Embed Size (px)
DESCRIPTION
FCC CPNI Submission
Citation preview
C3 Teknologies, Ll-,C8201 Peters Road, Suite 1000
Plantation FL
Marlene H. Dortch, Secretary
Federal Communications Commission
445 l lth Street, SW
Washington,DC20554
RE:
Dear Ms. Dortch:
Certification of Compliance with Rule 64.1801
s3324-0000
February 17,201,6
C3 Teknologies, LLC , FRN 00-2274-8644
with the geographic rate averaging and rate integration requirements of Commission Rule
64.180r (47 C.F.R. $ 64.1801).
I hereby verifr that I am an offrcer of C3 Teknologies, LLP am authorized to
make this certification on its behalfl and thatthe foregoing certification is true, complete, and
correct to the best of my knowledge. I declare under penalty of perjury under the laws ofthe
United States that the foregoing is true and correct.
Signature:
PrintName:
Title:
of
Federal Communications Commission
Page Two
C3 Teknologies, LLC certiff that I am an officer of the company
named above, and acting as an agent of the company, that I have personal
knowledge that the company has established operating procedures that are adequate toensure compliance with the Commission's CPNI rules. ,See 47 C.F.R S 64.2001 et seq.
Attached to this certification as Exhibit "A" is an accompanying statement explaining
how C3 Teknologies, LLC procedures ensure that the company is in
compliance with the requirements set forth in Section 64.2001 et seq. of tlrc
Commission's rules.
Signature:
PrintName:
Title:
FCC Annual Filing
Federal Commrmication CommissionPage Three
Annual4T C.F.R S 64.2009(e) CPNI Certification
EB Docket 0G36
C3 Teknologies, LLC has not taken any actions (proceedings
instituted or petitions filed by a company at either state commissions, the court system, or
at the Commission against data brokers) against data brokers in the past year. Companies
must report on any information that they have with respect to the processes pretexters are
using to attempt to access CPNI, and what steps companies are taking to protect CPNI.
C3 Teknologies, LLC has not received any customer complaints in
the past year concerning the unauthorized release of CPNI (number of customer
complaints a company has received related to unauthorized access to CPNI, or
unathorized disclosure of CPNI, broken down by category or complaint, e.g., instances
of improper access by employees, instances of improper disclosure to individuals not
authorized to receive the information, or instances of improper access to online
information by individuals not authorized to view the information).
Print Name:
Title:
Annual4T C.F.R I64.2009(e) CPNI CertificationEB Docket 06-36
Exhibit A
C3 Teknologies, LLC
Compliance Requirements
C3 Teknologies, LLC8201 Peters Road, Suite 1000
Plantation FL 33324-0000
Compliance Requirements
C3 Teknologies, LLC ("Company') maintains the folloring operating procedures toensure complianoe with the requirements set forth in Sedion il.2001 et seq. of the Commission's rubs.
Section 64.2fi)5 Usc of c$tomer proprietrry aetwork lnformetion without customerepprovaL
(a) Any telecommunications carrier may use, disclose, or permit access to CPNI for the purpose ofproviding or marketing service offerings among the categories ofservice (i.e., local. Interexchange, and
CMRS) to which the customer already subscribes from the same carrier, without customer approval.
( I ) Ifa telecommunications carrier provides different categories of servicc' and a customer
subscribes to more than one category ofservice ofM by the carrieq the carrier is permitted to share
CPNI among the carrie/s affiliated entities that provide a service offering to the customer.
(2) Ifa telecommunications carrier provides different categories ofservice, but a customer does
not subscribe !o more than one offering by the canier, the carrier is not permitted to share CPM with itsaffiliates, except as provided in $ 6a.20o7(b).
(b) A telecommunications carrier may not use, disclose, or permit access to CPNI to market to a
customer service offerings that are within a category ofservice to which the subscriber does not already
subscribe from that carrier, unless that carrier has customer approval to do so, except as described inparagraph(c ) ofthis section.
