When organizations invest in call recording and quality management systems, it is important that they understand the impact this technology has on their current compliance processes. Most companies are required to be compliant with government or industry regulations and likely have processes in place to protect sensitive data captured in desktop applications. Sensitive data includes credit card information, patient health information and other personally identifiable information. Recording conversations where this data is being captured creates a new multimedia file that also needs to be protected. These multimedia files contain both audio (call recording) and video (screen recording) representations of the sensitive data. It is important that your recording solution has the tools to protect the information in these audio and video files, and maintain compliance.
The following elements need to be included in the recording and quality management system:
Secure Sockets Layer (SSL) – SSL is a cryptographic protocol used with web-based applications; current deployments use its successor, Transport Layer Security (TLS). The ability to use SSL/TLS to communicate with the recording application will further enhance a solution’s ability to protect the multimedia data.
Access Control Lists – Access Control Lists are used to establish individual and group rights to the application, features and data in the Call Recording system. The multiple permission layers typically leverage a unique user ID and strong password issued by a directory service, such as Microsoft Active Directory.
Scrubbing – Scrubbing is the act of permanently removing information from an audio or video file. Scrubbing tools are an important part of protecting the organization from having to retain and maintain sensitive information.
Pausing – Pausing is very similar to Scrubbing. However, instead of removing the sensitive audio or video segments from the recording, the recording is paused during the part of the call where protected information is shared and resumes when notified.
Encryption – Encryption is another method for protecting recorded data. With full or partial encryption, the privileged content is encrypted (256-bit AES) so that only users with the passcode can view and listen to the recorded interaction.
Audit Logs – Audit logs are required by PCI, HIPAA and other regulatory organizations. Audit Logs capture all administrative and user activity within the system including who accessed a file and what actions were taken.
Recording Archival – Retention policies for recordings vary between businesses and industries, and they often change over time. An optimum solution allows for multiple recording and retention programs. For instance, an agent quality management program may only require a recording be kept for 1 year, while laws requiring retention of “verbal consents” or Telephonic Signatures may require recordings to be kept for up to 7 years.
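To make the difference between the Scrubbing and Pausing items above concrete, here is an added example (not code from this page or from any recording product) that applies both to a constructed in-memory WAV file. All function names are assumptions chosen for illustration, and only the audio side is shown.

```python
import io
import wave

def make_wav(seconds, rate=8000):
    """Constructed sample: mono 16-bit PCM where every sample is non-zero."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"\x01\x10" * (seconds * rate))
    return buf.getvalue()

def read_pcm(wav_bytes):
    with wave.open(io.BytesIO(wav_bytes), "rb") as r:
        return r.getparams(), r.readframes(r.getnframes())

def write_pcm(params, frames):
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)  # header frame count is corrected when the file closes
        w.writeframes(frames)
    return buf.getvalue()

def window(params, start_s, end_s, nbytes):
    """Convert a time window to frame-aligned byte offsets, clamped to the file."""
    if end_s < start_s:
        raise ValueError("window end precedes start")
    fsize = params.sampwidth * params.nchannels
    def to_off(s):
        return min(max(int(s * params.framerate), 0) * fsize, nbytes)
    return to_off(start_s), to_off(end_s)

def scrub(wav_bytes, start_s, end_s):
    """Scrubbing: overwrite the window with silence; call length is unchanged."""
    params, frames = read_pcm(wav_bytes)
    a, b = window(params, start_s, end_s, len(frames))
    silence = b"\x80" if params.sampwidth == 1 else b"\x00"  # 8-bit PCM is unsigned
    return write_pcm(params, frames[:a] + silence * (b - a) + frames[b:])

def pause(wav_bytes, start_s, end_s):
    """Pausing: the window is never written, so the recording is shorter."""
    params, frames = read_pcm(wav_bytes)
    a, b = window(params, start_s, end_s, len(frames))
    return write_pcm(params, frames[:a] + frames[b:])

def duration(wav_bytes):
    params, frames = read_pcm(wav_bytes)
    return len(frames) / (params.sampwidth * params.nchannels * params.framerate)
```

Scrubbing only removes the information permanently if the scrubbed file replaces the original and every stored copy of it; the matching screen-recording segment needs the same treatment.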