Voice recording is commonplace, especially in highly regulated sectors of the economy where, for example, credit card payments are taken and organisations must adhere to PCI-DSS and the rules of the Financial Services Authority (FSA).
Just like any other data, voice recordings must be retained for compliance purposes. So, what voice data must be stored and how? And how should compliance for voice recording fit into a wider storage, backup and security strategy?
In this podcast, ComputerWeekly.com storage editor Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about the implication for voice recording of legal and regulatory compliance and how this affects the storage and backup of voice recordings.
Antony Adshead: To what compliance requirements are voice recordings subject?
Mathieu Gorge: Firstly, let’s have a look at voice systems and voice recording. If you look at voice recording, what we mean by that is details of the caller, the caller ID, potentially the call duration and the call content, ie what was discussed on the call.
All of them are typically subject to regulations like those from the FSA, which mandates that some types of calls need to be kept and recorded for compliance purposes, but also the Data Protection Act, the Freedom of Information Act and if you’re taking credit card payments over the phone, PCI-DSS.
So, it’s important to understand what can go wrong with voice systems and voice recordings. There are issues such as toll fraud, where somebody uses a premium line and repatriates all of the phones into their account by making fake calls. There are also phishing attacks, eavesdropping, and there is also telephone denial of service where someone sends a lot of requests onto your system and prevents genuine calls from coming through.
There are also issues with interactive voice response (IVR) systems as well as issues with call recording systems which may or may not be as secure as they should be and despite all that still record the voice message and voice conversations.
All this creates a fairly unique challenge in terms of storage and security.
Adshead: What are the storage and backup implications of voice recording technology?
Mathieu Gorge: So, if we look at the two main challenges surrounding storage and backup for voice recording technology the first one is to store the right information securely and the second one is storing the logs pertaining to the voice information that you have stored.
So, if you look at storing the right information securely you obviously need to know what information to store, how to identify it, what not to store, how long you need to store it and how you dispose of it when you have finished with it and no longer have a legal requirement to keep it.
More on legal and regulatory compliance
- Principles of compliance in the financial services industry
- Podcast: Demystifying big data storage for the board
- Podcast: What’s new in PCI-DSS and PA-DSS version 3.0?
- Big data security: getting a grip on multiple data sources
- Data classification policy: What it is and how to do it
- Podcast: Why HIPAA compliance provides a storage template for all
- Podcast: Why you need a cloud storage compliance audit
From the technology perspective the advice is to work with a supplier that will allow you to identify automatically some type of information during the voice recording or potentially would allow agents to stop the recording when, for example, a payment is carried out by credit card.
It’s not necessarily very easy to do. You may need to integrate with other solutions that would be hardware- or software-based and that will integrate with your communications systems.
The second thing is to look at solutions that allow you to secure access to the stored information. So, the same way as you would have a firewall to protect a server you would need to have a specific type of firewalling for your voice system. There are some very innovative new technologies, such as Pbxwall, that will allow you to do that type of stuff.
The second aspect is storing the logs and access to the logs. If something goes wrong and for legal purposes you need to go back and produce the voice recording you need to make sure the recording has not been tampered with, that the tracking information is accurate, that the integrity of the voice recording is beyond any doubt. And the same applies for e-discovery.
So, again it’s important to work with technology that allows you to tag the information, access the information in the right way and to make sure that information is kept completely secure and the integrity of the information is not questionable.
In summary, the moral of the story here is that your voice strategy in terms of storage and backup needs to be part of a wider backup and storage strategy and it also needs to link in very closely with your security strategy because otherwise you will not meet the compliance requirements of the FSA, the Data Protection Act, PCI and Freedom of Information Act.
This was first published in June 2014