(1) A wireless provider may use, disclose or permit access to CPNI d€rived from its provision ofCMRS, without customer approval, for the provision of CPE and information servic(s). A wireline carriermay uie, disclose or permit access to CPNI derived from its provision oflocal exchange service orinterexchange service, without customer approval, for the provision ofCPB and call answering voice mailor messaging, voice storage and retrieval services, fax store and forward protocol conversion.
(2) A telecommunications carrier may not use, disclose, or permit access to CPNI to identiry ormck customers that call competing service providen. For orample, a local exchange carrier may not use
local service CPNI to track all customers that call local service competitors.
(c ) A telecommunications carrier may use, disclose, or permit access to CPNI, without customer
approval, as described in this paragraph (c ).
(l) A telecommunications carrier may use, disclose, or permit access to CPNI, without customer
approval, in its provision of inside wiring installation, maintenance, and repair services.
(2) CMRS providers may use, disclose, or permit access to CCPNI for the purpose of conductingresearch on the health effects of CMRS.
(3) LECs, CMRS providers, and interconnected VoIP providen may use CPNI, without customer
approval, to market services formerly known as a junct-to-basic services, such as, but not limited to, speed
dialing computer-provided directory assistance, call monitoring, call tracing call blocking, call retum,
repeat dialing, call tr-acking, call waiting caller I.D., call forwarding, and certain Centrex features.
(d) A telecommunications carrier may use, disclose, or permit access to CPNI to protect the rights
or propefty ofthe carrier, or to protect users ofthose services and other carriers from fradulent, abusive, or
unlaufrrl use of, or subscription to, such services.
The Company has adopted specific CPNI policies to ensure that, in the absence ofcltstomer approval,
CPNI is only rced by the Company O prodde or morket service offerings anong the categories ofsemice (i.e., local inlerexchange, and CMRS) to 't hich the castomer already subscribes. The
Company's CPNI policies prohibit the shoring ofCPNIwith afliliated companies, except as perrnitted
underRale64.2005(a)(l)orwithcustomerapprovalpursuanttoRule64.200T(b). Theonlyexceptions
to tltese policies are as peruitted urrder 47 U.S.C $ 222(d) and Rale 64.2005.
Section 64.2fi)7 Approval required for usc ofcustonrcr proprietary network information.
(a) A tslecommunications carrier mayobtain approval through written, oral orelectronic
methods.
( I ) A telecommunications carrier relying on oral approval shall bear the burden of demonstrating
that such approval has been given in compliance with the Commission's rules in this part-
(2) Approval or disapproval to use, disclose, or permit access to a customer's CPNI obtained by a
telecommunications carrier must remain in effect until the customer revokes or limits such approval or
disapproval.
(3) A telecommunications carrier must maintain records ofapproval, whether oral, written, or
electronic, for at least one year.
In all circumslances *herc utstomer approval is requircd to use, disclose or perrtt access to CPNI, lhe
Company,s CPNI policies requfue thal the Company oblaln customer approval through written, oral or
electronic melhods in compliance wlth Rule 64.2007 A castomer's opprcval or disopproval remains ln
efled antil the customer revokes or limits the approval or disapproval The Compary maintoins recotds
of customer approval (whelher writle4 oral or electonlc) for a minimum of one yeat
(b) we of Opt-Ott and Opt-In Approval Processes. A telecommunications carrier may, subject
to opt-out approval or opt-in approval, disclose its customer's individually identifiable CPNI for the purpose of
marketing communications-related services to that customer. A tslecommunications carrier may, subject to
opt-out approval or opt-in approval, disclose its customer's individually identifiable CPM, for the purpose
ofmarketing communications-relatod services to that customer, to its agents and its affiliates that provide
communications-related services. A t€lecommunications canier may also permit such person or entities to
obtain access to such CPNI for such purposes. Except for use and disclosure of CPNI that is permitted
without customer approval under section S 64.2005, or that is described in this paragraph, or as otherwise
provided in section 222 ofthe Communications Act of 1934, as amended, a telecommunications canier
may only use, disclosq or permit access to its customeCs individually identifiable CPNI subject to opt-in
approval.
