On January 12, 2007, President Bush signed into law the Telephone Records and Privacy Protection Act of 2006 (“TRPPA”). The new law targets a practice known as "pretexting," where someone calls a company impersonating a customer and attempts to secure personal records without the consumer's knowledge or permission. The new law focuses on pretexting to obtain phone records. It provides criminal penalties for those who attempt to fraudulently obtain confidential telephone records or to sell or purchase such records. In most cases, those prosecuted under this law face fines, imprisonment of up to ten years, or both. For many years, data brokers and others have used a variety of pretexting methods to gather personal information. The Gramm-Leach-Bliley Act, enacted in 1999, made pretexting illegal in the context of the collection of financial information. Several State laws forbid the use of "false or fraudulent pretenses" to obtain confidential information from a public utility. The TRPPA focuses on unwanted access to telephone records.
BACKGROUND
Telephone service providers keep logs of calls made and received by individuals. These records are maintained for the exclusive use of phone companies, their authorized agents, and authorized consumers. The information collected in any such records may reflect the daily schedule of an individual. It may identify the telephone users' personal or business associates, and reveal frequent communications with the likely target in a merger or acquisition. Both companies might otherwise make great efforts to keep these communications secret. The log of calls may also provide an account of private relationships, such as calls made to a psychotherapist or psychiatrist, or received from a secret special friend.
Telephone records are frequently obtained without the knowledge or consent of consumers through numerous methods and devices. For example, a data broker may attempt to purchase the data from telephone company employees. The data broker or private investigator may also represent that he is an authorized consumer, and attempt to convince an agent of the telephone company to release the data. In other circumstances, unauthorized access to account data may be gained by improperly activating a consumer's account management features on a phone company's webpage or contracting with an Internet-based data broker who traffics in such records.
Once obtained, an individual’s telephone records can be of great use to criminals and others because the information contained in call logs may include a wealth of personal data. It may, as well, be used to undermine law enforcement investigations.
SCOPE OF THE LAW
The new Telephone Records and Privacy Protection Act of 2006 focuses on the obtention, sale, transfer, purchase, or receipt of confidential telephone records information from telecommunications carriers and other “covered entities”. The law amends Title 18 of the US Code, by adding a new Section 1039.
BASICS
- Covered entities
“Covered entities” are defined in the law as entities that either qualify as a “telecommunications carrier” under section 3 of the Communications Act of 1934 (47 U.S.C. 153), or are providers of IP-enabled voice service. For the purpose of the law, an “IP-enabled voice service” is the provision of real-time voice communications offered to the public, or such class of users as to be effectively available to the public, transmitted through customer premises equipment using TCP/IP protocol, or a successor protocol, (whether part of a bundle of services or separately) with interconnection capability such that the service can originate traffic to, or terminate traffic from, the public switched telephone network, or a successor network.
- Who is protected?
The law protects the “customers” of covered entities. A “customer” is any individual, partnership, association, joint stock company, trust, or corporation, or authorized representative of such customer, who receives products or service from a covered entity.
- What information is protected?
The law focuses on the protection of “confidential phone records information”. The term is defined as any information that--
(A) Relates to the quantity, technical configuration, type, destination, location, or amount of use of a service offered by a covered entity, subscribed to by any customer of that covered entity, and kept by or on behalf of that covered entity solely by virtue of the relationship between that covered entity and the customer;
(B) Is made available to a covered entity by a customer solely by virtue of the relationship between that covered entity and the customer; or
(C) Is contained in any bill, itemization, or account statement provided to a customer by, or on behalf of a covered entity solely by virtue of the relationship between that covered entity and the customer.
WHAT IS PROHIBITED?
The law prohibits the obtention, sale, transfer, purchase, or receipt of confidential telephone records information from telecommunications carriers and other covered entities.
- Obtention of Confidential Phone Records
The TRPPA makes it a crime for anyone, in interstate or foreign commerce, to knowingly and intentionally obtain, or attempt to obtain, confidential phone records information of a “covered entity”, by--
(1) Making false or fraudulent statements or representations to an employee of a covered entity;
(2) Making such false or fraudulent statements or representations to a customer of a covered entity;
(3) Providing a document to a covered entity knowing that such document is false or fraudulent; or
(4) Accessing customer accounts of a covered entity via the Internet, or through computer fraud without prior authorization from the customer to whom such confidential phone records information relates.
Those prosecuted under this law face fines, or imprisonment of up to ten years, or both.
