
2/44

Table of Contents

Page

Customer Proprietary Network Information Manual - Objectives ...........................................4

Historical Background .................................................................................................................... 5

CPNI Policy ...........................................................................................................................................6

What is CPNI? ........................................................................................................................... 6

Scope of Rules ........................................................................................................................... 6

Obligation of Rules .......................................................................................................................... 7

Duty to Protect ........................................................................................................................... 7

Customer Authentication Requirements & Procedures ......................................................... 8

Notice to Customer of Account Changes Requirements & Procedures.............................. 8

Notice of Unauthorized Disclosure of CPNI Requirements & procedures ........................ 9

Carrier to Carrier Proprietary Information (CPI) .................................................................... 9

Limited Purpose (Marketing uses for CPNI) ........................................................................ 11

When Can a Carrier use CPNI without Customer Approval? ........................................... 11

Customer Notification Authorizing the Use of CPNI ......................................................... 11

When Does a Carrier Need Customer Approval to use CPNI? ......................................... 12

The Total Service Approach .............................................................................................. 13

Nature of Consents Opt-in and Opt-out Notifications and Consents ......................... 13

Oral Notification and Consent ............................................................................................... 14

Customer Consent Status ........................................................................................................ 15

Use of CPNI in Company Marketing Plans ........................................................................ 15

Outbound Marketing and Third Party Use .......................................................................... 16

Customer Authorization to Release CPNI to a Third Party ............................................... 16

Supervisory Review Process .................................................................................................. 16

Employee Training and Discipline for Misuse .................................................................... 16


3/44

Electronic Safeguards ............................................................................................................. 17

Annual CPNI Certification ..................................................................................................... 17

Violation of CPNI Rules......................................................................................................... 17

CPNI Notification, Authorizations, and Scripts .......................................................................... 19

CPNI Customer Notice ................................................................................................................. 19

Verbal Notification for Limited Use for Duration of Call ............................................... 21

CPNI Customer Written Authorization ................................................................................. 22

CPNI Customer Telephone Authorization ............................................................................ 23

Win-Back Marketing Script ................................................................................................... 24

CPNI Certification .................................................................................................................. 26

CPNI Support Statement ........................................................................................................ 27

CPNI Approvals ...................................................................................................................... 28

CPNI Notice Requirements ................................................................................................... 28

CPNI Safeguards..................................................................................................................... 30

CPNI Definitions .................................................................................................................... 31

CPNI FCC Rules .................................................................................................................... 33


4/44

CPNIPOLICY MANUAL

CUSTOMER PROPRIETARY NETWORK INFORMATION

(CPNI)

POLICY MANUAL

OBJECTIVES

The objectives of this document are to establish the Companys policies and practices in

connection with its treatment of Customer Proprietary Network Information or CPNI and to

provide information to Company employees about their responsibilities relating to CPNI.

As CPNI is subject to detailed FCC regulation, the Companys compliance with the regulatory

requirements is very important. Employees need to understand the significance of their handling

of CPNI and the ramifications of mishandling it.

This document establishes the Companys CPNI policies and practices with respect to theprotection of customers information and the use of CPNI in marketing efforts. This document

contains a customer notification for use in seeking opt-out consents from customers, a script

for potential Company use in seeking customer CPNI consents during inbound and outbound

calls, training material for use with employees and a copy of the Companys annual Certificate

of Compliance along with a support statement that details the Companys compliancy practices,

that must be filed with the FCC, beginning March 1, 2008.

Employees whose job positions allow them access to customer CPNI will receive training with

regard to CPNI requirements, and new employees entering job positions that allow them access

to customer CPNI will receive training with regard to CPNI requirements as part of theirorientation. All employees will have access to VGCSs CPNI Policy Manual and will be

notified, as necessary, when a change occurs in FCCs regulations that subsequently change the

companys obligations or any sensitivities associated with CPNI.

CPNI unquestionably involves complex situations in which detailed requirements pertaining to

Company conduct come into play. If the information contained in this document fails to

address a situation involving CPNI that arises, employees are strongly urged to seek guidance

before proceeding because, once CPNI is used or disclosed, there is no opportunity to reverse

that action. The FCC has indicated that it intends to enforce its CPNI regulations zealously, and as

consumer concerns over the privacy and confidentiality of their information has reached

unprecedented proportions, maintaining the confidentiality of customer CPNI is every bit as

important as providing good customer service.

Please review this document carefully and keep it for future reference and use.


5/44

CPNIPOLICY MANUAL

HISTORICAL BACKGROUND

As technology developed and changed the way people do business, privacy issues were getting

more attention from citizens concerned about the potential abuse of their personal information.

In response, the government, who also recognized the seriousness of this problem, enacted lawsand regulations to protect consumer privacy.

In 1998, the FCC identified the potential use of customer information in ways that could be

invasive of customer privacy and published rules that governed specific uses of customer

information by telecommunication companies. Customer Proprietary Network Information, or

CPNI, is the term for the information that can be gathered and used by telecommunication

companies for marketing services. The intent of these laws was to be pro-competitive and focus

on the use of information in ways that foster competition. The FCC identified what information

could be used by companies and in what form.

Recently, the FCC enacted more stringent rules in response to a pretexting scandal in

Washington DC that occurred in February 2006. An investigation followed, revealing that web-

based Data-Brokers advertised information gathering services, which included call detail records.

These Data-Brokers, also known as pretexters contacted telephone companies and were able to

obtain a consumers call detail records. The method used to obtain the call detail remains

uncertain, but the FCC speculates that either a pretexter fraudulently posed as a consumer to

request call detail records or a telephone company rogue employee released the records in

partnership with the pretexter. The FCC took immediate action to tighten the controls around a

customers CPNI, specifically, call detail information.

Consequently, the new rules not only reinforce the preceding rules but emphasize to telephone

companies the importance to protect and safeguard a customers CPNI. The FCC Enforcement

Bureau is strictly enforcing its rules and considers any unauthorized disclosure of a customers

CPNI as a failure of the telephone company to protect and safeguard. In other words, if a

complaint of unauthorized release of CPNI is lodged against a telephone company, the FCC will

assume that the companys policies and procedures failed in its obligation to protect the

customers CPNI and the company will face enforcement action.

The areas of CPNI requirements that companies must adhere to, to meet their CPNI compliancerequirements are identified as follows:

CPNI trained employees

Defined discipline process and accountability procedures

Customer Authentication via password on in-bound calls for call detail request


6/44

CPNIPOLICY MANUAL

Notifications to customers when password or billing address changes

Marketing ConsentOpt-Out versus Opt-In.

Tracking mechanism that quickly identifies customers consent status

Supervisory review process

Signed and filed compliance certification, with accompanying support statement

CPNI POLICY

WHAT IS CPNI?

Customer Proprietary Network Information (CPNI) is personally identifiable information

that the Company collects when providing telephone service to a subscriber. CPNI pertains to

service quantities, types, technical configurations, destinations, locations and amount of use of a

telecommunication service as well as billing information acquired in the course of furnishing

service, such as call detail and calling plan information.

CPNI does NOT include customer names, addresses, telephone numbers and advertising

classifications, which is defined as Subscriber List Information and usually found in telephone

directories. Subscriber List information may be used without customer consent.

CPNI does NOT include any Customer Premises Equipment (CPE) information or internet, asthese are defined as information services.

CPNI does NOT include aggregate information where all personal attributes have been removed.

SCOPE OF RULES

The FCC has implemented rules prohibiting communications service providers from using CPNI

for purposes other than providing services from which the CPNI is obtained, unless the customer

consents to its use for other purposes. The rules apply to all carriers furnishing local exchange,

long distance and wireless services. Effective December 8, 2007, the rules have been expanded

to include VoIP carriers too. All rules regarding CPNI apply to all telecommunications carriers

EXCEPT aggregators of telecommunications services

The FCC has stated that it intends to enforce it CPNI rules zealously and that carriers will be

subject to penalties for the improper use of CPNI. These penalties are in the form of fines and

forfeitures that could be substantial in amount. Every telecommunications carrier must abide by

the regulations.