The Company does not ase CPNI Ior any purpose (includtng marheting communicolions-related
services) and does not disclose or gtant access to CPNI to any parT! (including lo agenls or olfrllates th0t
provide conununlcations-relaled semices), except as pennitted undef 47 U'S.C. $ 222(d) and Rule
61.2005.
Scction 64.2008 Notice rrquired for use ofcustomer proprietery tretwork informrtion.
(a) Notificatio4 Generally. (l) Prior to any solicitation for customer approval, a
telecommunications carrier must provide notification to the customer ofthe customer's right to restrict use
ol disclose of, and access to that custome/s CPNI.
(2) A telecommunications carrier must maintain records of notification, whether oral, written, orelectronic, for at least one year.
(b) Individual notice to customers must be provided when soliciting approval to usg disclose, orpermit access to customers' CPNI.
(c) Content of Notice. Customer notifiication must provide su{ficient information to enable the
cuitomer to make an informed decision as to whether to permit a carrier to use, disclosg or permit access
to, the customels CPNI.
( I ) The notification must state that the customer has a right, and the carrier has a duty, under
federal law, to protect the confidentiality ofCPNL
(2) The notification must specify the types of information that constitute CPNI and the specificentities that will receive the CPNI, describe the purposes for *{rich CPNI will be used, and inform the
customer of his or her right to disapprove those uses, and deny or withdraw access to CPNI at any time.
(3) The notification must advise the customer ofthe percise steps the customer must take in order
to grant or deny access to CPNI, and must clearly state that a denial ofapproval will not affect the
provision of any services to which the customer subscribes. However, carriers may provide a briefstatement, in a clear and neutral languagg describing consequences directly resulting from the lack ofaccess to CPNI.
(4) The notification must be comprehensible and must not be misleading.
(5) Ifwritten notification is provided, the notice must be clearly legible, use sufficiently large
type, and be placed in an area so as to be readily apparent to a customer.
(6) Ifany portion ofa notification is translated into another language, then all portions ofthenotification must be translated into that language.
(7) A carrier may state in the notification that the customefs approval to use CPNI may enhance
the carrier's ability to offer products and services tailored to the customels needs. A carrier also may state
in the notifrcation that it may be compelled to disclose CPNI to any person upon afiirmative written request
by the customer.
(8) A carrriermay not include in the notification any statement attempting to encourage a customer
to freeze third-party access to CPNL
(9) The notification must slate that any approval, or denial ofapproval for the use ofCPNIoutside ofthe service to which the customer already subscribes from that carrier is valid until the customer
affrrmatively revokes or limits such approval or denial.
(l 0) A telecommunications carrie/s solicitation for approval must be proximate to the
notification of a cusomeds CPNI rights.
Ihe Company's CPNI policies rcqaire that customen be notiJied of theb rtghts, and the Company's
obllgaions, with rcspecl to CPNI prior to arr! solicitdionfu cuslomer approval All requlred customet
notices (whelherwrltlen, oral or ekaronic) comp$ wilh the requhemenls of Rule 61.2008. The
Company maintains records of all rcquired customer notices (wheather written, oral or eledronic) for aminimum of one yeat
(d) Notice Requirements Specific to Opt-Out. A telecomunications carrier must providenotification to obtain opt-out approval through electronic or written methods, but not by oralcommunication (except as provided in paragraph (f) olthis section). The contents ofany such notificationmust comply with the reluirements of paragraph (c) of this section.
( I ) Carriers must wait a 30-day minimum period of time after giving customers notice and an
opportunity to opt-out before assuming customer approval to use' disclose, or permit access to CPNI. Acarrier may, in its discretion, provide for a longer period. Carriers must notiff customers as to the
applicable waiting period for a response before approval is assumed.
