Jan. 28 2010 12:00 AM

Pick up an article in information technology, records management or electronic discovery trade press, and you will see that information is moving to the "cloud." What is the cloud? Perhaps the simplest definition is information stored remotely on a service provider's equipment, typically accessed over the Internet on a browser. This is a trend we are witnessing at an amazing pace and one not just limited to a corporation's own information, but also the transactional information of the corporation and its customers.

A degree of care is required when outsourcing transactional information to ensure the protection of both your and your customers' information. Set forth below are considerations to the extent you are going to outsource transactional processing.

  • Privacy policy: Establish a written policy regarding the protection of your and your customer's information. Publish that policy not only to your organization but also to your outsourced providers and customers, and make it available on your public website to your customers.
  • Choosing the appropriate vendor: It is important to understand who is your provider. You should also understand who works for your provider, including how they screen their employees and whether they do a criminal background and reference checks with respect to employees that will have access to your data.
  • Contractual provisions regarding data security: Set forth in detail your service provider's obligations regarding the protection of your transactional records, including the specific data security precautions that will be undertaken by the provider.
  • Confidentiality agreement: Your provider and each of its employees who will have access to your data should execute an agreement regarding the confidential nature of your and your customers' information.
  • Reviewing your provider's data security protections and practices: Conduct an audit of your provider's data security practice. Visit the provider and its data center. Determine what physical security is in place over the information, including whether there is 24/7 security at the location and how access is granted to the facility, as well as the equipment. Examine also the network typology, data security precautions, firewall security and procedures for handling customer data.
  • Access control: Access control rights to the system are important. Determine how appropriate levels of access control are granted, including whether you will reply on basic password protection (e.g. user ID and password) or more sophisticated protection, such as a digital certificate, biometrics or a security token. Ensure that there is a policy for periodic changing of passwords and the use of complex passwords (e.g. including numbers, letters, symbols and character length).
  • Customer identification and access: Many transactional systems allow for customer access. Ensure that your provider has a process in place to monitor and maintain customer identifications, passwords and clearances.
  • Encryption: Ensure that any data that is transmitted over the Internet is appropriately encrypted or protected through a virtual private network connection. Also ensure that data stored on local machines are appropriately encrypted.
  • Monitoring: Ensure that either your provider or your IT staff are monitoring the transactional system so that there is no unauthorized access.
  • Audit trail: Create an appropriate real time audit trail that tracks transactional details in an understandable and agreeable format.
  • Contingency plan in the event of a breach: At some point, there may be a data security breach. Ensure that you have a contingency plan in place, including notifications by your provider of any breaches as well as agreed-upon action points to remedy those instances.

Like anything else in the IT realm, prior planning prevents poor performance. With careful planning and addressing the points set forth above, you can outsource your transactional records to an appropriate third-party provider and ensure that your data and that of your customers will be appropriately protected.

JOHN ROSENTHAL is a partner at the law firm of Winston & Strawn LLP (www.winston.com). Mr. Rosenthal is the Chairman of the firms Electronic Discovery & Information Management Practice Group. Mr. Rosenthal advises companies on e-discovery and records management risk mitigation and best practices.

Be the "Tails"
Post your responses to Mr. Rosenthal's statements at our LinkedIn Discussion here>>