
Telemarketing Laws: An Auditor's Perspective

By Rich Hamilton

Over the years, as a PACE Customer Engagement Compliance Professional (CECP), I have audited dozens of companies for their compliance with telemarketing laws. As you may be aware, the landscape of telemarketing laws can be very complex, with federal regulations written by the FCC and FTC along with considerations for state-specific requirements. 

Since these laws are ever-changing, keeping up can be a daunting task. I want to share some observations working with many different companies. Here’s the good, bad, and ugly with telemarketing laws.

The Good with Telemarketing Laws

DNC Telemarketing Laws

The good news is that most companies have a good handle on specific areas of telemarketing laws. One of those areas is Do Not Call (DNC) compliance. Since its inception in 2003, the Do Not Call Registry and the set of rules associated with it have been a big focus for most companies making outbound dials.

Calling a person on the DNC list is a quick way to generate a complaint to the FTC, which no company wants to have happen. As a result, most companies have spent the time to make sure the proper scrubbing takes place with Federal and State DNC lists.

Knowing how to place a person on a DNC list is essential, so companies also make sure they have a solid DNC policy and training that ensures all employees understand what to do and how to do it. 

Robocalls 

The other area that generates the most complaints to the FTC is robocalls. Consumers hate robocalls. Consumers don’t want to receive a random robocall, particularly from a company they have never heard of, and especially if they can’t figure out how to get themselves removed from future dialing.

The companies that I have audited have done a great job analyzing the telemarketing campaigns they will be dialing and only using robocalling technology when appropriate. In many cases, companies avoid robocalling because of the negative response that consumers could have and the complaints that could follow. 

The Bad with Telemarketing Laws

Prior Express Written Consent

There are a few areas that companies seem to struggle with regarding telemarketing laws. One of the first areas is gathering the proper level of consent from a lead/consumer.

To make a sales call to a wireless or VoIP phone number using an automatic telephone dialing system (ATDS) requires prior express written consent (PEWC). However, what does the consent language need to contain, and how should it appear on the page?

Unfortunately, from my audits, it is apparent that many companies don’t know how to answer these questions fully. As a result, calling someone without the proper level of consent can be very risky. 

It’s also worth noting that consumers are expecting more these days to control what kinds of calls (as well as emails and texts) they receive from a company. Giving consumers options on how they can be communicated with for assorted reasons and capturing the right level of consent is vital to avoid complaints.

State Specific Telemarketing Laws

The other area that I have found that seems to be overlooked by companies I have audited is the state-specific requirements, from state registration to script disclosures to permissible call times. 

Most companies understand telemarketing laws from a federal level. Still, when asked about compliance at the state level, many have not taken the time to review the laws and exemptions for each state. This can be very time-consuming but also especially important to stay compliant. 

Compliance Auditing

The other area that surprises me the most is the lack of a robust compliance auditing program. Granted, this is not necessarily a telemarketing law but more like a best practice. 

With all the time and energy put into writing policies, procedures, and training around telemarketing laws, you would think that there would also be a method in place to make sure that everyone is following it. But unfortunately, this is not always the case. 

Setting up a recurring time to review all policies and procedures, and reviewing exception reports often so you can adjust as needed, can save your company from making mistakes that cost serious money in fines and litigation.

The Ugly with Telemarketing Laws

Risky Business

This brings me to my last point: it can be risky if companies don’t take telemarketing laws seriously. The most significant risk, of course, is the loss of money due to fines or litigation. A quick Google search will show many instances where a company didn’t make calls with PEWC and received millions of dollars in fines.

For many companies, this would put them out of business. How frustrating it would be to have a great company providing an excellent product or service that then must close the company’s doors after overlooking important telemarketing laws.

Ask yourself: is it worth the risk? If you are unsure whether you are following all the telemarketing laws or have a question, please reach out. We’d be happy to help.