- Sale, Transfer, Purchase, or Receipt of Confidential Phone Records Information
The law makes it a crime, as well, to knowingly and intentionally sell, transfer, purchase, receive, or attempt to sell, transfer, purchase or receive confidential phone records information of a covered entity, in interstate or foreign commerce (a) without prior authorization from the customer to whom such confidential phone records information relates; or (b) when knowing, or having reason to know, that such information was obtained fraudulently. Those prosecuted on these grounds also face fines, or up to ten years imprisonment, or both.
- Exception
There is an exception.
There is no violation if the confidential phone records information is used by a covered entity to (1) initiate, render, bill, and collect for telecommunications services; (2) protect the rights or property of the carrier, or to protect users of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services; or (3) provide call location information concerning the user of a mobile device in case of an emergency.
PENALTIES
In most instances, those prosecuted under TRPPA face fines, imprisonment of up to ten years, or both. By mid-July 2007 (within 180 days after the date of enactment of the law) the United States Sentencing Commission must review and, if appropriate, amend the Federal sentencing guidelines and policy statements applicable to persons convicted of any offense under the TRPPA.
- Aggravated Cases
If the violation described above is combined with a violation of another Federal law, or is part of a pattern of illegal activity involving more than $100,000, or more than 50 customers of a covered entity, in a 12-month period, then, in addition to the penalties provided above, those prosecuted may be fined up to $500,000 or imprisoned for up to five years, or both.
- Enhanced Penalties
In addition, there are enhanced penalties for the use of the protected information in furtherance of certain criminal offenses. The law focuses on the use of information obtained through pretexting in the case of domestic disputes and relationship abuses, or for other types of harassment. There are enhanced penalties when the protected information is accessed or collected in furtherance of domestic violence, stalking, or violation of a protective order, or with the intent to commit such offenses.
There are also enhanced penalties if the information obtained through pretexting is used with the intent to intimidate, threaten, harass, injure, or kill any Federal, State, or local law enforcement officers, in furtherance of such acts. In these cases, there are additional fines, and prison terms of up to 5 years.
PREEMPTION?
The Federal TRPPA is silent as to preemption.
COMPARISON WITH CALIFORNIA ANTI-PRETEXTING LAW
Several months before Congress passed the Federal law, California enacted its own anti-pretexting law. Governor Arnold Schwarzenegger signed California’s Senate Bill 202 into law in September 2006, just a few days before the revelation of questionable activities at Hewlett Packard. The California law bans the use of deceit to obtain telephone calling records. The California law – codified as California Penal Code Section 638 – punishes any person who (a) purchases, sells, offers to purchase or sell, or conspires to purchase or sell any telephone calling pattern record or list, without the written consent of the subscriber, or (b) procures or obtains through fraud or deceit, or attempts to procure or obtain through fraud or deceit, any telephone calling pattern record or list.
Under California law, the protected information is a “telephone calling pattern record or list”. This term is defined as information retained by a telephone company that relates to the telephone number dialed by the subscriber, or other person using the subscriber's telephone with permission, or the incoming number of a call directed to the subscriber, or other data related to such calls typically contained on a subscriber telephone bill such as the time the call started and ended, the duration of the call, or any charges applied.
Also included is any information as to whether the call was made from or to a telephone connected to the public switched telephone network, a cordless telephone, a VOIP telephony device, a satellite telephone, or commercially available interconnected mobile phone service that provides access to the public switched telephone network via a mobile communication device employing radiowave technology to transmit calls, including cellular radiotelephone, broadband Personal Communications Services, and digital Specialized Mobile Radio.
The law provides for a fine of up to two thousand five hundred dollars ($2,500), or imprisonment for up to one year, or both. If the prosecuted person has previously been convicted of a similar violation, he or she is punishable by a fine of up to ten thousand dollars ($10,000), a jail term of up to one year, or both.
The California anti-pretexting law presents, in addition, a feature that is not found in the TRPPA. It addresses the use of the information obtained through pretexting in litigation. The California law makes personal information obtained in violation of the law inadmissible as evidence in any judicial, administrative, legislative, or other proceeding unless the information is offered as proof in an action or prosecution for a violation of the law itself.
WHAT CONSEQUENCES FOR BUSINESSES?
The directors and officers of a company are responsible for ensuring the success of the company. This includes, among other things, preserving the company’s most valuable assets, such as the company’s strategic plans or its intellectual assets. When leaks occur and there is a suspicion of illegal practices by certain individuals, the company management has an obligation and a legitimate need to make these practices stop. To do so, it is necessary to identify those who are responsible for the leakage of information or IP assets. Such investigation presents a delicate challenge.
