Subchapter J. CONFIDENTIALITY OF CUSTOMER
COMMUNICATIONS AND INFORMATION

 (a)  This subchapter establishes appropriate minimum standards to ensure that public utilities providing regulated telecommunication services maintain the confidentiality of customer communications and customer information.

 (b)  A telephone company subject to this subchapter shall treat customer communications and customer information as confidential. Except for the limited instances provided in this subchapter, release of customer information to the public shall be permitted only on the authority of the customer. When a telephone company or its authorized employes utilize customer information, they shall do so only when necessary and only to the extent necessary to accomplish legitimate and authorized purposes, as set forth in this subchapter. Telephone companies and telephone company employes shall make every reasonable effort to avoid the unauthorized dissemination of customer information to the public.

 (c)  Nothing in this subchapter supersedes the Wiretap Act, or permits a telephone company service or activity which is otherwise prohibited by the Wiretap Act.

   Wiretap Act

 A telephone company shall confirm with each employe the responsibility to maintain the confidentiality of customer communications and customer information in accordance with applicable State and Federal law.

   (1)  Securing commitment from employes. A telephone company shall, at the time a person commences employment, instruct that person regarding telephone company policy covering the following points:

     (i)   State and Federal law generally prohibits the interception, disclosure and use of customer communications.

     (ii)   An employe is prohibited from intercepting, using or disclosing customer communications except in those limited instances which are a necessary incident to:

       (A)   The provision of service.

       (B)   The protection of the legal rights or property of the telephone company where the action is taken in the normal course of employment.

       (C)   The protection of the telephone company, an interconnecting carrier, a customer or user of service from fraudulent, unlawful or abusive use of telephone service.

       (D)   Compliance with legal process or other requirements of law.

     (iii)   An employe is prohibited from using or disclosing customer information except when the use or disclosure is authorized by this subchapter.

     (iv)   Improper interception, use or disclosure of customer communications or customer information may result in disciplinary action, including dismissal or criminal and civil proceedings, or both.

   (2)  Documentation of employe commitment. An appropriate document shall be prepared outlining the policy summarized in paragraph (1) and stating that the telephone company employe has read and understands the policy. The telephone company shall present the document to each employe for signature. A telephone company manager shall witness and date the document, regardless of whether the employe has agreed to sign the document. One copy shall be filed with the employe’s personnel papers and one copy given to the employe to keep and review.

   (3)  Annual review. A telephone company shall annually review with employes the commitment to confidentiality of customer communications and customer information, and shall make a record of that annual review.

 This section describes procedures for determining employe access to customer information and the purposes for which this information may be used by employes responding to requests for customer information from persons outside the telephone company and the recording of use and disclosure of customer information.

   (1)  Employe access to and use of customer information. Access to and use of customer information shall be limited to employes who have a legitimate need to use the information in the performance of their work duties and, because of the nature of their duties, need to examine the data to accomplish the legitimate and lawful activities necessarily incident to the rendition of service by the telephone company. An employe shall be prohibited from using customer information for personal benefit or the benefit of another person not authorized to receive the information.

   (2)  Requests from the public. Customer information that is not subject to public availability may not be disclosed to persons outside the telephone company or to subsidiaries or affiliates of the telephone company, except in limited instances which are a necessary incident to:

     (i)   The provision of service.

     (ii)   The protection of the legal rights or property of the telephone company where the action is taken in the normal course of an employe’s activities.

     (iii)   The protection of the telephone company, an interconnecting carrier, a customer or a user of service from fraudulent, unlawful or abusive use of service.

     (iv)   A disclosure that is required by a valid subpoena, search warrant, court order or other lawful process.

     (v)   A disclosure that is requested or consented to by the customer or the customer’s attorney, agent, employe or other authorized representative.

     (vi)   A disclosure request that is required or permitted by law, including the regulations, decisions or orders of a regulatory agency.

     (vii)   A disclosure to governmental entities if the customer has consented to the disclosure, the disclosure is required by a subpoena, warrant or court order or disclosure is made as part of telephone company service.

