§  64.5109   Safeguards required for use of customer proprietary network
information.

   (a) TRS providers shall implement a system by which the status of a
   customer's CPNI approval can be clearly established prior to the use of
   CPNI. Except as provided for in § § 64.5105 and 64.5108(f) of this
   subpart, TRS providers shall provide access to and shall require all
   personnel, including any agents, contractors, and subcontractors, who
   have contact with customers to verify the status of a customer's CPNI
   approval before using, disclosing, or permitting access to the
   customer's CPNI.

   (b) TRS providers shall train their personnel, including any agents,
   contractors, and subcontractors, as to when they are and are not
   authorized to use CPNI, including procedures for verification of the
   status of a customer's CPNI approval. TRS providers shall have an
   express disciplinary process in place, including in the case of agents,
   contractors, and subcontractors, a right to cancel the applicable
   contract(s) or otherwise take disciplinary action.

   (c) TRS providers shall maintain a record, electronically or in some
   other manner, of their own and their affiliates' sales and marketing
   campaigns that use their customers' CPNI. All TRS providers shall
   maintain a record of all instances where CPNI was disclosed or provided
   to third parties, or where third parties were allowed access to CPNI.
   The record shall include a description of each campaign, the specific
   CPNI that was used in the campaign, including the customer's name, and
   what products and services were offered as a part of the campaign. TRS
   providers shall retain the record for a minimum of three years.

   (d) TRS providers shall establish a supervisory review process
   regarding TRS provider compliance with the rules in this subpart for
   outbound marketing situations and maintain records of TRS provider
   compliance for a minimum period of three years. Sales personnel must
   obtain supervisory approval of any proposed outbound marketing request
   for customer approval.

   (e) A TRS provider shall have an officer, as an agent of the TRS
   provider, sign and file with the Commission a compliance certification
   on an annual basis. The officer shall state in the certification that
   he or she has personal knowledge that the company has established
   operating procedures that are adequate to ensure compliance with the
   rules in this subpart. The TRS provider must provide a statement
   accompanying the certification explaining how its operating procedures
   ensure that it is or is not in compliance with the rules in this
   subpart. In addition, the TRS provider must include an explanation of
   any actions taken against data brokers, a summary of all customer
   complaints received in the past year concerning the unauthorized
   release of CPNI, and a report detailing all instances where the TRS
   provider, or its agents, contractors, or subcontractors, used,
   disclosed, or permitted access to CPNI without complying with the
   procedures specified in this subpart. In the case of iTRS providers,
   this filing shall be included in the annual report filed with the
   Commission pursuant to § 64.606(g) of this part for data pertaining to
   the previous year. In the case of all other TRS providers, this filing
   shall be made annually with the Disability Rights Office of the
   Consumer and Governmental Affairs Bureau on or before March 1 in CG
   Docket No. 03-123 for data pertaining to the previous calendar year.

   (f) TRS providers shall provide written notice within five business
   days to the Disability Rights Office of the Consumer and Governmental
   Affairs Bureau of the Commission of any instance where the opt-out
   mechanisms do not work properly, to such a degree that consumers'
   inability to opt-out is more than an anomaly.

   (1) The notice shall be in the form of a letter, and shall include the
   TRS provider's name, a description of the opt-out mechanism(s) used,
   the problem(s) experienced, the remedy proposed and when it will be/was
   implemented, whether the relevant state commission(s) has been
   notified, if applicable, and whether the state commission(s) has taken
   any action, a copy of the notice provided to customers, and contact
   information.

   (2) Such notice shall be submitted even if the TRS provider offers
   other methods by which consumers may opt-out.

   [ 79 FR 40613 , July 5, 2013]