimates that the number of cable operators serving 677,000 subscribers or fewer, totals 1,450. The Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million, and therefore is unable, at this time, to estimate more accurately the number of cable system operators that would qualify as small cable operators under the size standard contained in the Communications Act of 1934. 70. Open Video Services. Open Video Service (OVS) systems provide subscription services. The SBA has created a small business size standard for Cable and Other Program Distribution. This standard provides that a small entity is one with $12.5 million or less in annual receipts. The Commission has certified approximately 25 OVS operators to serve 75 areas, and some of these are currently providing service. Affiliates of Residential Communications Network, Inc. (RCN) received approval to operate OVS systems in New York City, Boston, Washington, DC, and other areas. RCN has sufficient revenues to assure that they do not qualify as a small business entity. Little financial information is available for the other entities that are authorized to provide OVS and are not yet operational. Given that some entities authorized to provide OVS service have not yet begun to generate revenues, the Commission concludes that up to 24 OVS operators (those remaining) might qualify as small businesses that may be affected by the rules and policies adopted herein. 3. Internet Service Providers 71. Internet Service Providers. The SBA has developed a small business size standard for Internet Service Providers (ISPs). ISPs ‘‘provide clients access to the Internet and generally provide related services such as Web hosting, Web page designing, and hardware or software consulting related to Internet connectivity.’’ Under the SBA size standard, such a business is small if it has average annual receipts of $21 million or less. According to Census Bureau data for 2002, there were 2,529 firms in this category that operated for the entire year. Of these, 2,437 firms had annual receipts of under $10 million, and 47 firms had receipts of $10 million or more but less then $25 million. Consequently, the Commission estimates that the majority of these firms are small entities that may be affected by its action. PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 31957 4. Other Internet-Related Entities 72. Web Search Portals. The Commission’s action pertains to interconnected VoIP services, which could be provided by entities that provide other services such as e-mail, online gaming, Web browsing, video conferencing, instant messaging, and other, similar IP-enabled services. The Commission has not adopted a size standard for entities that create or provide these types of services or applications. However, the census bureau has identified firms that ‘‘operate Web sites that use a search engine to generate and maintain extensive databases of Internet addresses and content in an easily searchable format. Web search portals often provide additional Internet services, such as e-mail, connections to other Web sites, auctions, news, and other limited content, and serve as a home base for Internet users.’’ The SBA has developed a small business size standard for this category; that size standard is $6 million or less in average annual receipts. According to Census Bureau data for 1997, there were 195 firms in this category that operated for the entire year. Of these, 172 had annual receipts of under $5 million, and an additional nine firms had receipts of between $5 million and $9,999,999. Consequently, the Commission estimates that the majority of these firms are small entities that may be affected by its action. 73. Data Processing, Hosting, and Related Services. Entities in this category ‘‘primarily * * * provid[e] infrastructure for hosting or data processing services.’’ The SBA has developed a small business size standard for this category; that size standard is $21 million or less in average annual receipts. According to Census Bureau data for 1997, there were 3,700 firms in this category that operated for the entire year. Of these, 3,477 had annual receipts of under $10 million, and an additional 108 firms had receipts of between $10 million and $24,999,999. Consequently, the Commission estimates that the majority of these firms are small entities that may be affected by its action. 74. All Other Information Services. ‘‘This industry comprises establishments primarily engaged in providing other information services (except new syndicates and libraries and archives).’’ The Commission’s action pertains to interconnected VoIP services, which could be provided by entities that provide other services such as email, online gaming, web browsing, video conferencing, instant messaging, E:\FR\FM\08JNR3.SGM 08JNR3 pwalker on PROD1PC71 with RULES3 31958 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations and other, similar IP-enabled services. The SBA has developed a small business size standard for this category; that size standard is $6 million or less in average annual receipts. According to Census Bureau data for 1997, there were 195 firms in this category that operated for the entire year. Of these, 172 had annual receipts of under $5 million, and an additional nine firms had receipts of between $5 million and $9,999,999. Consequently, the Commission estimates that the majority of these firms are small entities that may be affected by its action. 75. Internet Publishing and Broadcasting. ‘‘This industry comprises establishments engaged in publishing and/or broadcasting content on the Internet exclusively. These establishments do not provide traditional (non-Internet) versions of the content that they publish or broadcast.’’ The SBA has developed a small business size standard for this new (2002) census category; that size standard is 500 or fewer employees. To assess the prevalence of small entities in this category, the Commission will use 1997 Census Bureau data for a relevant, now-superseded census category, ‘‘All Other Information Services.’’ The SBA small business size standard for that prior category was $6 million or less in average annual receipts. According to Census Bureau data for 1997, there were 195 firms in the prior category that operated for the entire year. Of these, 172 had annual receipts of under $5 million, and an additional nine firms had receipts of between $5 million and $9,999,999. Consequently, the Commission estimates that the majority of the firms in this current category are small entities that may be affected by its action. 76. Software Publishers. These companies may design, develop or publish software and may provide other support services to software purchasers, such as providing documentation or assisting in installation. The companies may also design software to meet the needs of specific users. The SBA has developed a small business size standard of $21 million or less in average annual receipts for all of the following pertinent categories: Software Publishers, Custom Computer Programming Services, and Other Computer Related Services. For Software Publishers, Census Bureau data for 1997 indicate that there were 8,188 firms in the category that operated for the entire year. Of these, 7,633 had annual receipts under $10 million, and an additional 289 firms had receipts of between $10 million and $24, 999,999. For providers of Custom Computer VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 Programming Services, the Census Bureau data indicate that there were 19,334 firms that operated for the entire year. Of these, 18,786 had annual receipts of under $10 million, and an additional 352 firms had receipts of between $10 million and $24,999,999. For providers of Other Computer Related Services, the Census Bureau data indicate that there were 5,524 firms that operated for the entire year. Of these, 5,484 had annual receipts of under $10 million, and an additional 28 firms had receipts of between $10 million and $24,999,999. Consequently, the Commission estimates that the majority of the firms in each of these three categories are small entities that may be affected by its action. 5. Equipment Manufacturers 77. The equipment manufacturers described in this section are merely indirectly affected by the Commission’s current action, and therefore are not formally a part of this RFA analysis. The Commission has included them, however, to broaden the record in this proceeding and to alert them to its decisions. 78. Wireless Communications Equipment Manufacturers. The SBA has established a small business size standard for Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing. Examples of products in this category include ‘‘transmitting and receiving antennas, cable television equipment, GPS equipment, pagers, cellular phones, mobile communications equipment, and radio and television studio and broadcasting equipment’’ and may include other devices that transmit and receive IPenabled services, such as personal digital assistants (PDAs). Under the SBA size standard, firms are considered small if they have 750 or fewer employees. According to Census Bureau data for 1997, there were 1,215 establishments in this category that operated for the entire year. Of those, there were 1,150 that had employment of under 500, and an additional 37 that had employment of 500 to 999. The percentage of wireless equipment manufacturers in this category was approximately 61.35%, so the Commission estimates that the number of wireless equipment manufacturers with employment of under 500 was actually closer to 706, with an additional 23 establishments having employment of between 500 and 999. Consequently, the Commission estimates that the majority of wireless communications equipment PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 manufacturers are small entities that may be affected by its action. 79. Telephone Apparatus Manufacturing. This category ‘‘comprises establishments primarily engaged primarily in manufacturing wire telephone and data communications equipment.’’ Examples of pertinent products are ‘‘central office switching equipment, cordless telephones (except cellular), PBX equipment, telephones, telephone answering machines, and data communications equipment, such as bridges, routers, and gateways.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 598 establishments in this category that operated for the entire year. Of these, 574 had employment of under 1,000, and an additional 17 establishments had employment of 1,000 to 2,499. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action. 80. Electronic Computer Manufacturing. This category ‘‘comprises establishments primarily engaged in manufacturing and/or assembling electronic computers, such as mainframes, personal computers, workstations, laptops, and computer servers.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 563 establishments in this category that operated for the entire year. Of these, 544 had employment of under 1,000, and an additional 11 establishments had employment of 1,000 to 2,499. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action. 81. Computer Terminal Manufacturing. ‘‘Computer terminals are input/output devices that connect with a central computer for processing.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 142 establishments in this category that operated for the entire year, and all of the establishments had employment of under 1,000. Consequently, the Commission estimates that the majority or all of these establishments are small entities that may be affected by it action. 82. Other Computer Peripheral Equipment Manufacturing. Examples of E:\FR\FM\08JNR3.SGM 08JNR3 pwalker on PROD1PC71 with RULES3 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations peripheral equipment in this category include keyboards, mouse devices, monitors, and scanners. The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 1061 establishments in this category that operated for the entire year. Of these, 1,046 had employment of under 1,000, and an additional six establishments had employment of 1,000 to 2,499. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action. 83. Fiber Optic Cable Manufacturing. These establishments manufacture ‘‘insulated fiber-optic cable from purchased fiber-optic strand.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 38 establishments in this category that operated for the entire year. Of these, 37 had employment of under 1,000, and one establishment had employment of 1,000 to 2,499. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action. 84. Other Communication and Energy Wire Manufacturing. These establishments manufacture ‘‘insulated wire and cable of nonferrous metals from purchased wire.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 275 establishments in this category that operated for the entire year. Of these, 271 had employment of under 1,000, and four establishments had employment of 1,000 to 2,499. Consequently, the Commission estimates that the majority or all of these establishments are small entities that may be affected by its action. 85. Audio and Video Equipment Manufacturing. These establishments manufacture ‘‘electronic audio and video equipment for home entertainment, motor vehicle, public address and musical instrument amplifications.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 750 or fewer employees. According to Census Bureau data for 1997, there were 554 establishments in this category that operated for the entire year. Of these, VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 542 had employment of under 500, and nine establishments had employment of 500 to 999. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action. 86. Electron Tube Manufacturing. These establishments are ‘‘primarily engaged in manufacturing electron tubes and parts (except glass blanks).’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 750 or fewer employees. According to Census Bureau data for 1997, there were 158 establishments in this category that operated for the entire year. Of these, 148 had employment of under 500, and three establishments had employment of 500 to 999. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action. 