Congress moves to protect phone records

You may call your mother asking for an apple pie recipe. Within days you begin to receive calls from telemarketers who try to sell you cooking equipment or want you ti sign up for a pie home delivery service. What happened? You private phone record ended up in the hands of data brokers, that’s what happened. Phone companies currently face few consequences for not protecting the information, and members of Congress want to raise the bar by passing the Prevention of Fraudulent Access to Phone Records Act (H.R. 936). Trouble is, complying with the proposed security requirements may well add $12 to $64 to the cost of a telephone line, according to Walter McCormick, president and CEO of the United States Telecom Association, who spoke at a hearing on the bill.

The bill’s purpose is to add teeth to the legal sanctions against pretexting, a practice in which the perpetrator uses a false motive, or a pretext, to obtain access to personal information, such as phone records. Professional pretexters sell the information they gather to people or companies without asking too many questions about how they will use it; sometimes the buyers are criminals — ID thieves — who use the information to steal a person’s assets or establish credit in his or her name.

H.R. 936, introduced earlier this year by Representative John Dingell (D-Michigan), bans obtaining or attempting to obtain another person’s records through pretexting, causing disclosure or attempting to disclose records, or directly selling or disclosing that data. An exemption applies to situations where law enforcement requests records. The bill also triples the fines the Federal Communications Commission (FCC) could levy on companies that violate the implementing regulations, imposing a maximum of $3 million for multiple violations.

The proposal also instructs the FCC to “prescribe regulations adopting more stringent security standards for customer proprietary network information.”

Those regulations would require telecommunications carriers to notify the commission should a breach occur, undergo periodic audits by the commission to determine compliance, and establish “administrative, technical, and physical safeguards.”

Industry opposes the bill. Representatives from the United States Telecom Association and the CTIA, an association for the wireless industry, warned that the additional security required in the legislation would be costly to providers while doing little to put pretexters out of business. It would limit the ability of telecommunications carriers to market new and bundled services to target audiences, for example, or to employ third parties to assist with billing and customer-care functions.

Mary Alice Davidson writes in Security Management that the current legislation is but one in a series of efforts to deal with the problem. The 1999 Gramm-Leach-Bliley Act (GLBA) outlawed the use of pretexting to obtain financial data from customers or institutions. Additional legislation, which became law in December 2006 and January 2007, adds further clout for enforcement agencies going after pretexters. The U.S. SAFE WEB Act allows greater cooperation and information sharing between law enforcers in the United States and their counterparts in other countries as they pursue data brokers (who are often trafficking in data obtained through pretexting). Additionally, the Telephone Records and Privacy Protection Act makes the gathering of confidential records by making false statements to a telephone service provider a crime.

Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), argued that while noteworthy, “Nothing in the [existing laws] puts a duty on the telephone companies that are the actual source of this data to increase their security measures.” He applauded the specific H.R. 936 language that gives enforcement powers to the FTC and industry oversight to the FCC.