7/44

CPNIPOLICY MANUAL

OBLIGATIONS OF THE RULES

Congress added CPNI provisions to the Communications Act of 1996 to provide balance

between a customers privacy interests and competitiveness. Section 222 establishes a general

duty to protectthe confidentiality of a customers proprietary information and restricts the useof that proprietary information to the limited purpose of providing the telecommunications

services from which the CPNI was derived in the first place. For any other use, a carrier must

first obtain the customers consent before using or disclosing CPNI - for example, to affiliates or

third parties who wish to use the customers information for marketing purposes.

ALL companies, regardless of plans to use CPNI for marketing purposes, must comply with

CPNI regulations.

DUTY TO PROTECT

All carriers have a duty to protect against the unauthorized disclosure of customers CPNI andmust have internal safeguards in place. These safeguards are the procedures of trained

employees, supervisory review, and discipline procedures.

In this obligation, FCC enforcement will be strict and unyielding as ANY complaint of

unauthorized CPNI disclosure will be assessed as a failure of safeguards in our duty to protect.

CUSTOMER AUTHENTICATION REQUIREMENTS

Effective December 8, 2007, Carriers are required to authenticate a customer via a password

before releasing call detail information to customers during customer-initiated telephone calls. Ifa customer (or its authorized user) does not provide a password, a service provider may release

call detail information only by sending it to the address of record or by calling the customer at

the telephone number of record. Carriers must also provide mandatory password protection for

on line account access.

Carriers will be prohibited from authenticating customers using any readily available biological

account information, for the purposes of releasing call detail information

EXCEPTION: Carriers and business customers are permitted to contractually agree toauthentication practices other than those adopted in the CPNI order. In order to do so, Carriers

must provide the business customer with a dedicated account representative as a primary contact

and specifically address CPNI protection in their contract.


8/44

CPNIPOLICY MANUAL

CUSTOMER AUTHENTICATION PROCEDURES

The latest CPNI rules address customer password authentication only for the release of call detail

information. However, the FCC is also considering a need to require passwords on ALL

customer-initiated calls in the future. In the interest of excellent customer service, meeting the

CPNI compliancy needs of today and preparing for potentially more stringent rules in the future,

the goal will be to invite the customer to establish password on all accounts.

CSRs will use the current standard methods to authenticate a customer on all in-bound calls that

are not related to call detail requests. Once the customer is confidently authenticated using

existing account information, the CSR will request a password and back-up question and insert

this information into the appropriate fields on the software Profile screen.

Customer education information was mailed in the November 2007 statements alerting the

customers that the FCC is requiring a password security for the release of call detail information.

Effective December 8, 2007, if any customer calls to request call detail and does not have apassword established on their account, the requested information will be mailed to the address of

record. The CSR can also call the customer at the telephone number of record to discuss call

detail and at the same time, will establish a password for the customers future needs.

NOTICE TO CUSTOMER OF ACCOUNT CHANGES

Carriers must notify the customer immediately when changes are made to their account. For

example, they must give notification (through voicemail, e-mail,-or mail) in the event of changes

to customers on-line accounts, passwords, password authentication procedures or address of

record, thus providing an additional measure of security against changes to their account withoutcustomers knowledge.

NOTICE TO CUSTOMER OF ACCOUNT CHANGES PROCEDURE

When customers call to change the password, password back-up questions or the billing address,

Employees will:

call the telephone number of record

if no answer, notification message will be left on voice mail (VM) or answering

machine.

if no VM or machine, an e-mail will be sent to the e-mail address of record

if no internet, a written notification will be mailed to address of record

(If notification is due to billing address change, notification will be mailed to previous

address)


9/44

CPNIPOLICY MANUAL

NOTICE OF UNAUTHORIZED DISCLOSURE OF CPNI PROCEDURES

Carriers must adhere to a notification process for both law enforcement and customers in the

event of a CPNI breach.

In the event of an unauthorized disclosure, either witnessed by an employee or reported by a

customer, obtain details, document all information, report to the supervisor who will report the

incident to the Regulatory department, who will contact legal counsel for process, that at this

time, is still under evaluation by authorities.

The most challenging portion of this obligation is the determination of when an unauthorized

disclosure occurs and by what means. Usually, if a data broker (a.k.a. pretexter) is involved in

attempting to obtain customers records, the customer would be the last to know about

unauthorized disclosure of his call records. Employees must be alert and adhere to the safeguard

procedures to ensure protection of all customer records. If any employee suspects another of

inappropriately handling any customer CPNI, the actions must be reported immediately to the

supervisor. If a customer calls suspecting that their CPNI was disclosed without authorization,

immediately contact the supervisor. In all cases, the supervisor will notify the Regulatory

department in any incident related to the unauthorized disclosure of a customers CPNI.

CARRIER TO CARRIER PROPRIETARY INFORMATION (CPI)

(WIN-BACK STRATEGIES)

The CPNI Rules state that carrier change request information transmitted to executing carriers

in order to effectuate a carrier change cannot be used for any purpose other than to provide theservice requested by the submitting carrier. Under no circumstances, can any CPI information

be used to win-back or retain a customer.

However, the FCC draws a distinction between "win-back" efforts and "retention" efforts as it

relates to the use of CPNI for marketing purposes.

Win-back is working to regain a customer that has switched to another provider. The FCC

permits the use of CPNI to win-back lost customers. The FCC clarifies that an executing carrier

may rely on its own information regarding carrier changes in win-back marketing efforts, so long

as the information is not derived exclusively from its status as an executing carrier.

Retention is working to change the mind of a customer who is going to, but has not yet,

switched to another provider. Carriers are prohibited from using CPNI to retain those customers,

if what has triggered the retention effort is carrier-to-carrier information (CPI) such as switch,

porting or PIC orders.

Note: The FCC does not presume that any contact with a customer that's changing carriers is a

CPNI violation. The FCC acknowledges that a carrier's retail operations may legitimately obtain


10/44

CPNIPOLICY MANUAL

notice that a customer plans to switch carriers, without violating CPNI restrictions on use of

carrier-to-carrier information. In the ordinary course of business, carriers may contact

customers, who in turn inform the company that they are considering changing carriers and

inquire what the company is willing to do to keep them as a customer. Other times, customers

call the company to ask what the company is willing to offer in the line of services and prices inorder to retain their business. Retention efforts under these circumstances are not a violation of

CPNI rules1. If this type of scenario should occur, VGCS requires employees to document the

reason for customer contact, substantiate the origin of the information and record the

retention efforts. If at all possible, the retail employee should record that outbound call.

1. Docket 99-223 para 78.


11/44

CPNIPOLICY MANUAL

LIMITED PURPOSE

Section 222 of the Telcom Act 96 restricts the use of CPNI to the limited purpose of providing

the telecommunications services from which the CPNI was derived in the first place. For any

other use, a carrier must first obtain the customers consent before using or disclosing CPNI.

Carriers must send a one-time notice to customers informing them about the FCC CPNI policy

and their right to restrict the Companys use of CPNI. This notification must provide sufficient

information to enable the customer to make an informed decision to permit the Company to use,

disclose, or permit access to CPNI.

WHEN CAN A CARRIER USE CPNI WITHOUT CUSTOMER APPROVAL?

Section 222 (c)(1) of the FCCs CPNI rules describes the circumstances when carriers can use,

disclose or permit access to CPNI without first obtaining customer approval. Carriers are

permitted to use CPNI without customer approval to market improvements or service

enhancements that are related to the customers existing services.