87. Bare Printed Circuit Board Manufacturing. These establishments are ‘‘primarily engaged in manufacturing bare (i.e., rigid or flexible) printed circuit boards without mounted electronic components.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 1,389 establishments in this category that operated for the entire year. Of these, 1,369 had employment of under 500, and 16 establishments had employment of 500 to 999. Consequently, the Commission estimates that the majority of these establishments are small entities that may be affected by its action. 88. Semiconductor and Related Device Manufacturing. These establishments manufacture ‘‘computer storage devices that allow the storage and retrieval of data from a phase change, magnetic, optical, or magnetic/ optical media.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 1,082 establishments in this category that operated for the entire year. Of these, 987 had employment of under 500, and 52 establishments had employment of 500 to 999. 89. Electronic Capacitor Manufacturing. These establishments manufacture ‘‘electronic fixed and variable capacitors and condensers.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 31959 500 or fewer employees. According to Census Bureau data for 1997, there were 128 establishments in this category that operated for the entire year. Of these, 121 had employment of under 500, and four establishments had employment of 500 to 999. 90. Electronic Resistor Manufacturing. These establishments manufacture ‘‘electronic resistors, such as fixed and variable resistors, resistor networks, thermistors, and varistors.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 118 establishments in this category that operated for the entire year. Of these, 113 had employment of under 500, and 5 establishments had employment of 500 to 999. 91. Electronic Coil, Transformer, and Other Inductor Manufacturing. These establishments manufacture ‘‘electronic inductors, such as coils and transformers.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 448 establishments in this category that operated for the entire year. Of these, 446 had employment of under 500, and two establishments had employment of 500 to 999. 92. Electronic Connector Manufacturing. These establishments manufacture ‘‘electronic connectors, such as coaxial, cylindrical, rack and panel, pin and sleeve, printed circuit and fiber optic.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 347 establishments in this category that operated for the entire year. Of these, 332 had employment of under 500, and 12 establishments had employment of 500 to 999. 93. Printed Circuit Assembly (Electronic Assembly) Manufacturing. These are establishments ‘‘primarily engaged in loading components onto printed circuit boards or who manufacture and ship loaded printed circuit boards.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 714 establishments in this category that operated for the entire year. Of these, 673 had employment of under 500, and 24 establishments had employment of 500 to 999. E:\FR\FM\08JNR3.SGM 08JNR3 31960 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations pwalker on PROD1PC71 with RULES3 94. Other Electronic Component Manufacturing. These are establishments ‘‘primarily engaged in loading components onto printed circuit boards or who manufacture and ship loaded printed circuit boards.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 500 or fewer employees. According to Census Bureau data for 1997, there were 1,835 establishments in this category that operated for the entire year. Of these, 1,814 had employment of under 500, and 18 establishments had employment of 500 to 999. 95. Computer Storage Device Manufacturing. These establishments manufacture ‘‘computer storage devices that allow the storage and retrieval of data from a phase change, magnetic, optical, or magnetic/optical media.’’ The SBA has developed a small business size standard for this category of manufacturing; that size standard is 1,000 or fewer employees. According to Census Bureau data for 1997, there were 209 establishments in this category that operated for the entire year. Of these, 197 had employment of under 500, and eight establishments had employment of 500 to 999. D. Description of Projected Reporting, Recordkeeping and Other Compliance Requirements 96. The Commission is requiring telecommunications carriers and providers of interconnected VoIP service to collect certain information and take other actions to comply with its rules regarding the use of CPNI. For example, carriers must have an officer, as an agent of the carrier, sign and file with the Commission a compliance certificate on an annual basis stating that the officer has personal knowledge that the carrier has established procedures that are adequate to ensure compliance with the CPNI rules. The carrier must also provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the CPNI rules. Further, the carrier must include an explanation of any actions taken against data brokers and a summary of all consumer complaints received in the past year concerning the unauthorized release of CPNI. Additionally, carriers must obtain opt-in approval before sharing CPNI with their joint venture partners or independent contractors for the purposes of marketing communications-related services to customers. Also, carriers are required to maintain a record of any discovered breaches, notifications to the United States Secret Service (USSS) and VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 the Federal Bureau of Investigation (FBI) regarding those breaches, as well as the USSS and FBI response to those notifications for a period of at least two years. 97. The Commission also imposes other requirements on telecommunications carriers and providers of interconnected VoIP service. Specifically, the Order prohibits carriers from releasing call detail information over the phone during customer-initiated telephone calls except by those methods provided for in the Order. The Order also requires that a carrier not permit customers to gain access to an online account without first properly authenticating the customer and, for subsequent access, without a customer password or response to a back-up authentication method for lost or forgotten passwords, neither of which may be based on a carrier prompt for readily available biographical information, or account information. For the rules pertaining to online carrier authentication, the Commission provides carriers that satisfy the definition of a ‘‘small entity’’ or a ‘‘small business concern’’ under the RFA or SBA an additional six months to implement these rules. 98. The Order also requires that carriers notify customers through a carrier-originated voicemail or text message to the telephone number of record, or by mail or email to the address of record whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. Further, the Order requires that carriers notify the USSS and the FBI no later than seven days after a reasonable determination of a CPNI breach. E. Steps Taken to Minimize Significant Economic Impact on Small Entities, and Significant Alternatives Considered 99. The RFA requires an agency to describe any significant alternatives that it has considered in reaching its proposed approach, which may include (among others) the following four alternatives: (1) The establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance or reporting requirements under the rule for small entities; (3) the use of performance, rather than design, standards; and (4) an exemption from coverage of the rule, or any part thereof, for small entities. 100. The notices invited comment on a number of issues related to small PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 entities. For example, the Commission sought comment on the effect the various proposals described in the EPIC CPNI Notice will have on small entities, and on what effect alternative rules would have on those entities. Additionally, the Commission invited comment on ways in which the Commission can achieve its goal of protecting consumers while at the same time imposing minimal burdens on small telecommunications service providers. With respect to any of the Commission consumer protection regulations already in place, the Commission sought comment on whether it has adopted any provisions for small entities that the Commission should similarly consider in this proceeding? The Commission also invited comment on whether the problems identified by EPIC were better or worse at smaller carriers. The Commission invited comment on whether small carriers should be exempt from password-related security procedures to protect CPNI. The Commission invited comment on the benefits and burdens of recording audit trails for the disclosure of CPNI on small carriers. The Commission invited comment on whether requiring a small carrier to encrypt its stored data would be unduly burdensome. The Commission solicited comment on the cost to a small carrier of notifying a customer upon release of CPNI. The Commission sought comment on whether the Commission should amend its rules to require carriers to file annual certifications concerning CPNI and whether this requirement should extend to only telecommunications carriers that are not small telephone companies as defined by the Small Business Administration, and whether small carriers should be subject to different CPNI-related obligations. 101. The Commission has considered each of the alternatives described above, and in this Order, imposes minimal regulation on small entities to the extent consistent with its goal of ensuring that carriers and providers of interconnected VoIP service protect against the unauthorized release of CPNI. Specifically, the Commission extended the implementation date for the rules pertaining to online authentication by six months so that small businesses will have additional time to come into compliance with the Order’s rules. 102. As stated above, the Commission must assess the interests of small businesses in light of the overriding public interest of protecting against the unlawful release of CPNI. The Order discusses that CPNI is made up of very personal data. Therefore, the E:\FR\FM\08JNR3.SGM 08JNR3 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations pwalker on PROD1PC71 with RULES3 Commission concluded that it was important for all telecommunications carriers and providers of interconnected VoIP service, including small businesses, to comply with the rules the Commission adopts in this Order six months after the Order’s effective date or on receipt of OMB approval, as required by the Paperwork Reduction Act, whichever is later. For example, the Commission concluded that carriers and providers of interconnected VoIP service must stop releasing call detail information based on customer-initiated telephone calls except by those methods provided for in the Order. Additionally, the Commission concluded that it was important for all telecommunications carriers and providers of interconnected VoIP service to report breaches of CPNI data to law enforcement. The Commission therefore rejected solutions that would exempt small businesses. The record indicated that exempting small carriers from these regulations would compromise the Commission’s goal of protecting all Americans from the unauthorized release of CPNI. 103. Report to Congress: The Commission will send a copy of the Order, including this FRFA, in a report to be sent to Congress and the Government Accountability Office pursuant to the Congressional Review Act. In addition, the Commission will send a copy of the Order, including this FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the Order and FRFA (or summaries thereof) will also be published in the Federal Register. Ordering Clauses 104. Accordingly, It is ordered that pursuant to sections 1, 4(i), 4(j), 222, and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C. 151, 154(i)–(j), 222, 303(r), this Report and Order and Further Notice of Proposed Rulemaking in CC Docket No. 96–115 and WC Docket No. 04–36 is adopted, and that Part 64 of the Commission’s rules, 47 CFR Part 64, is amended as set forth in Appendix B. The Order shall become effective upon publication in the Federal Register subject to OMB approval for new information collection requirements or six months after the Order’s effective date, whichever is later. 