Rich Hamilton is the vice president of compliance and administrative services for Quality Contact Solutions. As a Customer Engagement Compliance Professional (CECP), Rich oversees the QCS telemarketing compliance consulting practice, which conducts compliance assessments, reviews, and audits for companies that require outside professional assistance. Contact Rich at rich.hamilton@qualitycontactsolutions.com or 516-656-5105.

7 Common TCPA Misconceptions

By Rich Hamilton

Does the Telephone Consumer Protection Act (TCPA) confuse you? If so, you are not alone.

This past July, the Federal Communications Commission (FCC) clarified TCPA through a Declaratory Ruling. Telemarketers have been scrambling to understand and implement updated policies, procedures, and technologies in order to continue to ensure compliance with the TCPA. The telemarketing regulations are complex. And with this complexity, there is some confusion.

Here are seven common TCPA misconceptions:

1) B2B Calls Do Not Need to Comply with the TCPA: Wrong. Business to business (B2B) calls are not exempt from all provisions of the TCPA. There are many aspects of the TCPA that need to be followed with B2B calls. Here are two areas:

  • Calling Wireless Numbers: Some level of consent is required in order to use an automatic telephone dialing system (ATDS) when calling any wireless telephone number, regardless if the call is B2B.
  • Call Abandonment: Call abandonment rules apply to all types of telemarketing calls, regardless if you are calling consumers or businesses. Telemarketers are not allowed to abandon more than 3 percent of live answered calls per campaign per thirty-day period. A call is considered abandoned if a live agent is not connected within two seconds of the person completing their greeting. If a call is abandoned, it is required that a recorded message play promptly. This recorded message must include the name and phone number of the seller, state that the call is for telemarketing purposes, and not contain any type of solicitation. The message must also allow the person being called to place their number on the DNC list. (See misconception #6.)

2) Non-Sales Calls Do Not Need to Comply with the TCPA: Wrong. Regardless of the reason for the call, if you dial a wireless number, you must have either Prior Express Consent or Prior Express Written Consent if calling using an automated telephone dialing system (ATDS). Some companies think information calls and surveys are exempt from the TCPA. This is not true when it comes to placing calls to wireless phone numbers.

3) Numbers Ported from Wireline to Wireless Are Not Considered Wireless Numbers: Wrong. Telemarketers must subscribe to Neustar to proactively identify numbers that have ported from landline to wireless. Lucky for the industry, there is a fifteen-day grace period to identify the ported numbers and update calling lists.

4) A Number Reassigned from One Wireless Subscriber to Another Is a Safe Harbor: Wrong. In the 2015 TCPA Declaratory Ruling, the FCC made it clear that if a wireless number is reassigned, it is the company’s responsibility to identify that and remove the wireless number from its calling list. A limited safe harbor was provided that protects only the first call to a reassigned number, no matter the outcome of the call. Also note that those who receive phone calls from telemarketers have no duty to tell the telemarketer that the phone numbers have been reassigned.

Are you getting the feeling that the FCC doesn’t like us?

5) A Company Using a Third Party to Make Calls Doesn’t Need to Worry About TCPA: Wrong. The FCC made it clear in the Declaratory Ruling that sellers using an outsourced telemarketing company may be vicariously liable under federal common law agency-related principles. Therefore, ultimately it is the responsibility of every organization to monitor and enforce the compliance of companies that call on their behalf. This can be done in many ways, including conducting audits of call detail records, listening to call recordings, and on-site visits.

6) A seller or telemarketer can offer the option to press “X” for the next available agent during the abandon call message in order to process DNC requests: Wrong. Abandon call messages must have an automated interactive voice or a key-press-activated opt-out mechanism that enables a DNC request before terminating the call. This process must automatically add the phone number to the internal DNC list and end the call immediately. Offering to transfer the person to the next available agent is not allowed.

7) TCPA Does Not Apply to Text Messages: Wrong. The FCC has stated that a text (or SMS) is considered the same as a phone call under the TCPA.