In addition, a carrier can obtain and use CPNI without customer approval to:

bill and collect for telecommunications services;

protect the rights or property of the carrier;

protect users of those services from unlawful or fraudulent use of these services;

provision inside wiring installation, maintenance and repair services.

publish an annual directory

provide CPE or voice mail,

use aggregate customer information with all personally identifiable traits removed.

disclose CPNI to LEC or customers designated agent as required in the course of

business

CUSTOMER NOTIFICATION AUTHORIZING THE USE OF CPNI

Companies that intend to use CPNI for marketing purposes must get a one-time authorization

from the customer to use that information. The Company must send a notification that will:

indicate the scope and duration of the companys use of CPNI,

explain the companys duty to protect the confidentiality of such information,


12/44

CPNIPOLICY MANUAL

advise customers of the precise steps that must be taken to grant or deny access to

CPNI,

clearly state that a denial of approval will not affect the provision of any services to

which the customer subscribes.

permit customers to approve via oral, written or electronic means.

For carriers that were previously obligated to obtain prior written authorization from business

customers with more than 20 access lines to use CPNI to market enhanced services, and in

circumstances where a carrier has provided annual notification and received prior written

authorization from those customers, the requirements for notice and approval are satisfied for

those customers.

WHEN DOES A CARRIER NEED CUSTOMER CONSENT TO USE CPNI?

Carriers may NOT use CPNI to market services that fall outside the scope of the customers

existing service relationship without first getting customer approval.

A company may market products related only to those telecommunications services to

which a customer presently subscribes, whether or not those services are provided by a

single company or an affiliated company.

If Carriers want to use CPNI to market additional telecommunications services, that do

not fall within the service category to which the customer currently subscribes, then

customer consent is necessary.

Carriers need prior customer consent to use CPNI to market non-communication related

services, such as Customer Premise Equipment (CPE), or information services, such as

Internet or Digital TV.

If a company affiliate wants to market new products or services to a customer based on

the CPNI of the individual customer, and the customer is not a subscriber of that affiliate,

then the carrier must get customer approval to use CPNI.

If a customer has not purchased CPE or information services from the carrier that is

providing its telecommunications services, the carrier is prohibited from using CPNI tomarket CPE and information services without prior customer approval.

Remember: Customer information derived from the provisioning of any non-telecommunications

service, such as CPE or information services, is not regulated by section 222 (c)( 1). This

customer information is not considered CPNI and may be used to provide or market any

telecommunications service regardless of telecommunications service categories or customer


13/44

CPNIPOLICY MANUAL

approval. Therefore, customer consent is not necessary for the use of any customer information

that comes from the sale of CPE or the provisioning of information services.

USING CPNI FOR MARKETING - THE TOTAL SERVICE APPROACH

The FCC has adopted an approach to safeguard CPNI based on the services to which a customersubscribes. This is called the total service approach. This approach permits the use of CPNI

for marketing of telecommunication services, depending on the existing service relationship

between a customer and the carrier.

Telecommunication services are segmented into three category silos, local, long distance and

wireless services. A carrier is allowed to use the customers CPNI for marketing purposes within

the particular silo, to which the customer already subscribes. The carrier may use that

information to market products and services that are directly related to those particular services,

but only those services.

For example: if a customer subscribes to local exchange service but not to long distance service,the company could use any existing information about that customer to market new products,

service enhancements, or other improvements related to the local exchange service, without any

additional customer approval. However, in order to use CPNI to market a service that is outside

the customers existing service relationship, in this example the long distance service, the

company is required to obtain express customer approval to use this information.

When a company wants to use a customers CPNI to market services outside of the existing

service relationship, the company will need the customers consent to do so.

NATURE OF CONSENTS

OPT-IN& OPT-OUT NOTIFICATIONS AND CONSENTS

The FCC has established specific rules governing customer notifications and consents. Two

approaches are available for company use: opt-in and opt-out.

Opt-in consent is required before there can be any CPNI use or disclosure with respect to

marketing other than communications-related services. This approach requires express

LOCAL LONGDISTANCE

WIRELESS


14/44

CPNIPOLICY MANUAL

customer consent that is obtained after giving customers actual notification of the intended use of

their CPNI. The consent must be affirmative not passive and must be manifested by a

customer signature, either actual or electronic. Opt-in consent is a tell us we can use

approach, such as no response by the customer means that the CPNI may not be used. In other

words, silence is NOT acceptance. (Opting-in is the more difficult approach because thepotential that CPNI may be more widely disseminated and used by those providing non-

communications related services, thereby justifying the solicitation and receipt of written

consents from customers.) Currently, the Company does not use CPNI for any marketing

requiring an opt-in consent.

Opt-out consent solicited by the Company, is obtained before the Company, or an affiliate

uses customer CPNI to market communications-related services. Individual customers are

notified of the intended use of their CPNI and are given the opportunity to indicate that the

Company may not use their CPNI. Any failure by the customers to respond to the Companys

CPNI notification by opting-out constitutes a knowing consent to the intended use of the

CPNI. (Opting-out is less onerous than opting-in because it is a tell me if we cant use the

CPNI, such that no response on the part of the customer constitutes a known consent to the

intended use.) In other words, silence is acceptance.

Opt-out notifications will be written and delivered by bill insert to affected customers. The

notice will provide information sufficient to enable customers to make informed decisions as to

whether to permit the Company to use, disclose, or permit access to the their CPNI. The notice

will inform customers of their ability to opt-out at no additional cost and at any time.

After notice is delivered to customers, the Company will wait at least 30 days before assumingconsent. (The 30-day timeframe begins on the third day after the notice is mailed.)

A copy of the a sample Opt-Out notice is listed in the Attachments to this policy manual. If

the Company decided to use this approach to marketing, an opt-out refresher notice must be

mailed every two years.

ORAL NOTIFICATION AND CONSENT

The FCCs rules allow carriers to seek and obtain consent to use CPNI for the limited purpose of

marketing to customers and prospective customers via inbound or outbound telephone calls,

provided that such calling is pre-approved, documented and records of marketing activities are

retained for at least one year. CSRs will obtain one time approval to up-sell services on in-bound

calls and records the consent in the customer account logs.

A script for the conduct of such calls is listed on page 19.


15/44

CPNIPOLICY MANUAL

CUSTOMER CONSENT STATUS

All customers received an opt-out CPNI notification in their November 2007 bill statements.

(A copy of that notification is appended hereto for reference) If the Company does not receive a

response from the customer within 33 days of the mailing of the notification, the Company will

consider the customer as consenting to the use of its CPNI in marketing campaigns. This is opt-out consent and the customer always has the option of withdrawing that consent by notifying

the company by telephone or e-mailat [email protected]. The CSR will enter the

consent status in the assigned field. All new customers will receive the CPNI notification as a

bill page insert in their first statement.

The consent field is established with a post-it note icon in the software Profile screen for easy

review by CSR to know the customers consent status.

USE OF CPNI IN COMPANY MARKETING PLANS

The FCCs CPNI rules govern the protection of the customers privacy, and specifically address

the use of customer information in marketing new services or products. Essentially, every

company must now determine whether the Companys use of CPNI in its marketing plans

protects the customers privacy according to the guidelines set forth by the FCC.

Marketing plans that do not use CPNI, or are not customer-specific, or are addressed to all

customers in the database or random individuals, are not subject to CPNI regulations.

Marketing plans that use the individuals customer information to target market new services and

products, and the services and products are NOT related to those to which the customer presently

subscribes, need to have prior customer consent or the campaign will be in violation of the CPNI

regulations and subject to enforcement proceedings.

Marketing plans that use CPNI can be developed without customer notification or consent when:

An employee responds to a customer inquiry regarding existing services to which

they currently subscribe.

The Company intends to market any services the company offers currently or in the

future to ALL current customers, or any randomly selected group of customers.

