Essential Security for Call Centre Data Storage: Part 1

Guest Blog by Charles Burger, Global Director of Assureon Solutions at Nexsan, a StorCentric company


Published: November 6, 2019


Call centres have a responsibility to safely store customer data. Yet in a highly regulated industry, call centres face special challenges with secure data storage. In addition to figuring out how to safeguard sensitive information that is stored, some of these challenges include:

  • Adhering to an alphabet soup of regulatory guidelines and industry requirements such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), the European Union’s General Data Protection Regulation (GDPR), the new California Consumer Privacy Act (CCPA) plus many others
  • Keeping on top of changes to these compliance regulations (which occur frequently) and understanding/meeting new compliance requirements as they are added
  • Ensuring the integrity of the remaining stored data when personal data is removed (for example, to honour a deletion request)
  • Assessing the call centre’s level of preparedness to handle new customers in relation to evolving requirements
  • Determining if the call centre is agile enough to manoeuvre within current compliance frameworks
  • Dealing with the possibility of being fined or receiving a penalty for non-compliance

The fact is that non-compliance is costly, and audit findings are more common than you might think. A 2017 Ponemon Institute study, "The True Cost of Compliance with Data Protection Regulations", put the average cost of non-compliance at $14.82 million per organisation, up 45 percent on the 2011 edition of the same study. This is why secure and compliant storage of customer data is so vital.

Sorting Out Storage Needs by Compliance Realities

Going back to the challenge of “alphabet soup” above, each set of regulations and guidelines necessitates a unique and targeted approach to ensuring compliance, which affects how an organization should store its data compliantly. Below is a run-down of key storage considerations to keep in mind for each type of regulation:

HIPAA compliance. Any organisation that stores or handles protected health information must comply with the HIPAA Security Rule. That covers not only healthcare providers and insurers but call centres and telemedicine services working on their behalf, which makes them business associates under HIPAA. The key definition is in 45 CFR § 164.304, which defines a security incident as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."

For storage this means two things: electronic protected health information (ePHI) must be protected against unauthorised modification or destruction, and every access to it, successful or merely attempted, must be recorded. The Security Rule states both directly, as the audit-controls standard (45 CFR § 164.312(b)) and the integrity standard (§ 164.312(c)). Ordinary SAN and NAS volumes, on which any sufficiently privileged account can overwrite or delete data without leaving a trace, are not designed for this, however common they are. Verizon's 2018 Data Breach Investigations Report found that the majority of breaches (68 percent) went undiscovered for months or longer, which is why a regulated body such as a call centre must be able to retrieve its audit logs and complete audit trail on demand and show who accessed which data at any given point in time. Being unable to produce the full access history, including the origin of an unauthorised modification, or even of an attempted but denied access to ePHI, can itself amount to non-compliance. HIPAA does not prescribe how often stored data must be checked for authenticity, but continuous integrity monitoring also gives early warning of ransomware and other tampering.
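The audit-trail requirement above, as an added example that is not from the original post or from Nexsan: a hash-chained, append-only access log in Go. Each entry commits to the previous entry's hash, so editing, reordering or deleting a past entry breaks the chain and Verify reports the first bad position; History answers the auditor's "who touched this record, and when?" question, including denied attempts. The field set, record names, actor names and timestamps are constructed for illustration, not a schema HIPAA prescribes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// AuditEvent is one entry in a hash-chained access log (constructed field set).
type AuditEvent struct {
	Seq      int    // 1-based position in the log
	Time     string // timestamp supplied by the caller
	Actor    string // user or service account that touched the record
	Action   string // "read", "write", "delete", ...
	Record   string // identifier of the ePHI object touched
	Outcome  string // "success" or "denied"
	PrevHash string // Hash of the previous entry (genesisHash for the first)
	Hash     string // SHA-256 over every field above, hex-encoded
}

// genesisHash anchors the chain before the first entry.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// AuditLog is an append-only list of events. It is kept in memory here; a real
// deployment writes each entry to immutable (WORM) storage as it is produced.
type AuditLog struct {
	Entries []AuditEvent
}

// entryHash binds every field, including the link to the previous entry, into
// one digest. Append rejects '|' in fields so the serialisation is unambiguous.
func entryHash(e AuditEvent) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|%s|%s|%s|%s",
		e.Seq, e.Time, e.Actor, e.Action, e.Record, e.Outcome, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Append records an access event and chains it to the previous entry.
func (l *AuditLog) Append(t, actor, action, record, outcome string) error {
	for _, f := range []string{t, actor, action, record, outcome} {
		if strings.ContainsRune(f, '|') {
			return errors.New("audit fields may not contain '|'")
		}
	}
	e := AuditEvent{Seq: len(l.Entries) + 1, Time: t, Actor: actor,
		Action: action, Record: record, Outcome: outcome, PrevHash: l.Head()}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return nil
}

// Head returns the latest hash. Copying it to a separate system after each
// write is what makes silent truncation of the log's tail detectable.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return genesisHash
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify recomputes the chain. It returns 0 if every entry is intact, or the
// 1-based position of the first entry that was altered, reordered or removed.
func (l *AuditLog) Verify() (int, error) {
	prev := genesisHash
	for i, e := range l.Entries {
		pos := i + 1
		switch {
		case e.Seq != pos:
			return pos, fmt.Errorf("entry %d carries sequence %d: entry missing or reordered", pos, e.Seq)
		case e.PrevHash != prev:
			return pos, fmt.Errorf("entry %d: link to previous entry broken", pos)
		case entryHash(e) != e.Hash:
			return pos, fmt.Errorf("entry %d: contents changed after it was written", pos)
		}
		prev = e.Hash
	}
	return 0, nil
}

// History answers the auditor's question "who touched this record, and when?".
func (l *AuditLog) History(record string) []AuditEvent {
	var out []AuditEvent
	for _, e := range l.Entries {
		if e.Record == record {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	var al AuditLog // constructed sample events for one patient record
	_ = al.Append("2019-11-06T09:00:00Z", "agent17", "read", "patient/4412", "success")
	_ = al.Append("2019-11-06T09:01:30Z", "agent17", "write", "patient/4412", "success")
	_ = al.Append("2019-11-06T09:02:10Z", "contractor9", "read", "patient/4412", "denied")
	fmt.Println("events for patient/4412:", len(al.History("patient/4412")), "head:", al.Head())
	al.Entries[1].Actor = "unknown" // someone edits entry 2 to hide who changed the record
	bad, err := al.Verify()
	fmt.Println("first bad entry:", bad, err)
}
```

Two caveats a practitioner should note. The chain alone cannot detect that the newest entries were simply cut off, because a truncated log still verifies; that is why Head() exists, and why its value should be copied after every write to storage the log writer cannot alter. And the chain proves that the log was not changed after the fact, not that every access was logged in the first place; that guarantee has to come from the storage system refusing access that bypasses the logging path.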

PCI DSS requirements. The standard exists to safeguard cardholder data wherever it is stored, processed or transmitted, and to ensure it is encrypted whenever it crosses a public network. Reading the requirements closely shows how tall an order fully compliant storage is.

Requirement 3 (protect stored cardholder data) and Requirement 4 (encrypt transmission of cardholder data across open, public networks), numbered 3.1 through 4.1 in the standard, are the ones that shape storage. Requirement 3.1 obliges organisations to keep a data-retention and disposal policy that limits stored cardholder data to what the business and the law require, and to purge it securely once that period ends. Requirement 3.2 goes further: sensitive authentication data (full track data, card-verification codes, PINs) must never be stored after authorisation, even encrypted, which matters for call recordings in which a customer reads out a card number and security code. Requirement 3.4 requires the primary account number (PAN) to be rendered unreadable wherever it is stored, including in backups and logs, for example with strong cryptography, and 3.5 and 3.6 require documented procedures for protecting and managing the keys: restricting access to them, storing them in a secure form, changing them at the end of their cryptoperiod and retiring any key suspected of compromise. Requirement 4.1 extends the same demand for strong cryptography to cardholder data in transit.
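Requirements 3.4 through 3.6 in practice, as an added example in Go (not code from the original post or from Nexsan): envelope encryption for stored cardholder data. Each record is encrypted under its own AES-256-GCM data key (DEK), every DEK is wrapped under a key-encryption key (KEK) held apart from the data, and disposal at the end of the retention period is done by destroying the wrapped DEK rather than hunting down every copy of the ciphertext. The in-memory KEK, the record IDs and the PAN 4111111111111111 (a commonly used test number, not a real card) are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Vault holds the key-encryption key (KEK) and each record's data key (DEK) wrapped
// under it; both in memory here, whereas a PCI environment keeps the KEK in an HSM/KMS.
type Vault struct {
	kek  []byte
	keys map[string][]byte // record ID -> DEK wrapped under the KEK
}

func NewVault() (*Vault, error) {
	kek := make([]byte, 32) // AES-256 key-encryption key
	_, err := io.ReadFull(rand.Reader, kek)
	return &Vault{kek: kek, keys: map[string][]byte{}}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||AES-GCM ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the aad or any ciphertext byte differs.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Store encrypts a record under a fresh DEK and wraps that DEK under the KEK. The
// record ID is AAD on both layers, so data or keys copied between records will not open.
func (v *Vault) Store(id string, plaintext []byte) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	wrapped, err := seal(v.kek, dek, []byte(id))
	if err != nil {
		return nil, err
	}
	v.keys[id] = wrapped
	return seal(dek, plaintext, []byte(id))
}

// Retrieve unwraps the record's DEK and decrypts the stored ciphertext.
func (v *Vault) Retrieve(id string, ciphertext []byte) ([]byte, error) {
	wrapped, ok := v.keys[id]
	if !ok {
		return nil, fmt.Errorf("no key for %q: disposed or never stored", id)
	}
	dek, err := open(v.kek, wrapped, []byte(id))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", id, err)
	}
	return open(dek, ciphertext, []byte(id))
}

// Dispose is crypto-shredding: once the wrapped DEK is gone, every copy of the
// ciphertext, backups included, is unrecoverable. A real key store also zeroes it.
func (v *Vault) Dispose(id string) {
	delete(v.keys, id)
}

func main() {
	v, _ := NewVault()
	ct, _ := v.Store("txn-1001", []byte("4111111111111111")) // constructed test PAN
	v.Dispose("txn-1001")
	_, err := v.Retrieve("txn-1001", ct)
	fmt.Println("after crypto-shredding:", err)
}
```

With this layout, key rotation under Requirement 3.6 becomes cheap: a new KEK is introduced by unwrapping each DEK under the old KEK and re-wrapping it under the new one, and the ciphertext on disk is never rewritten. Two things the example deliberately does not do are store the wrapped keys alongside the data (which would turn crypto-shredding back into ordinary deletion) and store the card-verification code at all, which Requirement 3.2 forbids regardless of encryption.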

GDPR’s accountability principle. GDPR’s accountability principle (Article 5(2)) requires a controller not only to comply with the data-protection principles but to be able to demonstrate that compliance. It sits alongside the right to erasure in Article 17, popularly called “the right to be forgotten”, under which a data subject can require their personal data to be deleted. Meeting both is largely a matter of documentation: policies that give staff clear instructions on the data-protection requirements, and records that let the organisation answer any question a regulator might raise.

When preparing your data protection policy, the following areas should be considered to stay GDPR compliant:

  • The specific categories of data the policy covers
  • The party responsible for each category, and any staff with specific obligations under the policy
  • Any additional rules, industry practices or codes of conduct that apply beyond data-protection law
  • The circumstances in which data is retained and those in which it is deleted
  • The circumstances in which specific data is exempt from the general retention and deletion rules (for example, records that must be kept to meet a legal obligation)

California Consumer Privacy Act regulations. The clock is ticking for organisations to prepare for CCPA, which takes effect on January 1, 2020. CCPA protects consumers by requiring businesses to disclose what personal information they collect and why, and by giving consumers the right to have that information deleted and to opt out of its sale to other entities. It also requires any business that collects personal information to implement reasonable security procedures and practices to protect it.

Individuals gain a slew of new rights under CCPA, and organisations must be prepared to honour them. Once the regulations take effect, a consumer is entitled to learn, free of charge, what personal information a business has collected about them, and the business must answer such requests up to twice in any 12-month period. If a consumer’s unencrypted and unredacted personal information is exposed in a breach caused by a failure to maintain reasonable security, the consumer can sue the business directly for statutory damages. The practical lesson is twofold: encrypt stored personal data properly (data that was encrypted when breached does not trigger this private right of action), and keep clearly documented security procedures that can be produced quickly after a breach.

CCPA defines personal information broadly. The categories it lists include identifiers such as names and account numbers; commercial information such as purchase records; internet activity such as browsing and search history; biometric and geolocation data; audio, electronic and visual information, which covers call recordings and surveillance footage; and professional or employment-related information, under which payroll and benefits records, employment contracts, performance reviews and job applications fall. The obligations attach to the data, not to where it lives, so they follow it into backup files.

In Part 2 of this article, we explore some additional security challenges that call centres must handle—including management of multiple compliance requirements and protecting data from ransomware attacks. We’ll also discuss strategies organizations can take to ensure their data stays securely protected, while still remaining fully compliant with the full panoply of constantly changing data regulations. 


Charles Burger is the Global Director of Assureon Solutions at Nexsan, A StorCentric Company. For over nine years he’s served as the architect for customers within the strictly regulated financial, medical, law enforcement, state/local and federal government markets. Nexsan channel partners and end customers value and depend upon his wealth of knowledge and hands-on expertise in enterprise storage and regulations compliance, especially those with ECM applications that are core to successful medical systems like PACS and patient history. Prior to Nexsan, Burger held senior sales and systems integrator positions with Sterling Computers; Sun Microsystems, where he designed, sold and integrated commercial and federal systems (SunFed); and Procom Technology. He holds a B.A. from the University of Wisconsin-Madison where he majored in Political Science, and minored in Criminal Law and History.

