Pick up an article in the information technology, records management or electronic discovery trade press, and you will see that information is moving to the "cloud." What is the cloud? Perhaps the simplest definition is information stored remotely on a service provider's equipment, typically accessed over the Internet through a browser. This trend is advancing at an amazing pace, and it is not limited to a corporation's own information; it extends to the transactional information of the corporation and its customers.

A degree of care is required when outsourcing transactional information to ensure the protection of both your and your customers' information. Set forth below are considerations to weigh if you are going to outsource transactional processing.

• Privacy policy: Establish a written policy regarding the protection of your and your customers' information. Publish that policy not only within your organization but also to your outsourced providers and customers, and make it available to your customers on your public website.
• Choosing the appropriate vendor: It is important to understand who your provider is. You should also understand who works for your provider, including how it screens its employees and whether it performs criminal background and reference checks on employees who will have access to your data.
• Contractual provisions regarding data security: Set forth in detail your service provider's obligations regarding the protection of your transactional records, including the specific data security precautions the provider will undertake.
• Confidentiality agreement: Your provider and each of its employees who will have access to your data should execute an agreement regarding the confidential nature of your and your customers' information.
• Reviewing your provider's data security protections and practices: Conduct an audit of your provider's data security practices. Visit the provider and its data center. Determine what physical security is in place over the information, including whether there is 24/7 security at the location and how access is granted to the facility as well as to the equipment. Examine also the network topology, data security precautions, firewall security and procedures for handling customer data.
• Access control: Access control rights to the system are important. Determine how appropriate levels of access are granted, including whether you will rely on basic password protection (e.g. user ID and password) or more sophisticated protection, such as a digital certificate, biometrics or a security token. Ensure that there is a policy for periodic changing of passwords and the use of complex passwords (e.g. requirements on numbers, letters, symbols and length).
• Customer identification and access: Many transactional systems allow for customer access. Ensure that your provider has a process in place to monitor and maintain customer identifications, passwords and clearances.
• Encryption: Ensure that any data transmitted over the Internet is appropriately encrypted or protected through a virtual private network connection. Also ensure that data stored on local machines is appropriately encrypted.
• Monitoring: Ensure that either your provider or your IT staff monitors the transactional system so that unauthorized access is detected and prevented.
• Audit trail: Create an appropriate real-time audit trail that tracks transactional details in an understandable, agreed-upon format.
• Contingency plan in the event of a breach: At some point, there may be a data security breach. Ensure that you have a contingency plan in place, including notification by your provider of any breach as well as agreed-upon action points to remedy such incidents.

Like anything else in the IT realm, prior planning prevents poor performance. With careful planning and attention to the points set forth above, you can outsource your transactional records to an appropriate third-party provider and ensure that your data and that of your customers will be appropriately protected.

JOHN ROSENTHAL is a partner at the law firm of Winston & Strawn LLP (www.winston.com). Mr. Rosenthal is the Chairman of the firm's Electronic Discovery & Information Management Practice Group. Mr. Rosenthal advises companies on e-discovery and records management risk mitigation and best practices.