105. It Is Further Ordered that the Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, shall send a copy of this Report and Order and Further Notice of Proposed Rulemaking, including the Final Regulatory Flexibility Analysis and the Initial Regulatory Flexibility Analysis, to the VerDate Aug<31>2005 20:09 Jun 07, 2007 Jkt 211001 Chief Counsel for Advocacy of the Small Business Administration. List of Subjects in 47 CFR Part 64 Customer proprietary network information, Reporting and recordkeeping requirements, Telecommunications. Federal Communications Commission. Marlene H. Dortch, Secretary. Final Rules For the reasons discussed in the preamble, the FCC amends 47 CFR part 64 as follows: I PART 64—MISCELLANEOUS RULES RELATING TO COMMON CARRIERS 1. The authority citation for part 64 continues to read as follows: I Authority: 47 U.S.C. 154, 254(k); secs. 403(b)(2)(B),(c), Pub. L. 104–104, 110 Stat. 56. Interpret or apply 47 U.S.C. 201, 218, 222, 225, 226, 228, and 254(k) unless otherwise noted. I 2. Revise § 64.2003 to read as follows: § 64.2003 Definitions. (a) Account information. ‘‘Account information’’ is information that is specifically connected to the customer’s service relationship with the carrier, including such things as an account number or any component thereof, the telephone number associated with the account, or the bill’s amount. (b) Address of record. An ‘‘address of record,’’ whether postal or electronic, is an address that the carrier has associated with the customer’s account for at least 30 days. (c) Affiliate. The term ‘‘affiliate’’ has the same meaning given such term in section 3(1) of the Communications Act of 1934, as amended, 47 U.S.C. 153(1). (d) Call detail information. Any information that pertains to the transmission of specific telephone calls, including, for outbound calls, the number called, and the time, location, or duration of any call and, for inbound calls, the number from which the call was placed, and the time, location, or duration of any call. (e) Communications-related services. The term ‘‘communications-related services’’ means telecommunications services, information services typically provided by telecommunications carriers, and services related to the provision or maintenance of customer premises equipment. (f) Customer. A customer of a telecommunications carrier is a person or entity to which the telecommunications carrier is currently providing service. PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 31961 (g) Customer proprietary network information (CPNI). The term ‘‘customer proprietary network information (CPNI)’’ has the same meaning given to such term in section 222(h)(1) of the Communications Act of 1934, as amended, 47 U.S.C. 222(h)(1). (h) Customer premises equipment (CPE). The term ‘‘customer premises equipment (CPE)’’ has the same meaning given to such term in section 3(14) of the Communications Act of 1934, as amended, 47 U.S.C. 153(14). (i) Information services typically provided by telecommunications carriers. The phrase ‘‘information services typically provided by telecommunications carriers’’ means only those information services (as defined in section 3(20) of the Communication Act of 1934, as amended, 47 U.S.C. 153(20)) that are typically provided by telecommunications carriers, such as Internet access or voice mail services. Such phrase ‘‘information services typically provided by telecommunications carriers,’’ as used in this subpart, shall not include retail consumer services provided using Internet Web sites (such as travel reservation services or mortgage lending services), whether or not such services may otherwise be considered to be information services. (j) Local exchange carrier (LEC). The term ‘‘local exchange carrier (LEC)’’ has the same meaning given to such term in section 3(26) of the Communications Act of 1934, as amended, 47 U.S.C. 153(26). (k) Opt-in approval. The term ‘‘opt-in approval’’ refers to a method for obtaining customer consent to use, disclose, or permit access to the customer’s CPNI. This approval method requires that the carrier obtain from the customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the carrier’s request consistent with the requirements set forth in this subpart. (l) Opt-out approval. The term ‘‘optout approval’’ refers to a method for obtaining customer consent to use, disclose, or permit access to the customer’s CPNI. Under this approval method, a customer is deemed to have consented to the use, disclosure, or access to the customer’s CPNI if the customer has failed to object thereto within the waiting period described in § 64.2008(d)(1) after the customer is provided appropriate notification of the carrier’s request for consent consistent with the rules in this subpart. (m) Readily available biographical information. ‘‘Readily available E:\FR\FM\08JNR3.SGM 08JNR3 31962 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations biographical information’’ is information drawn from the customer’s life history and includes such things as the customer’s social security number, or the last four digits of that number; mother’s maiden name; home address; or date of birth. (n) Subscriber list information (SLI). The term ‘‘subscriber list information (SLI)’’ has the same meaning given to such term in section 222(h)(3) of the Communications Act of 1934, as amended, 47 U.S.C. 222(h)(3). (o) Telecommunications carrier or carrier. The terms ‘‘telecommunications carrier’’ or ‘‘carrier’’ shall have the same meaning as set forth in section 3(44) of the Communications Act of 1934, as amended, 47 U.S.C. 153(44). For the purposes of this subpart, the term ‘‘telecommunications carrier’’ or ‘‘carrier’’ shall include an entity that provides interconnected VoIP service, as that term is defined in section 9.3 of these rules. (p) Telecommunications service. The term ‘‘telecommunications service’’ has the same meaning given to such term in section 3(46) of the Communications Act of 1934, as amended, 47 U.S.C. 153(46). (q) Telephone number of record. The telephone number associated with the underlying service, not the telephone number supplied as a customer’s ‘‘contact information.’’ (r) Valid photo ID. A ‘‘valid photo ID’’ is a government-issued means of personal identification with a photograph such as a driver’s license, passport, or comparable ID that is not expired. I 3. Section 64.2005 is amended by revising paragraph (c)(3) to read as follows: § 64.2005 Use of customer proprietary network information without customer approval. pwalker on PROD1PC71 with RULES3 * * * * * (c) * * * (3) LECs, CMRS providers, and entities that provide interconnected VoIP service as that term is defined in § 9.3 of this chapter, may use CPNI, without customer approval, to market services formerly known as adjunct-tobasic services, such as, but not limited to, speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain centrex features. * * * * * I 4. Section 64.2007 is amended by revising paragraph (b) to read as follows: VerDate Aug<31>2005 19:54 Jun 07, 2007 Jkt 211001 § 64.2007 Approval required for use of customer proprietary network information. § 64.2010 Safeguards on the disclosure of customer proprietary network information. * (a) Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customerinitiated telephone contact, online account access, or an in-store visit. (b) Telephone access to CPNI. Telecommunications carriers may only disclose call detail information over the telephone, based on customer-initiated telephone contact, if the customer first provides the carrier with a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information. If the customer does not provide a password, the telecommunications carrier may only disclose call detail information by sending it to the customer’s address of record, or by calling the customer at the telephone number of record. If the customer is able to provide call detail information to the telecommunications carrier during a customer-initiated call without the telecommunications carrier’s assistance, then the telecommunications carrier is permitted to discuss the call detail information provided by the customer. (c) Online access to CPNI. A telecommunications carrier must authenticate a customer without the use of readily available biographical information, or account information, prior to allowing the customer online access to CPNI related to a telecommunications service account. Once authenticated, the customer may only obtain online access to CPNI related to a telecommunications service account through a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information. (d) In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier’s retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer’s account information. (e) Establishment of a Password and Back-up Authentication Methods for Lost or Forgotten Passwords. To establish a password, a telecommunications carrier must authenticate the customer without the use of readily available biographical information, or account information. * * * * (b) Use of Opt-Out and Opt-In Approval Processes. A telecommunications carrier may, subject to opt-out approval or opt-in approval, use its customer’s individually identifiable CPNI for the purpose of marketing communications-related services to that customer. A telecommunications carrier may, subject to opt-out approval or opt-in approval, disclose its customer’s individually identifiable CPNI, for the purpose of marketing communications-related services to that customer, to its agents and its affiliates that provide communications-related services. A telecommunications carrier may also permit such persons or entities to obtain access to such CPNI for such purposes. Except for use and disclosure of CPNI that is permitted without customer approval under section § 64.2005, or that is described in this paragraph, or as otherwise provided in section 222 of the Communications Act of 1934, as amended, a telecommunications carrier may only use, disclose, or permit access to its customer’s individually identifiable CPNI subject to opt-in approval. 5. Section 64.2009 is amended by revising paragraph (e) to read as follows: I § 64.2009 Safeguards required for use of customer proprietary network information. * * * * * (e) A telecommunications carrier must have an officer, as an agent of the carrier, sign and file with the Commission a compliance certificate on an annual basis. The officer must state in the certification that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart. In addition, the carrier must include an explanation of any actions taken against data brokers and a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI. This filing must be made annually with the Enforcement Bureau on or before March 1 in EB Docket No. 06–36, for data pertaining to the previous calendar year. * * * * * 6. Section 64.2010 is added to subpart U to read as follows: I PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 E:\FR\FM\08JNR3.SGM 08JNR3 Federal Register / Vol. 72, No. 110 / Friday, June 8, 2007 / Rules and Regulations Telecommunications carriers may create a back-up customer authentication method in the event of a lost or forgotten password, but such back-up customer authentication method may not prompt the customer for readily available biographical information, or account information. If a customer cannot provide the correct password or the correct response for the back-up customer authentication method, the customer must establish a new password as described in this paragraph. (f) Notification of account changes. Telecommunications carriers must notify customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. This notification is not required when the customer initiates service, including the selection of a password at service initiation. This notification may be through a carrieroriginated voicemail or text message to the telephone number of record, or by mail to the address of record, and must not reveal the changed information or be sent to the new account information. (g) Business customer exemption. Telecommunications carriers may bind themselves contractually to authentication regimes other than those described in this section for services they provide to their business customers that have both a dedicated account representative and a contract that specifically addresses the carriers’ protection of CPNI. I 7. Section 64.2011 is added to subpart U to read as follows: § 64.2011 Notification of customer proprietary network information security breaches. pwalker on PROD1PC71 with RULES3 (a) A telecommunications carrier shall notify law enforcement of a breach of its customers’ CPNI as provided in this section. The carrier shall not notify its customers or disclose the breach VerDate Aug<31>2005 19:21 Jun 07, 2007 Jkt 211001 publicly, whether voluntarily or under state or local law or these rules, until it has completed the process of notifying law enforcement pursuant to paragraph (b) of this section. (b) As soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach, the telecommunications carrier shall electronically notify the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) through a central reporting facility. The Commission will maintain a link to the reporting facility at https://www.fcc.gov/ eb/cpni. (1) Notwithstanding any state law to the contrary, the carrier shall not notify customers or disclose the breach to the public until 7 full business days have passed after notification to the USSS and the FBI except as provided in paragraphs (b)(2) and (b)(3) of this section. (2) If the carrier believes that there is an extraordinarily urgent need to notify any class of affected customers sooner than otherwise allowed under paragraph (b)(1) of this section, in order to avoid immediate and irreparable harm, it shall so indicate in its notification and may proceed to immediately notify its affected customers only after consultation with the relevant investigating agency. The carrier shall cooperate with the relevant investigating agency’s request to minimize any adverse effects of such customer notification. (3) If the relevant investigating agency determines that public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security, such agency may direct the carrier not to so disclose or notify for an initial period of up to 30 days. Such period may be extended by the agency as reasonably necessary in the judgment of the agency. If such direction is given, the agency shall notify the carrier when PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 31963 it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security. The agency shall provide in writing its initial direction to the carrier, any subsequent extension, and any notification that notice will no longer impede or compromise a criminal investigation or national security and such writings shall be contemporaneously logged on the same reporting facility that contains records of notifications filed by carriers. (c) Customer notification. After a telecommunications carrier has completed the process of notifying law enforcement pursuant to paragraph (b) of this section, it shall notify its customers of a breach of those customers’ CPNI. (d) Recordkeeping. All carriers shall maintain a record, electronically or in some other manner, of any breaches discovered, notifications made to the USSS and the FBI pursuant to paragraph (b) of this section, and notifications made to customers. The record must include, if available, dates of discovery and notification, a detailed description of the CPNI that was the subject of the breach, and the circumstances of the breach. Carriers shall retain the record for a minimum of 2 years. (e) Definitions. As used in this section, a ‘‘breach’’ has occurred when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI. (f) This section does not supersede any statute, regulation, order, or interpretation in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this section, and then only to the extent of the inconsistency. [FR Doc. E7–10732 Filed 6–7–07; 8:45 am] BILLING CODE 6712–01–P E:\FR\FM\08JNR3.SGM 08JNR3

