
Author: Thiago D. Modelli Revision: CPNI2014.3 Status: Draft Certification docket

Created on: 2.28.2014 Modified on: N/A

CPNI Policies & Procedures Annual statement of FCC CPNI rule compliance

Annual statement of FCC CPNI rule compliance - 2014

This document is proprietary and confidential. Copyright ownership of ESI. All rights reserved.


Revision History

Version: D001
Date: 2.28.2014
Author: Bob Russo
Modifications: Document initiation; New template execution


Table of contents

1. Introduction
2. Stakeholders
2.1. Companies & Affiliates
2.2. People & Roles
3. Statement
3.1. Duty to Protect CPNI
3.2. Our Own Use of CPNI
3.2.1. Marketing
3.2.2. Provision of services
3.3. Authenticating customers before disclosing CPNI
3.3.1. Telephone
3.3.2. In Person Authentication
3.3.3. By mail
3.3.4. Online access
3.4. Customer Notification of CPNI Rights
3.5. Training and Discipline
3.6. Record keeping
3.7. Notification of account changes
3.8. Unauthorized disclosure of CPNI
4. Requirements, Baseline & Definition
4.1. 47 CFR 64
4.2. Definitions
Attachment I


1. Introduction
Customer proprietary network information (CPNI) is the data collected by telecommunications companies about a consumer's telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer's telephone bill. The FCC regulations on the release of this information are strict. We must be sure that we release no call information to any party that is not properly authorized. We can verify information that is given to us and if a specific call is identified to us (such as from which number, the number dialed and the time of the call) we can discuss that particular call but otherwise we cannot reveal phone numbers, IP addressing or routing details.

2. Stakeholders
2.1. Companies & Affiliates

ESI Hosted Services, LLC 499 ID: Estech Systems, Inc.

2.2. People & Roles

George Platt, Executive Reviewer, CEO/President
Karen Boyd, Legal Counsel - Officer
Bob Russo, Process Creator, Network Operations Manager
Thiago Modelli, Process owner, Director of Operations

3. Statement
ESI Hosted Services, LLC has created a CPNI Policy set containing procedures that it has adopted to ensure the protection of CPNI. The handbook describes our procedures in greater detail and provides practical guidance on how to protect against unauthorized disclosure or use of CPNI. The policy documentation is distributed to our employees during training and serves as an important reference tool for our employees.

3.1. Duty to Protect CPNI

We as a communications company recognize our duty to protect customer CPNI. We may not disclose CPNI to unauthorized persons, nor may we use CPNI in certain ways without consent from our customers. Before we can provide customers with their own CPNI, we must authenticate the customer. We recognize that there are a few cases in which we can disclose CPNI without first obtaining customer approval:

a. Administrative use: We may use CPNI to initiate, render, bill and collect for communications services.
b. Protection of carrier and third parties: We may use CPNI to protect the interests of our company, such as to prevent fraud or illegal use of our systems and network. Employees are notified of the steps to take, if any, in these sorts of situations.
c. As required by law: We may disclose CPNI if we are required to by law, such as through legal process (subpoenas) or in response to requests by law enforcement. Employees are notified of any steps they must take in these situations.

3.2. Our Own Use of CPNI

We may use CPNI to provide or market services to our existing customers. We understand that we are required to obtain customer approval prior to using CPNI in certain ways.

3.2.1. Marketing

We understand that we do not need to obtain customer approval before using CPNI to market services to our existing customers within the categories of service to which the customer already subscribes. We understand that we may not use CPNI to market services that are in a service category to which the customer does not already subscribe without customer approval. We understand that we cannot use CPNI to solicit a customer to add a new category of service without first obtaining the customer's approval. We also understand that we do not need customer consent before using CPNI to market "adjunct-to-basic" services such as speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller ID, call forwarding, and certain Centrex features. We understand that we may not use CPNI to identify or track customers that call competing service providers.

We regularly review our marketing practices to determine when and how CPNI is used within the company, and whether CPNI is being shared with other entities. We also review new marketing or sales campaigns to ensure compliance with these CPNI policies and with the FCC's CPNI regulations. We will only share CPNI with our affiliate ESI Hosted Services.

