Pennsylvania Code & Bulletin
COMMONWEALTH OF PENNSYLVANIA

• No statutes or acts will be found at this website.

The Pennsylvania Code website reflects the Pennsylvania Code changes effective through 53 Pa.B. 8238 (December 30, 2023).

Pennsylvania Code



Subchapter J. CONFIDENTIALITY OF CUSTOMER
COMMUNICATIONS AND INFORMATION


Sec.


63.131.    General provisions.
63.132.    Definitions.
63.133.    Confidentiality.
63.134.    Commitment to confidentiality of customer communications and customer information.
63.135.    Customer information.
63.136.    [Reserved].
63.137.    [Reserved].

Authority

   The provisions of this Subchapter J issued under the Public Utility Code, 66 Pa.C.S. § §  501 and 1501, unless otherwise noted.

Source

   The provisions of this Subchapter J adopted July 24, 1992, effective September 23, 1992, 22 Pa.B. 3892, unless otherwise noted.

§ 63.131. General provisions.

 (a)  [Reserved].

 (b)  A telecommunications company subject to this subchapter shall treat customer communications and customer information as confidential. Except for the limited instances provided in this subchapter, release of customer information to the public shall be permitted only on the authority of the customer. When a telecommunications company or its authorized employees, agents or independent contractors utilize customer information, they shall do so only when necessary and only to the extent necessary to accomplish legitimate and authorized purposes, as set forth in this subchapter. Telecommunications companies and their employees, agents or independent contractors shall make every reasonable effort to avoid the unauthorized dissemination of customer information to the public. A telecommunications company, its employee, its affiliates or subsidiaries, or an agent or independent contractor that has entered into a contractual relationship with the telecommunications company and handles customer communications and customer information is subject to this subchapter.

 (c)  Nothing in this subchapter supersedes the Wiretap Act, or permits a telecommunications company service or activity which is otherwise prohibited by the Wiretap Act.

Authority

   The provisions of this §  63.131 amended under 66 Pa.C.S. §  3019(b)(2) and (3).

Source

   The provisions of this §  63.131 amended August 12, 2022, effective August 13, 2022, 52 Pa.B. 5049. Immediately preceding text appears at serial page (332466).

Notes of Decisions

   Wiretap Act

   The Public Utility Commission lacked jurisdiction to interpret the Wiretap Act and determine the legality of an instance of electronic surveillance. The United Telephone Company of Pennsylvania v. Pennsylvania Public Utility Commission, 676 A.2d 1244 (Pa. Cmwlth. 1996).

§ 63.132. Definitions.

 The following words and terms, when used in this subchapter, have the following meanings, unless the context clearly indicates otherwise:

   Agent—An individual or entity that performs work on behalf of a telecommunications public utility who is the principal in the contractual relationship with the agent.

   Customer communications—A customer voice or data communication made in whole or in part by wire, cable, microwave or other means for the transmission by a telecommunications company of communications between the point of origin and the point of reception by a telecommunications company.

   Customer information—Information regarding a customer of a telecommunications company or information regarding the services or equipment ordered and used by that customer. The term includes a customer’s name, address and telephone number, occupation, information concerning toll calls, collect calls and third-party billed calls, local message detail information and information concerning services ordered or subscribed to by a customer. The term also includes bills, statements, credit history, toll records whether on paper, microfiche or electromagnetic media; computer records; interexchange carrier selection, service problems and annoyance call records.

   Destruction—The mutilation of documents in a manner which insures that their content is obliterated by sufficiently tearing or shredding prior to collection by public waste or trash collectors or by appropriately erasing information stored electromagnetically.

   Employee—An individual who works directly for and is paid a salary by a telecommunications company subject to this subchapter.

   Independent contractor—An individual or entity that is not an employee or agent of the telecommunications company but performs work on behalf of a telecommunications company under a contractual relationship.

