Switching from the public telephone network to voice over IP (VoIP) technology for your organization's voice communications, or incorporating VoIP into your existing voice/data communications strategy, can raise legal as well as technological issues.
In the United States, depending on the industry or field to which your business belongs, VoIP communications may be subject to the security and privacy requirements imposed by federal and/or state statutes. In Europe, your communications may be subject to the European Union's electronic communications regulations. You could also run into issues with liability in relation to enhanced emergency (E911) services.
Let's look at some of the most common legal issues you should consider when planning a new VoIP implementation.
The usual suspects: SOX, GLBA, and HIPAA
The three most high-profile sets of U.S. federal regulations that affect IT departments are the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA or GLB), and the Health Insurance Portability and Accountability Act (HIPAA). You're probably already familiar with these acts, but let's review the basics.
Congress passed the Sarbanes-Oxley Act (named after its sponsors in the U.S. Senate and House of Representatives) in 2002 in response to a tidal wave of corporate accounting scandals (Enron, Tyco, WorldCom, and others). Its formal name is the Public Company Accounting Reform and Investor Protection Act of 2002. This legislation only applies to companies with publicly traded stock.
The most relevant section to IT is Section 404. This section requires management to establish and maintain an "adequate internal control structure, and issue an annual report on the effectiveness of such controls, which must be in turn reported on and attested to by an independent auditor."
Congress passed the Gramm-Leach-Bliley Act (also named after its sponsors) in 1999 to allow commercial banks to offer investment and insurance services. It also included provisions to protect the privacy of consumer information collected by companies in the financial sector.
Its formal name is the Financial Services Modernization Act. However, GLBA uses a broad definition of financial institution—it covers not just banks, credit unions, credit card companies, loan companies, and the like, but also insurance companies, securities brokers, real estate appraisers, retail establishments that issue their own credit cards, tax preparers, debt collectors, and any other organization "significantly involved in financial activities."
The most relevant section to IT is Section 501 of Subtitle A. It requires companies to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security and integrity of such records, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
While Congress passed HIPAA in 1996, its most relevant section—the Privacy Rule—didn't go into effect until 2003. It applies to organizations that handle medical records or other personal health information. This includes hospitals, doctors' offices, nursing homes, HMOs, insurance companies, social service agencies that provide medical or mental health services, and employers that provide on-site health care for employees. All personal medical information that's stored or transmitted electronically is subject to HIPAA regulations.
HIPAA requires that organizations ensure the confidentiality, integrity, and availability of electronic protected health information, protect against reasonably anticipated threats and hazards, and protect against unauthorized uses or disclosures of the protected information.
What's VoIP got to do with it?
You'll notice that all of these regulations have one thing in common—the protection of the integrity and/or privacy of certain types of information. A SOX auditor, for example, would examine internal controls such as password strength, encryption, and vulnerability testing. Some areas of concern might be whether your VoIP implementation maintains usage logs, how you use these logs in the billing process, and how you track administrative changes. Do you have a strong authentication mechanism in place to prevent unauthorized use of the system?
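One way to turn the "usage logs" and "strong authentication" questions above into something an auditor can actually see is to run detection logic over the PBX's own registration log. The following is an added example, not code from the article: it parses constructed log lines in the style of an Asterisk chan_sip "Registration from ... failed" notice (the exact format, timestamps, usernames and addresses are assumptions made up for this example) and flags any source address that produces a burst of failed registrations, which is the usual signature of password guessing against SIP extensions.

```python
"""Flag SIP registration brute-force attempts from PBX log lines.

Added example. The log line format below is a constructed approximation of an
Asterisk-style 'Registration from ... failed' notice; it is not taken from the
article, and all addresses, extensions and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). One source address tries several
# extensions in a few seconds; a second source has a single typo-style failure.
SAMPLE_LOG = """\
[2024-03-04 09:00:01] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.test>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-04 09:00:02] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.test>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-04 09:00:02] NOTICE[2231] chan_sip.c: Registration from '"1002" <sip:1002@pbx.example.test>' failed for '198.51.100.7:5060' - No matching peer found
[2024-03-04 09:00:03] NOTICE[2231] chan_sip.c: Registration from '"1003" <sip:1003@pbx.example.test>' failed for '198.51.100.7:5060' - No matching peer found
[2024-03-04 09:00:04] NOTICE[2231] chan_sip.c: Registration from '"admin" <sip:admin@pbx.example.test>' failed for '198.51.100.7:5060' - No matching peer found
[2024-03-04 09:00:05] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.test>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-04 09:00:06] VERBOSE[2231] chan_sip.c: Unrelated verbose line that the parser must ignore
[2024-03-04 09:05:00] NOTICE[2231] chan_sip.c: Registration from '"2001" <sip:2001@pbx.example.test>' failed for '203.0.113.9:5060' - Wrong password
"""

# Captures timestamp, attempted username, source IP and the PBX's failure reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"?(?P<user>[^\"'<]+?)\"?(?: <[^>]*>)?' failed for "
    r"'(?P<ip>[^:']+)(?::\d+)?' - (?P<reason>.+)$"
)


def parse_line(line):
    """Return {ts, user, ip, reason} for a registration-failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "user": m.group("user"),
        "ip": m.group("ip"),
        "reason": m.group("reason"),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "users": k}} for every source address that
    produced at least `threshold` failed registrations inside any `window`.
    `failures` is the peak count in one window; `users` is the number of
    distinct extensions tried, which rises when an attacker is enumerating."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in events]
        peak, j = 0, 0
        # Sliding window: j advances monotonically, so this is linear per source.
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            alerts[ip] = {"failures": peak, "users": len({e["user"] for e in events})}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures, {info['users']} distinct extensions tried")
```

With the constructed sample, only 198.51.100.7 is flagged (six failures across four extension names in five seconds); the single failure from 203.0.113.9 stays below the threshold. Feeding the real PBX log through the same function on a schedule, and keeping its output with the usage logs, gives the auditor a concrete record that unauthorized-use attempts are being watched for.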
A HIPAA or GLBA audit would focus more on data privacy:
- Do you have adequate encryption schemes in place to prevent the unauthorized interception of calls that discuss private financial or medical information?
- Do you use "soft phone" systems—those that run on a regular PC alongside other applications and thus are more susceptible to security threats—or dedicated "hard phones" and private branch exchange (PBX) systems running on a dedicated appliance or server with a hardened OS?
- Have you integrated your VoIP network with your data network, which exposes it to more security threats, or is it isolated on a dedicated VLAN?
- Do you transmit VoIP over wireless technology?
- If so, do you use strong wireless encryption such as Wi-Fi Protected Access (WPA) rather than weaker encryption methods such as Wired Equivalent Privacy (WEP)?
Making VoIP compliant
Remember that your VoIP network is an IP network and therefore subject to all of the same security threats as an IP data network. Here are some best practices for keeping your VoIP implementation compliant with common security requirements:
- Logical separation of the voice and data networks
- Strong authentication—complex passwords, password expiration policies, and good identity management
- Dedicated VoIP servers on hardened operating systems with all unnecessary services disabled
- Encryption of communications and control packets via IPsec, Transport Layer Security (TLS), WPA, and other encryption methods
- VoIP-aware firewalls
- Avoidance of soft phones where possible
- Security of calls stored on voice messaging systems
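Several of the items in the list above (encrypted signaling and media, strong credentials, unauthenticated endpoints) are settings in the PBX configuration, so they can be checked mechanically before an audit rather than by eye. The following is an added example, not code from the article or from any PBX vendor: it reads an INI-style configuration using section and key names modeled on Asterisk's pjsip.conf (type, protocol, transport, media_encryption, auth, username, password), and reports each endpoint that talks SIP without TLS, sends media without SRTP, or authenticates with a weak password. Both configurations in the block are constructed; the hardened one is the corrected counterpart of the weak one.

```python
"""Audit a pjsip.conf-style configuration against a VoIP hardening checklist.

Added example. Section/key names follow Asterisk pjsip.conf conventions, but the
configurations themselves are constructed for this example; the section names
([1001], [auth1001], [transport-udp]) and file paths are assumptions, not a real
deployment.
"""
import configparser

# Constructed "before": plaintext SIP over UDP, unencrypted RTP, password == extension.
WEAK_CONFIG = """\
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0

[1001]
type=endpoint
transport=transport-udp
media_encryption=no
auth=auth1001
aors=1001

[auth1001]
type=auth
auth_type=userpass
username=1001
password=1001
"""

# Constructed "after": TLS transport on 5061, SRTP (sdes) for media, long random password.
HARDENED_CONFIG = """\
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/pbx.crt
priv_key_file=/etc/asterisk/keys/pbx.key
method=tlsv1_2

[1001]
type=endpoint
transport=transport-tls
media_encryption=sdes
auth=auth1001
aors=1001

[auth1001]
type=auth
auth_type=userpass
username=1001
password=Xk7pQ2mZ9vL4nR8wT3eB
"""


def _sections_of_type(cfg, kind):
    """Map section name -> section for every section whose type= matches `kind`."""
    return {name: cfg[name] for name in cfg.sections() if cfg[name].get("type") == kind}


def audit(config_text, min_password_len=12):
    """Return a list of human-readable findings; an empty list means every endpoint
    passes the signaling-encryption, media-encryption and credential checks."""
    # interpolation=None so '%' in passwords is not treated specially; strict=False
    # tolerates repeated keys such as multiple allow= lines.
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read_string(config_text)
    transports = _sections_of_type(cfg, "transport")
    auths = _sections_of_type(cfg, "auth")
    findings = []

    for name, ep in _sections_of_type(cfg, "endpoint").items():
        transport = transports.get(ep.get("transport", ""))
        proto = transport.get("protocol", "udp") if transport is not None else "unknown"
        if proto != "tls":
            findings.append(f"{name}: SIP signaling uses {proto} transport; move it to a TLS transport")

        if ep.get("media_encryption", "no") not in ("sdes", "dtls"):
            findings.append(f"{name}: RTP media is not encrypted; set media_encryption=sdes or dtls")

        auth = auths.get(ep.get("auth", ""))
        if auth is None:
            findings.append(f"{name}: no auth section; registration is unauthenticated")
        else:
            password, username = auth.get("password", ""), auth.get("username", "")
            if len(password) < min_password_len or password == username:
                findings.append(
                    f"{name}: weak SIP password (shorter than {min_password_len} "
                    f"characters or equal to the username)"
                )
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(text) or ["no findings"]:
            print(" -", finding)
```

Run against the weak configuration the audit produces three findings (UDP signaling, unencrypted media, password equal to the username); against the hardened one it produces none. The check deliberately stops at what the configuration file can prove; whether the TLS certificate is valid, whether the voice VLAN is really isolated, and whether voicemail storage is protected are questions the file cannot answer and still need to be verified separately.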
What about E911?
Enhanced 911 (E911) is a mechanism that automatically associates a caller's phone number with the caller's physical address and displays that address to the 911 operator at the emergency station. In 2005, the Federal Communications Commission adopted a rule that requires all VoIP providers to provide E911 service to their customers.
This is relatively easy to do with landlines—the line itself connects to a specific physical location. For mobile phones, you can establish location using GPS built into phones or through triangulation between radio towers.
It becomes more complicated with VoIP, however, because VoIP numbers and equipment are portable—you can move the equipment to a new location and continue to use the same telephone number, which may have an area code that's in a different city or state from the equipment's location. Thus VoIP customers are required to register their physical locations with the VoIP provider, which can transfer that information to the emergency services station if a user makes a 911 call.
If your company doesn't keep its E911 location information up to date and accurate, it could be legally liable for a delay in emergency response services if the 911 operator doesn't have the proper address information.
In addition to the technological issues, don't forget to consider legal issues when planning your VoIP deployment. It's a good idea to run them by an attorney who has experience with communications and business law before rolling VoIP out in your organization.
Debra Littlejohn Shinder, MCSE, MVP, is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. She currently specializes in security issues and Microsoft products, and she has received Microsoft's Most Valuable Professional (MVP) status in Windows Server Security. Deb is also a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, the CompTIA Security+ exam, and TruSecure's ICSA certification.