   (3)  Limitation on disclosures to agents, contractors, subsidiaries or affiliates. To comply with this subchapter, a telephone company may not allow disclosure of customer information to an agent, contractor, subsidiary or affiliate (the contracting party) absent the prior establishment of terms and conditions for the disclosure pursuant to a written agreement that requires:

     (i)   Treatment of the information as confidential.

     (ii)   Use of the information by the contracting party or any of its respective employes for only those purposes specified in the contract or agreement. The contract shall require the contracting party to establish a confidentiality statement which provides confidentiality protections which are no less than those required of the telephone company by this subchapter and to maintain the same employe commitment to the protections in §  63.134 (relating to employe commitment to confidentiality of customer communications and customer information). The contract may not allow the interception or use of the customer information or customer communications in a manner not authorized with respect to a telephone company employe. The contracting party shall also be subject to the operational restrictions specified in this subchapter with regard to the handling of customer communications and customer information as would otherwise apply to a telephone company employe.

     (iii)   Nondisclosure of the customer information and customer communications to third parties except as required by law.

   (4)  Requests from law enforcement agencies and civil litigation. Government administrative, regulatory and law enforcement agencies and parties in civil litigation may be able to compel the telephone company to disclose customer information by serving upon the utility a subpoena, search warrant, court order or other lawful process.

     (i)   In response to legal process requiring the disclosure of customer information, the security department shall make the necessary arrangements with the government agency or attorney who caused the legal process to be issued regarding the information to be produced and the identity of the employe or other telephone company representative who will produce the information. The employe assigned to produce this information shall secure the information, including applicable records, from the department having possession of the information and records and shall ascertain the meaning of a code word or letters or nomenclature which may appear on the records, to explain the meaning, if requested to do so. The employe shall then comply with the legal process.

     (ii)   If information, including applicable records, is unavailable, the employe selected to respond to the legal process shall be prepared to explain the unavailability of the information requested.

     (iii)   When a request for customer information is presented by a law enforcement agency, but that request is not accompanied by legal process, the request shall be referred to the security department. Absent legal process, the security department may not make disclosure of customer information to a law enforcement agency, except as required or permitted by law. Written, oral or other communication to law enforcement officials to indicate whether obtaining legal process would be worthwhile is prohibited by the Commission.

   (5)  Safeguarding customer information. A telephone company is responsible for implementing appropriate procedures to safeguard customer information and prevent access to it by unauthorized persons. Tangible customer records such as paper or microfiche records and electromagnetic media shall be stored in secure buildings, rooms and cabinets, as appropriate, to protect them from unauthorized access. Data processing and other electronic systems shall contain safeguards, such as codes and passwords, preventing access to customer information by unauthorized persons.

     (i)   Transmission of customer information. Customer information shall be transmitted in a manner which will reasonably assure that the information will not be disclosed to persons who are not authorized to have access to it.

     (ii)   Reproduction. Customer records may not be reproduced unless there is a business need for the reproduction. Only sufficient copies shall be made to satisfy the business purpose for the reproduction.

     (iii)   Destruction of customer records. Customer records shall be disposed of by the most advantageous method available at each location when retention of the records is no longer required by applicable Federal Communications Commission (FCC) regulations, other legal requirements, contract provisions such as government contract requirements or appropriate document retention guidelines.

   (6)  Recording use and disclosure of customer information. Because of the frequency with which customer information is used and disclosed in the ordinary course of business, it is neither practical nor desirable to record each instance in which customer information is used or disclosed by an employe. However, the importance of some forms of customer information and the circumstances under which the information may be used or disclosed dictate that a record is required of the use or disclosure of customer information, as follows:

     (i)   Each instance in which customer information is used or disclosed for purposes other than to furnish service to the customer, to collect charges due from the customer or to accomplish other ordinary and legitimate business purposes.

     (ii)   Each instance in which information is disclosed to persons outside of the telephone company, subject to subparagraph (i).

     (iii)   Each instance in which customer information is disclosed to a governmental entity or the telephone company security department.

     (iv)   Each instance in which a record is required by other telephone company practices or procedures.

