Pennsylvania Code & Bulletin
COMMONWEALTH OF PENNSYLVANIA

PA Bulletin, Doc. No. 97-1622

PROPOSED RULEMAKING

[52 PA. CODE CH. 63]

[L-970123]

Electronic Transaction Auditing of Telephone Customer Proprietary Information

[27 Pa.B. 5269]

   The Pennsylvania Public Utility Commission (Commission) adopted an order to promulgate a proposed amendment regarding confidentiality of telephone customer information. The purpose is to require telephone companies to maintain an electronic audit trail of all accesses to private customer information by the telephone company security department, outside persons and governmental agencies. A permanent electronic record of the information must be maintained. The contact person is John A. Levin, Assistant Counsel, Law Bureau, (717) 787-5978.

Regulatory Review

   Under section 5(a) of the Regulatory Review Act (71 P. S. § 745.5(a)), the Commission submitted a copy of these proposed amendments on September 30, 1997, to the Independent Regulatory Review Commission (IRRC) and the Chairpersons of the House Committee on Consumer Affairs and the Senate Committee on Consumer Protection and Professional Licensure. In addition to submitting the proposed amendments, the Commission has provided IRRC and the Committees with a copy of a detailed Regulatory Analysis Form prepared by the Commission in compliance with Executive Order 1996-1. A copy of this material is available to the public upon request.

   If the Legislative committees have objection to any portion of the proposed amendments, they will notify the Commission within 20 days of the close of the public comment period. If IRRC has objections to any portion of the proposed amendments, it will notify the Commission within 10 days of the close of the Committees' review period. The notification shall specify the regulatory review criteria which have not been met by that portion. The Regulatory Review Act specifies detailed procedures for review, prior to final publication of the regulations, by the Commission, the General Assembly and the Governor of any objections raised.

Commissioners Present: John M. Quain, Chairperson; Robert K. Bloom, Vice Chairperson; John Hanger; David W. Rolka; Nora Mead Brownell

Public Meeting held
July 10, 1997

Proposed Rulemaking Order

By the Commission:

   As a result of several incidents involving disclosure or improper use of private or proprietary telephone customer information, the Commission herewith initiates this proposed rulemaking to require the maintenance of electronic transaction auditing records with respect to data processing records and the maintenance of detailed records in any instance in which customer information is disclosed to persons outside the telephone company, any government entity or the telephone company security department.

   The Commission is generally aware that data processing and information transaction technology has been improving with respect to availability of adequate data security, transaction auditing and safeguards. The Commission believes that it is now practicable from the standpoint of both operations and cost to require telephone utilities to implement electronic auditing safeguards and maintain permanent electronic records of the auditing in order to protect the public interest. The Commission also believes that it is desirable and cost effective to require that any disclosure of customer information to outside persons, telephone security officers or governmental agencies be permanently recorded in the event of a later allegation of improper access or disclosure by or to those persons.

   In order to enable the Commission to carry out its responsibilities under the Public Utility Code to ensure that telephone service is rendered in accordance with the provisions of the Public Utility Code's requirements that service be rendered in a safe, adequate and reliable fashion, the Commission is considering the amendment of its regulation as described above, to read as set forth in Annex A.

   Accordingly, under 66 Pa.C.S. §§ 1501--1505, and the act of July 31, 1968 (P. L. 769, No. 240) (45 P. S. §§ 1201--1208), and the regulations promulgated thereunder at 1 Pa. Code §§ 7.1--7.4, we are considering amending the regulations at 52 Pa. Code § 63.135, as noted above and in the manner set forth in Annex A; Therefore,

It Is Ordered That:

   1.  A rulemaking proceeding shall be initiated to consider the proposed amendment as set forth in Annex A hereto.

   2.  This order shall be published in the Pennsylvania Bulletin. Interested persons may submit written comments, an original and 15 copies, to Prothonotary, Pennsylvania Public Utility Commission, P. O. Box 3265, Harrisburg, PA 17105-3265, and shall have 45 days from the date the order is published in the Pennsylvania Bulletin to submit the comments. Commentators are strongly encouraged, if suggesting changes or additions to the proposed amendment, to supply alternative regulatory language. Commentators suggesting changes or nonadoption of the proposed draft amendment on the basis of allegations of financial or technical hardship are directed to disclose in detail the basis of the allegations, including all cost studies or technical analyses upon which the allegations are based.