The company uses customer information from information services. This includes

such services as voice mail, Internet access and Digital TV services. These are

services provided to consumers independently of their telecommunications service

and are not necessary to the provision of the customers telecommunications service.
mailto:at%[email protected]:at%[email protected]:at%[email protected]


16/44

CPNIPOLICY MANUAL

In addition, all companies, whether or not they use CPNI in marketing services, must have a

marketing plan and supervisory review process in place to be in compliance with the FCCs

CPNI regulations.

OUTBOUND MARKETING AND THIRD PARTY USE

The Company neither provides CPNI to third parties nor uses it to out-bound marketing calls at

this time.

CUSTOMER AUTHORIZATION TO RELEASE CPNI TO A THIRD PARTY

If a customer wants to allow a third party, such as a Competitive Local Exchange Company, to

have access to his/her CPNI, authorization to release the CPNI must be given to the company

who presently has that information.

SUPERVISORY REVIEW PROCESS

The Marketing Manager will fulfill the role of CPNI Compliance Manager and will have the

following responsibilities:

Review and approve all marketing plans developed by company employees on behalf of

the company.

Review any request by marketing personnel to use CPNI for outbound marketing

purposes.

Maintain record of all sales and marketing campaigns that use CPNI for at least one year.These records include CPNI used by an affiliate.

Develop internal procedures to train all employees in the use of CPNI for marketing

purposes.

Assure complete compliance with the federal CPNI regulations with regard to the use or

non-use of CPNI and the need for prior customer consent.

Verify to the Company President, who signs the annual CPNI certification form, that

every marketing campaign is in compliance with the CPNI regulations.

EMPLOYEE TRAINING AND DISCIPLINE FOR MISUSE

Employees are trained on the rules regarding the use of CPNI, as implemented by the Company,

the guidelines established in this Policy and Practices statement, and the consequences of any

misuse. New employees are trained during their orientation.


17/44

CPNIPOLICY MANUAL

Any employee found violating the Companys CPNI Polices and Practices is subject to

disciplinary action ranging from written warnings to discharge, depending on the nature,

frequency, and severity of the violation(s).

Employees are also advised that Congress has recently enacted civil penalties against the act of

pretexting by data-brokers. Any employee who willfully violates the CPNI regulations may alsobe subject to the penalties of civil litigation.

ELECTRONIC SAFEGUARDS

The FCC also requires all telecommunications carriers to implement effective electronic

safeguards to protect unauthorized access to CPNI by employees, agents or unaffiliated third

parties. In addition, companies are required to track all customer accounts regarding use of

CPNI. Specifically, the Company has complied with its requirement to:

Develop and implement software systems that flag customer service records inconnection to CPNI; this flag would indicate whether a customer has approved the

marketing use of his or her CPNI.

Maintain an electronic audit mechanism (audit trail) that tracks access to customer

accounts. Information recorded would include when a customers record is opened,

by whom, and for what purpose.

ANNUAL CPNI CERTIFICATION

The Company must file an annual CPNI certification with the FCC, signed by an officer of thecompany, including a detailed support statement of how the CPNI rules are enforced within the

company procedures, and an explanation of any actions taken against so-called data brokers

engaging in pretexting, ( if any). The certification must also include a summary of all consumer

complaints received in the previous year regarding the unauthorized release of CPNI, (if any).

The Regulatory department will fulfill this annual requirement.

VIOLATION OF CPNI RULES

Violation of the CPNI rules could occur as a result of ignorance of their existence and/or

application or as a result of willful intent on the part of a carrier not to comply with them. The

primary rules associated with enforcement action is listed under CPNI-FCC RULES, following.

The FCC is strengthening its enforcement of the CPNI rules and what once was considered as

ignorance, or an unintentional violation of CPNI rules, and therefore not subject to enforcement

proceedings, will not be tolerated on a go-forward basis. The FCC regards the privacy issue"

associated with CPNI very seriously and will enact undercover activities, by hiring pre-texters, to

test how telephone companies are adhering to the new rules.


18/44

CPNIPOLICY MANUAL

Enforcement proceedings will initiate as a meeting between the carrier and the FCC, followed

by a Letter of Inquiry (LOI), Request for Information (RFI), subpoena or all three. If any of these

documents are received by departments outside of Regulatory, please forward them immediately

to the Regulatory Department. The willful or deliberate violation of CPNI rules or failure to

respond to LOI or RFI could result in substantial fines and forfeitures. Moreover, and in addition

to dollar forfeitures, it is possible that, in egregious instances of wrongdoing, a carrier could lose

its licenses and, thus, its business altogether, and criminal charges could be brought against the

officers and directors of a company. The penal provisions in the Communications Act speak to

fines and jail time per incident, although it is rare that these are ever invoked.

The FCC's enforcement procedure involves an initial determination, after investigation, that a

carrier has failed to comply with a rule. The facts usually disclose whether the failure was

willful or deliberate. The FCC then issues a "Notice of Apparent Liability" in which it sets forth

its findings and proposes a forfeiture amount, as explained below. The target then has an

opportunity to prove its innocence or, otherwise, negotiate a dollar settlement with the FCC. If a

settlement is reached, the parties then enter into a "consent judgment" in which the target

promises never again to violate the rules and, significantly, makes a "voluntary" contribution into

the U.S. Treasury based on its negotiation with the FCC.

As to forfeiture amounts, the FCC has established "forfeiture guidelines" to be used in

appropriate circumstances. The rules provide that for a common carrier, "the amount of any

forfeiture penalty ... shall not exceed $150,000 for each violation or each day of a continuing

violation, except that the amount assessed for any continuing violation shall not exceed a total of

$1,500,000 for any single act or failure to act ...." That provision sets a "cap" or "ceiling"

beyond which fines may not be increased. The actual amount to be assessed may be affected by

the FCC's taking into account "the nature, circumstances, and gravity of the violations and, with

respect to the violator, any history of prior offenses, ability to pay, and such other matters as

justice may require." All these factors will be taken into account by the FCC in setting the

violation amount.

The FCC has established guidelines for particular violations, e.g., "slamming" ($7,000 per

incident), but none addresses the violation of a CPNI rule. Even this amount, once established,

may be adjusted upwards or downwards based on the particular facts in a case.


19/44

CPNIPOLICY MANUAL

CUSTOMER NOTIFICATION

REGARDING CUSTOMER PROPRIETARY NETWORK INFORMATION (CPNI)

(Enclosed in customers November 2007 bill statement)

(Will be enclosed in the first statement for all new customers)

Important Customer Notice

VGCS employs comprehensive safeguards to protect the privacy of your information under federal law.

The Federal Communications Commission (FCC) requires VGCS to notify all customers of their

additional rights to restrict the use of their Customer Proprietary Network Information (CPNI).

What is Customer Proprietary Network Information (CPNI)?

CPNI is simply defined as a customers individual information that relates to the quantity, technical

configuration, type, destination and amount of use of your telecommunications service, including the

information contained in your bill. CPNI does not include your published directory information or any

information that is already in the public domain, such as your name, address or published telephonenumber:

Examples of CPNI include information about which services you purchase, the amount of your long

distance bill or call detail information. These examples are the kind of information that VGCS possesses

because we need that information to serve you.

Permitted Use of CPNI by VGCS Without Your Permission

CPNI can be used for certain purposes without your permission. CPNI may be used to offer you new or

enhanced services, such as speed calling, call forwarding or caller ID, that are related to the services to

which you currently subscribe or to respond to your inquiry regarding services which you currently use.CPNI may also be used for company functions related to billing and collection, repair and maintenance,

installation of inside wiring, to protect the property of VGCS and to prevent fraud.

