Order Code RL33287
CRS Report for Congress
Received through the CRS Web
Data Security: Protecting the Privacy of
Phone Records
March 28, 2006
Gina Marie Stevens
Legislative Attorney
American Law Division
Tara Alexandra Rainson
Law Librarian
Knowledge Services Group
Congressional Research Service ˜ The Library of Congress
Data Security: Protecting the Privacy
of Phone Records
Summary
The privacy of cellular telephone records has the potential to become a high-
priority item on the congressional agenda. The Congress, the Federal
Communications Commission (FCC), the Federal Trade Commission (FTC), and
State Attorneys General are investigating the practices of companies that sell
customer calling records for wireless and landline phones to determine whether they
are in compliance with current confidentiality protections for customer information.
Several federal bills have been introduced to address the breach of phone customers’
privacy and to prevent the fraudulent acquisition of telephone records. Hearings have
been held in both the House and Senate regarding the sale of phone records.
Legislation has also been introduced (H.R. 4657, H.R. 4662, H.R. 4678, H.R. 4709,
H.R. 4714, H.R. 4943, S. 2177, S. 2178, and S. 2389) that seeks to improve
safeguards over customers’ phone records and criminalize fraudulent access to such
records. The House Judiciary Committee reported H.R. 4709 on March 16, and the
Senate Judiciary Committee reported S. 2178 on March 2 without written report.
The House Energy and Commerce Committee reported H.R. 4943 on March 16, and
the Senate Commere, Science, and Transportation Committee is scheduled to mark
up S. 2389 on March 30. The FCC has granted a petition for a rulemaking to
determine whether enhanced security and authentication standards for access to
customer telephone records are warranted. The FTC is investigating data brokers
involved in the practice of selling telephone records and is working with the FCC,
which has jurisdiction over telecommunications carriers. At least five states have
sued data brokers to enjoin the acquisition and sale of customer records. This report
provides a brief discussion of efforts to protect the privacy of customer telephone
records. For additional information, see CRS Report RL31636, Wireless Privacy and
Spam: Issues for Congress, by Marcia S. Smith. This report will be updated when
warranted.
Contents
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Federal Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Gramm-Leach-Bliley Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Federal Trade Commission Act . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Customer Proprietary Network Information (CPNI)
Under the Communications Act . . . . . . . . . . . . . . . . . . . . . . 3
Congressional Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Regulatory Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Litigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Data Security: Protecting the Privacy
of Phone Records
Background
According to recent press accounts and a recent petition filed with the Federal
Communications Commission (FCC) by the Electronic Privacy Information Center
(EPIC), numerous websites advertise the sale of personal telephone records.1
Specifically, data brokers advertise the availability of cell phone records, which
include calls to and from a particular cell phone number, the duration of such calls,
and may include the physical location of the cell phone. In addition to selling cell
phone call records, many data brokers also claim to provide calling records for
landlines and Voice over Internet Protocol (VoIP), as well as nonpublished phone
numbers. Data brokers claim to be able to provide this information fairly quickly, in
a few hours to a few days.
Although personal information such as Social Security numbers can be found
on public documents, phone records are stored only by phone companies.2 For this
reason, data brokers are alleged to have obtained phone records from the phone
companies themselves, albeit without their approval. It is also believed that data
brokers have taken advantage of inadequate company security standards to gain
access to customer telephone information. Data brokers are thought to employ three
different practices to obtain customer telephone records without the approval of the
customer. The first method occurs when an employee of one of the phone companies
sells the records to the data broker. The second method occurs through a practice
called “pretexting,” where a data broker pretends to be the owner of the phone and
obtains the records from the telephone company under false pretenses. The third
method is employed when a data broker obtains the customer’s telephone records by
accessing the customer’s account on the Internet.