   3.  A copy of this order and Annex A shall be served upon the Office of Consumer Advocate, the Office of Small Business Advocate, the Office of Trial Staff, all telephone utilities and the Pennsylvania Telephone Association.

   4.  The Secretary shall submit this order and Annex A to the Office of Attorney General for approval as to legality, and to the Governor's Budget Office for review of fiscal impact.

   5.  The Secretary shall submit this order and Annex A for review by the designated standing committees of both Houses of the General Assembly, and for review by the Independent Regulatory Review Commission.

   6.  The contact person is John Levin, Assistant Counsel, Pennsylvania Public Utility Commission, P. O. Box 3265, Harrisburg, PA 17105-3265, (717) 787-5978.

JAMES J. MCNULTY,   
Acting Secretary

   Fiscal Note: 57-186. No fiscal impact; (8) recommends adoption.

Annex A

TITLE 52.  PUBLIC UTILITIES

PART I.  PUBLIC UTILITY COMMISSION

Subpart C.  FIXED SERVICE UTILITIES

CHAPTER 63.  TELEPHONE SERVICE

Subchapter J.  CONFIDENTIALITY OF CUSTOMER COMMUNICATIONS AND INFORMATION

§ 63.135.  Customer information

   This section describes procedures for determining employe access to customer information and the purposes for which this information may be used by employes responding to requests for customer information from persons outside the telephone company and the recording of use and disclosure of customer information.

*      *      *      *      *

   (5)  Safeguarding customer information. A telephone company is responsible for implementing appropriate procedures to safeguard customer information and prevent access to it by unauthorized persons. Tangible customer records such as paper or microfiche records and electromagnetic media shall be stored in secure buildings, rooms and cabinets, as appropriate, to protect them from unauthorized access. Data processing and other electronic systems shall contain safeguards, such as codes and passwords, preventing access to customer information by unauthorized persons and shall be accompanied by electronic transaction auditing which shall create audit data sufficient to establish a permanent record of each instance in which customer data is accessed, copied, printed, changed, deleted or added. Electronic transaction audit data shall be retained indefinitely, and shall be kept in a manner which permits access and retrieval of audit information by time of access, date of access, accessing individual, accessing individual's position, accessing individual's affiliation, the customer's name, the customer's account number, the portion of customer information accessed and the reason for access. Storage of the audit data may be made in any media format determined to be appropriate by the utility, but shall be promptly and properly maintained and transferred to a more current media format if the original or any successor medium becomes technologically obsolete or is in danger of becoming technologically obsolete.

*      *      *      *      *

   (6)  [Recording use and disclosure] Disclosure of customer information. [Because of the frequency with which customer information is used and disclosed in the ordinary course of business, it is neither practical nor desirable to record each instance in which customer information is used or disclosed by an employe. However, the importance of some forms of customer information and the circumstances under which the information may be used or disclosed dictate that a record is required of the use or disclosure of customer information, as follows:

   (i)  Each instance in which customer information is used or disclosed for purposes other than to furnish service to the customer, to collect charges due from the customer or to accomplish other ordinary and legitimate business purposes.

   (ii)  Each instance in which information is disclosed to persons outside of the telephone company, subject to subparagraph (i).

   (iii)  Each instance in which customer information is disclosed to a government entity or the telephone company security department.

   (iv)  Each instance in which a record is required by other telephone company practices or procedures.]

   The utility shall maintain a permanent record of each instance in which customer information in any form is disclosed to the telephone security department or security personnel, any governmental agency or any other person outside of the telephone company for purposes other than to furnish service to the customer or to collect charges due from the customer. The record shall be maintained in electronic database format and shall list the time of access, the date of access, the accessing individual, the accessing individual's position, the accessing individual's affiliation, the name, address, telephone number and affiliation of the person to whom the information was disclosed, the customer's name, the customer's account number, the portion of customer information accessed and the reason for access. Storage of the data may be made in any media format determined to be appropriate by the utility, but shall be promptly and properly maintained and transferred to a more current media format if the original or any successor medium becomes technologically obsolete or is in danger of becoming technologically obsolete.

*      *      *      *      *

[Pa.B. Doc. No. 97-1622. Filed for public inspection October 10, 1997, 9:00 a.m.]



This material has been drawn directly from the official Pennsylvania Bulletin full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.