   (7)  Annual notice of Customer Proprietary Network Information (CPNI) rights. The telephone company shall provide an annual written notice of CPNI rights, as defined by the FCC, to customers with less than 20 access lines. The notice shall be submitted to the Commission’s Bureau of Consumer Services for plain language review prior to issuance.

 This section sets forth procedures for service evaluation and monitoring; use of pen registers and trap and trace devices; and responses to government requests for assistance in conducting wiretap, pen register, trap and trace and other types of investigations.

   (1)  Compliance with State and Federal laws. The telephone company shall comply with State and Federal laws regulating the interception, disclosure or use of customer communications and the use of pen registers and trap and trace devices.

   (2)  Service evaluation and monitoring. The telephone company may evaluate and monitor those aspects of its operations, including customer communications, necessary for the provision of service to its customers. The recording of conversations is prohibited.

     (i)   Service evaluation. A telephone company may engage in the sampling of customer communications by telephone company employes or automated equipment to measure service quality. This sampling of customer communications shall be kept to the minimum needed to measure service quality. Service evaluation facilities may not have monitoring access points outside official evaluation quarters. Entry to evaluation quarters shall be strictly controlled. During periods when evaluation quarters are not in use or when otherwise considered appropriate, the quarters shall be securely locked or the equipment rendered inoperative or accessible only by authorized personnel. Access to service evaluation documents that contain individual employe-customer contact information shall be closely guarded to protect the customer’s privacy.

     (ii)   Maintenance monitoring. A telephone company may engage in the monitoring of telephone company facilities by an employe entering the circuit to listen and carry out tests to determine whether noise, ‘‘cross-talk,’’ improper amplification, reproduction or other problems may exist. This includes the mandatory routines covered by equipment test lists, tracing of circuits for corrective action and other similar activities. The monitoring may not interfere with the voice or data information being carried.

     (iii)   Administrative monitoring. A telephone company may engage in the monitoring of telephone company employe contacts with customers and with other employes which have a direct bearing on the quality of service provided to customers. The monitoring equipment shall be secure at all times and only used by authorized persons. The monitoring may be performed from a remote location. When the equipment is in a remote location and is not in use, it shall be secured or made inoperative or accessible only by authorized personnel.

   (3)  Security department monitoring. To the extent permitted by applicable State and Federal law, the security department may conduct monitoring, including recording of conversations, in conjunction with the investigation of toll fraud or other unlawful uses of the telephone network. The security department shall maintain complete records of monitoring performed. At a minimum, the records shall include the date and times between which the monitoring was conducted, the name, address and telephone number of the person from whose service the communication was placed and by whose service it was received, the name of the person making the communication, the duration of the communication and information derived from the monitoring. The records shall be retained for the period of time required by telephone company document retention guidelines.

   (4)  Use of pen registers and trap and trace devices.

     (i)   Pen register and trap and trace devices may be used by telephone company employees in accordance with applicable State and Federal law.

     (ii)   In each instance in which pen register or trap and trace devices are used for a purpose other than for the operation, maintenance or testing of the network, for billing purposes or for the provision of service, a record shall be made showing the dates and times between which the pen register or trap and trace device was used, the names of the persons by whom the use was authorized, directed to be performed and conducted, and the name, address and telephone number of the person whose service was subject to use of the pen register or trap and trace device. The record shall be retained for the time required by applicable telephone company document retention guidelines.

   (5)  Employee authorization. An employee may not perform service evaluation, maintenance monitoring or administrative monitoring or direct that these activities be performed unless the employee is authorized and has a need to do so as part of the employee’s work duties. An employee may not use pen register or trap and trace facilities or direct that such a device or facilities be used unless the employee is authorized and has a need to do so as part of regular work duties.

   (6)  Government orders. Orders from courts and other lawful process requiring the telephone company to assist in the performance of pen register searches, trap and trace searches, wiretap searches and other types of investigations shall be handled in accordance with applicable State and Federal law. The telephone company shall maintain a record of each investigation conducted under this subsection. The record shall be retained for the time required by applicable telephone company document retention guidelines.