Phone companies are believed to have strict rules preventing and guarding
against the employee sale of telephone records and the unauthorized acquisition of
customer information. On the other hand, private investigators, often routine users
of telephone customer record data, state that information security by carriers to
protect customer records is practically nonexistent and is routinely defeated. The
1 Petition of the Electronic Privacy Information Center for Rulemaking to Enhance Security
and Authentication Standards for Access to Customer Proprietary Network Information, CC
Docket No. 96-115 (filed Aug. 30, 2005), at [http://www.epic.org/privacy/iei/].
2 Jonathan Krim, “Online Data Gets Personal: Cell Phone Records for Sale,” Washington
Post, July 8, 2005, at D01.
CRS-2
Federal Trade Commission (FTC) has indicated that data-theft investigations have
shown that “finding someone on the inside to bribe is not that difficult.”3
Pretext calling for customer telephone records occurs when the data broker or
investigator pretends to be the cell phone account holder and persuades phone
company employees to release the information. The public availability of personal
identifiers, like the Social Security number, makes it easier for someone to
impersonate the account holder to convince the employee that they are the account
holder.
Telephone companies are encouraging customers to receive electronic
statements and to access customer accounts online. Typically, online accounts are
set up in advance, to be activated at a later date by the customer. If someone can
figure out how to activate and access the online account of the customer, the call
records can be obtained.
With respect to the issue of who is purchasing the phone records from data
brokers, EPIC recently investigated this question and concluded that attorneys are
among the top users of private investigators and pretexting. In response to its
finding, EPIC wrote to State Bar Ethics Committees, noting that “it has become
increasingly clear that attorneys are major consumers of pretexting services. In this
letter, we request that appropriate action be taken to ensure that attorneys in your
state are not employing investigators or other companies to engage in pretexting or
other fraud.”4
Federal Laws
Although there is no single federal law governing data brokers, other statutes
and regulations may be applicable. A review of the laws regulating use and
disclosure of information collected by information brokers appears in CRS Report
RL33005, Information Brokers: Federal and State Laws, by Angie A. Welborn.
Certain sectors are currently subject to legal obligations to protect sensitive personal
information. These obligations were created, in large part, through the enactment of
federal privacy legislation in the financial services, health care, government, and
Internet sectors. Federal regulations issued to carry out requirements of federal
privacy laws impose obligations on covered entities to implement information
security programs to protect personal information. For further information, see CRS
Report RS22374, Data Security: Federal and State Laws, by Gina Marie Stevens.
3 Federal Legislation Introduced to Stop the Sale of Phone Records, (Jan. 20, 2006) at
[http://www.govtech.net/magazine/channel_story.php/97955].
4 Electronic Privacy Information Center, Letter to Ethics Board Concerning Attorneys’ Use
of Pretexting (Feb. 21, 2006) at [http://www.epic.org/privacy/iei/attyltr22106.html#_ftn1].
CRS-3
Although pretext calling for financial information is illegal, telephone records
are not included in this prohibition.5 Several federal statutes address illegal conduct
associated with identity theft and pretext calling.6
Gramm-Leach-Bliley Act. Section 523 of the act makes it a crime to obtain
customer information of a financial institution by means of false or fraudulent
statements to an officer, employee, or agent or customer of a financial institution, or
to request another person to obtain customer information from a financial institution
if the requester knows that the information will be obtained by making a false or
fraudulent statement.7
Federal Trade Commission Act. The FTC may bring a law enforcement
action against a pretexter of telephone records for deceptive or unfair practices.8
Using its authority under Section 5, the FTC has brought a number of cases against
businesses that use pretexting to gather financial information on consumers.
Currently, the FTC is investigating data brokers that use pretexting to gather
customer telephone records and is working with the FCC, which has jurisdiction over
telecommunications carriers subject to the Communications Act. In addition, the
FCC is investigating telecommunications carriers to determine whether they have
implemented safeguards that are appropriate to secure the privacy of customer data,
and it has initiated a proceeding to determine what additional rules it should adopt
to protect phone records from unauthorized disclosure.