Agencies

[Federal Register Volume 72, Number 110 (Friday, June 8, 2007)]
[Rules and Regulations]
[Pages 31948-31963]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-10732]


-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 64

[CC Docket No. 96-115, WC Docket No. 04-36; FCC 07-22]


Customer Proprietary Network Information

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Commission adopted rules to implement section 222 of the 
Communications Act of 1934, as amended, which governs carriers' use and 
disclosure of customer proprietary network information. In this 
document, the Commission responds to the practice of ``pretexting'' by 
strengthening its rules to protect the privacy of customer proprietary 
network information (CPNI) that is collected and held by providers of 
communications services.

DATES: Revised paragraph (o) of Sec.  64.2003, new paragraphs (a), (b), 
(d), (m), (q), and (r) of Sec.  64.2003, revised paragraph (c)(3) of 
Sec.  64.2005, revised paragraph (b) of Sec.  64.2007, revised 
paragraph (e) of 64.2009, and new Sec. Sec.  64.2010 and 64.2011 
contain information collection requirements that have not been approved 
by the Office of Management and Budget (OMB). The Commission will 
publish a document in the Federal Register announcing the effective 
date. Written comment by the public on the modified information 
collection requirements are due August 7, 2007. Paragraphs (c), (e) 
through (l), (n), and (p) of Sec.  64.2003 do not contain information 
collection requirements that have not been approved by OMB and 
therefore are effective on June 8, 2007.

FOR FURTHER INFORMATION CONTACT: Adam Kirschenbaum, (202) 418-7280, 
Wireline Competition Bureau.
    For additional information concerning the Paperwork Reduction Act 
information collection requirements contained in this document, contact 
Judith B. Herman at (202) 418-0214, or via e-mail at Judith-
B.Herman@fcc.gov.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Report 
and Order (Order) in CC Docket No. 96-115 and WC Docket No. 04-36, FCC 
07-22, adopted March 13, 2007, and released April 2, 2007. The complete 
text of this document is available for inspection and copying during 
normal business hours in the FCC Reference Information Center, Portals 
II, 445 12th Street, SW., Room CY-A257, Washington, DC 20554. This 
document may also be purchased from the Commission's duplicating 
contractor, Best Copy and Printing, Inc., 445 12th Street, SW., Room 
CY-B402, Washington, DC 20554, telephone (800) 378-3160 or (202) 863-
2893, facsimile (202) 863-2898, or via e-mail at https://
www.bcpiweb.com. It is also available on the Commission's Web site at 
https://www.fcc.gov.
    In addition to filing comments with the Office of the Secretary, a 
copy of any comments on the Paperwork Reduction Act information 
collection requirements contained herein should be submitted to Judith 
B. Herman, Federal Communications Commission, Room 1-C804, 445 12th 
Street, SW., Washington, DC 20554, or via the Internet to Judith-
B.Herman@fcc.gov.

Synopsis of the Report and Order

    1. On August 30, 2005, the Electronic Privacy Information Center 
(EPIC) filed a petition with the Commission asking the Commission to 
investigate telecommunications carriers' current security practices and 
to initiate a rulemaking proceeding to consider establishing more 
stringent security standards for telecommunications carriers to govern 
the disclosure of CPNI. In particular, EPIC proposed that the 
Commission consider requiring the use of consumer-set passwords, 
creating audit trails, employing encryption, limiting data retention, 
and improving notice procedures. On February 14, 2006, the Commission 
released the EPIC CPNI Notice, 71 FR 13317 (March 15, 2006), in which 
it sought comment on (a) the nature and scope of the problem identified 
by EPIC, including pretexting, and (b) what additional steps, if any, 
the Commission should take to protect further the privacy of CPNI. 
Specifically, the Commission sought comment on the five EPIC proposals 
listed above. In addition, the Commission tentatively concluded that it 
should amend its rules to require carriers annually to file their 
section 64.2009(e) certifications with the Commission. It also sought 
comment on whether it should require carriers to obtain a customer's 
opt-in consent before the carrier shares CPNI with its joint venture 
partners and independent contractors; whether to impose rules relating 
to how carriers verify customers' identities; whether to adopt a set of 
security requirements that could

[[Page 31949]]

be used as the basis for liability if a carrier failed to implement 
such requirements, or adopt a set of security requirements that a 
carrier could implement to exempt itself from liability; whether VoIP 
service providers or other IP-enabled service providers should be 
covered by any new rules the Commission adopts in the present 
rulemaking; and other specific proposals that might increase the 
protection of CPNI.
    2. In this Order, the Commission responds to the practice of 
``pretexting'' by strengthening its rules to protect the privacy of 
customer proprietary network information (CPNI) that is collected and 
held by providers of communications services (hereinafter, 
communications carriers or carriers). Section 222 of the Communications 
Act requires telecommunications carriers to take specific steps to 
ensure that CPNI is adequately protected from unauthorized disclosure. 
In the Order, the Commission strengthens its privacy rules by adopting 
additional safeguards to protect customers' CPNI against unauthorized 
access and disclosure.
    3. The Order is directly responsive to the actions of data brokers, 
or pretexters, to obtain unauthorized access to CPNI. As EPIC pointed 
out in its petition that led to this rulemaking proceeding, numerous 
Web sites advertise the sale of personal telephone records for a price. 
These data brokers have been able to obtain private and personal 
information, including what calls were made to and/or from a particular 
telephone number and the duration of such calls. In many cases, the 
data brokers claim to be able to provide this information within fairly 
quick time frames, ranging from a few hours to a few days. The 
additional privacy safeguards the Commission adopts in the Order will 
sharply limit pretexters' ability to obtain unauthorized access to this 
type of personal customer information from carriers the Commission 
regulates.
    4. The Commission finds that the release of call detail over the 
telephone presents an immediate risk to privacy and therefore it 
prohibits carriers from releasing call detail information based on 
customer-initiated telephone contact except under three circumstances. 
First, a carrier can release call detail information if the customer 
provides the carrier with a pre-established password. Second, a carrier 
may, at the customer's request, send call detail information to the 
customer's address of record. Third, a carrier may call the telephone 
number of record and disclose call detail information. A carrier may 
disclose non-call detail CPNI to a customer after the carrier 
authenticates the customer.
    5. The Commission does not intend for the prohibition on the 
release of call detail over the telephone for customer-initiated 
telephone contact to hinder routine carrier-customer relations 
regarding service/billing disputes and questions. If a customer is able 
to provide to the carrier, during a customer-initiated telephone call, 
all of the call detail information necessary to address a customer 
service issue (i.e., the telephone number called, when it was called, 
and, if applicable, the amount charged for the call), then the carrier 
is permitted to proceed with its routine customer care procedures. The 
Commission believes that if a customer is able to provide this 
information to the carrier, without carrier assistance, then the 
carrier does not violate the Commission's rules if the carrier takes 
routine customer service actions related to such information. The 
Commission additionally clarifies that, under these circumstances, 
carriers may not disclose to the customer any call detail information 
about the customer account other than the call detail information that 
the customer provides without the customer first providing a password. 
The Commission's rule is intended to prevent pretexter phishing and 
other pretexter methods for gaining unauthorized access to customer 
account information.
    6. The Commission also requires carriers to password protect online 
access to CPNI. Although section 222 of the Act imposes a duty on 
carriers to protect the privacy of CPNI, data brokers and others have 
been able to access CPNI online without the account holder's knowledge 
or consent. The Commission agrees with EPIC that the apparent ease with 
which data brokers have been able to access CPNI online demonstrates 
the insufficiency of carriers' customer authentication procedures. In 
particular, the record evidence demonstrates that some carriers permit 
customers to establish online accounts by providing readily available 
biographical information. Thus, a data broker may obtain online account 
access easily without the customer's knowledge. Therefore, the 
Commission agrees with EPIC and others that use of such identifiers is 
an insufficient mechanism for preventing data brokers from obtaining 
unauthorized online access to CPNI.
    7. The Commission continues to allow carriers to provide customers 
with access to CPNI at a carrier's retail location if the customer 
presents a valid photo ID and the valid photo ID matches the name on 
the account. The Commission agrees with the Attorneys General and finds 
that this is a secure authentication practice because it enables the 
carrier to make a reasonable judgment about the customer's identity.
    8. The Commission requires carriers to notify customers immediately 
of certain account changes, including whenever a password, customer 
response to a carrier-designed back-up means of authentication, online 
account, or address of record is created or changed. The Commission 
agrees with the New Jersey Ratepayer Advocate that this notification is 
an important tool for customers to monitor their account's security. 
This notification may be through a carrier-originated voicemail or text 
message to the telephone number of record, or by mail to the address of 
record, as to reasonably ensure that the customer receives this 
notification. The Commission believes this measure is appropriate to 
protect customers from data brokers that might otherwise manage to 
circumvent the authentication protections the Commission adopts in this 
Order, and to take appropriate action in the event of pretexter 
activity. Further, the Commission finds that this notification 
requirement will also empower customers to provide carriers with timely 
information about pretexting activity, which the carriers may not be 
able to identify easily.
    9. The Commission does make an exception to the rules that it 
adopts for certain business customers. The Commission agrees with 
commenters who argue that privacy concerns of telecommunications 
consumers are greatest when using personal telecommunications services. 
Indeed, the fraudulent practices described by EPIC have mainly targeted 
individual consumers, and the record indicates that the proprietary 
information of wireline and wireless business account customers already 
is subject to stringent safeguards, which are privately negotiated by 
contract. Therefore, if the carrier's contract with a business customer 
is serviced by a dedicated account representative as the primary 
contact, and specifically addresses the carrier's protection of CPNI, 
the Commission does not extend its carrier authentication rules to 
cover these business customers, because businesses are typically able 
to negotiate the appropriate protection of CPNI in their service 
agreements. However, nothing in the Order exempts carriers serving 
wireline enterprise and wireless business account customers from 
section 222 or the remainder of the Commission's CPNI rules.
    10. The Commission agrees with EPIC that carriers should be 
required to notify a customer whenever a security breach