Opt-Out Consent for Marketing Communication

We are sending this notification regarding your CPNI rights because we need your consent to use this

information to provide you with marketing information for new and progressive communications services

that we offer.. You need to respond only if you do not wish to give us permission to use your information

in our marketing plans. These plans may include using your information to contact you about Digital TV,

High-Speed DSL, Home Networking Services, Internet Content, Select Packages and other new services.

You need to respond only if you wish to deny permission to use your information in our marketing plans.

If you have not denied consent within 30 days, VGCS will be authorized use your CPNI for marketing

purposes.

In addition to your right to disapprove of the use of CPNI as set forth above, and you may withdraw

consent at any time by notifying us in writing at [email protected]. Your consent will

remain valid until we receive a notice withdrawing consent. If you deny consent for use of your CPNI, it

will not effect our provisioning your services.
mailto:at%[email protected]:at%[email protected]


20/44

CPNIPOLICY MANUAL

Notice (contd)

This notification was sent in all customers November 2007 bill statement and will be enclosed

in the first bill of every new customer. i

FCC STRENGTHENING PRIVACY RULES

The Federal Communications Commission has strengthened its privacy rules by requiring telephone and

wireless carriers to adopt additional safeguards to protect personal telephone records of consumers from

unauthorized disclosure. The new safeguards include not releasing call detail information during a

customer-initiated telephone call unless the customer provides a password. In order to comply with these

new requirements, VGCS will implement new procedures effective December 8, 2007.

As you have contact with VGCS over the course of the next few months you may be asked to complete

the password set-up process. We encourage all customers to set up a password on their account to ensure

full access to account information over the phone. Furthermore, such password protection will better

allow us to serve your needs in the manner that works for you. If there is no password established foryour account, VGCS will be required to wither mail the information to the address of record or to call

the customer at the telephone of record. Access to personal telephone records at our retail offices will

require presentation of a valid government issued photo ID. Ensuring the privacy of your information is

very important to VGCS and though the password set-up may seem cumbersome, it is designed to protect

your information from those who might try to gain access to it.

If you have questions, please contact Customer Care at 540-463-4451

. Thank you for your cooperation.


21/44

CPNIPOLICY MANUAL

INBOUND/OUTBOUND CUSTOMER CALLS

VERBAL NOTIFICATION OF CUSTOMER RIGHTS FOR LIMITED USE OF CPNI FOR

THE DURATION OF THE CALL

Under federal and state law, you have the right - and the Company has a dutyto protect the

confidentiality of information about your telecommunications services that is collected in the

normal course of our business relationship, including information about how many

telecommunication services you have, which services and features you use, how many calls you

make, what time of day you make most calls, and the related billing for these services.

With your permission, I can obtain access to and use your information for the duration of this

call to inform you of services provided by the Company or an affiliate. Do I have your

permission for such limited, one-time use?

Your decision to grant or deny permission will not affect the service you receive.

The Company respects your privacy, and will not sell, trade or share your confidential

information with unaffiliated third parties without your approval, except as required by law.


22/44

CPNIPOLICY MANUAL

CPNI Customer Authorization for Release of CPNI

(WRITTEN AUTHORIZATION)

I authorize VGCS to release any information in its possession protected under the FederalCommunications Commission (FCC) CPNI rules. I have read the customer notification

information and understand my rights under FCC CPNI rules. I understand that I may limit orrevoke this authorization at any time upon proper notice to VGCS. My authorization is effectiveuntil I revoke it.

Customer Name:

Address:

Phone #:

Date:

Signature:

Please return this customer authorization to our business office at:

VGCS Customer Care Center

30 Crossing Lane

Lexington, VA 24450

Facsimile copies can be sent to: VGCSFAX

Number: (540) 463-4438


23/44

CPNIPOLICY MANUAL

CPNI Customer Authorization for Release of CPNI

Script

(TELEPHONE AUTHORIZATION)

(To be read by employee to customer via telephone. If customer has questions, employee may need to refer to the

Customer Notification Regarding CPNI section. This information must be verified by either an independent third

party, such as audio-taping, independent verification company or authorized company employee.)

Employee:

I understand that you are interested in giving VGCS your permission to use your customer

proprietary network information. This information may be used to market new services that may

be of interest to you. If you are interested in authorizing VGCS to use this information, I have an

authorization form that I need to read to you that will give us your permission. Also, thisconversation is recorded for verification purposes OR for independent, third party

verification.

If you have no further questions about this information or how companies can use this

information, I will read the following statement. If you agree with it, I will then sign it and will

then have a supervisor sign it.

If customer agrees, employee will continue and read the following:

I authorize VGCS to use any information in its possession protected under FCC CPNI rules. I

understand my rights under Federal CPNI rules. I understand that I may limit or revoke this

authorization at any time upon proper notice to VGCS.

Customer Information:

Name: Phone:

Address: Date:

Signed: _________________________________________ Job Title:

(company employee)

Date:


24/44

CPNIPOLICY MANUAL

SCRIPT FOR WIN-BACK MARKETING

Hello, this is _______________________________ from VGCS.

We noticed that you recently disconnected service with us. In order for us to improve ourservices with our customers, your feedback would be very helpful. Would you be able to answer

a couple questions for us?

Customer Response:

NoCSR: Okay. Before you go, we just wanted to let you know that we have {

INSERT CURRENT MARKETING PLAN HERE}. Please take a look at what you are

paying currently and see if VGCS can save you some money. We appreciated you as a

customer and hope that we can do business with you in the future.

YesCSR: Thank you. What was the main reason for leaving VGCS?

Customer Response:

New Carrier had cheaper rates/prices Go to line 1

New Carrier had a bundle with cable and phone Go to line 1

Other price related responsesGo to line 1

Quality of service/service issuesGo to line 2

1. Thank you for taking the time to talk to us. If we offered you a phone package that included

{Insert marketing plan here} would you switch back to VGCS? (includes free activation)

Customer Response:

YesCSR: Great! It will only take a few minutes to get you switched back to VGCS.

We also have a new DSL package {insert latest offering here} includes

free activation). Would you be interested in signing up for High-Speed DSL today?

YesCSR: Great! Thank you for switching back to VGCS. It will just take a few minutesto get you signed up for our new services.

NoCSR: Okay. Thank you again for signing up on our {marketing plan}.

NoCSR: If we offered a DSL package with {Latest offering}(includes free activation),

would you switch back to VGCS?


25/44

CPNIPOLICY MANUAL

NoCSR: Okay. We appreciated you as a customer and hope that we can do

business with you in the future.

YesCSR: Great! Thank you for switching back to VGCS. It will just take a

few minutes to get you signed up for our new DSL Basic package for {latestoffering}.

SCRIPT FOR WIN-BACK MARKETING (Contd)

2. If the customer had quality/service issues, please document the problems that occurred and

why they left. Apologize for the service quality and explain that we strive to provide the best

service possible to our customers and ask if there is anything we can do to win them back as a

customer. If they are open to switching back for better service and pricing, please refer to #1.

If they dont want to switch back:

CSR: We appreciated you as a customer and hope that we can do business with you in the

future.


26/44

CPNIPOLICY MANUAL

EXAMPLE of CPNI Certification

December XX, 200X

The undersigned _____________________________________________ is president of

VGCS, 30 Crossing Lane Suite 206 Lexington, VA 24450, and provides this Certification of

CPNI Compliance for 2006 in accord with 47 CFR 64.2009(e).

Our Company has established operating procedures that are adequate to ensure its compliance

with the rules in Title 47Telecommunications, Section 64.2009.

Furthermore I am certifying that I have personal knowledge of these procedures, that our

Companys personnel are trained on these procedures, and that these procedures are in fact

insuring that our Company is in compliance with the rules in Title 47Telecommunications ,

Section 64.2009.

The attached Statement demonstrates such compliance.