Customer Proprietary Network Information (CPNI) Under the
Communications Act. Section 222 of the Communication Act of 1934, as
amended, establishes a duty of every telecommunications carrier to protect the
confidentiality of its customers’ customer proprietary network information (CPNI).9
CPNI includes personally identifiable information derived from a customer’s
relationship with a telephone company, irrespective of whether the customer
purchases landline or wireless telephone service. CPNI is defined as
(A) information that relates to the quantity, technical configuration, type,
destination, location, and amount of use of a telecommunications service
subscribed to by any customer of a telecommunications carrier, and that is made
available to the carrier by the customer solely by virtue of the carrier-customer
5 See CRS Report RS20185, Privacy Protection for Customer Financial Information, by M.
Maureen Murphy.
6 Board of Governors of the Federal Reserve System, Identity Theft and Pretext Calling,
Apr. 26, 2001, at [http://www.federalreserve.gov/boarddocs/SRLetters/2001/sr0111.htm].
7 15 U.S.C. § 6828.
8 15 U.S.C. §§ 41-58.
9 47 U.S.C. § 222. Section 222 was added to the Communications Act by the
Telecommunications Act of 1996. Telecommunications Act of 1996, P.L. 104-104, 110 Stat.
56 (codified at 47 U.S.C. §§ 151 et seq.)
CRS-4
relationship; and (B) information contained in the bills pertaining to telephone
exchange service or telephone toll service received by a customer of a carrier.10
In section 222, Congress created a framework to govern telecommunications
carriers’ use of information obtained through provision of a telecommunications
service. Section 222(a) imposes a general duty on telecommunications carriers to
protect the confidentiality of proprietary information of other carriers, equipment
manufacturers, and customers.11 Section 222(b) states that a carrier that receives or
obtains proprietary information from other carriers in order to provide a
telecommunications service may use such information only for that purpose and may
not use that information for its own marketing efforts.12 Section 222(c) establishes
the confidentiality protections applicable to customer information. Section 222(c)(1)
provides that a carrier may only use, disclose, or permit access to customers’
individually identifiable CPNI in limited circumstances: (1) as required by law; (2)
with the customer’s approval; or (3) in its provision of the telecommunications
service from which such information is derived, or services necessary to or used in
the provision of such telecommunications service. Section 222(c)(2) provides that
a carrier must disclose CPNI “upon affirmative written request by the customer, to
any person designated by the customer.”13 Section 222(c)(3) provides that a carrier
may use, disclose, or permit access to aggregate customer information other than for
the purposes described in subsection (1). Section 222(d) delineates certain
exceptions to the general principle of confidentiality.14 Section 222(e) addresses the
disclosure of subscriber list information.
The FCC’s regulations implementing Section 222 govern the use and disclosure
of customer proprietary network information by telecommunications carriers.15
When the FCC implemented Section 222, telecommunications carriers were required
to obtain express written, oral, or electronic consent from their customers (i.e., “opt-
in consent”) before a carrier could use customer phone records to market services
outside of the customer’s relationship with the carrier.
The United States Court of Appeals for the Tenth Circuit struck down those
rules, finding that they violated the First and Fifth Amendments of the Constitution.16
In that case, the plaintiffs argued that the regulations adopted by the CPNI Order
constituted an arbitrary and capricious interpretation of Section 222. In response to
the decision, the FCC reversed its opt-in requirement and implemented an opt-out
rule; telecommunications carriers must receive opt-in (affirmative) consent before
disclosing CPNI to third parties or affiliates that do not provide
10 47 U.S.C. § 222(h)(1).
11 47 U.S.C.§ 222(a).
12 47 U.S.C. § 222(b).
13 47 U.S.C. § 222(c).
14 47 U.S.C. § 222(d).
15 47 C.F.R. §§ 64.2005 - § 64.2009.
16 U.S. West v. FCC, 182 F.3d 1224 (10th Cir. 1999), cert. denied Competition Policy Instit.
v. U.S. West, Inc., 530 U.S. 1213 (2000).