   Security department—The department or individuals with responsibility for the prevention and investigation of the loss, destruction or theft of telecommunications company property, the unauthorized or unlawful use of telecommunications company equipment or services and the unlawful conduct of telecommunications company employees, agents or independent contractors which occurs during the course of employment.

   Service evaluation and monitoring—Evaluation and monitoring of telecommunications company operations, including communications, to maintain or improve the quality of service to the customer. The term includes review of employee, agent or independent contractor relationships with customers, system checks and facility maintenance.

   Telecommunications company—A public utility which provides telecommunication services subject to Commission jurisdiction.

   Telecommunications services—The offering of the transmission of messages or communications for a fee to the public.

   Wiretap Act—Title 18 of the Pennsylvania Consolidated Statutes § §  5701—5781 (relating to Wiretapping and Electronic Surveillance Control Act).

Authority

   The provisions of this §  63.132 amended under 66 Pa.C.S. §  3019(b)(2) and (3).

Source

   The provisions of this §  63.132 amended August 12, 2022, effective August 13, 2022, 52 Pa.B. 5049. Immediately preceding text appears at serial pages (332466) to (332467).

§ 63.133. Confidentiality.

 A telecommunications company shall distribute a written statement of its fundamental policy and obligation to maintain the confidentiality of customer communications and customer information to its customers annually. The written statement shall declare the responsibility of each employee, agent or independent contractor to maintain the confidentiality of customer communications and customer information in accordance with applicable State and Federal law.

Authority

   The provisions of this §  63.133 amended under 66 Pa.C.S. §  3019(b)(2) and (3).

Source

   The provisions of this §  63.133 amended August 12, 2022, effective August 13, 2022, 52 Pa.B. 5049. Immediately preceding text appears at serial page (332467).

§ 63.134. Commitment to confidentiality of customer communications and customer information.

 A telecommunications company shall confirm with each employee, agent or independent contractor the responsibility to maintain the confidentiality of customer communications and customer information in accordance with applicable Federal and State law.

   (1)  Securing commitment from employees, agents or independent contractors. A telecommunications company shall, at the time a person commences employment or an agency or independent contractor relationship, instruct that person regarding telecommunications company policy covering the following points:

     (i)   State and Federal law generally prohibits the interception, disclosure and use of customer communications.

     (ii)   An employee, agent or independent contractor is prohibited from intercepting, using or disclosing customer communications except in those limited instances which are a necessary incident to:

       (A)   The provision of service.

       (B)   The protection of the legal rights or property of the telecommunications company where the action is taken in the normal course of employment.

       (C)   The protection of the telecommunications company, an interconnecting carrier, a customer or user of service from fraudulent, unlawful or abusive use of telecommunications service.

       (D)   Compliance with legal process or other requirements of law.

     (iii)   An employee, agent or independent contractor is prohibited from using or disclosing customer information except when the use or disclosure is authorized by this subchapter.

     (iv)   Improper interception, use or disclosure of customer communications or customer information may result in disciplinary action, including dismissal or criminal and civil proceedings, or both.

   (2)  Documentation of employee, agent or independent contractor commitment. An appropriate document shall be prepared outlining the policy summarized in paragraph (1) and stating that the telecommunications company employee, agent or independent contractor has read and understands the policy. The telecommunications company shall present the document to each employee, agent or independent contractors for signature. A telecommunications company manager shall witness and date the document, regardless of whether the employee, agent or independent contractor has agreed to sign the document. One copy shall be filed with the personnel papers of the employee, agent or independent contractors and one copy given to the employee, agent or independent contractors to keep and review.

   (3)  Annual review. A telecommunications company shall annually review with employees, agents or independent contractors the commitment to confidentiality of customer communications and customer information, and shall make a record of that annual review.

Authority

   The provisions of this §  63.134 amended under 66 Pa.C.S. §  3019(b)(2) and (3).

Source

   The provisions of this §  63.134 amended August 12, 2022, effective August 13, 2022, 52 Pa.B. 5049. Immediately preceding text appears at serial pages (332467) to (332468).

