STATEMENT OF POLICY REGARDING CUSTOMER PROPRIETARY NETWORK INFORMATION
In accordance with Section 222 of the Communications Act and the Federal Communications Commission’s (“FCC”) CPNI Rules (47 C.F.R. § 64.2001, et seq.), Cloud Compliance Solutions, Inc. (“Cloud Compliance Solutions, Inc.”) files this Statement of Policy outlining the Company’s procedures for accessing, using and storing Customer Proprietary Network Information (“CPNI”).
Cloud Compliance Solutions, Inc. provides telecommunications services to retail customers. Because Cloud Compliance Solutions, Inc. may access, use, or store CPNI when providing these types of services, the Company undertakes the steps outlined in this Statement of Policy to protect CPNI from unauthorized access or misuse.
Definition of CPNI
Under federal law, CPNI is certain customer information obtained by a telecommunications provider during the course of providing telecommunications services (including interconnected VoIP) to a customer. This includes information relating to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier.
Examples of CPNI include information typically available from telephone-related details on a monthly bill such as the types of services purchased by a customer, numbers called, duration of calls, directory assistance charges, and calling patterns. CPNI does not include names, addresses, and telephone numbers, because that information is considered subscriber list information under applicable law.
Use of CPNI
It is the policy of Cloud Compliance Solutions, Inc. not to use CPNI for any activity other than as permitted by applicable law. Any disclosure of CPNI to other parties (such as affiliates, vendors and agents) occurs only if it is necessary to conduct a legitimate business activity related to the services already provided by Cloud Compliance Solutions, Inc. to the customer. Except in instances where Cloud Compliance Solutions, Inc. is required by law to disclose CPNI, such as through subpoenas or other requests by law enforcement officials, or if the intended use is permitted by FCC Rules, Cloud Compliance Solutions, Inc. will first obtain the customer’s consent prior to using or sharing CPNI.
Disclosure of CPNI
Cloud Compliance Solutions, Inc. prohibits the release of CPNI based upon a customer- initiated telephone call except under the following three (3) circumstances.
- When the customer has pre-established a password;
- When the information requested by the customer is to be sent to the customer’s address of record;
or
- When Cloud Compliance Solutions, calls the customer’s telephone number of record and discusses the information with the party initially identified by customer when service was initiated.
Online Access to CPNI
If Cloud Compliance Solutions, Inc. grants online access to CPNI, the Company authenticates a customer without the use of readily available biographical or account information prior to allowing the customer online access to CPNI stored online. Once authenticated, the customer may only obtain online access to CPNI through a password that is not prompted by the carrier asking for readily available biographical or account information.
Password Authentication Procedures
To establish a password, Cloud Compliance Solutions, Inc. authenticates the identity of the customer without the use of readily available biographical or account information. The
Company may create a back-up customer identification method in the event a customer misplaces or forgets a password, but such alternative customer authentication will not depend on readily available biographical or account information. If a customer cannot provide the correct password or the correct response for the back-up customer authentication method, the customer must establish a new password.
Account Change Notification
Cloud Compliance Solutions, Inc. notifies customers immediately of any account changes, including address of record, authentication, online account and password related changes.
Disclosure to Business Customers
Cloud Compliance Solutions, Inc. may negotiate alternative authentication procedures for services that the Company provides to business customers that have a dedicated account representative and a contract that specifically addresses the protection of CPNI.
Employee Training Policies and Disciplinary Procedures
All employees of Cloud Compliance Solutions, Inc. are trained as to when they are, and are not, authorized to use CPNI. Through this training, Cloud Compliance Solutions, Inc. has informed its employees and agents that it considers compliance with the Communications Act and FCC Rules regarding the use, disclosure, and access to CPNI to be very important.
Violation by company employees or agents of such CPNI requirements will lead to disciplinary action (including remedial training, reprimands, unfavorable performance reviews, probation, and termination), depending upon the circumstances of the violation (including the severity of the violation, whether the violation was a first time or repeat violation, whether appropriate guidance was sought or received from a supervisor, and the extent to which the violation was or was not deliberate or malicious).
Use of CPNI in Sales and Marketing Campaigns
If Cloud Compliance Solutions, Inc. uses CPNI in marketing campaigns, the company will maintain a record of all sales and marketing campaigns that use the CPNI. The record will include a description of each campaign, the specific CPNI that was used in the campaign, and what products and services were offered as part of the campaign.