CRS-5
communications-related services.17 However, telecommunications carriers are
permitted to disclose CPNI to their joint venture partners and independent contractors
that provide communications-related services after obtaining a customer’s “opt-out”
consent.18 Carriers are also required by the rules to establish safeguards to protect
against unauthorized disclosure of CPNI, including requirements that carriers
maintain records that track access to customer CPNI records. Each carrier is also
required to certify annually its compliance with the CPNI requirements and to make
this certification publicly available.
In sum, telecommunications carriers are subject to clear and unambiguous
obligations to guard the confidentiality of CPNI and to ensure that it is not disclosed
to third parties without customer approval or as required by law.
Congressional Response
The House Energy and Commere Committee held a hearing on February 1,
2006,19 and the Senate Commerce, Science, and Transportation Subcommittee on
Consumer Affairs, Product Safety, and Insurance held a hearing on February 8,
2006.20 Legislation has also been introduced that seeks to improve safeguards over
customers’ phone records.21 The House Judiciary Committee reported H.R. 4709 on
March 16, and the Senate Judiciary Committee reported S. 2178 on March 2 without
written report. The House Energy and Commerce Committee reported H.R. 4943 on
March 16, and the Senate Commere, Science, and Transportation Committee is
scheduled to mark up S. 2389 on March 30. In addition, the House Energy and
Commerce Committee has launched an investigation into website operators that sell
customers’ phone records.
H.R. 4657, Secure Telephone Operations Act of 2006 (Lipinski) amends the
federal criminal code to prohibit the sale of telephone customer proprietary network
information.
H.R. 4662, Consumer Telephone Records Protection Act of 2006
(Blackburn). This bill prohibits the obtaining of telephone records by false
pretenses and the selling or disclosure of records obtained by false pretenses. False
17 Except as required by law, carriers may not disclose CPNI to third parties or their own
affiliates that do not provide communications-related services unless the consumer has given
“opt in” consent, which is express written, oral, or electronic consent. 47 C.F.R. §§
64.2005(b), 64.2007(b)(3); 64.2008(e); see also 47 C.F.R. § 64.2003(h) (defining “opt-in
approval”).
18 47 C.F.R. §§ 64.2005(b), 64.2007(b)(1).
19 Phone Records for Sale: Why Aren’t Phone Records Safe From Pretexting? Hearing
Before the House Comm. on Energy and Commerce, 109th Cong., 2nd Sess. (Feb. 10, 2006).
20 Protecting Consumers’ Phone Records, Hearing Before the Subcomm. on Consumer
Affairs, Product Safety, and Insurance of the Senate Comm. on Commerce, Science, and
Transportation, 109th Cong., 2nd Sess. (Feb. 8, 2006).
21 Bill summaries prepared by Tara A. Rainson, Law Librarian, Congressional Research
Service, Knowledge Services Group.
CRS-6
pretenses include making a false statement to a telecommunications carrier or
providing any information to a telecommunication carrier knowing that it is false or
that it was obtained fraudulently or without the customer’s consent. The bill also
requires that a carrier notify a customer when the customer’s records are disclosed
to someone other than the customer. A violation would be treated as a violation of
the Federal Trade Commission Act. All powers and functions of the FTC under that
act are available to enforce compliance. Prescribed penalties include a fine, up to
five years imprisonment, or both. Penalties are doubled for offenses that involve
more than $100,000 or more than 50 customers in a 12-month period, or take place
while violating another federal law.
H.R. 4678, Stop Attempted Fraud Against Everyone’s Cell and Land Line
(SAFE CALL) Act (Schakowsky). This bill prohibits the obtaining of telephone
records by false pretenses and the selling or disclosing of records obtained by false
pretenses. False pretenses include making a false statement to a telecommunications
carrier or providing any information to a telecommunication carrier knowing that it
is false or that it was obtained fraudulently or without the customer’s consent. A
violation would be treated as a violation of the Federal Trade Commission Act. All
powers and functions of the FTC under that act are available to enforce compliance.