[[Page 31950]]

results in that customer's CPNI being disclosed to a third party 
without that customer's authorization. However, the Commission also 
appreciates law enforcement's concern about delaying customer 
notification in order to allow law enforcement to investigate crimes. 
Therefore, the Commission adopts a rule that it believes balances a 
customer's need to know with law enforcement's ability to undertake an 
investigation of suspected criminal activity, which itself might 
advance the goal of consumer protection.
    11. The Commission declines to specify the precise content of the 
notice that must be provided to customers in the event of a security 
breach of CPNI. The notice requirement the Commission adopts in this 
proceeding is general, and the Commission recognizes that numerous 
types of circumstances--including situations other than pretexting--
could result in the unauthorized disclosure of a customer's CPNI to a 
third party. Thus, the Commission leaves carriers the discretion to 
tailor the language and method of notification to the circumstances. 
Finally, the Commission expects carriers to cooperate fully in any law 
enforcement investigation of such unauthorized release of CPNI or 
attempted unauthorized access to an account consistent with statutory 
and Commission requirements.
    12. The Commission agrees with commenters that techniques for fraud 
vary and tend to become more sophisticated over time, and that carriers 
need leeway to engage emerging threats. The Commission therefore 
clarifies that carriers are free to bolster their security measures 
through additional measures to meet their section 222 obligations to 
protect the privacy of CPNI. The Commission also codifies the existing 
statutory requirement contained in section 222 of the Act that carriers 
take reasonable measures to discover and protect against activity that 
is indicative of pretexting. Adoption of the rules in this Order does 
not relieve carriers of their fundamental duty to remain vigilant in 
their protection of CPNI, nor does it necessarily insulate them from 
enforcement action for unauthorized disclosure of CPNI.
    13. The Commission modifies its rules to require telecommunications 
carriers to obtain opt-in consent from a customer before disclosing 
that customer's CPNI to a carrier's joint venture partner or 
independent contractor for the purpose of marketing communications-
related services to that customer. While the Commission realizes that 
this is a change in Commission policy, it finds that new circumstances 
force it to reassess its existing regulations. As the Commission has 
found previously, the Commission has a substantial interest in 
protecting customer privacy. Based on this and in light of new privacy 
concerns, the Commission now finds that an opt-in framework for the 
sharing of CPNI with joint venture partners and independent contractors 
for the purposes of marketing communications-related services to a 
customer both directly advances its interest in protecting customer 
privacy and is narrowly tailored to achieve its goal of privacy 
protection. Specifically, an opt-in regime will more effectively limit 
the circulation of a customer's CPNI by maintaining it in a carrier's 
possession unless a customer provides informed consent for its release. 
Moreover, the Commission finds that an opt-in regime will provide 
necessary informed customer choice concerning these information sharing 
relationships with other companies.
    14. To the extent that carriers voluntarily obtained opt-in 
approval from their customers for the disclosure of customers' CPNI to 
a joint venture partner or independent contractor for the purposes of 
marketing communications-related services to a customer prior to the 
adoption of this Order, those carriers can continue to use those 
approvals.
    15. The Commission adopts the Commission's tentative conclusion and 
amends its rules to require carriers to file their annual CPNI 
certification with the Commission, including an explanation of any 
actions taken against data brokers and a summary of all customer 
complaints received in the past year concerning the unauthorized 
release of CPNI. The Commission finds that this amendment to the 
Commission's rules is an appropriate measure and will ensure that 
carriers regularly focus their attention on their duty to safeguard 
CPNI. Additionally, the Commission finds that this modification to its 
rules will remind carriers of the Commission's oversight and high 
priority regarding carrier performance in this area. Further, with this 
filing, the Commission will be better able to monitor the industry's 
response to CPNI privacy issues and to take any necessary steps to 
ensure that carriers are managing customer CPNI securely.
    16. The Commission extends the application of the Commission's CPNI 
rules to providers of interconnected VoIP service. In the IP-Enabled 
Services Notice and the EPIC CPNI Notice, the Commission sought comment 
on whether to extend the CPNI requirements to VoIP service providers. 
Since the Commission has not decided whether interconnected VoIP 
services are telecommunications services or information services as 
those terms are defined in the Act, nor does it do so in this Order, 
the Commission analyzes the issues addressed in this Order under its 
Title I ancillary jurisdiction to encompass both types of service. If 
the Commission later classifies interconnected VoIP service as a 
telecommunications service, the providers of interconnected VoIP 
services would be subject to the requirements of section 222 and the 
Commission's CPNI rules as telecommunications carriers under Title II.
    17. The Commission concludes that it has authority under Title I of 
the Act to impose CPNI requirements on providers of interconnected VoIP 
service. Ancillary jurisdiction may be employed, in the Commission's 
discretion, when Title I of the Act gives the Commission subject matter 
jurisdiction over the service to be regulated and the assertion of 
jurisdiction is ``reasonably ancillary to the effective performance of 
[its] various responsibilities.'' Both predicates for ancillary 
jurisdiction are satisfied here. First, as the Commission concluded in 
the Interim USF Order and VoIP 911 Order, interconnected VoIP services 
fall within the subject matter jurisdiction granted to it in the Act. 
Second, the Commission analysis requires it to evaluate whether 
imposing CPNI obligations is reasonably ancillary to the effective 
performance of the Commission's various responsibilities. Based on the 
record in this matter, the Commission finds that sections 222 and 1 of 
the Act provide the requisite nexus, with additional support from 
section 706.
    18. The Commission takes seriously the protection of customers' 
private information and commit to remaining vigilant to ensure 
compliance with applicable privacy laws within its jurisdiction. One 
way in which the Commission will help protect consumer privacy is 
through strong enforcement measures. When investigating compliance with 
the rules and statutory obligations, the Commission will consider 
whether the carrier has taken reasonable precautions to prevent the 
unauthorized disclosure of a customer's CPNI. Specifically, the 
Commission hereby puts carriers on notice that the Commission 
henceforth will infer from evidence that a pretexter has obtained 
unauthorized access to a customer's CPNI that the carrier did not 
sufficiently protect that customer's CPNI. A carrier then must 
demonstrate that the steps it

[[Page 31951]]

has taken to protect CPNI from unauthorized disclosure, including the 
carrier's policies and procedures, are reasonable in light of the 
threat posed by pretexting and the sensitivity of the customer 
information at issue. If the Commission finds at the conclusion of its 
investigation that the carrier indeed has not taken sufficient steps 
adequately to protect the privacy of CPNI, the Commission may sanction 
it for this oversight, including through forfeiture.
    19. The Commission offers additional guidance regarding the 
Commission's expectations that will inform its investigations. The 
Commission fully expects carriers to take every reasonable precaution 
to protect the confidentiality of proprietary or personal customer 
information. Of course, the Commission requires carriers to implement 
the specific minimum requirements set forth in the Commission's rules. 
The Commission further expects carriers to take additional steps to 
protect the privacy of CPNI to the extent such additional measures are 
feasible for a particular carrier. For instance, although the 
Commission declines to impose audit trail obligations on carriers at 
this time, the Commission expects carriers through audits or other 
measures to take reasonable measures to discover and protect against 
activity that is indicative of pretexting. Similarly, although the 
Commission does not specifically require carriers to encrypt their 
customers' CPNI, the Commission expects a carrier to encrypt its CPNI 
databases if doing so would provide significant additional protection 
against the unauthorized access to CPNI at a cost that is reasonable 
given the technology a carrier already has implemented.

Final Paperwork Reduction Act Analysis

    20. This Order contains modified information collection 
requirements subject to the Paperwork Reduction Act of 1995 (PRA), 
Public Law 104-13. It will be submitted to the Office of Management and 
Budget (OMB) for review under section 3507(d) of the PRA. OMB, the 
general public, and other Federal agencies are invited to comment on 
the new information collection requirements contained in this 
proceeding. In addition, pursuant to the Small Business Paperwork 
Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), the 
Commission previously sought specific comment on how it might ``further 
reduce the information collection burden for small business concerns 
with fewer than 25 employees.''
    21. In the Order, the Commission assessed the burdens placed on 
small businesses to notify customers of account changes, to notify law 
enforcement and customers of unauthorized CPNI disclosure; to obtain 
opt-in consent prior to sharing CPNI with joint venture partners and 
independent contractors; to file annually a CPNI certification with the 
Commission, including an explanation of any actions taken against data 
brokers and a summary of all consumer complaints received in the past 
year concerning the unauthorized release of CPNI, and to extend the 
CPNI rules to providers of interconnected VoIP services, and found that 
these requirements do not place a significant burden on small 
businesses.

Final Regulatory Flexibility Analysis

    22. As required by the Regulatory Flexibility Act of 1980, as 
amended (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was 
incorporated in the EPIC CPNI Notice in CC Docket No. 96-115 and the 
IP-Enabled Services Notice in WC Docket 04-36. The Commission sought 
written public comment on the proposals in both notices, including 
comment on the IRFA. The Commission received comments specifically 
directed toward the IRFA from three commenters in CC Docket No. 96-115 
and from three commenters in WC Docket No. 04-36. These comments are 
discussed below. This Final Regulatory Flexibility Analysis (FRFA) 
conforms to the RFA.

A. Need for, and Objectives of, the Rules

    23. The Order strengthens the Commission's rules to protect the 
privacy of CPNI that is collected and held by providers of 
communications services. Section 222 of the Communications Act requires 
telecommunications carriers to take specific steps to ensure that CPNI 
is adequately protected from unauthorized disclosure. The Order adopts 
additional safeguards to protect customers' CPNI against unauthorized 
access and disclosure.

B. Summary of Significant Issues Raised by Public Comments in Response 
to the IRFA

    24. Comments Received in Response to the EPIC CPNI Notice. In this 
section, the Commission responds to comments filed in response to the 
IRFA. To the extent the Commission received comments raising general 
small business concerns during the proceeding, those comments are 
discussed throughout the Order.
    25. The Commission disagrees with Alexicon that small carriers are 
less vulnerable to unauthorized attempts to access CPNI. In fact, 
Alexicon itself points out that one of its client companies actually 
experienced an unauthorized access attempt, and thus the Commission 
finds the steps it takes in the Order are applicable to all carriers. 
The Commission does, however, agree with commenters that argue the 
Commission should not adopt many of EPIC's suggested requirements. The 
Commission also agrees with commenters that argue for flexible rules to 
allow carriers to determine proper authentication methods for its 
customers. Therefore, the Commission does not adopt specific 
authentication methods, or back-up authentication methods for lost or 
forgotten passwords and instead adopts rules that provide limits on the 
types of authentication methods that meet section 222's mandate to 
protect CPNI. Further, the Commission agrees with commenters that small 
carriers should be provided additional time to implement the 
requirements that the Commission does adopt in the Order. Thus, the 
Commission provides small carriers with an additional six month 
implementation period for the online carrier authentication 
requirements adopted in the Order.
    26. Comments Received in Response to the IP-Enabled Services 
Notice. In this section, the Commission responds to comments filed in 
response to the IRFA. To the extent the Commission received comments 
raising general small business concerns during the proceeding, those 
comments are discussed throughout the Order.
    27. The Commission disagrees with the SBA and Francois D. Menard 
(Menard) that the Commission should postpone acting in this 
proceeding--thereby postponing extending the application of the CPNI 
rules to interconnected VoIP service providers--and instead should 
reevaluate the economic impact and the compliance burdens on small 
entities and issue a further notice of proposed rulemaking in 
conjunction with a supplemental IRFA identifying and analyzing the 
economic impacts on small entities and less burdensome alternatives. 
The Commission believes the additional steps suggested by SBA and 
Menard are unnecessary because small entities already have received 
sufficient notice of the issues addressed in the Order and because the 
Commission has considered the economic impact on small entities and 
what ways are feasible to minimize the burdens imposed on those 
entities, and, to the extent feasible, has implemented those less 
burdensome alternatives.

