Keep Your Call Center from Suffering a Privacy Incident



By Sachin Kothari

Call center managers have plenty to worry about. Just recruiting and keeping staff, watching margins, and managing stakeholders (external or internal) can keep you busy.

In addition, you know privacy and data protection are rapidly becoming major issues for any organization gathering or using customer data. The last thing you need is a privacy incident to mar your organization’s reputation or lead to aggrieved customers.

You might even be pitching breach remediation work as part of your business plan. That pretty much becomes moot if you have an embarrassing breach yourself. Therefore it’s vital to know where a call center’s vulnerabilities are and how to prevent them. The breach experts all say the same thing: Speed matters. Click To Tweet

Social Engineering: Terms like phishing, spear phishing, and whaling all refer to the practice of criminals misrepresenting themselves to employees—even high-level employees (the whales)—and convincing them to give away important information of their own accord. While movies and television might make hackers into scheming geniuses behind souped-up laptops, a simple phone call is almost all they need to get some unsuspecting employee to hand over a username and password or other compromising information.

Luckily the solution is relatively simple: Train, train, train. Employees must understand how important it is to stick to your policies about how information is handled and think critically about what it is they’re being asked to do for a customer. Most phishing techniques are apparent once you know what to look and listen for.

In truth, it’s likely some of the good training you’ve given your employees—designed to help them deliver great customer service—has created good intentions that can have bad results.

Consider the case of an important client calling a frontline call center employee and explaining that he wants to make some adjustments to his account. Suddenly, right in the middle of verifying his identity, this big fish says that he must take an important call and explains that his assistant will finish up.

Of course, this woman doesn’t know her boss’s credentials. That’s silly. He was just there on the phone, right? This shouldn’t be a problem. No one would fault that call center employee’s instinct to be helpful and make sure this assistant gets the important changes accomplished. This is an important client, and the assistant sounds nice and seems harried.

Of course, the call center employee has just found herself victim to a data breach.

Teach your employees about these scenarios and emphasize the importance of verifying identity according to your policy, without exception. Hackers are smart. Give them even the tiniest bit of personal information, and they can exploit it.

Who Can See What?: Even in today’s digital world, people need to write things down when working with customers. It’s a part of the call center job that will likely never go away. Make sure there’s a policy in place for destroying that piece of paper. How handy is your shredder?

Unless the shredder is in steady use, the janitorial staff could be selling client info to the highest bidder. Ideally your cleaning personnel has training and knows to destroy compromising information pronto, but custodial staff are often third-party vendors. Does your contract with them require training in information handling?

You should also make sure that your call center employees don’t have keys to every digital door. Invest in software that redacts information based on role and scenario. That way employees only see the information necessary for the call they’re handling.

Procedures for Escalation: Perhaps the most common issue is a lack of proper plans for what to do should something bad happen. What does your employee do if she gets a call from a customer saying someone has accessed their account? Does that employee know where to go for help?

The breach experts all say the same thing: Speed matters. The faster your security team knows that something is amiss, the faster they can act.

Just a single sign of improper access could mean a typhoon is coming. Maybe your security team recognizes a hot new piece of malware and knows how to quickly contain it. It’s vital that all employees, from frontline staff and shift managers right up to the chief information officer, know what the response plan is. 

Conclusion: Unfortunately, this is just the start. There are books that address this issue in detail. I hope you have auditing capabilities and smart procedures in place for screening potential employees to make sure they are who they say they are. If not, you should start by addressing this.

Regardless, the simple message is this: People make mistakes. They make more mistakes, however, when they don’t have any training to help them avoid making them.

Privacy and data security should be standard at call centers, no matter where you’re operating. Otherwise you might find you’re not operating at all.

Sachin Kothari is CIPP/US and director of online privacy and compliance at AT&T.