No new penalties established.
H.R. 4709, Law Enforcement and Phone Privacy Protection Act of 2006
(Smith). H.R. 4709 was reported by the House Judiciary Committee on March 16,
2006.22 It amends the federal criminal code to prohibit the obtaining by fraud or
other unauthorized means of confidential phone records information of a consumer
from a telecommunications carrier or IP-enabled voice service provider (covered
entity); the unauthorized sale or transfer of such records by any person, including any
employee of a covered entity; and the purchase of such records with knowledge that
they were fraudulently obtained or obtained without authorization. This bill exempts
lawfully authorized investigative, protective, or intelligence activities of a law
enforcement or intelligence agency. Penalties for the crime of obtaining confidential
information from a covered entity by fraud include a fine for individuals up to
$250,000 and up to $500,000 for companies, and/or imprisonment for up to 20 years.
Similar fines are imposed for the sale, transfer, or attempts to sell or transfer such
records without authorization and for individuals who purchase confidential phone
records information knowing the records were obtained without authorization. For
the latter two offenses, imprisonment up to five years may also be imposed.
Enhanced penalties are provided for violations occurring in a 12-month period
involving more than $100,000 or more than 50 customers of a covered entity. The
legislation allows for enhanced penalties for cases in which the information is used
to commit further crimes, is used to further a crime of violence, or causes substantial
financial harm. The bill directs the U.S. Sentencing Commission to review and
amend, if appropriate, federal sentencing guidelines and policy statements for the
crimes defined by this act.
22 Law Enforcement and Phone Privacy Protection Act of 2006: Report of the House
Committee on the Judiciary on H.R. 4709, H. Rep. No. 109-395 (2006).
CRS-7
H.R. 4714, Phone Records Protection Act of 2006 (Boswell) amends the
federal criminal code to prohibit the intentional sale or fraudulent transfer or use of
the records of a customer or a telephone service provider. Telephone service means
any form of telecommunications service as defined in 47 U.S.C. §153 (46).
Telephone service also includes any form of wireless phone service, including
cellular phones, broadband, and specialized mobile radio service. Penalties include
a fine, up to 10 years imprisonment, or both. An exception is made for providing
customer records to law enforcement.
H.R. 4943, Prevention of Fraudulent Access to Phone Records Act (Barton).
H.R. 4943 was reported by the House Energy and Commerce on March 16, 2006.23
H.R. 4943 would prohibit deceitfully obtaining or selling the personal information
of telecommunications customers, including customers’ phone records. The bill
provides an exemption from its prohibitions for any action by a law enforcement
agency in connection with the performance of the official duties of the agency. The
bill also would require telecommunications carriers to take precautions to safeguard
customers’ personal information and to notify customers and the Federal
Communications Commission (FCC) whenever there is a breach in the security of
this information. The FCC and the Federal Trade Commission (FTC) would enforce
these restrictions and requirements. The bill also would direct the FCC to write
regulations regarding security precautions for carriers, to periodically audit the
security practices of telecommunication carriers, and to prepare reports on the
assessment of the new regulations and requirements. It would increase the penalty
for privacy violations to a minimum of $300,000 and a maximum of $3 million.
Under current law, the penalty ranges from $100,000 to $1 million.
S. 2177, Phone Records Protection Act of 2006 (Durbin). This bill prohibits
the sale or fraudulent use of the records of a customer of a telephone service
provider. Telephone service means any form of telecommunications service as
defined in 47 U.S.C. §153 (46). Telephone service also includes any form of
wireless phone service, including cellular phones, broadband, and specialized mobile
radio service. The bill makes an exception for law enforcement agencies that seek to
obtain telephone records in connection with official law enforcement duties. It
imposes a fine, up to 10 years imprisonment, or both.
S. 2178, Consumer Telephone Records Protection Act of 2006 (Schumer).
S. 2178 was reported by the Senate Judiciary Committee without report on March 2
after it adopted a substitute amendment that makes the bill identical to a House bill
(H.R. 4709).
