Protecting Phone Records

By Mary Alice Davidson

Congress considers a bill, while the FCC tightens regulatory requirements on telecoms to better safeguard personal data.

Private phone records often end up in the hands of data brokers, and phone companies face few consequences for not protecting the information. Some members of Congress want to raise the bar by passing the Prevention of Fraudulent Access to Phone Records Act (H.R. 936). But complying with the proposed security requirements could add $12 to $64 to the cost of a telephone line, according to Walter B. McCormick, president and CEO of the United States Telecom Association, who spoke at a hearing on the bill.

The intent of the act is to add teeth to the legal sanctions against pretexting, a practice in which the perpetrator uses a false motive, or a pretext, to obtain access to personal information, such as phone records.

Professional pretexters sell the information they gather to people or companies without regard to how they will use it; sometimes the buyers are criminals (ID thieves) who use the information to steal a person's assets or establish credit in his or her name.

H.R. 936, introduced earlier this year by Rep. John Dingell (D-MI), bans obtaining or attempting to obtain another person's records through pretexting, causing disclosure or attempting to disclose records, or directly selling or disclosing that data. An exemption applies to situations where law enforcement requests records. The bill also triples the fines the Federal Communications Commission (FCC) could levy on companies that violate the implementing regulations, imposing a maximum of $3 million for multiple violations.

The proposal also instructs the FCC to "prescribe regulations adopting more stringent security standards for customer proprietary network information."

Those regulations would require telecommunications carriers to notify the commission should a breach occur, undergo periodic audits by the commission to determine compliance, and establish "administrative, technical, and physical safeguards."

The bill instructs the commission to consider requiring telecommunications carriers to institute customer-specific identifiers and encryption of customer proprietary data.

Opposing the bill were industry representatives from the United States Telecom Association and the CTIA, an association for the wireless industry. They warned that the additional security required in the legislation would be costly to providers while doing little to put pretexters out of business. It would limit the ability of telecommunications carriers to market new and bundled services to target audiences, for example, or to employ third parties to assist with billing and customer-care functions.

Steve Largent, president and CEO of CTIA, included descriptions of existing safeguards in his testimony. He listed industry practices that use "administrative, technical, and physical safeguards to protect customer information," and confidentiality agreements with subcontractors.

Several laws currently on the books have been used to thwart perpetrators. The 1999 Gramm-Leach-Bliley Act (GLBA) outlawed the use of pretexting to obtain financial data from customers or institutions. The Federal Trade Commission (FTC) has pursued more than a dozen cases alleging violation of GLBA, said Lydia Parnes, director of FTC's Bureau of Consumer Protection. The U.S. Department of Justice has followed up with criminal prosecution in several cases, she added.

Parnes cited additional legislation, which became law in December 2006 and January 2007, that adds further clout for enforcement agencies going after pretexters. The U.S. SAFE WEB Act allows greater cooperation and information sharing between law enforcers in the United States and their counterparts in other countries as they pursue data brokers (who are often trafficking in data obtained through pretexting).

Additionally, the Telephone Records and Privacy Protection Act makes the gathering of confidential records by making false statements to a telephone service provider a crime.

While the existing laws are noteworthy, "nothing in the [existing laws] puts a duty on the telephone companies that are the actual source of this data to increase their security measures," testified Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC). He applauded the specific H.R. 936 language that gives enforcement powers to the FTC and industry oversight to the FCC.

To illustrate the insidious nature of pretexting, the final testimony given at the hearing was provided by David Einhorn, president of Greenlight Capital, Inc., an investment company. Research on one of the company's investments, Allied Capital, showed significant accounting and operational deficiencies, and Greenlight altered its position on the investment.

Einhorn shared his company's research on Allied at a 2002 conference. Armed with these specifics, as well as the findings of other critics of the company, the Securities and Exchange Commission investigated Allied's practices and the U.S. Attorney for the District of Columbia began a criminal investigation.

Allied responded by hiring private investigators to obtain information that could discredit its critics.

Einhorn subsequently learned that an unknown woman had called his long distance provider, identified herself as his wife, provided her Social Security number, and opened an online account to access the Einhorns' home telephone records. Ultimately, Einhorn learned that the phone records of other known critics of Allied had also been purloined.

A few weeks after the congressional hearing, the FCC issued an order that requires telecom carriers to take precautions before releasing customer data when a request is initiated by telephone. The carrier must (1) obtain from the person claiming to be the customer a preset password, or (2) call back on the customer's phone of record, or (3) agree to mail the information to the customer's address of record. These privacy safeguards were recommended in 2005 by EPIC.

By Mary Alice Davidson, who heads a communications consultancy with offices in Spartanburg, South Carolina, and Tampa, Florida.
