Call centers have more tools than ever to make it easy for customers to look up information about themselves, whether by phone or on-line.
But what tools do they have to ensure the integrity of customers' information? That's a question for which call centers, including outsourcers that assist customers on behalf of other companies, are taking responsibility.
In this article, we outline what managers of American call centers should know about protecting and maintaining the privacy of information that these centers typically gather from customers. Our aim is to help you recognize how information security fits within the context of customer service.
What is information security? As Dan Swartwood, business-to-business privacy manager with HP, explains, "Information security is about how well information is collected, stored and transmitted."
Swartwood's colleague, Mark Albrecht, a consumer privacy manager with HP, adds, "The biggest thing to be aware of is the sensitivity of the data."
What makes data sensitive? The customer is the best judge. Rebecca Herold, a consultant on privacy and security, advises that companies ought to be vigilant in how they collect and disseminate information from customers to ensure that the information is "only used for purposes customers intended."
With the growing prevalence of on-line communication between companies and customers, there is a greater risk companies might inadvertently divulge to the general public information that customers consider to be private.
Herold cites the example of Eli Lilly, the pharmaceutical manufacturer. According to the U.S. Federal Trade Commission, Eli Lilly sent out an e-mail message in June 2001 to consumers who signed up for automated e-mail reminders about when to take or refill their prescriptions for Prozac, an antidepressant. The message displayed the e-mail addresses of all 669 people who subscribed to these reminders, and revealed – accidentally – to each person who received the message the e-mail addresses of 668 others who had prescriptions for Prozac.
Another example Herold cites is a settlement in fall 2003 between Victoria's Secret and New York State's attorney general. As the Web site for the attorney general's office describes this settlement, between August and November of 2002, Victoria's Secret inadvertently enabled on-line visitors to find out names and billing addresses of some customers, as well as what they ordered. Given that Victoria's Secret is best known for selling women's lingerie and undergarments, the public disclosure of clothing orders, from customers' perspectives, amounted to more than a security breach. It was an intrusion on customers' privacy.
These examples illustrate Herold's point, which is that even if a company doesn't perceive information about customers to be private, the act of purchasing a product like an antidepressant or lingerie entails a private transaction between the company and its customers. The release of customers' data to an unintended audience is a violation of customers' privacy, regardless of whether a company categorizes certain data as personal.
What role do call centers have in maintaining customers' privacy? Call centers regularly communicate with customers, and call centers are heavily dependent on technology to verify that callers are the individuals they claim to be. Herold strongly recommends that during the course of conversations with customers, companies' call centers employ IVR or speech recognition systems, rather than agents, to gather certain pieces of information like passwords. And she extends this recommendation to other types of data. "Never have call center staff actually ask for personally identifiable information," says Herold.
The Power of Awareness
Just as companies have to be cognizant of why customers seek their help, they also have to pay attention to what information they circulate as a result of communicating with customers.
What companies don't always recognize is how tightly customer privacy and security are intertwined. Too many companies, in Herold's observation, "view privacy from a legal perspective and security from an IT perspective."
"They need to look at it from a business perspective," she says.
Increasingly, privacy and security are emerging as top priorities, even selling points, for call centers. For example, one outsourcer, Nashville, TN-based ClientLogic, employs a director of fraud prevention, Joel Bartow, who advises clients on how to protect their customers' personal information.
Bartow, who served for ten years as a special agent with the Federal Bureau of Investigation, concurs with Herold when he says that "all types of customer data are important to keep private."
Such data includes communication with customers, which is why Bartow advises call centers "to keep an audit tag" of who accesses recordings of agents' conversations with customers and screen captures of agents' actions on their computers.
Albrecht says that at HP, call center agents who serve English-speaking consumers, and agents who assist visitors to HP's on-line store for consumers, hpshopping.com, receive training on privacy. Part of what agents learn is what information they're meant to hold on to.
"We have strict requirements even about taking notes," says Albrecht. If, for example, agents write information about customers on pieces of paper, they have to dispose of the paper in a confidential recycling bin. The bin is locked and, like a mailbox, has a one-way drawer.
Call centers reinforce privacy training in how they secure their locations. Albrecht points out that HP maintains its call center in a separate building with a guard at the only open entrance. HP employees who don't work at the call center have to call ahead of time before they visit.
ClientLogic, which communicates with customers for various companies, requires that employees use swipe cards to gain entry to different sections of its call centers, even within the same building.
Yet it takes more than a locked recycling bin or a security guard to ensure call centers are aware of the implications of how they handle customers' information. That's why awareness is an essential part of security and privacy.
In his role as business-to-business privacy manager, Swartwood trains, and serves as an internal consultant to, units of HP on how their operations, such as outsourcing, impact the privacy of the information HP gathers about its business customers. (Among these business customers are entities in the public sector like universities and state governments.) Swartwood says that HP encourages agents, upon answering a call from an employee or constituent of HP's business clients, to "get a privacy preference from that individual as quickly as possible." He adds that HP uses software from Siebel to track these preferences among its business customers.
As an IT auditor with Principal Financial Group, Rebecca Herold established an information protection awareness program; as a consultant, she offers a two-day course, Managing a Privacy Governance Program, which includes training on how to build an inventory of personally identifiable information, and how to factor considerations of customers' privacy into how companies conduct business. This course is available through the Computer Security Institute, a membership organization for IT and network security professionals.
Awareness extends beyond determining what information customers allow companies to share internally with other business units or externally with other companies. Ultimately, awareness starts with acknowledging to whom customers' information belongs. "We don't really own it," says HP's Swartwood. "We're just stewards. The customer is in control."
Does Security Influence Loyalty?
In our September issue, our Research Corner article summarized the findings of O'Connor & Associates' survey of 100 consumers, who shared how they feel about the service they receive from their banks, including whether they would recommend banks to others.
The aim of the survey was to find out how banks could improve their communication with customers who have maintained accounts with them for several years. In other words, the survey focused on how banks could continue to satisfy customers who are already loyal to them.
But what can banks do to ensure that customers remain loyal? As the 2005 EDS Financial Services Privacy and Customer Relationship Management Survey revealed, banks face greater risks of losing customers when they don't secure customers' personal information. The market research firm Ipsos Reid conducted this survey, which polled American and Canadian consumers, for EDS, a technology services provider, in May.
According to the survey, 93% of the 1,424 respondents indicated that, at the very least, they're somewhat confident that their personal information is safe among the financial companies with which they do business.
But, of the 610 American consumers who responded to the survey, 30% said that if there were security breaches at their banks, they would close all their accounts at their banks and move their assets elsewhere. As we'll point out when we elaborate on this research in an upcoming issue, respondents cited security breaches and misuse of their personal information as the primary risks of banking on-line.
Call centers have a lot of responsibility for securing customers' data. But customers can also do their part to control who receives information that personally identifies them. Perhaps the easiest way for customers to reduce risks of inadvertently giving out personal information is to choose where they place their calls.
"One big privacy risk is talking on cell phones out in public," says privacy and security consultant Rebecca Herold.