[[Page 31952]]

C. Description and Estimate of the Number of Small Entities to Which 
Rules Will Apply

    28. The RFA directs agencies to provide a description of and, where 
feasible, an estimate of the number of small entities that may be 
affected by the rules adopted herein. The RFA generally defines the 
term ``small entity'' as having the same meaning as the terms ``small 
business,'' ``small organization,'' and ``small governmental 
jurisdiction.'' In addition, the term ``small business'' has the same 
meaning as the term ``small business concern'' under the Small Business 
Act. A small business concern is one which: (1) Is independently owned 
and operated; (2) is not dominant in its field of operation; and (3) 
satisfies any additional criteria established by the Small Business 
Administration (SBA).
    29. Small Businesses. Nationwide, there are a total of 
approximately 22.4 million small businesses, according to SBA data.
    30. Small Organizations. Nationwide, there are approximately 1.6 
million small organizations.
    31. Small Governmental Jurisdictions. The term ``small governmental 
jurisdiction'' is defined generally as ``governments of cities, towns, 
townships, villages, school districts, or special districts, with a 
population of less than fifty thousand.'' Census Bureau data for 2002 
indicate that there were 87,525 local governmental jurisdictions in the 
United States. The Commission estimates that, of this total, 84,377 
entities were ``small governmental jurisdictions.'' Thus, the 
Commission estimates that most governmental jurisdictions are small.
1. Telecommunications Service Entities
a. Wireline Carriers and Service Providers
    32. The Commission has included small incumbent local exchange 
carriers in the present RFA analysis. As noted above, a ``small 
business'' under the RFA is one that, inter alia, meets the pertinent 
small business size standard (e.g., a telephone communications business 
having 1,500 or fewer employees), and ``is not dominant in its field of 
operation.'' The SBA's Office of Advocacy contends that, for RFA 
purposes, small incumbent local exchange carriers are not dominant in 
their field of operation because any such dominance is not ``national'' 
in scope. The Commission has therefore included small incumbent local 
exchange carriers in this RFA analysis, although the Commission 
emphasizes that this RFA action has no effect on Commission analyses 
and determinations in other, non-RFA contexts.
    33. Incumbent Local Exchange Carriers (LECs). Neither the 
Commission nor the SBA has developed a small business size standard 
specifically for incumbent local exchange services. The appropriate 
size standard under SBA rules is for the category Wired 
Telecommunications Carriers. Under that size standard, such a business 
is small if it has 1,500 or fewer employees. According to Commission 
data, 1,303 carriers have reported that they are engaged in the 
provision of incumbent local exchange services. Of these 1,303 
carriers, an estimated 1,020 have 1,500 or fewer employees and 283 have 
more than 1,500 employees. Consequently, the Commission estimates that 
most providers of incumbent local exchange service are small businesses 
that may be affected by its action.
    34. Competitive Local Exchange Carriers, Competitive Access 
Providers (CAPs), ``Shared-Tenant Service Providers,'' and ``Other 
Local Service Providers.'' Neither the Commission nor the SBA has 
developed a small business size standard specifically for these service 
providers. The appropriate size standard under SBA rules is for the 
category Wired Telecommunications Carriers. Under that size standard, 
such a business is small if it has 1,500 or fewer employees. According 
to Commission data, 769 carriers have reported that they are engaged in 
the provision of either competitive access provider services or 
competitive local exchange carrier services. Of these 769 carriers, an 
estimated 676 have 1,500 or fewer employees and 93 have more than 1,500 
employees. In addition, 12 carriers have reported that they are 
``Shared-Tenant Service Providers,'' and all 12 are estimated to have 
1,500 or fewer employees. In addition, 39 carriers have reported that 
they are ``Other Local Service Providers.'' Of the 39, an estimated 38 
have 1,500 or fewer employees and one has more than 1,500 employees. 
Consequently, the Commission estimates that most providers of 
competitive local exchange service, competitive access providers, 
``Shared-Tenant Service Providers,'' and ``Other Local Service 
Providers'' are small entities that may be affected by its action.
    35. Local Resellers. The SBA has developed a small business size 
standard for the category of Telecommunications Resellers. Under that 
size standard, such a business is small if it has 1,500 or fewer 
employees. According to Commission data, 143 carriers have reported 
that they are engaged in the provision of local resale services. Of 
these, an estimated 141 have 1,500 or fewer employees and two have more 
than 1,500 employees. Consequently, the Commission estimates that the 
majority of local resellers are small entities that may be affected by 
its action.
    36. Toll Resellers. The SBA has developed a small business size 
standard for the category of Telecommunications Resellers. Under that 
size standard, such a business is small if it has 1,500 or fewer 
employees. According to Commission data, 770 carriers have reported 
that they are engaged in the provision of toll resale services. Of 
these, an estimated 747 have 1,500 or fewer employees and 23 have more 
than 1,500 employees. Consequently, the Commission estimates that the 
majority of toll resellers are small entities that may be affected by 
its action.
    37. Payphone Service Providers (PSPs). Neither the Commission nor 
the SBA has developed a small business size standard specifically for 
payphone services providers. The appropriate size standard under SBA 
rules is for the category Wired Telecommunications Carriers. Under that 
size standard, such a business is small if it has 1,500 or fewer 
employees. According to Commission data, 613 carriers have reported 
that they are engaged in the provision of payphone services. Of these, 
an estimated 609 have 1,500 or fewer employees and four have more than 
1,500 employees. Consequently, the Commission estimates that the 
majority of payphone service providers are small entities that may be 
affected by its action.
    38. Interexchange Carriers (IXCs). Neither the Commission nor the 
SBA has developed a small business size standard specifically for 
providers of interexchange services. The appropriate size standard 
under SBA rules is for the category Wired Telecommunications Carriers. 
Under that size standard, such a business is small if it has 1,500 or 
fewer employees. According to Commission data, 316 carriers have 
reported that they are engaged in the provision of interexchange 
service. Of these, an estimated 292 have 1,500 or fewer employees and 
24 have more than 1,500 employees. Consequently, the Commission 
estimates that the majority of IXCs are small entities that may be 
affected by its action.
    39. Operator Service Providers (OSPs). Neither the Commission nor 
the SBA has developed a small business size standard specifically for 
operator service providers. The appropriate size standard under SBA 
rules is for the category Wired Telecommunications

[[Page 31953]]

Carriers. Under that size standard, such a business is small if it has 
1,500 or fewer employees. According to Commission data, 23 carriers 
have reported that they are engaged in the provision of operator 
services. Of these, an estimated 20 have 1,500 or fewer employees and 
three have more than 1,500 employees. Consequently, the Commission 
estimates that the majority of OSPs are small entities that may be 
affected by its action.
    40. Prepaid Calling Card Providers. Neither the Commission nor the 
SBA has developed a small business size standard specifically for 
prepaid calling card providers. The appropriate size standard under SBA 
rules is for the category Telecommunications Resellers. Under that size 
standard, such a business is small if it has 1,500 or fewer employees. 
According to Commission data, 89 carriers have reported that they are 
engaged in the provision of prepaid calling cards. Of these, 88 are 
estimated to have 1,500 or fewer employees and one has more than 1,500 
employees. Consequently, the Commission estimates that all or the 
majority of prepaid calling card providers are small entities that may 
be affected by its action.
    41. 800 and 800-Like Service Subscribers. Neither the Commission 
nor the SBA has developed a small business size standard specifically 
for 800 and 800-like service (``toll free'') subscribers. The 
appropriate size standard under SBA rules is for the category 
Telecommunications Resellers. Under that size standard, such a business 
is small if it has 1,500 or fewer employees. The most reliable source 
of information regarding the number of these service subscribers 
appears to be data the Commission collects on the 800, 888, and 877 
numbers in use. According to the Commission's data, at the end of 
January, 1999, the number of 800 numbers assigned was 7,692,955; the 
number of 888 numbers assigned was 7,706,393; and the number of 877 
numbers assigned was 1,946,538. The Commission does not have data 
specifying the number of these subscribers that are not independently 
owned and operated or have more than 1,500 employees, and thus is 
unable at this time to estimate with greater precision the number of 
toll free subscribers that would qualify as small businesses under the 
SBA size standard. Consequently, the Commission estimates that there 
are 7,692,955 or fewer small entity 800 subscribers; 7,706,393 or fewer 
small entity 888 subscribers; and 1,946,538 or fewer small entity 877 
subscribers.
b. International Service Providers
    42. The Commission has not developed a small business size standard 
specifically for providers of international service. The appropriate 
size standards under SBA rules are for the two broad census categories 
of ``Satellite Telecommunications'' and ``Other Telecommunications.'' 
Under both categories, such a business is small if it has $12.5 million 
or less in average annual receipts.
    43. The first category of Satellite Telecommunications ``comprises 
establishments primarily engaged in providing point-to-point 
telecommunications services to other establishments in the 
telecommunications and broadcasting industries by forwarding and 
receiving communications signals via a system of satellites or 
reselling satellite telecommunications.'' For this category, Census 
Bureau data for 2002 show that there were a total of 371 firms that 
operated for the entire year. Of this total, 307 firms had annual 
receipts of under $10 million, and 26 firms had receipts of $10 million 
to $24,999,999. Consequently, the Commission estimates that the 
majority of Satellite Telecommunications firms are small entities that 
might be affected by its action.
    44. The second category of Other Telecommunications ``comprises 
establishments primarily engaged in (1) providing specialized 
telecommunications applications, such as satellite tracking, 
communications telemetry, and radar station operations; or (2) 
providing satellite terminal stations and associated facilities 
operationally connected with one or more terrestrial communications 
systems and capable of transmitting telecommunications to or receiving 
telecommunications from satellite systems.'' For this category, Census 
Bureau data for 2002 show that there were a total of 332 firms that 
operated for the entire year. Of this total, 259 firms had annual 
receipts of under $10 million and 15 firms had annual receipts of $10 
million to $24,999,999. Consequently, the Commission estimates that the 
majority of Other Telecommunications firms are small entities that 
might be affected by its action.
c. Wireless Telecommunications Service Providers
    45. Below, for those services subject to auctions, the Commission 
notes that, as a general matter, the number of winning bidders that 
qualify as small businesses at the close of an auction does not 
necessarily represent the number of small businesses currently in 
service. Also, the Commission does not generally track subsequent 
business size unless, in the context of assignments or transfers, 
unjust enrichment issues are implicated.
    46. Wireless Service Providers. The SBA has developed a small 
business size standard for wireless firms within the two broad economic 
census categories of ``Paging'' and ``Cellular and Other Wireless 
Telecommunications.'' Under both SBA categories, a wireless business is 
small if it has 1,500 or fewer employees. For the census category of 
Paging, Census Bureau data for 2002 show that there were 807 firms in 
this category that operated for the entire year. Of this total, 804 
firms had employment of 999 or fewer employees, and three firms had 
employment of 1,000 employees or more. Thus, under this category and 
associated small business size standard, the majority of firms can be 
considered small. For the census category of Cellular and Other 
Wireless Telecommunications, Census Bureau data for 2002 show that 
there were 1,397 firms in this category that operated for the entire 
year. Of this total, 1,378 firms had employment of 999 or fewer 
employees, and 19 firms had employment of 1,000 employees or more. 
Thus, under this second category and size standard, the majority of 
firms can, again, be considered small.
    47. Cellular Licensees. The SBA has developed a small business size 
standard for wireless firms within the broad economic census category 
``Cellular and Other Wireless Telecommunications.'' Under this SBA 
category, a wireless business is small if it has 1,500 or fewer 
employees. For the census category of Cellular and Other Wireless 
Telecommunications, Census Bureau data for 2002 show that there were 
1,397 firms in this category that operated for the entire year. Of this 
total, 1,378 firms had employment of 999 or fewer employees, and 19 
firms had employment of 1,000 employees or more. Thus, under this 
category and size standard, the great majority of firms can be 
considered small. Also, according to Commission data, 437 carriers 
reported that they were engaged in the provision of cellular service, 
Personal Communications Service (PCS), or Specialized Mobile Radio 
(SMR) Telephony services, which are placed together in the data. The 
Commission has estimated that 260 of these are small, under the SBA 
small business size standard.
    48. Common Carrier Paging. The SBA has developed a small business 
size standard for wireless firms within the

