
Original Publication: Call Center Magazine - November 2006
Having been a victim of identity theft, I know firsthand the frustration and anxiety that come with the crime. To me it was akin to having someone walk into my home and take whatever they wanted while I stood there and helplessly watched.
As a consumer the experience prompted me to do two things. First, I got in touch with the credit bureaus to see just what dire straits I was in. Once I understood the extent of the damage and remedied it, I imposed limits on how my credit can be issued (hint: this is something everyone should do). Second, I committed myself to never do business with either the financial services company that compromised my personal information or the credit card company that so easily allowed someone masquerading as me to exploit the information.
That was over five years ago. Although I don't do business with these two very large companies that failed to protect my information, I'm sorry to say that things have only gotten worse in the world of identity theft. Rarely does a day go by that a high profile company is not noted in the press for having "lost" sensitive customer information. This has resulted in the rapid erosion of consumer confidence in the industry's ability to effectively address the problem.
In a recent survey conducted by Ventana Research, the author, Richard Snow, notes that in the United Kingdom, "nearly 50 percent of companies aren't doing enough to control the use of customer data." [1] It is not difficult to extrapolate this to other regions, including North America, EMEA and the Far East, as companies push their contact center operations offshore or enable alternative means of providing service, such as home-sourcing, in an effort to control costs.
The extent of abuse defined in the Ventana Research report is hard to imagine when you consider existing industry and government regulations, like the Visa-sponsored Payment Card Industry Data Security Standard (PCI DSS) and the European Data Protection Act (DPA), that are becoming increasingly punitive for privacy violations. Beyond the multitude of existing regulations there are no fewer than six bills, including the Identity Theft Protection Act and the Financial Data Protection Act, currently making their way through the US Congress with the goal of fixing the problem by imposing severe consequences for misusing private consumer information.
What Does This Have To Do With Contact Centers?
Everyone agrees that contact centers are at the tip of the spear when it comes to defining the need for safeguarding sensitive customer information. However, contact center executives are faced with a dichotomy. On one hand, their agents must have all the information required to expeditiously deliver quality service to customers. Without it customer satisfaction suffers as does agent productivity. On the other hand, they must provide an environment that ensures the proper handling of sensitive or private information to mitigate risk.
Historically, the best that most contact centers could do to thwart intentional or inadvertent abuse of information was to implement physical security measures, like security cameras, and to restrict pen and paper or electronic objects (e.g., personal cameras and mobile phones) in the workplace.
Beyond physical security measures, contact centers need to be careful not to lull themselves into believing that digital security measures such as having end-to-end encryption and password protection will effectively mitigate their risk or satisfy the requirements set forth in the various regulations. Once the information is presented on an agent's console, every digital security measure put in place to get the information there becomes moot because it's at that point where it is most prone to be abused.
Take Steps Today
When considering options to safeguard sensitive or private customer information like Social Security Number (SSN), credit card numbers, address, date of birth, driver's license number, etc., contact centers need to do three things:
1. Assemble a cross-functional team
2. Determine your needs
3. Create and implement a plan
When preparing to discuss your needs and available options, be sure that all the stakeholders are involved. Having representatives from executive management, risk/audit, operations and IT involved from the beginning will help ensure that whatever solution you choose to implement will have the best chance of realizing your objectives.
In determining your needs, be prepared to explore questions like:
1. What can be done to safely remove information from my terminals that is not required by my agents to adequately perform their job? For example, determine if they need to see the entire SSN to verify an identity or if just the last four digits provide enough detail.
2. What reports can be created to help us stay aware of how customer information is being accessed and used? Understanding this will not only help determine where information vulnerabilities exist, but it can also be used to gauge and improve agent productivity.
3. How can the removal of sensitive data and the creation of reports be used to demonstrate compliance with government and industry regulations? Virtually every existing and pending regulation requires proof that the appropriate measures are implemented.
4. How can I be alerted if an agent is acting suspiciously when accessing applications or data? As busy as everyone is today, we need ways to quickly drill down on behavioral anomalies. For example, what does it mean if an agent accesses 100 customer records in a given shift when he or she normally only accesses 20? It could be something totally harmless like an unusually productive day, but it is certainly worth exploring.
5. How can I incorporate all essential safeguards without adversely impacting the productivity and quality of my agents? Any solution you implement must pass the litmus test of not having a negative impact on agent productivity or morale.
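One way to approach question 4, as an added example that is not part of the original article: count the distinct customer records each agent opens per shift and compare the count with that agent's own history. The audit-log layout, the agent IDs, the 3x ratio and the three-shift minimum history are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

def build_log():
    """Constructed sample audit log: (agent_id, shift_date, customer_record_id)."""
    log = []
    # Agent a17 normally opens about 20 records per shift, then 100 in one shift.
    for day, n in enumerate([19, 20, 21, 20, 20, 100], start=1):
        log += [("a17", f"2006-11-{day:02d}", f"c{day}-{i}") for i in range(n)]
    # Agent a42 is consistently busier; a fixed global limit would misjudge both.
    for day, n in enumerate([35, 38, 36, 37, 36, 39], start=1):
        log += [("a42", f"2006-11-{day:02d}", f"c{day}-{i}") for i in range(n)]
    # Re-opening the same record must not inflate the count.
    log.append(("a42", "2006-11-06", "c6-0"))
    return log

def shift_counts(log):
    """Distinct customer records each agent opened in each shift."""
    seen = defaultdict(set)
    for agent, shift, record in log:
        seen[(agent, shift)].add(record)
    counts = defaultdict(dict)
    for (agent, shift), records in seen.items():
        counts[agent][shift] = len(records)
    return counts

def flag_anomalies(log, ratio=3.0, min_history=3):
    """Return (agent, shift, count, baseline) where count > ratio * baseline.

    The baseline is the median of the agent's earlier shifts, so one past
    spike does not raise the bar for later ones.
    """
    alerts = []
    for agent, per_shift in shift_counts(log).items():
        shifts = sorted(per_shift)
        for i, shift in enumerate(shifts):
            history = [per_shift[s] for s in shifts[:i]]
            if len(history) < min_history:
                continue  # not enough history to judge this agent yet
            baseline = median(history)
            if per_shift[shift] > ratio * baseline:
                alerts.append((agent, shift, per_shift[shift], baseline))
    return alerts

if __name__ == "__main__":
    for agent, shift, count, baseline in flag_anomalies(build_log()):
        print(f"review: {agent} opened {count} records on {shift} (baseline {baseline})")
```

An alert here is a prompt for a supervisor to look, not a finding: as the question itself notes, the spike may simply be an unusually productive day.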
Document your findings in an actionable plan with specific milestones for completion. With a long-term view, your plan should reflect anticipated gains in security measures, level of compliance and risk mitigation. Make sure that the plan identifies the potential impact to agent productivity with tangible costs as well as any expected savings.
Understanding the financial impact of implementing a robust security solution will help build the basis to create a return on investment (ROI) model and serve to facilitate funding of any solution. Include "what if" scenarios to validate planned strategies by creating a snapshot of the potential upside and downside associated with each one. Finally, be sure to include a communications plan that regularly informs and educates all contact center employees of the importance and urgency of safeguarding information.
Conclusion
Ventana Research states, "this [information security] is a universal problem and companies should do more to implement processes that limit agents' access only to data they really need, ensure proper procedures are followed, and support them with technology that can highlight instances in which the processes are not fully adhered to." [2]
Data breaches are a fact of life. In a report issued by Alinean, a leading ROI company, the author states, "based on historical data, the most costly breaches are data destruction or damage and information theft and disclosure. On average, responding to and resolving this type of breach will take 120 hours or more of IT staff time, with a cost estimated at $350,000. Then there is the cost associated with having to reconstruct or face the loss of the company's intellectual property contained in the corrupted data, which has been estimated at $250,000 per incident. These types of breaches occur on average once for every thousand users, creating the potential for large companies to spend millions each year." [3]
By focusing on and putting best practices in place today, you stand the best chance of preventing the embarrassment, loss of goodwill and hard dollar expense associated with misuse of information. Be dogged and proactive by staying in front of the challenge because, as sad as it sounds, every day new techniques are being invented to compromise your data. Nobody wants to wake up one morning to see their company's name headlining a newspaper article tied to information loss or abuse.
1. Snow, Richard. Is Your Customer Data At Risk? Ventana Research, 2006.
2. Ibid.
3. Pisello, Tom. Is There a Business Case for IT Security? Alinean, 2004.
About the Author
Gary Davis is Vice President of Marketing for Cerebit. He has over 16 years of experience crafting solutions to solve complex security, integration and application management challenges for companies. You can e-mail Gary at gdavis@cerebit.com. You can find out more about Cerebit by going to www.cerebit.com.