Is your call center or outsourced telemarketing company fully compliant with the TCPA? If you are not sure, now is the time to find out. Take the steps necessary to reduce your risk by becoming compliant as soon as possible.

Rich Hamilton is the director of implementation and team improvement leader for Quality Contact Solutions. Rich is responsible for implementing new programs and managing the continuous improvement process of existing programs. Prior to joining QCS, Rich spent nine years working in and managing a variety of small and large call centers.

[From Connection Magazine May/June 2016]

HIPAA Contact Center Essentials

By Donna Fluss

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its impacts are felt by Americans almost daily. From the HIPAA privacy notifications we receive from hospitals, doctors, dentists, and others to the lines we stand behind at the pharmacy counter to allow privacy for the person ahead of us, we frequently encounter HIPAA-initiated situations. While these are relatively minor inconveniences, HIPAA can have more significant implications for contact centers that routinely interact with protected health information (PHI).

Contact Centers Impacted by HIPAA: Any contact center, regardless of size, that has access to PHI must adhere to HIPAA regulations. This includes “covered entities” (health plans, healthcare clearinghouses, and healthcare providers) such as hospital business offices as well as “business associates” (persons or organizations contracted by covered entities), like outsourced third-party debt collectors. It also includes benefit management companies, one- or two-person doctor’s office “contact centers,” and many others. The good news is that the Act recognizes that “one size does not fit all” when it comes to volume of PHI or risk of exposure from one organization to another. To allow for these differences, the Act includes “flexible” and “scalable” standards; however, it does not mean that no standards apply.

HIPAA Guidelines: Contact centers working with or considering working with PHI should take time to understand applicable HIPAA requirements. Start with the two primary building blocks: the privacy rule (protecting personally identifiable health information) and the security rule (operationalizing the privacy rule by keeping PHI safe electronically, on paper, and verbally). A summary of both rules can be found at www.hhs.gov/ocr/privacy/hipaa/understanding.

Here are some of the essentials from the privacy rule and security rule that contact center leaders should know:

  • Ensure responsibility for HIPAA compliance within your company. The Act requires that a Privacy Official and Security Official be designated; however, depending on the size of the organization, they may be the same person.
  • Address the three HIPAA areas of concern: administrative safeguards, physical safeguards and technical safeguards. Administrative safeguards include managing access to PHI, HIPAA-compliance training (for new employees and ongoing) and regularly evaluating all HIPAA security measures. Physical safeguards cover access controls to facilities, workstations, and electronic media. Technical safeguards audit the organization’s controls, ensuring that PHI is secure and not altered.
  • When it comes to PHI, it is all about “minimum necessary.” PHI includes virtually all information, from patient names to medical procedures. The Act requires usage of the least amount of PHI to accomplish a task. Minimum necessary compliance should be monitored in the quality assurance (QA) process and modeled in conversations within the contact center.
  • HIPAA does not include a certification process. It is up to each organization to understand which HIPAA requirements apply to them and to be in compliance with those standards.

HIPAA compliance should not be taken lightly. Failure to adhere to HIPAA regulations can result in fines and, if violated with malicious intent, prison sentences.

Donna Fluss is the founder of DMG, a vendor-independent research and consulting firm that analyzes contact center and back-office technology and best practices. Contact her at donna.fluss@dmgconsult.com with any questions you may have and to learn how to make today’s innovative and powerful technologies and best practices work for your organization.

If your contact center is looking for assistance in becoming HIPAA-compliant, please contact Jana Benetti at Jana.Benetti@DMGConsult.com or 623-935-4111.

[From Connection Magazine Sep/Oct 2015]

Three Steps for Taking the Stress Out of Managing Contact Center Compliance

By Rob Schneider

The contact center industry is inundated with regulatory requirements, yet maintaining compliance is critical for business success. Ensuring compliance isn’t easy with constant regulatory changes; the main hurdles include how to staff correctly, stay on top of change, and manage the business through various stages of compliance.