3.2.2. Provision of services

We understand that we do not need customer approval to use CPNI to provide CPE and call answering, voice mail or messaging, voice storage and retrieval services, fax store and forward, and protocol conversion.


3.3. Authenticating customers before disclosing CPNI

We understand that we are required to objectively determine that our customers are who they say they are before disclosing CPNI to them. With this in mind, a workflow for this process is attached as figure one, and the required process for each access method is described below.


Customer requests CPNI information.

1. Does the customer give specific call information?
   Yes: You are free to discuss details for the call.
   No: Go to step 2.
2. Is there a Kyako ticket open concerning the issue?
   Yes: You may enter details on the existing ticket.
   No: Go to step 3.
3. Can the caller create a Kyako ticket under an authorized log-in?
   Yes: You may enter details on the created ticket.
   No: The customer's Person of Record must make a written request* or allow authorized log-in to Kyako for the caller.

* Written request can come from the billing address of the account, or from the account's email address of record.

Fig. 1

3.3.1. Telephone

We understand that when a customer calls, we may not release call detail information, or information relating to the transmission of specific telephone calls until we have obtained the account password from the caller, or have called the customer back at the telephone number of record to ensure that the customer is who s/he says s/he is. Alternatively, we may offer to send the call detail information to the address of record or provide it to the customer or authorized individual in person after s/he has produced valid photo identification at our office. We understand that we may disclose non-call detail information over the telephone after authenticating the customer by calling back the telephone number of record, checking valid photo identification, or by mailing the information to the account address of record.

3.3.2. In Person Authentication

We understand that before we can disclose CPNI to customers in person, the customer must present valid government-issued photo identification. The name on the photo identification must match the name on the account. If the customer cannot present the required identification, we offer to provide the requested CPNI by sending it to the account address of record. Before providing the CPNI to the customer, we make a copy of the photo identification. This copy is then placed in the customer's file, together with a copy of the CPNI provided to the customer. These records are then kept in the customer file in accordance with our record-keeping policies.

3.3.3. By mail

If the customer requests CPNI through regular mail, or if the customer cannot comply with one of the authentication methods above, we send the requested information to the customer's address of record only.

3.3.4. Online access

Online access to CPNI data is available via password-protected techniques that authenticate the customer for direct access. A secured password reset technique via registered account email has been implemented, and it is enforced following the same requirements as above.

3.4. Customer Notification of CPNI Rights

We provide a CPNI privacy policy to all customers online, via our website and support tools. This policy provides notification to each customer of his/her right to restrict use of, disclosure of, and access to that customer's CPNI. We provide additional copies of the CPNI privacy policy to all customers who request it and to all new customers upon activation of service. The policy contains an opt-out customer approval notice. Customers who do not wish to allow us to use their CPNI to market services outside their existing service categories, or who do not wish to allow us to share their CPNI with affiliates, have 30 days to contact us to tell us that they do not approve of this use. If we do not hear back from the customer within 30 days, we understand that we are free to use their CPNI for these purposes. We understand that customers can change their option at any time by contacting us, and we notify our customers of this right. We maintain records of the customers who received the opt-out approval notice and records of the customers who contacted us to opt out in accordance with our record-keeping policies. We understand that we must provide written notice to the FCC within five (5) business days if our opt-out mechanisms do not work properly to the degree that our customers' inability to opt out is more than an anomaly.


3.5. Training and Discipline

We provide our internal policy and employee handbook to every new employee, and require new and existing employees to sign acceptance of the employee handbook and any attached policy. Also, existing employees are required to review and accept any existing or modified policies on a periodic basis, following standard company policies for handbook distribution and acceptance.

Violation by company employees of such CPNI requirements will lead to disciplinary action (including remedial training, reprimands, unfavorable performance reviews, and probation), depending upon the circumstances of the violation (including the severity of the violation, whether appropriate guidance was sought, and the extent to which the violation was or was not deliberate or malicious). Disciplinary records are maintained in the company files in accordance with our record-keeping policies.

