Pick up an article in information technology, records management or electronic discovery trade press, and you will see that information is moving to the "cloud." What is the cloud? Perhaps the simplest definition is information stored remotely on a service provider's equipment, typically accessed over the Internet on a browser. This is a trend we are witnessing at an amazing pace and one not just limited to a corporation's own information, but also the transactional information of the corporation and its customers. A degree of care is required when outsourcing transactional information to ensure the protection of both your and your customers' information. Set forth below are considerations to the extent you are going to outsource transactional processing.
- Privacy policy: Establish a written policy regarding the protection of your and your customers' information. Publish that policy not only to your organization but also to your outsourced providers and customers, and make it available on your public website to your customers.
- Choosing the appropriate vendor: It is important to understand who your provider is. You should also understand who works for your provider, including how they screen their employees and whether they do criminal background and reference checks with respect to employees that will have access to your data.
- Contractual provisions regarding data security: Set forth in detail your service provider's obligations regarding the protection of your transactional records, including the specific data security precautions that will be undertaken by the provider.
- Confidentiality agreement: Your provider and each of its employees who will have access to your data should execute an agreement regarding the confidential nature of your and your customers' information.
- Reviewing your provider's data security protections and practices: Conduct an audit of your provider's data security practice. Visit the provider and its data center. Determine what physical security is in place over the information, including whether there is 24/7 security at the location and how access is granted to the facility, as well as the equipment. Examine also the network topology, data security precautions, firewall security and procedures for handling customer data.
- Access control: Access control rights to the system are important. Determine how appropriate levels of access control are granted, including whether you will rely on basic password protection (e.g. user ID and password) or more sophisticated protection, such as a digital certificate, biometrics or a security token. Ensure that there is a policy for periodic changing of passwords and the use of complex passwords (e.g. including numbers, letters, symbols and character length).
- Customer identification and access: Many transactional systems allow for customer access. Ensure that your provider has a process in place to monitor and maintain customer identifications, passwords and clearances.
- Encryption: Ensure that any data that is transmitted over the Internet is appropriately encrypted or protected through a virtual private network connection. Also ensure that data stored on local machines is appropriately encrypted.
- Monitoring: Ensure that either your provider or your IT staff are monitoring the transactional system so that there is no unauthorized access.
- Audit trail: Create an appropriate real-time audit trail that tracks transactional details in an understandable and agreeable format.
- Contingency plan in the event of a breach: At some point, there may be a data security breach. Ensure that you have a contingency plan in place, including notifications by your provider of any breaches as well as agreed-upon action points to remedy those instances.
Like anything else in the IT realm, prior planning prevents poor performance. With careful planning and addressing the points set forth above, you can outsource your transactional records to an appropriate third-party provider and ensure that your data and that of your customers will be appropriately protected.
JOHN ROSENTHAL is a partner at the law firm of Winston & Strawn LLP (www.winston.com). Mr. Rosenthal is the Chairman of the firm's Electronic Discovery & Information Management Practice Group. Mr. Rosenthal advises companies on e-discovery and records management risk mitigation and best practices.