S. 2264, Consumer Phone Record Security Act of 2006 (Pryor) prohibits the
unauthorized access or use of customer proprietary network information, the
unauthorized sale of customer proprietary network information, and solicitation to
obtain customer proprietary network information. The bill makes an exception for
law enforcement agencies that seek to obtain telephone records in connection with
official law enforcement duties. A violation would be treated as a violation of the
23 Prevention of Fraudulent Access to Phone Records Act: Report of the House Committee
on Energy and Commerce on S. 4963, H. Rep. No. 109-398 (2006).
CRS-8
Federal Trade Commission Act. Concurrent enforcement by the Federal
Communications Commission is also provided for. A State may bring a civil action
on behalf of its residents in an appropriate district court of the United States to
enforce the prohibitions or to impose the authorized civil penalties. An individual
whose customer proprietary network information has been obtained, used, or sold
may bring a civil action in any court of competent jurisdiction against the person,
excluding a telecommunications carrier, who committed the violation seeking a civil
penalty of not more than $11,000 for each violation of this Act; and such additional
relief as the court deems appropriate, including the award of court costs, investigative
costs, and reasonable attorney’s fees. Telecommunications carriers are required to
comply with additional provisions to protect customer proprietary network
information.
S. 2389, Protecting Consumer Phone Records Act (Allen) amends the
Communications Act of 1934 to prohibit the unlawful acquisition and use of
confidential customer proprietary network information. This bill prohibits the
acquisition or use of customer proprietary network information (CPNI) without the
affirmative written consent of the customer; misrepresentation of customer consent
to the acquisition or use of CPNI; unauthorized access to system or records of a
telecommunications carrier or an IP-enabled voice service provider to acquire CPNI;
the sale of CPNI; or requests for another person to obtain CPNI in an unlawful
manner. The bill authorizes a civil action in state court or federal district court by a
telecommunications carrier or an IP-enabled voice service provider based on
violations of its provisions or prescribed regulations to recover actual money
damages, and/or $11,000 for each violation. Treble damages may be assessed by the
court for willful and knowing violations. Violators are subject to civil penalties up
to $11,000 per violation or each day of continuing violation up to $11,000,000.
Subscribers are expressly not authorized to bring a civil action for violations of this
Act of section 222 of the Communications Act of 1934. The Federal
Communications Commission (FCC) is directed to issue regulations (similar to the
Federal Trade Commission’s Safeguards Rule for personal consumer information)
within 180 days of enactment to require a telecommunications carrier or a IP-enabled
voice service provider to ensure the security and confidentiality of CPNI, to protect
CPNI against threats and hazards, and to protect CPNI from unauthorized access or
use that could result in substantial harm or inconvenience to customers. Covered
entities are required to annually certify to the FCC their compliance. Civil forfeiture
penalties for each violation up to $30,000, or 3 times that amount for each day of
continuing violation not to exceed $3,000,000 may be imposed. Criminal fines for
willful and knowing violations may also be imposed. The FCC is required to
promulgate regulations requiring covered entities to notify each customer, within 14
calendar days of any incident the covered entity becomes or is made aware that CPNI
is improperly disclosed. The Federal Trade Commission has primary enforcement
authority for this Act, and violations are to be treated as violations of the Federal
Trade Commission Act. The FCC has concurrent jurisdiction. State Attorneys
General may bring civil actions in federal district court after notifying the FTC and
FCC which has the option of intervening. This bill preempts any state statute,
regulation, or rule that requires covered entities to develop, implement, or maintain
procedures for protecting CPNI, or that restricts or regulates a covered entities ability
to use, disclose, or permit access to such information; and preempts any state law or
court ruling that imposes liability on a carrier or provider for failure to comply with
CRS-9
any statute, rule, or regulation describing in the preceding sentence or with this Act
or with section 222 of the Communications Act or its regulations. The bill does not
preempt state contract or tort law, or other state laws that relate to acts of fraud or
computer crime. The FTC and FCC are required to consumer outreach and education
campaign about the protection of CPNI.