The events that affected Hewlett Packard in the Fall of 2006 have shown that even the best occasionally may stumble. Despite having received numerous awards for its privacy awareness and the quality of its privacy practices, the company’s reputation was tarnished when there were accusations that aggressive investigation methods might have been used to discover hard-to-find information.
When investigating an information leak, businesses must ensure that they remain within the boundaries of the law. They must ensure that their service providers do the same, as well. Indeed, the company ultimately remains fully liable for the activities of its subcontractors. To keep on track, and avoid costly detours, companies need to have in place procedures and safeguards. They should take steps to instill proper ethics and values in their personnel (and subcontractors or service providers) through rigorous training that sets the tone and sensitizes them to the delicate balance between the company’s interest and the protection of individual rights and freedoms. They also need to constantly monitor compliance with the set guidelines, and punish the infringers.
When evaluating or improving their current practices, procedures and safeguards, companies may want to learn from the recent events. The terms of the settlement between Hewlett Packard and the California Attorney General’s Office after the events that were widely reported in the press in the Fall of 2006 may serve as guidance and a checklist of action items. In the settlement agreement, Hewlett Packard agreed to institute corporate governance reforms to help ensure that the company complies with legal and ethical standards when it conducts investigations. These reforms include:
- The appointment of an independent director to serve as the board’s watchdog on compliance with ethical and legal requirements.
The director will have specific responsibilities in carrying out that oversight function, and report violations to the Board, other responsible HP officials and the Attorney General.
- Maintaining the employment of a chief ethics and compliance officer. The chief ethics and compliance officer (CECO) will have expanded oversight and reporting duties, and authority to retain independent legal advisors. The CECO will review the company’s investigation practices and make recommendations to the Board on how to improve the practices. The CECO will report to the Board’s Audit Committee.
- Expansion of the role of the company's chief privacy officer in the review and oversight of the company’s practices. HP will expand the duties and responsibilities of its chief privacy officer to include review of the firm’s investigation protocols to ensure they protect privacy and comply with ethical requirements.
- Establishment of a Compliance Council, headed by the CECO and comprised of the chief privacy officer, deputy general counsel for compliance, head of internal audit, and ethics and compliance liaisons. The Council will develop and maintain policies and procedures governing the company’s ethics and compliance program, and provide periodic reports to the CEO, Audit Committee and Board.
- Strengthening the ethics and conflict-of-interest components of the company’s training program. The training redesign will be directed and monitored by the CECO, Compliance Council, independent director and chief privacy officer.
- Expanding the company's employee and vendor codes of conduct to ensure that they address ethical standards regarding investigations. The company will create a separate code of conduct, for use by outside investigators, that addresses privacy and business ethics issues.
The list of activities that Hewlett Packard has agreed to embark on to reshape its internal practices provides an example of what a business may wish to aim for, within the limits of its financial capabilities and resources.
CONCLUSION
The new federal Telephone Records and Privacy Protection Act of 2006 prohibits access to confidential telephone records through "pretexting" or similar methods that facilitate access to telephone records and similar information of an individual without the individual’s knowledge or permission. The TRPPA makes it a crime to obtain, or attempt to obtain, without the prior consent of an individual, confidential phone records information of that individual, by making false or fraudulent statements or representations to an employee or a customer of a telecommunications or VOIP carrier, or by accessing customer accounts via the Internet, or through computer fraud. The new law also prohibits the sale, transfer, purchase, or receipt of confidential phone records information without prior authorization from the customer to whom such confidential phone records information relates; or when knowing that such information was obtained fraudulently. Those prosecuted under this law face fines, or imprisonment of up to ten years, or both. These fines and prison terms may be increased in case of violation compounded with other activities, or some egregious crimes.
To avoid costly detours, companies need to have in place appropriate policies, procedures, and safeguards. They should take steps to instill proper ethics and values in their personnel through rigorous training that sets the tone and sensitizes their personnel and critical subcontractors to the delicate balance between the company’s interest and protection of individual freedoms. They also need to constantly monitor compliance with the set guidelines, and punish the infringers.
To ensure proper performance of such a program, they must identify champions within the company and on the board, who receive adequate authority and sufficient financial and other support to lead the program.
We can help
The IT Law Group assists clients in evaluating compliance with evolving privacy and information security laws and standards. Our team has in-depth experience with privacy, data protection, and information security matters. We monitor regulatory trends and developments in the leading business centers of the world. If you have any questions about the new pretexting law, please contact us.
New Federal Anti-Pretexting Law: Telephone Records and Privacy Protection Act of 2006
What Consequences for Businesses?
By Francoise Gilbert
© 2007 IT Law Group – All Rights Reserved