Cross References

   This section cited in 52 Pa. Code §  63.135 (relating to customer information).

§ 63.135. Customer information.

 This section describes procedures for determining access to customer information and the purposes for which this information may be used by employees, agents or independent contractors responding to requests for customer information from persons outside the telecommunications company and the recording of use and disclosure of customer information.

   (1)  Access to and use of customer information. Access to and use of customer information shall be limited to employees, agents or independent contractors who have a legitimate need to use the information in the performance of their work duties and, because of the nature of their duties, need to examine the data to accomplish the legitimate and lawful activities necessarily incident to the rendition of service by the telecommunications company. An employee, agent or independent contractor shall be prohibited from using customer information for personal benefit or the benefit of another person not authorized to receive the information.

   (2)  Requests from the public. Customer information that is not subject to public availability may not be disclosed to persons outside the telecommunications company or to subsidiaries or affiliates of the telecommunications company, except in limited instances which are a necessary incident to:

     (i)   The provision of service.

     (ii)   The protection of the legal rights or property of the telecommunications company where the action is taken in the normal course of an employee’s, agent’s or independent contractor’s activities.

     (iii)   The protection of the telecommunications company, an interconnecting carrier, a customer or a user of service from fraudulent, unlawful or abusive use of service.

     (iv)   A disclosure that is required by a valid subpoena, search warrant, court order or other lawful process.

     (v)   A disclosure that is requested or consented to by the customer or the customer’s attorney, agent, employee or other authorized representative.

     (vi)   A disclosure request that is required or permitted by law, including the regulations, decisions or orders of a regulatory agency.

     (vii)   A disclosure to governmental entities if the customer has consented to the disclosure, the disclosure is required by a subpoena, warrant or court order or disclosure is made as part of telecommunications company service.

   (3)  Limitation on disclosures to agents, contractors, subsidiaries or affiliates. To comply with this subchapter, a telecommunications company may not allow disclosure of customer information to an agent, contractor, subsidiary or affiliate it has entered in a direct contractual relationship with or to the agents, independent contractors, subsidiaries or affiliates of a party it has entered into a contract with absent the prior establishment of terms and conditions for the disclosure pursuant to a written agreement that requires:

     (i)   Treatment of the information as confidential.

     (ii)   Use of the information by the contracting party or any of its respective employees, agents or independent contractors for only those purposes specified in the contract or agreement. The contract shall require the contracting party to establish a confidentiality statement which provides confidentiality protections which are no less than those required of the telecommunications company by this subchapter and to maintain the same commitment to the protections in §  63.134 (relating to commitment to confidentiality of customer communications and customer information). The contract may not allow the interception or use of the customer information or customer communications in a manner not authorized with respect to a telecommunications company’s employee, agent or independent contractor. The contracting party shall also be subject to the operational restrictions specified in this subchapter with regard to the handling of customer communications and customer information as would otherwise apply to a telecommunications company’s employee, agent or independent contractor.

     (iii)   Nondisclosure of the customer information and customer communications to third parties except as required by law.

   (4)  Requests from law enforcement agencies and civil litigation. Government administrative, regulatory and law enforcement agencies and parties in civil litigation may be able to compel the telecommunications company to disclose customer information by serving upon the utility a subpoena, search warrant, court order or other lawful process.

     (i)   In response to legal process requiring the disclosure of customer information, the security department shall make the necessary arrangements with the government agency or attorney who caused the legal process to be issued regarding the information to be produced and the identity of the employee, agent or independent contractor or other telecommunications company representative who will produce the information. The employee, agent or independent contractor assigned to produce this information shall secure the information, including applicable records, from the department having possession of the information and records and shall ascertain the meaning of a code word or letters or nomenclature which may appear on the records, to explain the meaning, if requested to do so. The employee, agent or independent contractor shall then comply with the legal process.