Changes in regulations often trigger compliance failures, which can lead to data exposure, fines and fees, security breaches, loss of customers, impact to reputation, and civil action.

“With all the new regulations, we are seeing a tremendous increase in breaches,” said Jeff Brown, director of business development for Compliance Point. “We see multiple breaches every week from the finance, retail, healthcare, and other industries.”

Here are three steps to reduce the stress of managing contact center compliance.

1. Agree That Compliance Is Not a One-Time Deal. Brown believes that the increase in non-compliance often happens because organizations take a “point in time” approach to managing change. With this approach, organizations become compliant once but then fail to maintain updates to stay compliant over time.

“Many organizations think of compliance as an annual fire drill of scrambling to get auditors the information they require,” said Brown. “This can mean that companies are creating documents on the fly for auditors, which isn’t an effective practice.”

This also creates uncertainty around how to properly complete the audit because the type of information requested changes from year to year. Turnover in organizations also creates knowledge vacuums around how compliance requirements are implemented.

Ultimately, as more advanced regulations are added, compliance costs rise, and the time it takes to understand and implement regulations can become too overwhelming for contact centers that take a reactive approach. A better way to remain compliant, manage costs, and create a viable program is a proactive approach where compliance changes are automated and updated continuously.

Real-time compliance monitoring is also key. Consider investing in an automation or platform tool to automate compliance activities, such as assignment of tasks, notifications, and escalations. This way, any tasks that are not handled will be automatically flagged in the system as a non-compliant activity and can be addressed immediately.

“Compliance should be part of the daily process,” said Brown. “It should include a defined framework that everyone understands and follows. This helps engrain the compliance mentality within the culture of the organization and helps everyone understand their role in regard to compliance.”

2. Pay Special Attention to TCPA Compliance Regulations. Updated TCPA legislation started to be enforced in October 2013, but many contact centers have struggled to understand the rules and apply the resources to remain compliant. The volume of class action TCPA cases continues to rise, and the FCC is becoming more aggressive in its lawsuits. On average, there are four to five new lawsuits every day. The common legal issues include, but are not limited to, calling or texting cell phones, prerecorded messages, and DNC violations.

“In many cases, the scope of consent that companies have is not sufficient for the type of calls they are making,” said Nick Whisler, an attorney and legislative chair for PACE. “Other common practical issues are the use of automatic telephone dialing systems (ATDS) to call cell phones, calling re-assigned numbers, and the confusion across telemarketing versus non-telemarketing legislation.”

Calls to cell phones remain a primary area of conflict. The general rule is that organizations cannot use an ATDS or a prerecorded message to call a cell phone without the called party’s prior consent. The current interpretation of an ATDS is any equipment with the capacity to dial telephone numbers without human intervention. There are also stricter specifications if the call being made is for telemarketing purposes. Even if the call has mixed purposes, it is treated as a telemarketing call.

For companies that handle any outbound activities, maintaining TCPA compliance can seem like a full-time job. It is important to strengthen policies and procedures involving high-risk areas such as cell phones and prerecorded messages. In most cases, a specific contact center platform designed for TCPA compliance can assist in maintaining a compliant system.

However, the staff still needs to be aware of regulatory changes and work with partners to understand any impact to the system. “It’s critical to have good policies and procedures in place, as well as a fail-safe mechanism to prevent unintended violations,” Whisler added.

3. Build a Network of Trusted Experts. Call centers should not feel pressured to create compliance processes on their own. In fact, many other organizations have been working on best practices and can be essential in creating the right compliance landscape.

For example, some TCPA best practices include consulting with a corporate attorney, honoring the DNC registry, drafting a DNC list policy and procedures document, reviewing compliance of outbound solutions, and implementing TCPA-compliance training programs.

“TCPA is very complex. Most individuals without a legal background have a difficult time interpreting the legislation and how it will affect their call center,” said Geoff Mina, CEO of Connect First. “Working with a team of experts can help mitigate the risk and create a path for contact centers to remain compliant.”