[[Page 31954]]

broad economic census category, ``Cellular and Other Wireless 
Telecommunications.'' Under this SBA category, a wireless business is 
small if it has 1,500 or fewer employees. For the census category of 
Paging, Census Bureau data for 2002 show that there were 807 firms in 
this category that operated for the entire year. Of this total, 804 
firms had employment of 999 or fewer employees, and three firms had 
employment of 1,000 employees or more. Thus, under this category and 
associated small business size standard, the majority of firms can be 
considered small. In the Paging Third Report and Order, the Commission 
developed a small business size standard for ``small businesses'' and 
``very small businesses'' for purposes of determining their eligibility 
for special provisions such as bidding credits and installment 
payments. A ``small business'' is an entity that, together with its 
affiliates and controlling principals, has average gross revenues not 
exceeding $15 million for the preceding three years. Additionally, a 
``very small business'' is an entity that, together with its affiliates 
and controlling principals, has average gross revenues that are not 
more than $3 million for the preceding three years. The SBA has 
approved these small business size standards. An auction of 
Metropolitan Economic Area licenses commenced on February 24, 2000, and 
closed on March 2, 2000. Of the 985 licenses auctioned, 440 were sold. 
Fifty-seven companies claiming small business status won. Also, 
according to Commission data, 375 carriers reported that they were 
engaged in the provision of paging and messaging services. Of those, 
the Commission estimates that 370 are small, under the SBA-approved 
small business size standard.
    49. Wireless Communications Services. This service can be used for 
fixed, mobile, radiolocation, and digital audio broadcasting satellite 
uses. The Commission established small business size standards for the 
wireless communications services (WCS) auction. A ``small business'' is 
an entity with average gross revenues of $40 million for each of the 
three preceding years, and a ``very small business'' is an entity with 
average gross revenues of $15 million for each of the three preceding 
years. The SBA has approved these small business size standards. The 
Commission auctioned geographic area licenses in the WCS service. In 
the auction, there were seven winning bidders that qualified as ``very 
small business'' entities, and one that qualified as a ``small 
business'' entity.
    50. Wireless Telephony. Wireless telephony includes cellular, 
personal communications services (PCS), and specialized mobile radio 
(SMR) telephony carriers. As noted earlier, the SBA has developed a 
small business size standard for ``Cellular and Other Wireless 
Telecommunications'' services. Under that SBA small business size 
standard, a business is small if it has 1,500 or fewer employees. 
According to Commission data, 445 carriers reported that they were 
engaged in the provision of wireless telephony. The Commission has 
estimated that 245 of these are small under the SBA small business size 
standard.
    51. Broadband Personal Communications Service. The broadband 
Personal Communications Service (PCS) spectrum is divided into six 
frequency blocks designated A through F, and the Commission has held 
auctions for each block. The Commission defined ``small entity'' for 
Blocks C and F as an entity that has average gross revenues of $40 
million or less in the three previous calendar years. For Block F, an 
additional classification for ``very small business'' was added and is 
defined as an entity that, together with its affiliates, has average 
gross revenues of not more than $15 million for the preceding three 
calendar years.'' These standards defining ``small entity'' in the 
context of broadband PCS auctions have been approved by the SBA. No 
small businesses, within the SBA-approved small business size standards 
bid successfully for licenses in Blocks A and B. There were 90 winning 
bidders that qualified as small entities in the Block C auctions. A 
total of 93 small and very small business bidders won approximately 40 
percent of the 1,479 licenses for Blocks D, E, and F. On March 23, 
1999, the Commission re-auctioned 347 C, D, E, and F Block licenses. 
There were 48 small business winning bidders. On January 26, 2001, the 
Commission completed the auction of 422 C and F Broadband PCS licenses 
in Auction No. 35. Of the 35 winning bidders in this auction, 29 
qualified as ``small'' or ``very small'' businesses. Subsequent events, 
concerning Auction 35, including judicial and agency determinations, 
resulted in a total of 163 C and F Block licenses being available for 
grant.
    52. Narrowband Personal Communications Services. To date, two 
auctions of narrowband personal communications services (PCS) licenses 
have been conducted. For purposes of the two auctions that have already 
been held, ``small businesses'' were entities with average gross 
revenues for the prior three calendar years of $40 million or less. 
Through these auctions, the Commission has awarded a total of 41 
licenses, out of which 11 were obtained by small businesses. To ensure 
meaningful participation of small business entities in future auctions, 
the Commission has adopted a two-tiered small business size standard in 
the Narrowband PCS Second Report and Order. A ``small business'' is an 
entity that, together with affiliates and controlling interests, has 
average gross revenues for the three preceding years of not more than 
$40 million. A ``very small business'' is an entity that, together with 
affiliates and controlling interests, has average gross revenues for 
the three preceding years of not more than $15 million. The SBA has 
approved these small business size standards. In the future, the 
Commission will auction 459 licenses to serve Metropolitan Trading 
Areas (MTAs) and 408 response channel licenses. There is also one 
megahertz of narrowband PCS spectrum that has been held in reserve and 
that the Commission has not yet decided to release for licensing. The 
Commission cannot predict accurately the number of licenses that will 
be awarded to small entities in future auctions. However, four of the 
16 winning bidders in the two previous narrowband PCS auctions were 
small businesses, as that term was defined. The Commission assumes, for 
purposes of this analysis that a large portion of the remaining 
narrowband PCS licenses will be awarded to small entities. The 
Commission also assumes that at least some small businesses will 
acquire narrowband PCS licenses by means of the Commission's 
partitioning and disaggregation rules.
    53. 220 MHz Radio Service--Phase I Licensees. The 220 MHz service 
has both Phase I and Phase II licenses. Phase I licensing was conducted 
by lotteries in 1992 and 1993. There are approximately 1,515 such non-
nationwide licensees and four nationwide licensees currently authorized 
to operate in the 220 MHz band. The Commission has not developed a 
small business size standard for small entities specifically applicable 
to such incumbent 220 MHz Phase I licensees. To estimate the number of 
such licensees that are small businesses, the Commission applies the 
small business size standard under the SBA rules applicable to 
``Cellular and Other Wireless Telecommunications'' companies. This 
category provides that a small business is a wireless company employing 
no more than 1,500 persons. For the census category Cellular and Other 
Wireless Telecommunications, Census Bureau data for 1997 show that 
there were 977 firms in this category,

[[Page 31955]]