3.6. Record keeping

We maintain the following records in our files for two (2) years:

a. Records relating to the annual mailing of the customer CPNI privacy policy;
b. Records of customer approval or disapproval of CPNI use, or the limitation or revocation thereof;
c. Records of disclosure or provision of CPNI to third parties for marketing purposes, including Buckland Telephone Company's and affiliates' sales and marketing campaigns using customer CPNI, the CPNI used, and what products and services were offered as part of the campaign;
d. Employee disciplinary records; and
e. Records of discovered CPNI breaches, notifications to law enforcement regarding breaches, and any responses from law enforcement regarding those breaches.

3.7. Notification of account changes

We understand that we are required to notify customers when changes have been made to passwords, customer responses to back-up means of authentication, or addresses of record by mailing a notification to the account address of record. We do not reveal the changed account data in the notification.

3.8. Unauthorized disclosure of CPNI

We understand that we must report CPNI breaches to law enforcement no later than seven (7) business days after determining the breach has occurred, by sending electronic notification through the link at http://www.fcc.gov/eb/CPNII to the central reporting facility, which will then notify the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI). We understand that we may not notify customers or the public of the breach earlier than seven (7) days after we have notified law enforcement through the central reporting facility. If we wish to notify customers or the public immediately, where we feel that there is "an extraordinarily urgent need to notify" to avoid "immediate and irreparable harm," we inform law enforcement of our desire to notify and comply with law enforcement's directions. Records relating to such notifications are kept in accordance with our record-keeping policies. These records include: (i) the date we discovered the breach, (ii) the date we notified law enforcement, (iii) a detailed description of the CPNI breached, and (iv) the circumstances of the breach.

During the course of the year, we compile information regarding pretexted attempts to gain improper access to CPNI, including any breaches or attempted breaches. We include this information in our annual CPNI compliance certification filed with the FCC.

4. Requirements, Baseline & Definition


4.1. 47 CFR 64
64.2010 Safeguards on the disclosure of customer proprietary network information.

(a) Safeguarding CPNI. Telecommunications carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. Telecommunications carriers must properly authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an in-store visit.

(b) Telephone access to CPNI. Telecommunications carriers may only disclose call detail information over the telephone, based on customer-initiated telephone contact, if the customer first provides the carrier with a password, as described in paragraph (e) of this section, which is not prompted by the carrier asking for readily available biographical information, or account information. If the customer does not provide a password, the telecommunications carrier may only disclose call detail information by sending it to the customer's address of record, or by calling the customer at the telephone number of record. If the customer is able to provide call detail information to the telecommunications carrier during a customer-initiated call without the telecommunications carrier's assistance, then the telecommunications carrier is permitted to discuss the call detail information provided by the customer.

(c) Online access to CPNI. A telecommunications carrier must authenticate a customer without the use of readily available biographical information, or account information, prior to allowing the customer online access to CPNI related to a telecommunications service account. Once authenticated, the customer may only obtain online access to CPNI related to a telecommunications service account through a password, as described in paragraph (e) of this section, that is not prompted by the carrier asking for readily available biographical information, or account information.

(d) In-store access to CPNI. A telecommunications carrier may disclose CPNI to a customer who, at a carrier's retail location, first presents to the telecommunications carrier or its agent a valid photo ID matching the customer's account information.

(e) Establishment of a Password and Back-up Authentication Methods for Lost or Forgotten Passwords. To establish a password, a telecommunications carrier must authenticate the customer without the use of readily available biographical information, or account information. Telecommunications carriers may create a back-up customer authentication method in the event of a lost or forgotten password, but such back-up customer authentication method may not prompt the customer for readily available biographical information, or account information. If a customer cannot provide the correct password or the correct response for the back-up customer authentication method, the customer must establish a new password as described in this paragraph.

(f) Notification of account changes. Telecommunications carriers must notify customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. This notification is not required when the customer initiates service, including the selection of a password at service initiation. This notification may be through a carrier-originated voicemail or text message to the telephone number of record, or by mail to the address of record, and must not reveal the changed information or be sent to the new account information.

