47 C.F.R. § 64.2010

Current through September 30, 2024
Section 64.2010 - [Effective on an indefinitely defined date ] Safeguards on the disclosure of customer proprietary network information
(a)Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an in-store visit.
(b)Telephone access to CPNI. Telecommunications carriers may only disclose call detail information over the telephone, based on customer-initiated telephone contact, if the customer first provides the carrier with a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information. If the customer does not provide a password, the telecommunications carrier may only disclose call detail information by sending it to the customer's address of record, or by calling the customer at the telephone number of record. If the customer is able to provide call detail information to the telecommunications carrier during a customer-initiated call without the telecommunications carrier's assistance, then the telecommunications carrier is permitted to discuss the call detail information provided by the customer.
(c)Online access to CPNI. A telecommunications carrier must authenticate a customer without the use of readily available biographical information, or account information, prior to allowing the customer online access to CPNI related to a telecommunications service account. Once authenticated, the customer may only obtain online access to CPNI related to a telecommunications service account through a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information.
(d)In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier's retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer's account information.
(e)Establishment of a password and back-up authentication methods for lost or forgotten passwords. To establish a password, a telecommunications carrier must authenticate the customer without the use of readily available biographical information, or account information. Telecommunications carriers may create a back-up customer authentication method in the event of a lost or forgotten password, but such back-up customer authentication method may not prompt the customer for readily available biographical information, or account information. If a customer cannot provide the correct password or the correct response for the back-up customer authentication method, the customer must establish a new password as described in this paragraph.
(f)Notification of account changes.
(1) Telecommunications carriers must notify customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten password, online account, or address of record is created or changed. This notification is not required when the customer initiates service, including the selection of a password at service initiation. This notification may be through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record, and must not reveal the changed information or be sent to the new account information.
(2) Beginning on July 15, 2024, paragraph (f)(1) of this section does not apply to a change made in connection with a line separation request under 47 U.S.C. 345 and subpart II of this part.
(g)Business customer exemption. Telecommunications carriers may bind themselves contractually to authentication regimes other than those described in this section for services they provide to their business customers that have both a dedicated account representative and a contract that specifically addresses the carriers' protection of CPNI.
(h)Subscriber Identity Module (SIM) changes. A provider of commercial mobile radio service (CMRS), as defined in 47 CFR 20.3 , including resellers of wireless service, shall only effectuate SIM change requests in accordance with this section. For purposes of this section, SIM means a physical or virtual card associated with a device that stores unique information that can be identified to a specific mobile network.
(1)Customer authentication. A CMRS provider shall use secure methods to authenticate a customer that are reasonably designed to confirm the customer's identity before executing a SIM change request, except to the extent otherwise required by 47 U.S.C. 345 (Safe Connections Act of 2022) or subpart II of this part. Authentication methods shall not rely on readily available biographical information, account information, recent payment information, or call detail information unless otherwise permitted under 47 U.S.C. 345 or subpart II of this part. A CMRS provider shall regularly, but not less than annually, review and, as necessary, update its customer authentication methods to ensure that its authentication methods continue to be secure. A CMRS provider shall establish safeguards and processes so that employees who receive inbound customer communications are unable to access CPNI in the course of that customer interaction until after the customer has been properly authenticated.
(2)Response to failed authentication attempts. A CMRS provider shall develop, maintain, and implement procedures for addressing failed authentication attempts in connection with a SIM change request that are reasonably designed to prevent unauthorized access to a customer's account, which, among other things, take into consideration the needs of survivors pursuant to 47 U.S.C. 345 and subpart II of this part.
(3)Customer notification of SIM change requests. Upon receiving a SIM change request, and before effectuating the request, a CMRS provider shall provide immediate notification to the customer that a SIM change request associated with the customer's account was made, sent in accordance with customer preferences, if indicated, and using means reasonably designed to reach the customer associated with the account and clear and concise language that provides sufficient information to effectively inform a customer that a SIM change request involving the customer's SIM was made, except if the SIM change request was made in connection with a legitimate line separation request pursuant to 47 U.S.C. 345 and subpart II of this part, regardless of whether the line separation is technically or operationally feasible.
(4)Account locks. A CMRS provider shall offer customers, at no cost, the option to lock their accounts to prohibit the CMRS provider from processing requests to change the customer's SIM. A CMRS provider shall not fulfill a SIM change request until the customer deactivates the lock on the account, except if the SIM change request was made in connection with a legitimate line separation request pursuant to 47 U.S.C. 345 and subpart II of this part, regardless of whether the line separation is technically or operationally feasible. The process to activate and deactivate an account lock must not be unduly burdensome for customers such that it effectively inhibits customers from implementing their choice. A CMRS provider may activate a SIM change lock on a customer's account when the CMRS provider has a reasonable belief that the customer is at high risk of fraud, but must provide the customer with clear notification that the account lock has been activated with instructions on how the customer can deactivate the account lock, and promptly comply with the customer's legitimate request to deactivate the account lock.
(5)Notice of account protection measures. A CMRS provider must provide customers with notice, using clear and concise language, of any account protection measures the CMRS provider offers, including those to prevent SIM swap fraud. A CMRS provider shall make this notice easily-accessible through the CMRS provider's website and application.
(6)Procedures to resolve fraudulent SIM changes. A CMRS provider shall, at no cost to customers:
(i) Maintain a clearly disclosed, transparent, and easy-to-use process for customers to report fraudulent SIM changes;
(ii) Promptly investigate and take reasonable steps within its control to remediate fraudulent SIM changes; and
(iii) Promptly provide customers, upon request, with documentation of fraudulent SIM changes involving their accounts.
(7)Employee training. A CMRS provider shall develop and implement training for employees to specifically address fraudulent SIM change attempts, complaints, and remediation. Training shall include, at a minimum, how to identify potentially fraudulent SIM change requests, how to identify when a customer may be the victim of SIM swap fraud, and how to direct potential victims and individuals making potentially fraudulent requests to employees specifically trained to handle such incidents.
(8)SIM change recordkeeping. A CMRS provider shall establish processes to reasonably track, and maintain for a minimum of three years, the total number of SIM change requests it received, the number of successful SIM change requests, the number of failed SIM change requests, the number of successful fraudulent SIM change requests, the average time to remediate a fraudulent SIM change, the total number of complaints received regarding fraudulent SIM change requests, the authentication measures the CMRS provider has implemented, and when those authentication measures change. A CMRS provider shall provide such data and information to the Commission upon request.
(9)Compliance. This paragraph (h) contains information-collection and/or recordkeeping requirements. Compliance with this paragraph (h) will not be required until this paragraph is removed or contains a compliance date.

47 C.F.R. §64.2010

82 FR 44419, Sept. 21, 2017, as amended at 88 FR 85814, Dec. 8, 2023; 88 FR 84448, Dec. 5, 2023; 88 FR 88261, Dec. 21, 2023; 89 FR 47870, June 4, 2024
82 FR 44119, 9/21/2017; 88 FR 85814, 1/8/2024; 88 FR 85814, effective date to be determined ; 88 FR 88261, 1/14/2024; 89 FR 47870, 6/4/2024