The video technology hub | Pexip

What secrets do your call detail records reveal about your company? | Pexip

Written by Ian Mortimer, CTO at Pexip | Jan 28, 2023 6:21:52 AM

Protecting your confidential information is about more than just ensuring the meeting itself is secure. It’s about protecting all the data surrounding that meeting too, such as who is meeting whom and when.

 

Imagine for a minute that Company A is in talks to merge with Company B. Historically rivals, this merger will send ripples of shock across the industry. Both are listed companies, and no information about their intended joining of forces has been communicated. Prior to announcing, A and B will host regular video meetings to hammer out the final details and begin the regulatory approval process.

 

For Companies A and B, this merger is still highly confidential. And it is far from a certainty. The conversations held within the video meetings are well protected by both companies’ security protocols. But what about the call detail records (CDR)? This information would reveal to Hacker X that Company A and B have recently begun to meet frequently. It would offer identifying information about the people in the meetings, as well as the dates and times. It wouldn’t take much of a genius to ascertain the purpose of the meetings.

 

 

To truly secure your meetings, your call detail records must be protected

 

“The term CDR encompasses all the data produced during a telecommunications exchange, including phone and video calls or even text messages. The data shows a record of all the exchanges, including time, duration, source number and destination number. Typically, these records are collected and stored by the telecommunications provider, and certain employees will have access to it,” says Joel Bilheimer, Cyber Security Lead for Pexip. In a recent case between the U.S. Federal Trade Commission versus Kochava Inc., an online advertising company, Kochava was accused of selling geolocation data from many millions of mobile devices, in a supposed attempt to identify who had visited reproductive health clinics. The consumers themselves were left completely unaware of this use of their data.

 

“We often don’t think of the data trail that we leave behind as we go about our day. This information can reveal a great deal about who we are and what we are doing, and it should be protected just as rigorously as the actual conversation that took place,” adds Bilheimer. “And doing that means that even the telecommunications provider should not have access to the detailed information.”

 

 

Growing privacy regulation impacts use and protection of CDR data

 

Europe and the U.S. are both waking up to the risks associated with CDR data, introducing new legislative and regulatory requirements (think GDPR, Schrems II and the California Consumer Privacy Act). Companies must now ensure that the telecommunications vendors they are using are in full compliance with these laws and regulations.

“Organizations should be aware of every external location that may have access to CDR metadata and hold those service providers accountable. Make sure that your data, if it is located externally, is stored in a secured cloud environment, such as a FedRAMP-compliant cloud service. Validate that your service providers include metadata, including CDR data, in their data security policy, and ensure that said policies match your organizational risk profile,” says Bilheimer.

 

Learn more about Pexip Secure Meetings