President

Dated:

Attachment


27/44

CPNIPOLICY MANUAL

CPNI SUPPORT STATEMENT

The operating procedures of Virginia Global Communications Systems (VGCS), is designed to

ensure compliance with the CPNI rules applicable to them. Such procedures are as follows.

CPNI Use

(1) We use, disclose or permit access to CPNI to protect our rights and property, our

Customers, and other carriers from fraudulent, abusive or unlawful use of, or

subscription to, our services.

(2) We use, disclose or permit access to CPNI to provide or market service offerings among

the categories of servicelocal, and interexchange - to which the Customer already

subscribes. When we provide different categories of service, and a Customer subscribes

to more than one service category, we share the Customers CPNI with the affiliate that

provides service to the Customer; but if a Customer subscribes to only one service

category, we do not share the customers CPNI with an affiliate without the Customers

approval.

(3) We use, disclose or permit access to CPNI derived from our provision of local exchange

or interexchange service for the provision of CPE and call answering, voice mail or

messaging, voice storage and retrieval services, fax store-and-forward, and protocol

conversion, without Customer approval.

(4) Without Customer approval, we do not use, disclose or permit access to CPNI to provideor market service offerings within a category of service to which the Customer does not

already subscribe, except that we use, disclose or permit access to CPNI to: (a) provide

inside wiring installation, maintenance and repair services; and (b) market, when we

provide local service or interexchange services formerly known as adjunct-to-basic

services such as, but not limited to, speed dialing, computer-provided directory

assistance, all monitoring, call tracing, call blocking, call return, repeat dialing, call

tracking, call waiting, caller ID, call forwarding, and certain Centrex features.

(5) We do not use, disclose or permit access to CPNI to identify or track Customers that call

competing service providers. For example, as a local exchange carrier, we do not uselocal service CPNI to track Customers that call local service competitors.


28/44

CPNIPOLICY MANUAL

CPNI Approvals

(1)When Customer approval to use, disclose or permit access to Customer CPNI is required,

we obtain approval through written, oral or electronic methods. If we rely on oral

approval, we understand we bear the burden of demonstrating that such approval was

given in compliance with the CPNI rules. We honor a Customers approval or

disapproval until the Customer revokes or limits such approval or disapproval. We

maintain all records of Customer approvals for at least one year.

(2)Subject to opt-out approval requirements, we use a Customers individually

identifiable CPNI to market communications-related services to that Customer, and we

disclose that CPNI to our affiliates that provide communications-related services. We

also allow these to obtain access to such CPNI to market communications-related

services.

(3)If we disclose or allow access to Customers individually identifiable CPNI to our joint

venturers or independent contractors, we will require, in order to safeguard that

information, their entry into confidentiality agreements that: (a) require their use of the

CPNI only for the purpose of marketing or providing the communications-related

services for which the CPNI has been provided; (b) disallow their permitting any other

party to use, allow access to, or disclose the CPNI to any other party, unless they are

required to make disclosure under force of law; and (c) require that they have in place

appropriate protections to ensure the ongoing confidentiality of the CPNI.

CPNI Notice Requirements

(1)We individually notify and inform each Customer of his or her right to restrict the use or

disclosure of, and access to, CPNI along with a solicitation of approval, and we maintain

records of that notification, whether oral or written, for at least one year.

(2)Our notifications provide information sufficient to enable our Customers to make

informed decisions as to whether to permit the use or disclosure of, or access to, their

CPNI. Our notifications: (a) contain a statement that the Customer has a right, and we

have a duty, under federal law, to protect the confidentiality of CPNI; (b) specify thetypes of information that constitute CPNI and the specific entities that will receive CPNI,

describe the purposes for which the CPNI will be used, and inform the Customer of his or

her right to disapprove those uses and deny or withdraw access to CPNI use at any time.

With regard to the latter, we indicate that any approval, or disapproval, will remain in

effect until the Customer affirmatively revokes or limits such approval or denial.


29/44

CPNIPOLICY MANUAL

(3) We advise the Customer of the precise steps the Customer must take in order to grant or

deny access to CPNI, and we clearly state that a denial of approval will not affect the

provision of any services to which the Customer subscribes. However, we may provide a

brief statement, in clear and neutral language, that describes the consequences directly

resulting from the lack of access to CPNI. In addition, we may state that the Customersconsent to use his or her CPNI may enhance our ability to offer products and services

tailored to meet the Customers needs and that we will disclose the Customers CPNI to

any person upon the affirmative written request of the Customer.

(4)Our notifications are comprehensible and not misleading and, if written, are legible,

sufficiently in large type, and placed in an area readily apparent to the Customer. And, if

any portion of a notification is in another language, all portions of the notification will be

in that language.

(5)We do not include in the notification any statement that attempts to encourage a

Customer to freeze third-party access to CPNI.

(6)For opt-out approvals, our notifications satisfy (1) (5). We do not use oral

notifications except to obtain limited, one-time use of CPNI for inbound and outbound

customer telephone contacts for the duration of the call. When we use oral notice in this

manner, we comply with (1)(5), except that, if none of the following situations are

relevant to the limited use for which we seek CPNI, we will not: (a) advise Customers, if

they have opted out previously, that no action is needed to maintain the opt-out

election; (b) advise Customers that we may share CPNI with our named or unnamed

affiliates or third parties if the limited CPNI usage does not result in use by, or disclosure

to, an affiliate or third party; (c) disclose the means by which a Customer can deny or

withdraw future access to CPNI, so long as we explain that the scope of the approval is

limited to one-time use; and (d) disclose the precise steps a Customer must take to grant

or deny access to CPNI, so long as we clearly communicate that the Customer can deny

access to his or her CPNI for the call.

(7)In addition, for opt-out approvals, we wait at least 30 days aftergiving Customers

notice and an opportunity to opt-out before assuming Customer approval to use, disclose,

or permit access to CPNI and notify Customers of the applicable waiting period for a

response before approval is assumed. For electronic notifications, we recognize that the

waiting period begins to run on the date the notification is sent and, for mail notifications,

it begins to run on the third day following the date the notification was mailed. For e-

mail opt-out notices, in addition to other requirements, we: (a) obtain express, verifiable,

prior approval to send notices by e-mail regarding their service in general or their CPNI,

in particular; (b) allow Customers to reply directly to e-mails in order to opt-out; (c) use

another means of communicating the notice if the e-mail is returned as undeliverable


30/44

CPNIPOLICY MANUAL

before considering the Customer to have received notice; and (d) ensure that the subject

line in the e-mail clearly and accurately identifies the subject matter of the e-mail.

(8)In addition, for opt-out approvals, we provide notices to our customers every two years,

and we make available to every customer a method to opt-out that is of no additional cost

to the Customer and is available 24 hours a day, seven days a week. We may satisfy this

requirement through a combination of methods, but we allow Customers to opt-out at no

cost and whenever they choose.

(9) For opt-in approvals, we provide notification to Customers through oral, written or

electronic methods that satisfy the requirements of (1)(5).

CPNI Safeguards

(1)We have implemented a system by which the status of a Customers CPNI approval can

be clearly established prior to the use of the CPNI.

(2)We have trained our personnel as to when they are, and are not, authorized to use CPNI,

and we have an express disciplinary process in place to deal with employee failures.

(3)We maintain a record of our own and our affiliates sales and marketing campaigns that

use Customers CPNI. The record includes a description of each campaign, the specific

CPNI that was used in the campaign, and what products and services were offered as part

of the campaign. We retain these records for at least one year.

(4)We have established a supervisory review process regarding compliance with the CPNIrules for outbound marketing situations and we maintain compliance records for at least

one year. Specifically, our sales personnel obtain supervisory approval of any proposed

outbound marketing request for customer approval of the use of CPNI.

