This article describes various Certificates and compliances, Bill and Acts on data privacy, security and prevention of Robocalls as adopted by countries around the world pertaining to Interconnected VoIP providers, telecommunications services, wireless telephone companies etc
Compliance certificates by Industry types
HIPAA (Health Insurance Portability and Accountability Act)
Deals with privacy and security of personal medical records and electronic health care transaction
Applicability: If VoIP company handles medical information
- Not allowed Voice mail transcription
- Should have End-to-End Encryption
- Restrict using unsecured WiFi networks to prevent Snooping
- User security, strong password rules and mandatory monthly change
- Secure Firmware on VoIP phones
- Maintaining Call and Access Logs
SOX( Sarbanes Oxley Act of 2002)
Also known as SOX, SarbOX or Public Company Accounting Reform and Investor Protection Act
Applicability: if managing the communications operations of a regulated, publicly-traded company
- Retain records which include financial and other sensitive data
- ways employees are provided or denied access to records or data based on their roles and responsibilities
- do an information audit by a trusted third party.
- Retention and deletion of files such as audio files like voicemails, text messages, video clips, declared paper records, storage, and logs of communications activities
- Physical and digital security controls around cloud-based VoIP applications and the networks
Privacy Related Compliance certificates
COPPA (Children’s Online Privacy Protection Act ) of 1998
prohibits deceptive marketing to children under the age of 13, or collect personal information without disclosure to their parents.
Any information is to be passed on to a third party, must be easy for the child’s guardian to review and/or protect
A 2011 amendment requires that the data collected was erased after a period of time.
2014 FTC issued guidelines that apps and app stores require “verifiable parental consent.”
CPNI (Customer Proprietary Network Information) 2007
CPNI (Customer Proprietary Network Information) in united states is the information that communication providers acquire about their subscribers. This Individually identifiable information that is created by a customer’s relationship with a provider, such as data about the frequency, duration, and timing of calls, the information on a customer’s bill, and call identifying information. This processing information is governed strictly by FCC and certification should be renewed on an annual basis
The provider can pass along that information to marketers to sell other services, as long as the customer is notified
Communications Assistance for Law Enforcement Act (CALEA) conducts electronic surveillance by imposing specific obligations on “telecommunications carriers” for assisting law enforcement, including delivering call interception and call identification functionality to the government with a minimum of interference to customer service and privacy.
GDPR (General Data Protection Regulation) in European Union 2018
Supersedes the 1995 Data Protection Directive
Establishes requirements of organizations that process data, defines the rights of individuals to manage their data, and outlines penalties for those who violate these rights.
No personal data may be processed unless this processing is done under one of six lawful bases specified by the regulation ( consent, contract, public task, vital interest, legitimate interest or legal requirement). When the processing is based on consent the data subject has the right to revoke it at any time.
Controllers must notify Supervising Authorities (SA)s of a personal data breach within 72 hours of learning of the breach.
California Consumer Privacy Act (CCPA) 2019
Consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.
Allows consumers to know whether their personal data is sold or disclosed, to whom.
Allows opt-out right for sales of personal information
Right to deletion — to request a business to delete any personal information about a consumer collected from that consumer
Personal Data Protection Bill (PDP) — India 2018
This bill introduces various private and sensitive protection frameworks like restriction on retention of personal data, Right to correction and erasure (such as the right to be forgotten) , Prohibition and transparency of the processing of personal data. It also classifies data fiduciaries including certain social media intermediaries.
The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.
Other data privacy acts similar to GDPR
- South Korea’s Personal Information Protection Act 2011
- Brazil’s Lei Geral de Proteçao de Dados (LGPD) 2020
- Privacy Amendment (Notifiable Data Breaches) to Australia’s Privacy Act 2018
- Japan’s Act on Protection of Personal Information 2017
- Thailand Personal Data Protection Act (PDPA) 2020
Features offered by VOIP companies for Data privacy
- Access Control & Logging
- Auto Data Redaction / Account Deletion policy
- SIEM (Security information and event management) alerts
- Information security, Encrypted Storage For Recordings & Transcripts
- Disclosing all third-party services that are involved in data processing too
- Role-Based Access Control and 2 Factor Authentication
- Data Security Audits and appointing data protection officer to oversee GDPR compliance
Against Robocalls and SPIT ( SPAM over Internet Telephony)
2009 Truth in Caller ID Act
Telephone Consumer Protection Act of 1991
Implementation of Do not call registry against the use of robocalls, automatic dialers, and other methods of communication
Do-Not-Call Implementation Act of 2003
if a business has an established relationship with a customer, it can continue to call them for up to 18 months. If a consumer calls the company, say, to ask for information about the product or service, the company has three months to get back to him.
if the customer asks to not receive calls, the company must stop calling, or be subject to fines.
Exemptions — Calls from a not-for-profit B organisation, informational messages as flight cancellations, Calls from sales and debt collectors etc
Personal Data Privacy and Security Act 2009
Implemented to curb identity theft and computer hacking. Sensitive personally identifiable information includes the victim’s name, social security number, home address, fingerprint/biometrics data, date of birth, and bank account numbers.
Any company that is breached must notify the affected individuals by mail, telephone, or email, and the message must include information on the company and how to get in touch with credit reporting agencies
If the breach involves government or national security, the company must also contact the Secret Service within fourteen days
TRACED Act (Telephone Robocall Abuse Criminal Enforcement and Deterrence) 2019
Canadian Radio-television and Telecommunications Commission (CRTC) 2018 -32
A solution mechanism has already been standardised and active in adoption called STIR / SHAKEN ( Secure Telephony Identity Revisited / Signature-based Handling of Asserted information using toKENs) described in another article here.
FCC E911 E911 / VoIP E911 rules
Unlike traditional telephone connections, which are tied to a physical location, VOIP’s packet-switched technology allows a particular number to be anywhere making it more difficult for it to reach localised services like emergency numbers of Public Safety Answering Points (PSAPs) . Thus FCC regulations as well as the New and Emerging Technologies 911 Improvement Act of 2008 (NET 911 Act), interconnected VoIP providers are required to provide 911 and E911 service.
Originally published at http://telecom.altanai.com on January 20, 2020.