(i) ln the case ofan electronic form ofnotification, the waiting period shall begin to run lrom the
date on which the notification was sent; and
(iD In the case ofnotification by mail, the waiting period shall begin to run on the third dayfollowing the date that the notification was mailed.
(2\ Caniers using the opt-out mechanism must provide notices to their customers every twoyears.
(3) Telecommunications carriers that use e-mail to provide opt-out notices must comply with the
following requirements in addition to the requirements genemlly applicable to notification:
(i) Carriers must obtain express, verifiable, prior approval from consumers to send notices via e-
mail regarding their service in general, or CPNI in particular;
(ii) Carriers must allow customers to reply directly to e-mails conaining CPNI notices in order toopt-out;
(iii) Opt-out e-mail notices that are returned to the carrier as undeliverable must be sent to the
customer in snother form before carriers nay consider the customer to have received notice;
(iv) Caniersthatusee-mailtosendCPNInoticesmustensurethatthesubjectlineofthemessageclearly and accumtely identifies the subject matter ofthe e-mail; and
(v) Telecommunications carriers must make available to every customer a method to opt-out thatis ofno additional cost to the customer and that is avallable24 hours a day, seven days a week. Carriers
may satisry this requirement through a combination ofmethods, so long as all customers have the ability toopt{ut at no cost and are able to effectuate that choice whenever they choose.
The Company does ,rol cwrenll! soficil "opt out" cuslomer approval fot lhe use or disclosure of CPNI,The Company does nol use CPNI for any purposes Ancfuding markeTlng communicalions-rclatedsemlces) and does not dlsclose ot grurrt access lo CPNI to att! parE qncluding to ogetts ot a1filid6 lhatpruvide communications-relaled sepices), except as petmitted under 47 U.SC I 222(d) and Rule64.200s.
(e) Notice Requirements Specific to Opt-In. A telecommunications carrier may provide
notification to obtain oprin approval through oral, written, or electronic methods. The contents ofany such
notification must comply with the requirements ofparagraph (c) ofthis section.
The Company does not cuncatly soliclt 'opt-in" cuslomer approvol for the use or disclosure ofCPNLThe Company does ,rot use, dislclose or granl access to CPNI for ant putpose, to any pad! or in ony
manner ,htrt teould require a cuslomet's "opt in" apptovd undet the Comrnission's CPNI Rules
(f) Notice Requirements Specific to One-Time Use of CPNI. (l) Caniers use oral notice to
obtian limited, one-time use ofCPNI for inbound and outbound customer contacts for the
duration ofthe call, regardless ofwhether carriers use opt-out or opt-in approval based on the nature ofthecontact.
(2) The contents ofany such notification must comply with the requirements ofparagraph (c) ofthis section, except that telecommunications carriers may omit any ofthe following notice provisions if,notrelevant to the limited use for which the carrier seeks CPNI:
(i) Carriers need not advise customers that ifthey have optd-out previously, no action is needed
to maintain the opt-out election;
(ii) Carriers need not advise customen thatthey may share CPNI with their affiliates orthirdparties and need not any thos€ entities, ifthe limiM CPNI usage will not result in use by, or disclosure
to, an afliliate or third party;
(iii) Caniers need not disclose the means by which a customer can deny or withdraw future access
to CPNI, so long as carriers explain to customers that the scope ofthe approval the carrier seeks is limitedto one-time uso and;
(iv) Caniers may omit disclosure of the precise steps a customer must take in order to gamt ordeny access to CPNI, as long as the carrier clearly communicates that the customer can deny access to his
CPNI for the call.
In instances where the Company seehs one-time cuslomer opprovalfor lhe use ot disclosaru ofCPNI,lhe Compary obrains such approval in accordancewith the discloswes, methods and rcquircmenlscontained in Rule 2U)EA).