(5)We have a corporate officer who acts as agent for the Company and signs a compliance

certificate on an annual basis stating that the officer has personal knowledge that the

Company has established operating procedures adequate to ensure compliance with

applicable CPNI rules. We provide a Statement accompanying the Certificate that

explains our operating procedures and demonstrates compliance with the CPNI rules.

(6)We are prepared to provide written notice within five business days to the FCC of any

instance where the opt-out mechanisms do not work properly to such a degree that

consumers inability to opt-out is more than an anomaly. That notice would be in the

form of a letter and would include the Companys name, a description of the opt-out

mechanism(s) used, the problem(s) experienced, the remedy proposed and when it would

be/was implemented, whether relevant state commission(s) were notified and what action

was taken, a copy of any notice provided to customers, and contact information. We


31/44

CPNIPOLICY MANUAL

would submit the notice even if other methods by which consumers may opt-out were

offered.

CPNI DEFINITIONS

Employee: a person hired to perform work on behalf of the company. The employee is either

directly employed by the Company or is employed by an Affiliate of the company and is

performing work on behalf of, and charging time to, the accounts of the company.

Telecommunications Carriers: includes telephone companies, wireline carriers, and service

providers, local exchange carriers, interexchange carriers, competitive access providers, operator

service providers, telephone operators, wireless carriers, cellular service carriers, mobile service

carriers, broadband PCS licensees, SMR licensees and resellers. All rules regarding CPNI apply

to all telecommunications carriers. This does not include aggregators of telecommunicationsservices

Telecommunications Services: distinct telecommunications offerings of a telecommunications

carrier which can be further classified into one of the three service groups as defined within,

and for the sole purpose of, these CPNI rules. The following are related service group categories:

local exchange service,

toll service, or

Commercial Mobile Radio Service (CMRS).

Customer Premise Equipment (CPE): any equipment employed on the premises of a person to

originate, route, or terminate telecommunications.

Customer Proprietary Network Information (CPNI): the information that is extremely

personal to customers as well as commercially valuable to carriers. This includes such

information as to whom, where and when a customer places a call, as well as the types of service

offerings to which the customer subscribes and the extent to which the service is used.

Aggregate Customer information: the collective data that relates to a group or category of

services or customers from which individual customer identities and characteristics have been

removed.

Subscriber List Information: although contains individually identifiable information, it is

defined in terms of public (not private) information including the listed names, numbers,


32/44

CPNIPOLICY MANUAL

addresses or classifications that the carrier or an affiliate has published, caused to be published or

accepted for publication in any directory format.

Information Services: involve the offering of a capability for generating, acquiring, storing,

transforming, processing, retrieving, utilizing, or making available information via

telecommunications. This includes such services as call answering, voice mail or messaging,

voice storage and retrieval services, fax store and forward and Internet access services. These are

services that are provided to consumers independent of their telecommunications service and are

not necessary to the provision of the customers telecommunications service.

Customer information: there are three categories of customer information to which different

privacy and carrier obligations apply:

Individually identifiable CPNI

Aggregate customer information

Subscriber list information

Services which cannot be classified into one of the three groupings listed in this section of the

rules, such as yellow-page listings or CPE sales, are not telecommunications services. As such,

use of CPNI to market such non-telecommunications services is prohibited unless notification

and authorization by customers has been secured

NOTE: The definitions of the terms employee and service as used for the purpose(s)defined within this section of the Company policy manual are used solely for the purpose(s)

defined within this section of the policy manual and have no effect on the terms employeeor

service as those terms may be used in other sections of this manual, or other company

documents.


33/44

CPNIPOLICY MANUAL

CPNI FCC RULES

47 CFR Part 64-- MISCELLANEOUS RULES RELATING TO COMMON CARRIERS

Subpart U --Customer Proprietary Network Information

64.2001 Basis and Purpose.

(a)Basis. These rules in this subpart are issued pursuant to the Communications Act of 1934, as

amended.

(b)Purpose. The purpose of these rules in this subpart is to implement section 222 of the

Communications Act of 1934, as amended, 47 U.S.C. 222.

64.2003 Definitions.

Terms used in this subpart have the following meanings:

(a)Account information. Account information" is information that is specifically connected tothe customer's service relationship with the carrier, including such things as an account number

or any component thereof, the telephone number associated with the account, or the bill's

amount.

(b)Address of record. An address of record," whether postal or electronic, is an address thatthe carrier has associated with the customer's account for at least 30 days.

(c)Affiliate. An affiliate is an entity that directly or indirectly owns or controls, is owned orcontrolled by, or is under common ownership or control with, another entity.

(d)Call detail information. Any information that pertains to the transmission of specifictelephone calls, including, for outbound calls, the number called, and the time, location, or

duration of any call and, for inbound calls, the number from which the call was placed, and the

time, location, or duration of any call.

(e)Communications-related services. The term communications-related services meanstelecommunications services, information services typically provided by telecommunicationscarriers and services related to the provision or maintenance of customer premises equipment.

(f) Customer. A customer of a telecommunications carrier is a person or entity to which thetelecommunications carrier is currently providing service.

(g)Customer proprietary network information (CPNI). Customer proprietary networkinformation (CPNI) is:


34/44

CPNIPOLICY MANUAL

(1) information that relates to the quantity, technical configuration, type, destination, and

amount of use of a telecommunications service subscribed to by any customer of a

telecommunications carrier, and that is made available to the carrier by the customer

solely by virtue of the customer-carrier relationship;

(2) information contained in the bills pertaining to telephone exchange service or

telephone toll service received by a customer of a carrier. Customer proprietary

network information does not include subscriber list information.

(h)Customer premises equipment (CPE). Customer premises equipment (CPE) is equipmentemployed on the premises of a person (other than a carrier) to originate, route, or terminate

telecommunications.

(i)

Information services typically provided by telecommunications carriers. The phraseinformation service typically provided by telecommunications carriers means only those

information services that are typically provided by telecommunications carrier, such as Internet

access or voice mail services that offer a capability for generating, acquiring, storing,

transforming, processing, retrieving, utilizing, or making available information via

telecommunications and includes electronic publishing, but does not include any use of any such

capability for the management, control, or operation of a telecommunications system or the

management of a telecommunications service.

(j) Local exchange carrier (LEC). A local exchange carrier (LEC) is any person that isengaged in the provision of telephone exchange service or exchange access. For purposes of thissubpart, such term does not include a person insofar as such person is engaged in the provision of

commercial mobile service under 47 U.S.C. 332(c).

(k)Opt-In Approval. The term opt-in approval refers to a method for obtaining customerconsent to use, disclose, or permit access to the customers CPNI. This approval method

requires that the carrier obtain from the customer affirmative, express consent allowing the

requested CPNI usage, disclosure or access after the customer is provided appropriate

notifications of the carriers request consistent with the requirements set forth in this subpart.

(l) Opt-Out Approval. The term opt-out approval refers to a method for obtaining customerconsent to use, disclose, or permit access to the customers CPNI. Under this approval method, a

customer is deemed to have consented to the use, disclosure, or access to the customers CPNI if

the customer has failed to object thereto within the waiting period after the customer is provided

appropriate notification of the carriers request for consent.


35/44

CPNIPOLICY MANUAL

(m)Readily available biographical information. Readily available biographical information"is information drawn from the customer's life history and includes such things as the customer's

social security number, or the last four digits of that number; mother's maiden name; home

address; or date of birth.

(n) Subscriber list information (SLI). Subscriber list information (SLI) is any information:

(1) identifying the listed names of subscribers of a carrier and such subscribers telephone

numbers, addresses, or primary advertising classifications (as such classifications are

assigned at the time of the establishment of such service), or any combination of such

listed names, numbers, addresses, or classifications;

(2) that the carrier or an affiliate has published, caused to be published, or accepted for

publication in any directory format.

(o) Telecommunications carrier. A telecommunications carrier is any provider of

telecommunications services, except that such term does not include aggregators of

telecommunications services (as defined in 47 U.S.C. 226(a)(2)).

