§  64.2010   Safeguards on the disclosure of customer proprietary network
information.

   (a) Safeguarding CPNI. Telecommunications carriers must take reasonable
   measures to discover and protect against attempts to gain unauthorized
   access to CPNI. Telecommunications carriers must properly authenticate
   a customer prior to disclosing CPNI based on customer-initiated
   telephone contact, online account access, or an in-store visit.

   (b) Telephone access to CPNI. Telecommunications carriers may only
   disclose call detail information over the telephone, based on
   customer-initiated telephone contact, if the customer first provides
   the carrier with a password, as described in paragraph (e) of this
   section, that is not prompted by the carrier asking for readily
   available biographical information, or account information. If the
   customer does not provide a password, the telecommunications carrier
   may only disclose call detail information by sending it to the
   customer's address of record, or by calling the customer at the
   telephone number of record. If the customer is able to provide call
   detail information to the telecommunications carrier during a
   customer-initiated call without the telecommunications carrier's
   assistance, then the telecommunications carrier is permitted to discuss
   the call detail information provided by the customer.

   (c) Online access to CPNI. A telecommunications carrier must
   authenticate a customer without the use of readily available
   biographical information, or account information, prior to allowing the
   customer online access to CPNI related to a telecommunications service
   account. Once authenticated, the customer may only obtain online access
   to CPNI related to a telecommunications service account through a
   password, as described in paragraph (e) of this section, that is not
   prompted by the carrier asking for readily available biographical
   information, or account information.

   (d) In-store access to CPNI. A telecommunications carrier may disclose
   CPNI to a customer who, at a carrier's retail location, first presents
   to the telecommunications carrier or its agent a valid photo ID
   matching the customer's account information.

   (e) Establishment of a password and back-up authentication methods for
   lost or forgotten passwords. To establish a password, a
   telecommunications carrier must authenticate the customer without the
   use of readily available biographical information, or account
   information. Telecommunications carriers may create a back-up customer
   authentication method in the event of a lost or forgotten password, but
   such back-up customer authentication method may not prompt the customer
   for readily available biographical information, or account information.
   If a customer cannot provide the correct password or the correct
   response for the back-up customer authentication method, the customer
   must establish a new password as described in this paragraph.

   (f) Notification of account changes. Telecommunications carriers must
   notify customers immediately whenever a password, customer response to
   a back-up means of authentication for lost or forgotten passwords,
   online account, or address of record is created or changed. This
   notification is not required when the customer initiates service,
   including the selection of a password at service initiation. This
   notification may be through a carrier-originated voicemail or text
   message to the telephone number of record, or by mail to the address of
   record, and must not reveal the changed information or be sent to the
   new account information.

   (g) Business customer exemption. Telecommunications carriers may bind
   themselves contractually to authentication regimes other than those
   described in this section for services they provide to their business
   customers that have both a dedicated account representative and a
   contract that specifically addresses the carriers' protection of CPNI.