2. PRIVACY DO’S AND DON’TS FOR CUSTOMER SERVICE REPRESENTATIVES
Last month a major telecommunications company was hit with a $25 million fine for data protection
violations that occurred in 2013 and 2014 in several of its outsourced contact centers in Mexico,
Colombia, and the Philippines.
The fine was part of a settlement that the telecommunications company reached with the Federal
Communications Commission (FCC).
In several incidents, employees at the company’s contact centers reportedly passed the names,
full or partial Social Security numbers, and other account information of about 280,000 U.S.
customers of the telecommunications company to illegal third parties, who then used the information to
unlock stolen cell phones.
The $25 million fine is the largest data security enforcement action to date for a consumer privacy breach.
3. CONSUMER PRIVACY – EXTERNAL THEMATIC ISSUES
Safeguarding customer information is everyone's responsibility
Failure to safeguard customer information is expensive for companies
Civil, criminal, legal and regulatory costs are rising for companies
A hacker can make between $250 and $400 for each Social Security number, especially when it is
paired with other personal information such as names, addresses, email addresses, employment
records and birth dates
Keeping valuable customer data out of the hands of cyber-thieves is a constant battle
4. THE TOTAL NUMBER OF DATA BREACHES HIT A RECORD HIGH OF 783 IN 2014
[Figure: Reported Data Breaches in the United States Since 2010. Bar chart; x-axis: Years (2010 to 2014); y-axis: Number of Data Breaches (0 to 800).]
Source: Identity Theft Resource Center (ITRC)
5. CONSUMER DATA PROTECTION LAWS HAVE EVOLVED IN RECENT YEARS RESULTING
IN HEIGHTENED COMPLIANCE AND RISK MANAGEMENT ISSUES
1. Health Insurance Portability and Accountability Act (HIPAA) applicable to the health care industry
2. Gramm-Leach-Bliley Act (GLBA) "safeguards" regulations for financial institutions
3. State insurance law analogs to GLBA Safeguard Rule applicable for financial institutions
4. State laws governing businesses that maintain personal information of residents (e.g. Massachusetts,
Nevada and California)
5. Massachusetts: a "Written Information Security Program" (WISP) is required if a company has personal
information of Massachusetts residents, even if the company itself is not present in the state.
6. DESPITE THE GROWING NUMBER OF ATTACKS COMPANIES ARE STILL NOT DOING
ENOUGH TO PROTECT PERSONALLY IDENTIFIABLE INFORMATION (PII)
Data security
Downgrading risk - not assigning data security the appropriate level of importance
Lack of resources and a "critical disconnect" between chief information officers and senior leadership
Key Question - Is there a lack of resources and a critical disconnect between heads of customer
service organizations and the people employed to serve customers across different channels like
phone, email and chat?
7. COMPANIES MUST ADOPT REASONABLE DATA SECURITY MEASURES
FIRST LINE: Operations and Business Units (design and operation of controls)
SECOND LINE: Management Assurance (ongoing controls and monitoring)
THIRD LINE: Independent Assurance (External Audit)
10. QUALITY ASSURANCE AND INTERNAL CONTROL REVIEWS ARE PROGRAMS TO
ENSURE PROTECTION OF CONSUMER PRIVACY
FIRST LINE: Operations and Business Units (design and operation of controls)
SECOND LINE: Management Assurance (ongoing controls and monitoring)
THIRD LINE: Independent Assurance (External Audit)
11. SO WHAT ARE THE PRIVACY DO’S AND DON’TS FOR CUSTOMER SERVICE
REPRESENTATIVES?
Do’s
• Routinely conduct quality assurance monitors across all of your channels (e.g. voice, email
and chat), placing as much emphasis on internal conformance measures as you would on
customer experience
• Establish an internal control review process to supplement your quality assurance program to
ensure your customer service representatives are following policies and procedures
• Create and enforce a clean desk policy
• Ensure agents press ‘Ctrl-Alt-Delete’ on their desktop computers when they step away from
their desks
Don’ts
• While your quality assurance program is robust and mature, don’t assume all of your customer
service representatives are adhering to your internal conformance measures
• No process in place to routinely sample end-to-end customer transactions to ensure your
policies and procedures are being followed by your customer service representatives
• You don’t have a clean desk policy
• Allow customer service representatives to walk away from their cubes without properly
securing sensitive customer information
12. BUILD A CULTURE OF PRIVACY WITHIN YOUR CUSTOMER SERVICE ORGANIZATION
Education
Compliance
Risk-based approach to customer transactions
Independent investigative regimes
Program for resolving issues that arise
13. LET’S KEEP IN TOUCH
Art Hall
Alvarez and Marsal
3424 Peachtree Road Suite 1500
Atlanta, Georgia 30326
(404) 759-9158
ahall@alvarezandmarsal.com
Twitter: Art_Hall4
LinkedIn: https://www.linkedin.com/in/arthall