(g) Business customer exemption. Telecommunications carriers may bind themselves contractually to authentication regimes other than those described in this section for services they provide to their business customers that have both a dedicated account representative and a contract that specifically addresses the carriers' protection of CPNI.

4.2. Definitions

(a) Account information. Account information is information that is specifically connected to the customer's service relationship with the carrier, including such things as an account number or any component thereof, the telephone number associated with the account, or the bill's amount.

(b) Address of record. An address of record, whether postal or electronic, is an address that the carrier has associated with the customer's account for at least 30 days.

(c) Affiliate. The term affiliate has the same meaning given such term in section 3(1) of the Communications Act of 1934, as amended, 47 U.S.C. 153(1).

(d) Call detail information. Any information that pertains to the transmission of specific telephone calls, including, for outbound calls, the number called, and the time, location, or duration of any call and, for inbound calls, the number from which the call was placed, and the time, location, or duration of any call.

(e) Communications-related services. The term communications-related services means telecommunications services, information services typically provided by telecommunications carriers, and services related to the provision or maintenance of customer premises equipment.

(f) Customer. A customer of a telecommunications carrier is a person or entity to which the telecommunications carrier is currently providing service.

(g) Customer proprietary network information (CPNI). The term customer proprietary network information (CPNI) has the same meaning given to such term in section 222(h)(1) of the Communications Act of 1934, as amended, 47 U.S.C. 222(h)(1).

(h) Customer premises equipment (CPE). The term customer premises equipment (CPE) has the same meaning given to such term in section 3(14) of the Communications Act of 1934, as amended, 47 U.S.C. 153(14).

(i) Information services typically provided by telecommunications carriers. The phrase information services typically provided by telecommunications carriers means only those information services (as defined in section 3(20) of the Communication Act of 1934, as amended, 47 U.S.C. 153(20)) that are typically provided by telecommunications carriers, such as Internet access or voice mail services. Such phrase information services typically provided by telecommunications carriers, as used in this subpart, shall not include retail consumer services provided using Internet Web sites (such as travel reservation services or mortgage lending services), whether or not such services may otherwise be considered to be information services.

(j) Local exchange carrier (LEC). The term local exchange carrier (LEC) has the same meaning given to such term in section 3(26) of the Communications Act of 1934, as amended, 47 U.S.C. 153(26).

(k) Opt-in approval. The term opt-in approval refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. This approval method requires that the carrier obtain from the customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the carrier's request consistent with the requirements set forth in this subpart.

(l) Opt-out approval. The term opt-out approval refers to a method for obtaining customer consent to use, disclose, or permit access to the customer's CPNI. Under this approval method, a customer is deemed to have consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto within the waiting period described in 64.2008(d)(1) after the customer is provided appropriate notification of the carrier's request for consent consistent with the rules in this subpart.

(m) Readily available biographical information. Readily available biographical information is information drawn from the customer's life history and includes such things as the customer's social security number, or the last four digits of that number; mother's maiden name; home address; or date of birth.

(n) Subscriber list information (SLI). The term subscriber list information (SLI) has the same meaning given to such term in section 222(h)(3) of the Communications Act of 1934, as amended, 47 U.S.C. 222(h)(3).

(o) Telecommunications carrier or carrier. The terms telecommunications carrier or carrier shall have the same meaning as set forth in section 3(44) of the Communications Act of 1934, as amended, 47 U.S.C. 153(44). For the purposes of this subpart, the term telecommunications carrier or carrier shall include an entity that provides interconnected VoIP service, as that term is defined in section 9.3 of these rules.

(p) Telecommunications service. The term telecommunications service has the same meaning given to such term in section 3(46) of the Communications Act of 1934, as amended, 47 U.S.C. 153(46).

(q) Telephone number of record. The telephone number associated with the underlying service, not the telephone number supplied as a customer's contact information.

(r) Valid photo ID. A valid photo ID is a government-issued means of personal identification with a photograph such as a driver's license, passport, or comparable ID that is not expired.

[72 FR 31961, June 8, 2007]