Secion 64.2ffi9 Safeguards required for use ofcustomer propritery nctwork information.
(a) Telecommunications carriers must implement a system by which the status of a customefs
CPNI approval can be clearly established prior to the use ofCPNI.
The Compnay's billiag s!f,em allows atthoriTed company perconnel to ereily detetmine ,he sla/us of ocustomer's CPNI appruval on the cuslomet accounl soten priot to lhe ase o disclosure of CPNI.
(b) Telecommunications carriers must train their personnel as to when thay are and are not
authorized to use CPM, and carriers must have an express disciplinary process in place.
The Company has eslablished CPNI compliance pofices thal include employee training on ratrictionson lhe use and disclosurc ofCPNI and rcquired safeguads lo prolect against unaathorized use ordisclosure of CPNI. Employees have slgned thal they understand the CPNI pollcies and a viobtion ofthose policies will resull in disciplinary actiorl
(c) All carrien shall maintain a record, eletronically or in some other manner, oftheir own and
their affiliates' sales and ma*eting campaigns that use their customers' CPNI. All carriers shall maintain a
record ofall instances where CPNI was disclosed or provided to third parties, or where third parties were
allowed access to CPNI. The record must include a description ofeach campaign, the specific CPNI thatwas used in the campaign, and what products and services were offered as a part ofthe campaign. Caniersshall retain the record for a mininmum ofone year.
The Company's CPM policies require thal all salcs and marketlng canpaigns includng those uliliingCPNI be rearded and *eN on frle Iu d leasl one year. Records are abo mointained for disclosure oraccess lo CPNI b! third parti* The recods include thc rcquircd information listed in Rule 61.2009 (c).
(d) Telecommunications carriers must establish a supervisory review process regarding carrier
compliance with the rules in this subpart for out-bound marketing situations and maintain records ofcarriercompliance fbr a minimum period of one year . Specifically, sales personnel must obtain supervisory
approval ofany proposed out-bound marketing request for customer approval.
The Company's CPNI policies require employees lo oblain approval from the Company's CPNICompliance Olficerfor all ma*eting campaigns, including those utilizing CPNI, priot to lnitiaring thatcampaign Recod of the marketing campaigts, along with the apprcpraite superuisor! approval ismaintained for at least one leat
(e) A telecommunications carrier must have an officer, as an agent ofthe carrier, sign and filewith the Commission a compliance certificate on an annual basis. The officer must state in the certification
that he or she has personal knowledge that the company has established operating procedures that are
adequate to ensure compliance with the rules in this subpart. The carrier must provide a statement
accompanying the certificate explaining how its operating procedures ensure that it is or is not in
compliance with the rules in this subject. In addition, the carrier must include an explaination ofanyactions taken against data brokers and a summary ofall customer complaints received in the past tear
conceming the authorized release of CPNI. This filing must be made annually with the Enforcement
Bureau on or before March I in EB Docket No- 06-36, for data pertaining to the previous calendar year.
The required olficer cerliJication actions laken againsl data broken and summary of cuslometcomplaint documenls are includedwith this accomanying slalemenl The Company willfile these
documents on an annual basis on or before March I for data pertaining lo the previous calendar year.
(f) Carriers must provide written notice within five business days to the Commission olanyinstance where the opt-out mechanisms do not work properly, to such a degree that consumers' inability to
opt-out is more than an anomaly.
(l ) The notice shall be in the form ofa letter, and shall include the carrie/s name, a description ofthe opt-out mechanism(s) used, the problem(s) experienced, the remedy proposed and when it will be/was
implemented, whether the relevant state commission(s) has been notified and whether it has taken any
action, a copy ofthe notice provided to customers and contact information.
(2) Such notice must be submitted even ifthe carrier offers other methods by which consumers
may opt-out.
The Company does not cuilently solicil "opl out" customer approvalfor lhe use or disclosurc ofCPNI.