     (ii)   If information, including applicable records, is unavailable, the employee, agent or independent contractor selected to respond to the legal process shall be prepared to explain the unavailability of the information requested.

     (iii)   When a request for customer information is presented by a law enforcement agency, but that request is not accompanied by legal process, the request shall be referred to the security department. Absent legal process, the security department may not make disclosure of customer information to a law enforcement agency, except as required or permitted by law. Written, oral or other communication to law enforcement officials to indicate whether obtaining legal process would be worthwhile is prohibited by the Commission.

   (5)  Safeguarding customer information. A telecommunications company is responsible for implementing appropriate procedures to safeguard customer information and prevent access to it by unauthorized persons. Tangible customer records such as paper or microfiche records and electromagnetic media shall be stored in secure buildings, rooms and cabinets, as appropriate, to protect them from unauthorized access. Data processing and other electronic systems shall contain safeguards, such as codes and passwords, preventing access to customer information by unauthorized persons.

     (i)   Transmission of customer information. Customer information shall be transmitted in a manner which will reasonably assure that the information will not be disclosed to persons who are not authorized to have access to it.

     (ii)   Reproduction. Customer records may not be reproduced unless there is a business need for the reproduction. Only sufficient copies shall be made to satisfy the business purpose for the reproduction.

     (iii)   Destruction of customer records. Customer records shall be disposed of by the most advantageous method available at each location when retention of the records is no longer required by applicable Federal Communications Commission (FCC) regulations, other legal requirements, contract provisions such as government contract requirements or appropriate document retention guidelines.

   (6)  Recording use and disclosure of customer information. Because of the frequency with which customer information is used and disclosed in the ordinary course of business, it is neither practical nor desirable to record each instance in which customer information is used or disclosed by an employee, agent or independent contractor. However, the importance of some forms of customer information and the circumstances under which the information may be used or disclosed dictate that a record is required of the use or disclosure of customer information, as follows:

     (i)   Each instance in which customer information is used or disclosed for purposes other than to furnish service to the customer, to collect charges due from the customer or to accomplish other ordinary and legitimate business purposes.

     (ii)   Each instance in which information is disclosed to persons outside of the telecommunications company, subject to subparagraph (i).

     (iii)   Each instance in which customer information is disclosed to a governmental entity or the telecommunications company security department.

     (iv)   Each instance in which a record is required by other telecommunications company practices or procedures.

   (7)  Annual notice of Customer Proprietary Network Information (CPNI) rights. The telecommunications company shall provide an annual written notice of CPNI rights, as defined by the FCC, to customers with less than 20 access lines. The notice shall be submitted to the Commission’s Bureau of Consumer Services for plain language review prior to issuance.

Authority

   The provisions of this §  63.135 amended under 66 Pa.C.S. §  3019(b)(2) and (3).

Source

   The provisions of this §  63.135 amended August 12, 2022, effective August 13, 2022, 52 Pa.B. 5049. Immediately preceding text appears at serial pages (332468) to (332469), (232285) to (232286) and (361655).

Cross References

   This section cited in 52 Pa. Code §  63.143 (relating to code of conduct).

§ 63.136. [Reserved].


Authority

   The provisions of this §  63.136 deleted under 66 Pa.C.S. §  3019(b)(2) and (3).

Source

   The provisions of this §  63.136 deleted August 12, 2022, effective August 13, 2022, 52 Pa.B. 5049. Immediately preceding text appears at serial page (361655).

§ 63.137. [Reserved].


Authority

   The provisions of this §  63.137 deleted under 66 Pa.C.S. §  3019(b)(2) and (3).

Source

   The provisions of this §  63.137 amended June 29, 2012, effective June 30, 2012, 42 Pa.B. 3728; deleted August 12, 2022, effective August 13, 2022, 52 Pa.B. 5049. Immediately preceding text appears at serial pages (361655) to (361657).



No part of the information on this site may be reproduced for profit or sold for profit.


This material has been drawn directly from the official Pennsylvania Code full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.