The importance of training programs for employees should not be overlooked. “Contact centers can have the best technology, the most compliant vendors and partners, and management teams that understand the regulations,” said Mina. “But if agents don’t understand the compliance requirements, the company could inadvertently fall outside of procedures and end up in a court battle.” An agent who doesn’t understand what they need to do and what questions they should ask can cause a call center a great deal of trouble, regardless of the tools and systems they have in place.

The same can be said for PCI compliance. Some best practices for PCI compliance include using the tools and resources available on the PCI Security Standards Council website, engaging with contact center technology vendors that understand PCI, taking into account physical layout issues, and evaluating security around work-at-home agents.

“Most importantly, remember to engage your network of experts early in the process,” added Mina. “With the ever-changing world of compliance, building a team before you get into trouble is a good rule of thumb.”

Rob Schneider is vice president of customer service at Connect First, a contact center platform technology provider.

[From Connection Magazine May/June 2015]

Pay Attention to TCPA – or Pay the Fines

By Donna Fluss

Recent changes in outbound dialing legislation and consumer protection regulations, specifically changes to the Telephone Consumer Protection Act (TCPA), have the outbound dialing sector scrambling. Companies of all sizes in most verticals (with the exception of fund-raising and political campaigns), including outsourcers who use outbound technology, are struggling to interpret and understand exactly what these new rules mean, their potential impact, and how to apply them.

What Is TCPA? The TCPA, enacted by Congress in 1991, was the first federal law to establish regulations for telemarketing and commercial sales. Intended to safeguard consumers from uninvited sales and telemarketing calls and faxes, the TCPA regulates how, when, and to whom commercial solicitation calls or faxes can be made. In the original TCPA legislation, companies that had an “established business relationship” with a consumer could bypass the requirement to obtain written consent from the customer to receive solicitation calls. However, they still had to comply with four other principal requirements that addressed:

1) Proper caller identification requirements

2) Calling hour restrictions

3) Compliance with Do Not Call (DNC) policies and restrictions

4) Adherence to auto-dialer and automatic dialing recorded message player (ADRMP) regulations

TCPA Enforcement: The FCC and the FTC are responsible for TCPA enforcement. TCPA claims are increasing, in part due to increased diligence in enforcement by these agencies. Individuals, states, and the FCC can initiate claims, with high-visibility class-action suits fueling the rise in TCPA claims. Companies can face steep fines if they are found to be in violation of TCPA regulations.

Tips to Help Contact Centers Comply with TCPA Requirements: The best approach to reduce the risk of litigation and fines resulting from TCPA violations is to first gain a thorough understanding of its requirements. Next, develop and issue written policies and procedures in order to ensure that all business operations and practices are fully compliant. Current TCPA requirements apply to landlines, cell numbers, faxes, and text (SMS) messages. Here are some suggestions to help companies adhere to TCPA requirements:

  • Draft DNC list policy and procedures.
  • Keep the DNC list current, and ensure that there is an automated process to “scrub” all outbound calling lists.
  • Honor the National Do Not Call Registry; set up audit logs and documentation to prove adherence.
  • Review dialers and notification solutions (“robocallers”) to ensure they comply with the TCPA.
  • Do not use automated dialing technology of any kind when calling cell phones.
  • Implement TCPA-compliance training programs for all customer-facing employees.
  • Set up a formal, documented process to obtain written permission from anyone with whom you want to conduct business.
  • Provide an easy mechanism to allow customers or prospects to opt out of future communications.
  • Require all third-party vendors (outsourcers) to be in compliance with TCPA requirements; using a non-compliant vendor is an unacceptable risk.
  • Establish a troubleshooting procedure so that employees have a place or person to go to for help when they are in doubt about a TCPA-related matter.