Cloud Compliance Solutions, Inc. will also implement a system to obtain prior approval and informed consent from its customers in accordance with the CPNI Rules. This system will allow for the status of a customer’s CPNI approval to be clearly established prior to the use of CPNI.
Prior to commencement of a sales or marketing campaign that utilizes CPNI, Cloud Compliance Solutions, Inc. will establish the status of a customer’s CPNI approval. The following sets forth the procedure that will be followed by the Company:
- Prior to any solicitation for customer approval, Cloud Compliance Solutions, Inc. will notify customers of their right to restrict the use of, disclosure of, and access to their CPNI.
- Cloud Compliance Solutions, will use opt-in approval for any instance in which Company must obtain customer approval prior to using, disclosing or permitting access to CPNI.
- A customer’s approval or disapproval remains in effect until the customer revokes or limits such approval or disapproval.
- Records of approvals are maintained for at least one
- Cloud Compliance Solutions, provides individual notice to customers when soliciting approval to use, disclose or permit access to CPNI.
- The CPNI notices sent by Cloud Compliance Solutions, comply with FCC Rule 64.2008(c).
Cloud Compliance Solutions, Inc. will also establish a supervisory review process regarding compliance with the CPNI rules for outbound marketing situations and will maintain compliance records for at least one
(1) year.
FCC Notification
The Company is prepared to provide written notice within five (5) business days to the FCC of any instance where the opt-in mechanisms do not work properly or to such a degree that consumers’ inability to opt-in is more than an anomaly.
Third Party Use of CPNI
To safeguard CPNI, prior to allowing joint venturers or independent contractors access to customers’ individually identifiable CPNI, Cloud Compliance Solutions, Inc. will require all such third parties to enter into a confidentiality agreement that ensures compliance with this Statement of Policy. Cloud Compliance Solutions, Inc. shall also obtain opt-in consent from a customer prior to disclosing the information to such third parties for marketing purposes. In addition, Cloud Compliance Solutions, Inc. requires all outside agents to acknowledge and certify that they may only use CPNI for the purpose for which that information has been provided. Cloud Compliance Solutions, Inc. requires express written authorization from the customer prior to dispensing CPNI to new carriers, except as otherwise required by law. Cloud Compliance Solutions, Inc. does not market or sell CPNI information to any third party.
Law Enforcement Notification of Unauthorized Disclosure
If an unauthorized disclosure of CPNI occurs, Cloud Compliance Solutions, Inc. shall provide notification of the breach within seven (7) days to the United States Secret Service (“USSS”) and the Federal Bureau of Investigation (“FBI”). Cloud Compliance Solutions, Inc. shall wait an additional seven (7) days from its government notice prior to notifying the affected customers of the breach. Notwithstanding the above, Cloud Compliance Solutions, Inc. shall not wait the additional seven (7) days to notify its customers if the Company determines there is an immediate risk of irreparable harm to the customers. Cloud Compliance Solutions, Inc. shall maintain records of discovered breaches for a period of at least two (2) years.
Customer Complaints
Cloud Compliance Solutions, Inc. has not received any customer complaints in the past year concerning the unauthorized release of or access to CPNI.
Contact Information
Individuals or entities that have questions about this CPNI Certification or the use of
CPNI by Cloud Compliance Solutions, Inc. may contact the company’s legal counsel, The CommLaw Group at (703) 714-1300.
Actions taken against Pretexters
Cloud Compliance Solutions, Inc. has not taken any actions against data brokers before state commissions, state or federal courts, or the FCC in the past year. Cloud Compliance Solutions, Inc. has no information, other than information that has been publicly reported, regarding the processes that pretexters are using to attempt to access CPNI.
Annual CPNI Certification
Pursuant to FCC regulations, 47 C.F.R. § 64.20089(e), Cloud Compliance Solutions, Inc. will annually submit to the FCC, prior to March 1st, a CPNI Certification of Compliance and accompanying Statement regarding the company’s CPNI policies and operating procedures. These documents certify that Cloud Compliance Solutions, Inc. complied with federal laws and FCC regulations regarding the protection of CPNI throughout the prior calendar year.