Hyperion Research

Global E-Billing: Global Access and Data Privacy

Written by Eyal Iffergan | Mar 30, 2015 3:00:43 PM

Every step of the e-billing process, regardless of region, must be controlled through a combination of transport-level technologies and process-level controls. E-Billing programs must provide security against data vulnerabilities, including between physical and logical processing process steps. Suitable security related measures must be employed to ensure that trusted processes cannot be compromised.

 

Web-Based E-Billing Systems

Current legal e-billing systems rely on the use of Web-based collaboration portals to facilitate the exchange of electronic invoice data and information.  While the process may be fully electronic, it nonetheless requires a manual, human interaction.  The manual aspects of the process raise special control considerations for the e-billing system.

The controls necessary for authenticating the Web portal and the person in these scenarios depend heavily on the functionality available in the portal after logging in to the system. For example, an invoicing portal that allows ad hoc creation and sending of electronic invoices would require more stringent controls than a portal that only allows a purchase order to be turned into an e-invoice (a so-called purchase-order flip or PO-flip) without freedom to change data.

Differing classes of access should be provided to portal applications. Read-only access may be granted to auditors or service-desk personnel, neither of whom should be able to create, amend or delete any E-Invoices. For portals that only allow purchase order flip, basic authentication of the Web portal based on server-side SSL / TLS (8) and authentication of the individual based on username and password should be satisfactory. It should however be noted that such a web portal would still require a very high degree of security in general and in particular in the process relating to the purchase order upload.

For portals allowing more freedom in the process of creating or changing E-Invoices, additional measures should be considered. These measures should focus on increased user authentication based on client-side certificates—or at least two-factor authentication—as well as increased Web portal authentication using for example Extended Validation (EV) certificates.

A portal application should make clear distinction between invoices that are rejected because of technical reason and those rejected because of business reasons. These rejections or failures may occur at any time between initial data entry and delivery to the customer. A regular reconciliation report, or an automatic process, should be constructed so that supplier and customer are able to check that manual portal output reconciles completely with their internal systems.

 

Data Privacy Considerations

Data privacy regulations have important implications for both corporations and law firms pursuing an e-Billing program.  Core principles of these regulations address:

  • Limiting data to what is adequate, relevant, and not excessive
  • Collect data only for specific, explicit and legitimate purposes
  • Data processing methods that are fair and lawful
  • Ensure data accuracy
  • Limit storage and retention of data only as long as necessary for the purpose

Any direct or indirect information about an individual is within scope of the Data Privacy regime.  The collection or processing of personal data requires either consent or compliance with a specific (and limited) interest as enumerated in the Directive and enacting laws.  In addition to collection and processing, controllers of personal data must also comply with strict regulations about ensuring the security of information.

The cross-border transfer of personal data- creates particular complexity.  A number of data privacy governing bodies help develop compliant protocols.  Generally, there is consistency amongst European countries.  However, it is important for organizations to develop data privacy controls that meet the rules of every jurisdiction in which they transact business involving personal data.