8 MS Teams Call Recording Compliance & Security Questions

8 Microsoft Teams Call Recording Questions About Compliance & Security

Microsoft Teams provides your organization with a dynamic unified communications platform. However, you’ll need to select a compliance recording platform in order to protect and benefit from all of the data that MS Teams delivers. The following 8 questions will help you to understand your primary concerns regarding security, data ownership, and compliance for your Microsoft Teams call recording platform.

1. Does the solution support multiple geographic locations & storage?

GDPR alone forces an enormous number of businesses to restrict where their call recordings are stored. This is because of data sovereignty, which requires that customer data be stored in the territory where it was captured. This gets even more complicated when those same calls need to be shared in a secure and compliant way outside their origin territory. Ah, but it’s not so complicated if your recording solution was built by a compliance-aware group of developers. The bottom line is that laws like GDPR have made handling customer data a challenge. A well-built cloud-based recorder can address both the data sovereignty and compliant sharing issues. The company that provides your solution should have a worldwide storage network that can satisfy the sovereignty regulation. If you don’t see anything about data sovereignty or compliant call sharing on their website, you’re taking a risk.

2. Does the solution support different user roles & granular security?

Imagine a company where every employee has access to the call recording platform. That means they can see all the incoming and outgoing numbers, listen back to the calls, and see agent notes and scores. They can delete or send any data they want at will. Now imagine what would happen if one of those employees turned out to have malicious or criminal intent. Your call recording platform is there to keep your business compliant, but if it doesn’t let you dictate strict user access privileges, you risk exposing the data, thereby breaking compliance. Your Microsoft Teams recorder must know who can access what in your company.

3. Does the solution support manual or automatic PCI compliance?

If your business takes credit cards over the phone, that means your call recordings contain vulnerable customer credit card numbers. The Payment Card Industry Data Security Standard (PCI DSS) requires those numbers to be removed, not only from your audio recordings but also from any place they exist, including screen recordings and transcripts. Does your platform give you an option to remove these numbers manually? Better yet, does it give you an option to remove these numbers from your recordings automatically? A feature like that will save you time and money for years to come.

4. How much control over recorded calls does the solution offer?

Data sovereignty is not the only storage issue that may arise with compliant call recording. What happens when you need to isolate specific calls that are part of an audit or dispute? Perhaps your plan in that scenario would be to simply download the call files locally, but removing that data from its encrypted storage may be a compliance violation. It’s a tricky situation, but there is a solution. Ask your solution provider if they have a “legal hold” function that suspends the standard storage retention indefinitely.

5. Does the solution have audit trails & history for all features?

Part of the answer to this question is another question: why do we even record these calls in the first place? Yes, laws compel us to, but there has to be a use associated with compliance laws. Call recordings help us trace disputes and issues back to the source through an audit process. However, just having a bunch of call recordings without external data about the call makes an audit nearly impossible. Your solution should extract the maximum amount of data, including timestamps, call duration, incoming and outgoing numbers, caller ID, PBX metadata, internal extension numbers, and agent ID. 

6. Does the solution support enhanced security controls?

It goes without saying: security is a paramount compliance issue. You should treat your call recording platform like you would a bank account. It’s filled with precious data about your customers and your company that must be protected at all times. Ask your solution provider if their platform supports multi-factor authentication, IP restrictions, and multiple authentication vendors like Azure AD, on-prem AD and Okta.

7. Does the vendor perform annual 3rd-party security reviews & audits?

Your calls are only as secure as the company that records and stores them. It should be standard to ask any vendor you’re evaluating if they perform penetration tests and audits on their platform and its storage network. If they say they don’t, walk away. If they say they do, ask them when the last penetration test was. This is not a “nice-to-have” feature; this is an absolute necessity.

8. Can you compliantly share audio & video without downloading calls?

The sharing of recorded call audio and video is a compliance minefield for companies. Customer data exposure is the subject of many lawsuits. Find out if your vendor leverages the power of the cloud for fully encrypted and compliant sharing of recorded customer interactions. If the vendor only allows calls to be downloaded, that’s a compliance violation right there. Your platform should allow you to share audio, video, and screen recordings without any downloading. This is done by using an encrypted link that allows only the recipient to view the data at its source. 

We’re always here to help you with any of your call recording questions. Reach out to us today.


Ryan Kahan – Co-Founder and CallCabinet Group Chief Executive Officer
Ryan is considered the pioneer of compliant cloud call recording with 20+ years of telecommunications experience. Ryan’s in-depth industry knowledge and penchant for creating in-demand solutions fueled the innovation of Atmos, a native cloud SaaS. Over the past seven years, Ryan has continued to modernize Atmos, making it the most mature compliance call recording solution available. Atmos delivers a rich suite of features that include AI-analytics, QA dashboard, agent evaluations, QA randomizer, agent scorecards, legal hold, individual call audit logs, and more. Atmos helps organizations turn their voice data into highly actionable business intelligence.