PRIVACY DO’S AND DON’TS FOR CUSTOMER SERVICE REPRESENTATIVES


Last month a major telecommunications company was hit with a $25 million fine for data protection violations that occurred in 2013 and 2014 in several of its outsourced contact centers in Mexico, Colombia, and the Philippines.

The fine was part of a settlement that the telecommunications company reached with the Federal Communications Commission (FCC).

In several incidents, employees at the company’s contact centers reportedly passed the names, full or partial Social Security numbers, and other account information of about 280,000 U.S. customers of the telecommunications company to illegal third parties, who then used the information to unlock stolen cell phones.

The $25 million fine is the largest data security enforcement action to date for a consumer privacy breach.


CONSUMER PRIVACY – EXTERNAL THEMATIC ISSUES

Safeguarding customer information is everyone's responsibility

Failure to safeguard customer information is expensive for companies

Civil, criminal, legal and regulatory costs are rising for companies

A hacker can make between $250 and $400 for each Social Security number, especially when it is paired with other personal information such as names, addresses, email addresses, employment records and birth dates

Keeping valuable customer data out of the hands of cyber-thieves is a constant battle


THE TOTAL NUMBER OF DATA BREACHES HIT A RECORD HIGH OF 783 IN 2014

[Figure: bar chart, "Reported Data Breaches in the United States Since 2010". X-axis: Years (2010, 2013, 2014). Y-axis: Number of Data Breaches (0 to 800).]

Source: Identity Theft Resource Center (ITRC)


CONSUMER DATA PROTECTION LAWS HAVE EVOLVED IN RECENT YEARS RESULTING IN HEIGHTENED COMPLIANCE AND RISK MANAGEMENT ISSUES

1. Health Insurance Portability and Accountability Act (HIPAA) applicable to the health care industry

2. Gramm-Leach-Bliley Act (GLBA) "safeguards" regulations for financial institutions

3. State insurance law analogs to GLBA Safeguard Rule applicable for financial institutions

4. State laws governing businesses that maintain personal information of residents (e.g. Massachusetts, Nevada and California)

5. Massachusetts "Written Information Security Program" (WISP) is required if a company has personal information of Massachusetts residents, even if the company itself is not present in the state.


DESPITE THE GROWING NUMBER OF ATTACKS COMPANIES ARE STILL NOT DOING ENOUGH TO PROTECT PERSONALLY IDENTIFIABLE INFORMATION (PII)

Data security

Downgrading risks: not assigning data security the appropriate level of importance

Lack of resources and a "critical disconnect" between chief information officers and senior leadership

Key Question - Is there a lack of resources and a critical disconnect between heads of customer service organizations and the people employed to serve customers across different channels like phone, email and chat?


COMPANIES MUST ADOPT REASONABLE DATA SECURITY MEASURES

FIRST LINE: Operations and Business Units (design and operation of controls)

SECOND LINE: Management Assurance (ongoing controls and monitoring)

THIRD LINE: Independent Assurance (External Audit)


QUALITY ASSURANCE AND INTERNAL CONTROL REVIEWS ARE PROGRAMS TO ENSURE PROTECTION OF CONSUMER PRIVACY


SO WHAT ARE THE PRIVACY DO’S AND DON’TS FOR CUSTOMER SERVICE REPRESENTATIVES?

Do’s

• Routinely conduct quality assurance monitors across all of your channels, e.g. voice, email and chat, placing as much emphasis on internal conformance measures as you would on customer experience

• Establish an internal control review process to supplement your quality assurance program to ensure your customer service representatives are following policies and procedures

• Create and enforce a clean desk policy

• Ensure agents press ‘Ctrl-Alt-Delete’ on their desktop computers when they step away from their desks

Don’ts

• While your quality assurance program is robust and mature, don’t assume all of your customer service representatives are adhering to your internal conformance measures

• No process in place to routinely sample end-to-end customer transactions to ensure your policies and procedures are being followed by your customer service representatives

• You don’t have a clean desk policy

• Allow customer service representatives to walk away from their cubes without properly securing sensitive customer information


BUILD A CULTURE OF PRIVACY WITHIN YOUR CUSTOMER SERVICE ORGANIZATION

Education

Compliance

Risk-based approach to customer transactions

Independent investigative regimes

Program for resolving issues that arise


LET’S KEEP IN TOUCH

Art Hall
Alvarez and Marsal
3424 Peachtree Road Suite 1500
Atlanta, Georgia 30326
(404) [email protected]: Art_Hall4
LinkedIn: https://www.linkedin.com/in/arthall