Section 64.2010 Safeguards on the disclosure ofcustomer proprietary network informstion.
(a) Safeguarding CPNI. I'elecommunications carriers must take reasonable measures to discover
and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must
properly authenicate a customer prior to dislclosing CPNI based on customer-initiated telephone contact,
online account access, or an on-store vistt.
The Company's CPNI polocia and emplolee tadning include reasonable measures lo discover andprolect against activlt! thal is indicalive of prelexting ond employees arc inslructed to notw lhe CPNIComplionce OlJicer ifany such activity is suspected
(b) Telephone access to CPNI. Telecommunications carriers may only disclose call detail
information over the telephone, based on customer-initiated telephone contact, ifthe customer firstprovides the carrier with a password, as described in pamgraph (e) ofthis section, that is not prompted by
the carrier asking lor readily available biographical information, or account inflormation. Ifthe customer
does not provide a password, the telecomminications canier may only disclose call detail information by
sending it to the custome/s address ofrecord, or by calling the customer at the telephone number ofrecord. lfthe customer is able to provide call detail information to the telecommunications carrier during a
customer-initiated call without the telecommunications canieds assistance, then the telecommunications
canier is permitted to discuss the call daail information provided by the customer.
The Company's CPNI policies ensute lhal o customer is only able to occess call detail infon ralion ovetlhe telephone on one of the ways listed in Rule 64.2010(b). If the customer cannol rcmembet theitpassword, thq arc prompled lo answer a secufit! questiotl Neithet lhe password not the securi0t
queslion are based on readillt available biographical informalion or accounl lnformalion Custometservice rcprcsenlatives arc inslructed to aalhenicate customets over lhe telephone in alll instances except
in the case where lhe cuslomet pruvides the call detail informalion withoul lhe assistance of theCompany.
(c) Online qccess to CPNI. A telecommunications canier must authenticate a customer without
the use ofreadily available biographical information, or account information, prior to allowing the
Customer online access to CPNI related to a telecommunications service account. Once authenticated, the
customer may only obtain access to CPNI related to a telecommunications service account through a
password, as described in paragraph (e) ofthis section, that is not prompted by the carrier asking tbr readily
available biographical information, or account inlormation,
The cgmpany autherrricafes cuslomo/s withotrt tha use of r@dily atnileile biographical or accounl informatloo prior toaltowing on acc8s to CPNI tdalted lo an &counl Once aulhenticad,lhe cusromeilnay only ouain *cess b CPNI
lhrough a r€ssword,lhat is not prcmpted by readily availawe blognphical or accounl information.
(d) In Store occess lo CPNI. A telecommunications carrier may disclose CPNI to a customer
who, at a carrier's retail location, llrst presents to the telecommunications carrier or its agent a valid photo
lD matching the custome/s account information.
The Company does not l,€ve rcbil locations.
(e) Establishment ofa Password and Back-up Authentication Methodsfor Lost or ForgottenPasswords. To establish a password, a telecommunications carrier must authenticate the customer without
the use ofreadily available biographical information, or account information. Telecommunications carriers
may create a back-up customer authentication method in the event ofa lost or forgotten password, but such
back-up customer authentication method may not prompt the customer lor readily available biographical
information, or account information. If a customgr cannot provide the correct password or the correct
response for the back-up customer authentication method, the customer must establish a new password as
described in this paragraph.
The Compony's CPNI policies allov, fot afew ways to eslablish a password, all of which ensure
compliance with lhe above paragraph. Each mdhod also allows lhe customet to eslablish a back-up orsecurit! question in lhe event that they forget lheb password- In no evenl d.oes the Company use readily
available biograhical informotion ot accounl infomalion as a back-up question or os a means to
establish a password or authenlicate the customet.
(0 Nottfication of account chonges. Telecommunications carriers must notify customers
immediately whenever a password, customer response to a back-up means ofauthentication for lost or
forgotten passwords, online account, or address ofrecord is created or changed. This notification is not
required when the customer initiates service, including the selection ofa password at service initiation.