Regulatory Response
The FCC launched a proceeding on February 10, 2006, Telecommunications
Carriers’ Use of Customer Proprietary Network Information and other Customer
Information, to determine whether enhanced security and authentication standards
for access to customer telephone records are warranted. 24 In a Notice of Proposed
Rulemaking (NPRM), the Commission seeks comment on a variety of issues related
to customer privacy, including what security measures carriers currently have in
place, what inadequacies exist in those measures, and what kind of security measures
may be warranted to better protect consumers’ privacy.25 The NPRM grants a petition
for rulemaking filed by the Electronic Privacy Information Center (EPIC) expressing
concerns about whether carriers are adequately protecting customer call records and
other customer proprietary network information, or CPNI. In its petition, EPIC
proposed five additional security measures to more adequately protect CPNI. The
NPRM specifically seeks comment on these five measures, which are (1) passwords
set by consumers; (2) audit trails that record all instances when a customer’s records
have been accessed and whether information was disclosed, and to whom; (3)
encryption by carriers of stored CPNI data; (4) limits on data retention that require
deletion of call records when they are no longer needed; and (5) notice provided by
companies to customers when the security of their CPNI may have been breached.
Litigation
In January 2006, a federal district judge in Georgia blocked online data broker
First Source Information Specialist, Inc. from selling the illegally obtained phone
records of Cingular Wireless customers. The complaint stated that the
[d]efendants wrongfully obtain and disseminate confidential customer
information, such as a customer’s call records, through fraud and deception by
engaging in “social engineering,” improper hacking, and/or unauthorized access
to online account information stored on Cingular’s computer network. For
example, Defendants or their agents call Cingular’s customer service
representatives and dishonestly pose as customers seeking information about his
or her own account, pose as fellow employees facing an urgent access problem
24 Federal Communications Commission, FCC Examines Need For Tougher Privacy Rules:
Comment Sought On Measures Proposed by EPIC, (Feb. 10, 2006), available at
[http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-263765A1.pdf].
25 Federal Communications Commission, Notice of Proposed Rulemaking to Enhance
Security and Authentication Standards for Access to Customer Proprietary Network
Information, CC Docket No. 96-115 (Feb. 10, 2006), available at
[http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-06-10A1.pdf].
CRS-10
in accessing a customer account, and/or access customers’ online accounts
fraudulently, using customers’ passwords without their knowledge or consent.26
The complaint alleged fraud, conversion of property, unfair and deceptive acts and
practices, civil conspiracy, replevin, intentional access of a protected computer
system without authorization in violation of the federal Computer Fraud and Abuse
Act (18 U.S.C. § 1030(a)(2)c)), knowingly and with intent to defraud access of a
protected computer system without authorization and/or in excess of authorized
access and obtaining without authorization customer information the value of which
exceeds $5000 in any one-year period in violation of the federal Computer Fraud and
Abuse Act (18 U.S.C. § (a)(4)(g)), and trespass to chattels.
The federal district court determined that Cingular had shown a substantial
likelihood of success on the merits with respect to the fraud claim and granted
Cingular’s motion for a temporary restraining order. The court enjoined the
defendants from attempting to obtain information from Cingular regarding any of its
customers; using the name or identity of any Cingular employee or customer;
contacting Cingular; providing Cingular customer information in their possession to
third parties; advertising that defendants can or will obtain information regarding
wireless telephone subscribers; possessing confidential information obtained from
Cingular; and disposing of any confidential Cingular customer information.
