Lasar Letter on the Federal Communications Commission    
 




 

Justice Department wants phone companies to delay telling consumers that their calling records have been stolen

by Matthew Lasar  Jan 6 2007 - 4:23pm     

The Department of Justice (DOJ) has formally asked the Federal Communications Commission to "include a mechanism of delay" in any rules requiring phone companies to notify consumers that their records have been "pretexted"—that is, stolen. The delay would last at least a week, and could go on indefinitely.

"Allowing for delayed consumer notification in appropriate cases enhances our ability to investigate the circumstances surrounding the loss of the data and, thereby, advances consumer protection," Deputy Attorney General Paul McNulty wrote to the FCC on December 28th, 2006.

The DOJ request comes in the context of an FCC proceeding to establish security measures against "pretexters": con artists who trick phone companies into disclosing customer records, then sell those records to others.

In February of 2006, the FCC opened a new rulemaking proceeding on pretexting, requested by the Electronic Privacy Information Center (EPIC). The proceeding asked the public to comment on five security measures proposed by EPIC to protect customer phone data: passwords set by customers, better tracking of customer records, encryption of records, limits to how long companies can keep customer data, and letting customers know if the security of their records has been compromised.

During the course of this comment cycle the DOJ, Federal Bureau of Investigation, and Department of Homeland Security have repeatedly asked the FCC to include rules that delay letting customers know if the security of their records has been breached. The December 28th DOJ filing includes suggested language to effect such a delay.

McNulty proposes that if a phone company discovers that consumer records have been pretexted:

  • The carrier will not notify the consumer of the security breach until seven days after it has notified the FBI and the United States Secret Service, unless
  • the company believes that there is an "extraordinarily urgent need" to notify customers in order to avoid "irreparable harm," but
  • if the "relevant investigating agency" decides that letting consumers know that their data has been stolen could compromise an investigation, the agency could tell the carrier not to disclose the breach for "an initial period" of 30 days. "Such period may be extended by the agency as reasonably necessary in the judgment of the agency."
  • The agency will then let the carrier know when it is permissible to let the consumer or consumers know that their data has been stolen, or, as the DOJ puts it, "when it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security."

The DOJ argues that immediately letting customers know that their calling records have been obtained by pretexters could tip off the culprits, "causing them, among other things, to destroy evidence, change their behavior, and accelerate their illegal use of any data before consumers or company victims can act." Delaying notification could allow law enforcement to conduct an ongoing undercover investigation, McNulty's filing contends.

In late September an FCC official told the House Commerce Committee that the Commission would soon vote on new rules to combat pretexting, but such a decision may have been delayed by controversial questions such as the AT&T/BellSouth merger, now approved by the agency.

