Enterprise Customers: Verizon Wants to Exploit Your Confidential Information
By Justin Castillo and Ellen Block
May 30, 2012
A confidentiality landmine is lurking in pending changes to Verizon’s online terms and conditions.
Verizon issued a notice on May 17 regarding the changes, and close examination reveals that effective June 1, 2012, customers who agree – knowingly or otherwise – to Verizon’s Online Master Terms will have allowed Verizon to share not just their customer proprietary network information (CPNI) but also their “Confidential Information” with a vastly expanded group of recipients, including another carrier, Vodafone.
While Verizon has been trying to foist similar language on individual customers for years, this latest step represents one of the carrier’s boldest and most sweeping attempts to gain access to critical customer information for its own marketing purposes.
If you think you are protected because you have a Verizon master service agreement and do not buy under the master terms in the Verizon Price Guide, think again: Verizon routinely tries (often successfully) to induce existing customers to execute a seemingly innocuous one-page “Addendum” or “Consent to Use” document that looks just like the online terms.
Because Verizon’s revised CPNI/Confidential Information language – whether on the Verizon website or in stand-alone consent forms – is so broad, customers who accept the revised terms could, by consenting to widespread dissemination of confidential information to third parties, unwittingly expose themselves to substantial legal and financial risk.
Why CPNI is Valuable
Before we get into the details, a bit of background is in order.
Section 222 of the Communications Act of 1934 states that “Customer Proprietary Network Information” – basically call detail, circuit inventory and other information that appears on a customer’s bills – belongs to the customer. [See sidebar: Fine Print: What the Communications Act Says About CPNI] In a nutshell, §222 says that CPNI cannot be used or disclosed by the service provider for any purpose other than to provide service to the customer unless the customer gives its consent.
CPNI is valuable to carriers because it gives a detailed view into a customer’s actual usage patterns, and that information can help them to sell other services to that customer. It’s like online advertisers targeting you with custom ads based on your search history.
Many carriers – and especially Verizon – devote substantial time and effort to inducing customers to agree to allow the carrier to use CPNI for marketing purposes.
Some enterprise customers object to this, while others see no harm in allowing a carrier to use their CPNI to propose new or improved service offerings. However, it’s important to note that savvy customers who allow such use of their CPNI make sure to place strict limits on who gets access to it. They also demand continued acknowledgement from the carrier that the CPNI remains the customer’s confidential information.
These Revisions Threaten Your Enterprise
Verizon’s proposed revisions are dangerous for several reasons.
Most importantly, the revised terms cover not just CPNI (a relatively discrete set of information), but any customer confidential information. That is an enormous expansion in scope that on its face encompasses trade secrets, business plans, even third-party information (such as information about your customers).
The new provisions allow “Verizon Companies” (defined as Verizon, Verizon Wireless and their affiliates) to share a customer’s CPNI and confidential information not just with each other, but also with Vodafone and its agents, contractors and “partners.”
While these two items are bad enough, they are exacerbated by an even more serious problem: even as Verizon expanded the scope and reach of this provision, it failed to address the issues that inevitably will arise if Verizon gets access to a customer’s confidential information – such as liability on the part of the customer.
For example, there are no limits on the nature and type of the confidential information that the Verizon Companies can use or disclose to others. Nor is there any language that permits the customer to find out what information was disclosed and to whom, or requires the Verizon Companies to require the recipients of a customer’s confidential information to safeguard the information and dispose of it securely.
The Threat to Existing Verizon Customers
Verizon is putting customers on notice that it may try – if it has not already -- to get them to agree to the revised terms
The tip-off comes from new language (in bold) in the online terms that mentions a customer’s “signing […] this Agreement …” (emphasis added). The carrier’s CPNI/Confidential Information gambit could come in any of several forms: it could be a section in a routine amendment to an existing agreement, or it could be a stand-alone Consent form.
Whatever the form of the approach, Customers may find their account teams giving them a “hard sell” on the issue, suggesting that there is a government mandate behind it or that Verizon recently changed its policies and the customer needs to make a corresponding change to its agreement.
If you are presented with a stand-alone Consent or similar form, you should be aware of an important issue: customers often sign such forms without doing an appropriate review.
The forms are also dangerous from a contract administration point of view because, as drafted by Verizon, they apply to all contracts that the customer or its affiliates has with Verizon Business, Verizon Wireless, any other Verizon or Vodafone company. Because the forms don’t identify specific contracts, they may not be stored with all of the contracts to which they pertain. If this happens to you, your company’s records may not accurately reflect your rights and obligations with respect to your own confidential information.
What to Do to Protect Your Company
Take steps internally to ensure that all amendments and other documents provided to you by Verizon are carefully reviewed before they are executed. You may want to restrict the number of people authorized to sign on behalf of your company – and if you do, be sure to tell Verizon about this policy in order to avoid “apparent authority” problems.
If you are negotiating new agreements with Verizon, scrutinize the CPNI provisions. Be careful to protect your CPNI and confidential information from unnecessary disclosure. Consider structuring your agreements to make it more difficult to change confidentiality and other key provisions by, for example, requiring a contract amendment rather than just a blanket consent form. If contract amendments are administratively burdensome, consider including a contract term limiting the individuals who have authority to grant consents for use of CPNI and confidential information.
If you decide to grant some type of CPNI/Confidential Information authorization, be clear and specific about what you’re doing. Grant authorization only for project(s) where information sharing will generate a benefit for your company and then tailor the consent appropriately. That can be done by specifying the affected contracts, the kinds of information that can be shared, the identity of authorized recipients, and the specific purpose for which information can be used. You also should document an expiration date for the consent and the vendor’s liability for unauthorized use or disclosure by recipients, etc.
If you think you may have authorized Verizon to disclose CPNI or other information and want to revoke that authorization, notify Verizon at the email address listed in the language found here and consider seeking legal advice.
Justin G. Castillo and Ellen G. Block are partners in the law firm of Levine, Blaszak, Block & Boothby, LLP, which represents enterprise customers in negotiating and drafting complex IT and telecom services agreements with Verizon, AT&T, and other major service providers. Justin’s email is firstname.lastname@example.org. Follow Justin on Twitter @telecomattorney. Ellen’s email is email@example.com.