This notihcation may be through a carrier-originated voicemail or text message to the telephone number ofrecord or by mail to the address ofrecord. and must not reveal the changed information or be sent to the
new account information.
me company will ,rotry a custom€/, imn?€,dialdy whqt accf,unt chang@ occur, induding a passwor4 a /€sponse io a
back-up means of euthentlcatlon, or addrss of racord. The notification will be thtough a canier-oiginated volcemeil or,exf ,ressagp ro fre lElephone numbq of rccotd, ot by ,,,eil tothe a&res6of r€f,,ord, and will not c?,nt,,in the changed
infomation or be sqtt to the new accounl informetion.
(g) Business Cuslomer Exemption. Telecommunications carriers may bind themselves
contractually to authentication regimes other than those described in this section for services they provide
to their business customer thal have both a dedicated account representative and a contract that specificallyaddresses the carriers' protection of CPNI.
The Cqnwny & not ulilize {B busln€ss customa exception at lhis firn€,.
Section 64.201I Notillcation ofcustomer proprietsry network informetion s€curitybreaches.
(a) A telecommunications carrier shall notiry law enforcernent of a breach of its customers' CPNIas provided in this section. The canier shall not notify its customers or disclose the breach publicly,whether voluntarily or under state or local law or these rules, until it has completed the process of notiryinglaw enforcement pursuant to paragraph (b).
(b) As soon as pmcticable, and in no event later than seven (7) business days, after reasonable
determination ofthe breach, the telecommunications carrier shall electronically notiry the United States
Secret Service (USSS) and the Federal Bureau oflnvestigation (FBI) through a central reporting facility.The Commission will amintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.
(l) Notwithstanding any state law to the contrary, the carrier shall not notiff customers ordisclose the breach to the public until 7 full business days have passed after notification to the USSS andthe FBI except as provided in pamgraphs (2) and (3).
(2) Ifthe carrier believes that there is an extraordinarily urgent need to notif! any class ofaffectedcustomers sooner than otherwise allowed under paragraph (l ), in order to aviod immediate and ineparable
harm, it shall so indicate in its notification and may proceed to immediatley notify its affected customersonly after consultation with the relevant investigating agency. The carrier shall cooperate with the relevant
investigating agenry's request to minimize any adverse effects of such customer notification.
(3) Ifthe relevant investigating agency determines that the public disclosure or notice tocustomers would impede or compromise an ongoing or potential criminal investigation or national security,
such agency may direct the carrier not to so disclose or notiry for an initial period ofup to 30 days. Suchperiod may be extended by the agency as reasonable necessary in thejudgernent ofthe agenry. Ifsuchdirection is given, the agency shall notifr the carrier when it appears that public disclosure or notice to
affected customers will no longer impede or compromise a criminal investigation or national security. Theagency shall provide in writing is initial direction to the carrier, any subsequent extension and anynotification that notice will no longer impede or compromise a criminal investigation or national security
and such writings shall be contemporaneously logged on the same reporting facility that contains records ofnotifications filed by carriers.
(c) Recordteeping. AII caniers shall maintain a record, electronically or in some other manner, ofany breaches discovered, notification made to the USSS and the FBI pusuant to pamgraph (b) and
notification !o customers. The record must include, ifavailablq dates ofdiscovery and notification, a
detailed description ofthe CPNI that was the subject ofthe breach, and the circumstances ofthe breach.
Carriers shall retain the record for a minimum of 2 years.
The Compony has policies arrd ptocedures in place to ensure compliance with Rale 61.201 l. Wen it isreasonably derermined thd a breach has occurred, the CPNI Compliance Wcer will notily lawenforecemmt and its customen in the rcqulrud timefram$. A recoil of fie brcach wlll be maintoinedfora minlmum of two yean and *ill include all information reqalrcd by Rule 64.201 I.
