Downtime is contingent on shifting labor from one task to yours. Inquire about the number of employees at each site to ensure they have the bodies to cover business continuity situations.
Obviously, you want the least amount of downtime possible. However, you need to ensure that the protocols in place for your communications are carried over to the second location. Quicker doesn’t always mean better. When looking at downtime estimates, be sure that every necessary precaution is taken.
Where: Geography and Security
Every customer communications vendor must have multiple locations. In the case of a disaster, power outage, or any other potential risk, you’ll want to ensure that your vendor’s additional locations are in different areas.
Having locations within the same state or even region could be risky, especially when the disaster is a tornado, hurricane or blizzard. These weather conditions can disrupt operations across a broad path. A good rule is for locations to be in different regions of the country. Make sure to ask and confirm which location is the primary one for your customer communications and which is the secondary.
Security of the second location should also be scrutinized. Just because it’s a backup solution doesn’t mean it shouldn’t have the same security protocols as the main sites, including restricted access and surveillance.
With customer communications comes the need for adherence to numerous regulations. From invoices to explanation of benefits (EOBs) to payments, all these communications include sensitive information that must be protected. While you may have knowledge of the compliance measures of your vendor at their main operations, you still need to know that other locations mirror these.
Do your due diligence here to mitigate any compliance risks or possible breaches. If a breach occurs, you’re just as responsible as your vendor. Along with a hit to your brand’s credibility, there is a monetary cost, which on average is $4 million per breach.
First, you need to protect any personally identifiable information (PII), which is everything from names to Social Security numbers to account numbers. Then there are industry-specific guidelines like the Health Insurance Portability and Accountability Act (HIPAA), which regulates how private healthcare information is used. Another is the Gramm-Leach-Bliley Act (GLBA), which dictates how financial institutions disclose and safeguard private financial details.
Compliance requirements don’t change if operations are disrupted. No regulating agency is going to overlook non-compliance even in the face of disaster. Feel confident in your vendor’s ability to comply with federal, state and industry regulations.
Disaster Recovery: Does Your Vendor Make the Grade?
After reviewing all the possible areas of weakness, what grade would you give your current vendor? Ideally, the vendor’s disaster recovery plan should be multi-tiered, focusing on protection, sustainment and recovery. You should experience little to no downtime, as if nothing occurred. Systems in each location should be redundant and ready to take over should something occur to the main location. Choose a vendor with a scalable, secure and compliant cloud infrastructure.
If you aren’t sure about your vendor’s business continuity plan or don’t feel confident in their ability, it may be time to change your provider. At PCI Group, our business continuity plan is transparent and free of vulnerabilities. Learn more about how we can help by seeing a demo of our solution.