In Part 1 of this article, we provided an overview of considerations for secure data storage for call centres. These recommendations were based on specific compliance requirements from some of the main regulations and guidelines that companies need to adhere to, which include:
- The Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- The EU’s General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA)
But the fact is, depending on what kind of data you’re capturing, organisations may need to deal with juggling more than one set of requirements for compliance from multiple regulatory bodies. This adds an extra layer of management and complexity when considering your approach to storing call centre data securely. If you’re HIPAA compliant with a customer service call, for instance, you may not be out of the woods in terms of regulatory due diligence. Such a call might additionally need to adhere to rules for the other three sets of guidelines above and/or Personally Identifiable Information (PII).
A number of increasingly common security-related interactions and transactions have started to muddy the waters regarding responsibility for data protection from a compliance perspective. On-call services generally now require consumers to disclose personal information as part of the call centre’s authentication measures to help verify that the person calling is indeed the policyholder. Key identifiers that consumers or patients might be asked to provide include sensitive data such as their social security number, little-known personal details such as parent or other family members’ names, and the consumer’s home address. Occasionally, in medical call centres, the caller may even need to provide a credit card number for a co-payment to be able to continue the call. Organisations should seek legal counsel as to how these forms of personal data should be safely stored, retained, and disposed of—and what internal policies need to be put in place to ensure adherence.
Another challenge to data protection is posed by malware and ransomware since. If these sinister programs penetrate your network, customer data can be exposed—and as we saw in Part 1 of this series, companies that become the victims of such data breaches can be liable from a compliance perspective. The end result can be a trickle-down effect of negative outcomes for companies that are on the receiving end of a ransomware attack, starting with aggravations from downtime and lost data, escalating into lost business revenue and consumer trust, as well as potential fees from failure to comply with data protection regulations.
Strategies for Secure Storage
In light of the challenges above, the best way that an enterprise can safeguard customer data from a compliance perspective is to approach the task systematically, rather than in a piecemeal fashion. Investing in a compliant storage system ensures that all your bases are covered without needing to worry about managing the details. Companies should take the time to compare storage products head to head, as not every system is designed to comply with all required regulations.
As you begin your comparative process, use the following framework to guide you in asking the right questions:
- Who are your clients? Your product comparison should start by thinking about your specific clients. So ask: What are the compliance steps that are required in your clients’ industries? Your secure storage solution must be able to address those issues
- How flexible is the storage product? Given the regulatory realities discussed in this series, companies need the ability to both store data per compliance guidelines, and also be able to modify the storage system to address any new requirements that an agency adds over time. Configuration flexibility is key in both instances. So ask: what needs do we have for custom programming, in addition to what the storage system provides?
- Does the compliant storage system provide data protection? Traditionally, storing data has just been about backing the information up, not actually protecting the files. But with the advent of increased regulatory pressures on organisations, data has become much more precious. Think about how great the risk of data loss is now that IT must be concerned not just with ensuring that the data isn’t lost, but also being able to instantly offer proof that data has been stored in a compliant manner with proper procedures, revealing full audit trails to regulatory agencies on demand. So ask: does this storage system offer true data protection measures when it comes to integrity, silent data corruption, real-time audits, and immutability of the original files?
- Can the system preserve original call recordings? Ideally, you want your system to create a “digital fingerprint” for the original file as well as metadata. So ask: does your solution have a way to preserve original data and call recordings?
- Can data integrity be validated? Data is vulnerable to a wide range of prey, from viruses and tampering to silent data corruption. So ask: does the compliant storage system have a way to automatically validate archived data’s integrity?
- Can the system remove personal information? Many companies find it difficult to deal with meeting all of the new requirements for data retention under GDPR and CCPA. So ask: does the compliant storage system have the ability to ensure that after data has been approved for deletion, records are actually removed and forever destroyed? Ideally, your system will also have a feature to allow for postponement of optional deletion at the company’s discretion
- Does the system allow for encryption in flight and at rest? Whether being transferred between sites or archived, encryption is needed for ultimate security. So ask: are stored files encrypted with their own unique key, and can in-flight files use an encrypted tunnel for data protection?
By asking yourself the questions above as you conduct your evaluation of compliant storage systems, you will be positioning your call center for proper preparation to meet its full range of requirements for regulatory compliance.
Guest Blog by Charles Burger, Global Director of Assureon Solutions at Nexsan, a StorCentric company
Charles Burger is the Global Director of Assureon Solutions at Nexsan, A StorCentric Company. For over nine years he’s served as the architect for customers within the strictly regulated financial, medical, law enforcement, state/local and federal government markets. Nexsan channel partners and end customers value and depend upon his wealth of knowledge and hands-on expertise in enterprise storage and regulations compliance, especially those with ECM applications that are core to successful medical systems like PACS and patient history. Prior to Nexsan, Burger held senior sales and systems integrator positions with Sterling Computers; Sun Microsystems, where he designed, sold and integrated commercial and federal systems (SunFed); and Procom Technology. He holds a B.A. from the University of Wisconsin-Madison where he majored in Political Science, and minored in Criminal Law and History.