At least five states (Florida, Illinois, Missouri, Connecticut, and Texas) have
brought suits against individual information brokers. In Florida, a suit was brought
against First Source Information Specialist, Inc. (doing business as locatecell.com,
celltolls.com, datafind.org, and peoplesearchamerica.com), located in Tamarac,
Florida, the same company sued by Cingular.27 The state sued for deceptive trade
violations in obtaining and selling phone call records through the company’s Internet
sites and is seeking a $50 million fine — $10,000 for each of the 5,000 alleged
transactions in which employees of the data broker impersonated phone company
customers or employees to get copies of people’s phone records.28 Florida has
brought another suit against a second data broker, alleging that it obtained
information by impersonating either customers or telephone company employees to
26 Complaint of Cingular in Cingular Wireless LLC v. Data Find Solutions, Inc., James
Kester, 1st Source Information Specialists, Inc., Kenneth W. Gorman, Steven Schwartz, John
Does 1-100,and XYZ Corps. 1-100, Docket No. 1 05-CV 3269-CC (D.N.D. Ga. filed Dec.
23, 2005) (Cingular Petition). In addition to the Cingular lawsuit, Verizon Wireless has also
sued data brokers, claiming they posed as customers to obtain private calling records and
then advertised and sold the phone call records on the Internet. See, e.g., Cellco Partnership
d/b/a/ Verizon Wireless v. Source Resources, Permanent Injunction on Consent, Docket No.
SOM-L-1013-05 (Sup. Ct. of N.J.; Law Div.: Somerset County, Sept. 13, 2005).
27 Fla. v. IST Source Information Specialists, Inc. (2006), available at
[http://myfloridalegal.com/webfiles.nsf/WF/MRAY-6L8KGC/$file/1stSource_
Complaint.pdf].
28 C. B. Hanif, “Private Information, Too Many Prying Eyes,” Palm Beach Post, 1E (Jan.
29, 2006).
CRS-11
obtain consumers’ personal calling information.29 Illinois also filed suit against First
Source Information Specialist, Inc.30 In response to a suit filed by the Missouri
attorney general, a Missouri judge prohibited Completeskiptrace.com from obtaining
or selling the cell phone records of Missourians. Missouri also obtained a
preliminary injunction against Locatecell.com, an Internet business that sells cell
phone records, from conducting business in the state.31 The Texas Attorney General
has filed suit against a “data broker” and his companies — USA Skiptrace, AMS
Research Services Inc., and Worldwide Investigations Inc. — for fraudulently
marketing consumers’ private phone records.32
Some State Attorneys General have begun investigations into data brokers that
sell phone records. The state of Connecticut has launched an investigation into
several specific companies that obtain and sell personal cellular phone records,
including a listing of calls consumers make from their phones.33 The Massachusetts
Attorney General issued letters to Cingular Wireless, Sprint, T-Mobile, U.S. Cellular,
and Verizon requesting that the cell phone companies “discuss with us your policies
and practices regarding access to billing and other account information via telephone
and online.”
crsphpgw
29 Fla. v. Global Information Group, (2006), available at [http://myfloridalegal.com/
webfiles.nsf/WF/MRAY-6M9RY3/$file/Global_Complaint.pdf].
30 Office of the Illinois Attorney General, Madigan Sues Company That Buys Cell Phone
Records: Attorney General Calls Abuse “Privacy Theft,” (Jan. 20, 2006), available at
[http://illinoisattorneygeneral.gov/pressroom/2006_01/20060120.html].
31 Missouri Attorney General’s Office, Court Orders Web Business to Stop Obtaining,
Selling Cell Phone Records of Missourians, (Feb. 23, 2006) available at
[http://www.ago.mo.gov/newsreleases/2006/022306c.htm].
32 Attorney General of Texas, Attorney General Abbott Files First Suit Against Sellers Of
Private Phone Records, (Feb. 9, 2006), available at [http://www.oag.state.tx.us/oagnews/
release.php?id=1449&PHPSESSID=qg0f5ul9clscml5e685r4n9dn7].
33 State of Connecticut Attorney General’s Office, Attorney General Continues Investigating
Companies Selling Personal Cell Phone Records, (Jan. 18, 2006), available at
[http://www.ct.gov/ag/cwp/view.asp?A=2426&Q=308758].