(p) Telecommunications service. The term telecommunications service" has the same

meaning given to such term in section 3(46) of the Communications Act of 1934, as amended, 47

U.S.C. 153(46).

(q) Telephone number of record. The telephone number associated with the underlying

service, not the telephone number supplied as a customer's contact information."

(r) Valid photo ID. A valid photo ID" is a government-issued means of personal identificationwith a photograph such as a driver's license, passport, or comparable ID that is not expired.

64.2005 Use of Customer Proprietary Network Information Without Customer Approval

(a) Any telecommunications carrier may use, disclose, or permit access to CPNI for the purpose

of providing or marketing service offerings among the categories of service (i.e., local,

interexchange, and CMRS) to which the customer already subscribes from the same carrier,

without customer approval.

(1) If a telecommunications carrier provides different categories of service and a

customer subscribes to more than one category of service offered by the carrier, the

carrier ispermitted to share CPNI among the carriers affiliated entities that provide a

service offering to the customer.

(2) If a telecommunications carrier provides different categories of service, but a

customer does not subscribe to more than one offering by the carrier, the carrier is not

permitted to share CPNI among the carriers affiliated entities.


36/44

CPNIPOLICY MANUAL

(b) A telecommunications carrier may not use, disclose, or permit access to CPNI to market to a

customer service offerings that are within a category of service to which the customer does

not already subscribe from that carrier, unless the carrier has customer approval to do so,

except as described in paragraph (c) of this section.

(1) A telecommunications carrier may use, disclose, or permit access to CPNI derivedfrom its provision of local service, interexchange service, or CMRS, without

customer approval, for the provision of CPE and information services, including call

answering, voice mail or messaging, voice storage and retrieval services, fax store

and forward, and Internet access services.

(2) A telecommunications carrier may not use, disclose, or permit access to CPNI to

identify or track customers that call competing service providers. For example, a

local exchange carrier may not use local service CPNI to track all customers that call

local service competitors.

(c) A telecommunications carrier may use, disclose, or permit access to CPNI, without customer

approval, as described in this subparagraph.

(1) A telecommunications carrier may use, disclose, or permit access to CPNI, without

customer approval, in its provision of inside wiring installation, maintenance, and

repair services.

(2) CMRS providers may use, disclose, or permit access to CPNI for the purpose of

conducting research on the health effects of CMRS.

(3) LECs and CMRS providers and entities that provide interconnected VoIP service

may use CPNI, without customer approval, to market services formerly known as

adjunct-to-basic services, such as, but not limited to, speed dialing, computer-

provided directory assistance, call monitoring, call tracing, call blocking, call return,

repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain

Centrex features.

(d) A telecommunications carrier may use, disclose, or permit access to CPNI to protect the

rights or property of the carrier, or to protect users of those services and other carriers from

fraudulent, abusive or unlawful use of, or subscription to, such services.

64.2007 Approval required for Use of CPNI

(a) A telecommunications carrier may obtain approval through written, oral or electronic

methods.


37/44

CPNIPOLICY MANUAL

(1) A telecommunications carrier relying on oral approval shall bear the burden of

demonstrating that such approval has been given in compliance with the

Commissions rules.

(2) Approval or disapproval to use, disclose, or permit access to a customers CPNI

obtained by a telecommunications carrier must remain in effect until the customerrevokes or limits such approval or disapproval.

(3) A telecommunications carrier must maintain records of approval, whether oral,

written or electronic, for at least one year.

(b) Use of Opt-out and Opt-In Approval Processes. A telecommunications carrier may, subject

to opt-out approval or opt-in approval, use its customer's individually identifiable CPNI for the

purpose of marketing communications-related services to that customer. A telecommunications

carrier may, subject to opt-out approval or opt-in approval, disclose its customer's individually

identifiable CPNI, for the purpose of marketing communications-related services to thatcustomer, to its agents and its affiliates that provide communications-related services. A

telecommunications carrier may also permit such persons or entities to obtain access to such

CPNI for such purposes. Except for use and disclosure of CPNI that is permitted without

customer approval under section Sec. 64.2005, or that is described in this paragraph, or as

otherwise provided in section 222 of the Communications Act of 1934, as amended, a

telecommunications carrier may only use, disclose, or permit access to its customer's

individually identifiable CPNI subject to opt-in approval.

(1) Joint Venture/Contractor Safeguards. A telecommunications carrier that discloses or

provides access to independent contractors shall enter into confidentiality agreementswith independent contractors or joint venture partners that comply with the following

requirements. The confidentiality agreement shall:

(i) Require that the independent contractor or joint venture partner use the CPNI only

for the purpose of marketing or providing the communications-related services for

which that CPNI has been provided;

(ii) Disallow the independent contractor or joint venture partner from using, allowing

access to, or disclosing the CPNI to any other party, unless required to make such

disclosures under force of law; and

(iii)Require that the independent contractor or joint venture partner have appropriate

protections in place to ensure the ongoing confidentiality of consumers CPNI.

(2) Except for use and disclosure of CPNI that is permitted without customer approval

under section 64.2005 or that is described in paragraph (b)(1) of this section, or as

otherwise provided in Section 222 of the Communications Act of 1934, as amended,


38/44

CPNIPOLICY MANUAL

a telecommunications carrier may only use, disclose, or permit access to its

customers individually identifiable CPNI subject to opt-in approval

64.2008 Notice required for use of CPNI

(a) Notification generally:

(1)Prior to any solicitation for customer approval, a telecommunications carrier must

provide a one-time notification to the customer of the customers right to restrict use

of, disclosure of, and access to that customers CPNI.

(2)A telecommunications carrier must maintain records of notification, whether oral or

electronic, for at least one year.

(b) Individual notice to customers must be provided when soliciting approval to use, disclose or

permit access to customers CPNI.

(c) Content of notice. Customer notification must provide sufficient information to enable the

customer to make an informed decision as to whether to permit a carrier to use, disclose

or permit access to the customers CPNI.

(1) The notification must state that the customer has a right, and the carrier a duty, under

federal law, to protect the confidentiality of CPNI.

(2) The notification must specify the types of information that constitute CPNI and the

specific entities that will receive the CPNI, describe the purposes for which CPNI will

be used, and inform the customer of his or her right to disapprove those uses and denyor withdraw access to CPNI at any time.

(3) The notification must advise the customer of the precise steps the customer must take

in order to grant or deny access to CPNI and must clearly state that a denial of

approval will not affect the provision of any services to which the customer

subscribes. However, carriers may provide a brief statement, in clear and neutral

language, describing consequences directly resulting from the lack of access to CPNI.

(4) The notification must be comprehensible and not be misleading.

(5) If written notification is provided, the notice must be clearly legible, use sufficiently

large type, and be placed in an area so as to be readily apparent to a customer.

(6) If any portion of a notification is translated into another language, then all portions of

the notification must be translated into that language.


39/44

CPNIPOLICY MANUAL

(7) A carrier may state in the notification that the customers approval to use CPNI may

enhance the carriers ability to offer products and services tailored to the customers

needs. A carrier also may state in the notification that it may be compelled to

disclose CPNI to any person upon affirmative written request by the customer.

(8) A carrier may not include in the notification any statement attempting to encourage acustomer to freeze third-party access to CPNI.

(9) The notification must state that any approval, or denial of approval for the use of

CPNI outside of the service to which the customer already subscribes from that

carrier is valid until the customer affirmatively revokes or limits such approval or

denial.

(10)A telecommunications carriers solicitation for approval must be proximate to the

notification of a customers CPNI rights.

(d) Notice Requirements Specific to Opt-Out . A telecommunications carr

Customer Proprietory Network Information Manual1

Documents

Transcript of Customer Proprietory Network Information Manual1