total, that operated for the entire year. Of this total, 965 firms had 
employment of 999 or fewer employees, and an additional 12 firms had 
employment of 1,000 employees or more. Thus, under this second category 
and size standard, the majority of firms can, again, be considered 
small. Assuming this general ratio continues in the context of Phase I 
220 MHz licensees, the Commission estimates that nearly all such 
licensees are small businesses under the SBA's small business size 
standard. In addition, limited preliminary census data for 2002 
indicate that the total number of cellular and other wireless 
telecommunications carriers increased approximately 321 percent from 
1997 to 2002.
    54. 220 MHz Radio Service--Phase II Licensees. The 220 MHz service 
has both Phase I and Phase II licenses. The Phase II 220 MHz service is 
a new service, and is subject to spectrum auctions. In the 220 MHz 
Third Report and Order, the Commission adopted a small business size 
standard for ``small'' and ``very small'' businesses for purposes of 
determining their eligibility for special provisions such as bidding 
credits and installment payments. This small business size standard 
indicates that a ``small business'' is an entity that, together with 
its affiliates and controlling principals, has average gross revenues 
not exceeding $15 million for the preceding three years. A ``very small 
business'' is an entity that, together with its affiliates and 
controlling principals, has average gross revenues that do not exceed 
$3 million for the preceding three years. The SBA has approved these 
small business size standards. Auctions of Phase II licenses commenced 
on September 15, 1998, and closed on October 22, 1998. In the first 
auction, 908 licenses were auctioned in three different-sized 
geographic areas: three nationwide licenses, 30 Regional Economic Area 
Group (EAG) Licenses, and 875 Economic Area (EA) Licenses. Of the 908 
licenses auctioned, 693 were sold. Thirty-nine small businesses won 
licenses in the first 220 MHz auction. The second auction included 225 
licenses: 216 EA licenses and 9 EAG licenses. Fourteen companies 
claiming small business status won 158 licenses.
    55. 800 MHz and 900 MHz Specialized Mobile Radio Licenses. The 
Commission awards ``small entity'' and ``very small entity'' bidding 
credits in auctions for Specialized Mobile Radio (SMR) geographic area 
licenses in the 800 MHz and 900 MHz bands to firms that had revenues of 
no more than $15 million in each of the three previous calendar years, 
or that had revenues of no more than $3 million in each of the previous 
calendar years, respectively. These bidding credits apply to SMR 
providers in the 800 MHz and 900 MHz bands that either hold geographic 
area licenses or have obtained extended implementation authorizations. 
The Commission does not know how many firms provide 800 MHz or 900 MHz 
geographic area SMR service pursuant to extended implementation 
authorizations, nor how many of these providers have annual revenues of 
no more than $15 million. One firm has over $15 million in revenues. 
The Commission assumes, for purposes here, that all of the remaining 
existing extended implementation authorizations are held by small 
entities, as that term is defined by the SBA. The Commission has held 
auctions for geographic area licenses in the 800 MHz and 900 MHz SMR 
bands. There were 60 winning bidders that qualified as small or very 
small entities in the 900 MHz SMR auctions. Of the 1,020 licenses won 
in the 900 MHz auction, bidders qualifying as small or very small 
entities won 263 licenses. In the 800 MHz auction, 38 of the 524 
licenses won were won by small and very small entities.
    56. 700 MHz Guard Band Licensees. In the 700 MHz Guard Band Order, 
the Commission adopted a small business size standard for ``small 
businesses'' and ``very small businesses'' for purposes of determining 
their eligibility for special provisions such as bidding credits and 
installment payments. A ``small business'' as an entity that, together 
with its affiliates and controlling principals, has average gross 
revenues not exceeding $15 million for the preceding three years. 
Additionally, a ``very small business'' is an entity that, together 
with its affiliates and controlling principals, has average gross 
revenues that are not more than $3 million for the preceding three 
years. An auction of 52 Major Economic Area (MEA) licenses commenced on 
September 6, 2000, and closed on September 21, 2000. Of the 104 
licenses auctioned, 96 licenses were sold to nine bidders. Five of 
these bidders were small businesses that won a total of 26 licenses. A 
second auction of 700 MHz Guard Band licenses commenced on February 13, 
2001 and closed on February 21, 2001. All eight of the licenses 
auctioned were sold to three bidders. One of these bidders was a small 
business that won a total of two licenses.
    57. Rural Radiotelephone Service. The Commission has not adopted a 
size standard for small businesses specific to the Rural Radiotelephone 
Service. A significant subset of the Rural Radiotelephone Service is 
the Basic Exchange Telephone Radio System (BETRS). The Commission uses 
the SBA's small business size standard applicable to ``Cellular and 
Other Wireless Telecommunications,'' i.e., an entity employing no more 
than 1,500 persons. There are approximately 1,000 licensees in the 
Rural Radiotelephone Service, and the Commission estimates that there 
are 1,000 or fewer small entity licensees in the Rural Radiotelephone 
Service that may be affected by the rules and policies adopted herein.
    58. Air-Ground Radiotelephone Service. The Commission has not 
adopted a small business size standard specific to the Air-Ground 
Radiotelephone Service. The Commission will use SBA's small business 
size standard applicable to ``Cellular and Other Wireless 
Telecommunications,'' i.e., an entity employing no more than 1,500 
persons. There are approximately 100 licensees in the Air-Ground 
Radiotelephone Service, and the Commission estimates that almost all of 
them qualify as small under the SBA small business size standard.
    59. Aviation and Marine Radio Services. Small businesses in the 
aviation and marine radio services use a very high frequency (VHF) 
marine or aircraft radio and, as appropriate, an emergency position-
indicating radio beacon (and/or radar) or an emergency locator 
transmitter. The Commission has not developed a small business size 
standard specifically applicable to these small businesses. For 
purposes of this analysis, the Commission uses the SBA small business 
size standard for the category ``Cellular and Other 
Telecommunications,'' which is 1,500 or fewer employees. Most 
applicants for recreational licenses are individuals. Approximately 
581,000 ship station licensees and 131,000 aircraft station licensees 
operate domestically and are not subject to the radio carriage 
requirements of any statute or treaty. For purposes of the Commission's 
evaluations in this analysis, the Commission estimates that there are 
up to approximately 712,000 licensees that are small businesses (or 
individuals) under the SBA standard. In addition, between December 3, 
1998 and December 14, 1998, the Commission held an auction of 42 VHF 
Public Coast licenses in the 157.1875-157.4500 MHz (ship transmit) and 
161.775-162.0125 MHz (coast transmit) bands. For purposes of the 
auction, the Commission defined a ``small'' business as an entity that, 
together with controlling interests and affiliates, has average gross 
revenues for the preceding

[[Page 31956]]

three years not to exceed $15 million dollars. In addition, a ``very 
small'' business is one that, together with controlling interests and 
affiliates, has average gross revenues for the preceding three years 
not to exceed $3 million dollars. There are approximately 10,672 
licensees in the Marine Coast Service, and the Commission estimates 
that almost all of them qualify as ``small'' businesses under the above 
special small business size standards.
    60. Offshore Radiotelephone Service. This service operates on 
several UHF television broadcast channels that are not used for 
television broadcasting in the coastal areas of states bordering the 
Gulf of Mexico. There are presently approximately 55 licensees in this 
service. The Commission is unable to estimate at this time the number 
of licensees that would qualify as small under the SBA's small business 
size standard for ``Cellular and Other Wireless Telecommunications'' 
services. Under that SBA small business size standard, a business is 
small if it has 1,500 or fewer employees.
    61. 39 GHz Service. The Commission created a special small business 
size standard for 39 GHz licenses--an entity that has average gross 
revenues of $40 million or less in the three previous calendar years. 
An additional size standard for ``very small business'' is: an entity 
that, together with affiliates, has average gross revenues of not more 
than $15 million for the preceding three calendar years. The SBA has 
approved these small business size standards. The auction of the 2,173 
39 GHz licenses began on April 12, 2000 and closed on May 8, 2000. The 
18 bidders who claimed small business status won 849 licenses. 
Consequently, the Commission estimates that 18 or fewer 39 GHz 
licensees are small entities that may be affected by the rules and 
polices adopted herein.
    62. Multipoint Distribution Service, Multichannel Multipoint 
Distribution Service, and ITFS. Multichannel Multipoint Distribution 
Service (MMDS) systems, often referred to as ``wireless cable,'' 
transmit video programming to subscribers using the microwave 
frequencies of the Multipoint Distribution Service (MDS) and 
Instructional Television Fixed Service (ITFS). In connection with the 
1996 MDS auction, the Commission established a small business size 
standard as an entity that had annual average gross revenues of less 
than $40 million in the previous three calendar years. The MDS auctions 
resulted in 67 successful bidders obtaining licensing opportunities for 
493 Basic Trading Areas (BTAs). Of the 67 auction winners, 61 met the 
definition of a small business. MDS also includes licensees of stations 
authorized prior to the auction. In addition, the SBA has developed a 
small business size standard for Cable and Other Program Distribution, 
which includes all such companies generating $12.5 million or less in 
annual receipts. According to Census Bureau data for 1997, there were a 
total of 1,311 firms in this category, total, that had operated for the 
entire year. Of this total, 1,180 firms had annual receipts of under 
$10 million and an additional 52 firms had receipts of $10 million or 
more but less than $25 million. Consequently, the Commission estimates 
that the majority of providers in this service category are small 
businesses that may be affected by the rules and policies adopted 
herein. This SBA small business size standard also appears applicable 
to ITFS. There are presently 2,032 ITFS licensees. All but 100 of these 
licenses are held by educational institutions. Educational institutions 
are included in this analysis as small entities. Thus, the Commission 
tentatively conclude that at least 1,932 licensees are small 
businesses.
    63. Local Multipoint Distribution Service. Local Multipoint 
Distribution Service (LMDS) is a fixed broadband point-to-multipoint 
microwave service that provides for two-way video telecommunications. 
The auction of the 1,030 Local Multipoint Distribution Service (LMDS) 
licenses began on February 18, 1998 and closed on March 25, 1998. The 
Commission established a small business size standard for LMDS licenses 
as an entity that has average gross revenues of less than $40 million 
in the three previous calendar years. An additional small business size 
standard for ``very small business'' was added as an entity that, 
together with its affiliates, has average gross revenues of not more 
than $15 million for the preceding three calendar years. The SBA has 
approved these small business size standards in the context of LMDS 
auctions. There were 93 winning bidders that qualified as small 
entities in the LMDS auctions. A total of 93 small and very small 
business bidders won approximately 277 A Block licenses and 387 B Block 
licenses. On March 27, 1999, the Commission re-auctioned 161 licenses; 
there were 40 winning bidders. Based on this information, the 
Commission concludes that the number of small LMDS licenses consists of 
the 93 winning bidders in the first auction and the 40 winning bidders 
in the re-auction, for a total of 133 small entity LMDS providers.
    64. 218-219 MHz Service. The first auction of 218-219 MHz spectrum 
resulted in 170 entities winning licenses for 594 Metropolitan 
Statistical Area (MSA) licenses. Of the 594 licenses, 557 were won by 
entities qualifying as a small business. For that auction, the small 
business size standard was an entity that, together with its 
affiliates, has no more than a $6 million net worth and, after federal 
income taxes (excluding any carry over losses), has no more than $2 
million in annual profits each year for the previous two years. In the 
218-219 MHz Report and Order and Memorandum Opinion and Order, the 
Commission established a small business size standard for a ``small 
business'' as an entity that, together with its affiliates and persons 
or entities that hold interests in such an entity and their affiliates, 
has average annual gross revenues not to exceed $15 million for the 
preceding three years. A ``very small business'' is defined as an 
entity that, together with its affiliates and persons or entities that 
hold interests in such an entity and its affiliates, has average annual 
gross revenues not to exceed $3 million for the preceding three years. 
The Commission cannot estimate, however, the number of licenses that 
will be won by entities qualifying as small or very small businesses 
under its rules in future auctions of 218-219 MHz spectrum.
    65. 24 GHz--Incumbent Licensees. This analysis may affect incumbent 
licensees who were relocated to the 24 GHz band from the 18 GHz band, 
and applicants who wish to provide services in the 24 GHz band. The 
applicable SBA small business size standard is that of ``Cellular and 
Other Wireless Telecommunications'' companies. This category provides 
that such a company is small if it employs no more than 1,500 persons. 
According to Census Bureau data for 1997, there were 977 firms in this 
category, total, that operated for the entire year. Of this total, 965 
firms had employment of 999 or fewer employees, and an additional 12 
firms had employment of 1,000 employees or more. Thus, under this size 
standard, the great majority of
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.