Final Thoughts: Too many companies are ignoring TCPA, believing they won’t be caught. This is a mistake, as the government is encouraging consumers to report consumer abuse. If you’re abusing the regulations, you are at risk. All companies must gain a complete understanding of the requirements and follow the law.

Donna Fluss is the president of DMG Consulting and author of The Real Time Contact Center. To see the complete TCPA Guide, go to www.dmgconsult.com.

[DMG Consulting LLC provides technical and operational guidance. The materials and recommendations contained herein are for informational purposes only and do not constitute legal advice. We urge you to discuss your particular situation with your legal counsel before taking any action.]

[From Connection Magazine November 2013]

FLSA and the Call Center

By Abena Sanders Horton

The Fair Labor Standards Act (FLSA) of 1938 is a federal wage and hour statute that transformed the American workplace from Upton Sinclair’s The Jungle to the relatively comfortable existence we know today. The FLSA established a national minimum wage, guaranteed time-and-a-half pay for overtime, and forbade oppressive child labor. Altogether, the FLSA is a statute with its heart in the right place. However, that doesn’t mean there aren’t administrative hassles involved for employers.

Enforcement of the FLSA is governed by the US Department of Labor, which has become exponentially more aggressive in pursuing FLSA matters. Recently, President Obama expanded funding to the Department of Labor for the specific purpose of hiring at least 250 more wage-and-hour investigators. To give you a sense of how popular FLSA proceedings and lawsuits have become, nearly 8,000 lawsuits involving the FLSA have been filed so far in 2013. It should be your goal to avoid becoming a part of these statistics.

Does the FLSA Apply to My Company’s Employees? The FLSA applies to you if the annual dollar volume of your call center’s business is $500,000 or more and your company has at least two employees. If this is the case, company employees may be covered by the FLSA on an “enterprise” basis. An enterprise may consist of one or several establishments.

Alternatively, if the dollar volume of the call center does not meet the $500,000 annual threshold, employees still may be covered if they engage in “interstate commerce,” which includes activities such as transacting business through interstate telephone calls, the Internet or the U.S. Postal Service, or ordering goods from an out-of-state supplier. This means that if a call center representative fields a single call from an out-of-state customer, the FLSA could be invoked. The Department of Labor has taken a very expansive view of what it considers to be interstate commerce.

How Do I Classify My Employees? Even if an employee is technically covered by the FLSA, he or she must be classified as “non-exempt” or “exempt” from its provisions for wage-and-hour purposes. The FLSA was conceived to protect the most vulnerable type of worker – those in low-wage, hourly, non-managerial jobs. Covered, non-exempt employees must be paid at least the federal minimum wage, as well as overtime at time-and-a-half their regular rate of pay for all hours worked over forty hours in a particular workweek.

In a simpler world, classifying an employee’s status would also be simple. Hourly employees would be governed by the FLSA (non-exempt) and salaried employees would not (exempt). However, the reality is far more difficult. The mere fact that an employee draws a salary does not exempt the employee from the minimum wage or overtime provisions of the FLSA. Whether employees are exempt from the FLSA depends on their specific job duties and responsibilities, as well as their salary. In call centers, even certain salaried employees do not meet all the requirements specified by FLSA regulations to be considered exempt. For example, many salaried employees who make under $455 per week will not be exempt, particularly if they are not executive, administrative, or professional employees (such as computer professionals).

Assume that the FLSA applies to your employees unless you can establish otherwise, and pay employees at the appropriate rates. As an employer, it is your responsibility to justify your employee classification. If you have a difficult case of a low-salaried employee with non-traditional job duties, consider consulting an attorney to assist you with the classification. Such action would likely be less expensive than paying back pay to the employee later.

Common Problems to Avoid: One of the most popular types of FLSA lawsuits relates to time allegedly worked “off the clock.” The FLSA provides that covered employees must be paid for all hours worked in a workweek. Hours worked include all time an employee is obligated to be on duty (or on the employer’s premises) from the beginning of the first principal activity of the workday to the end of the last principal activity.

For example, the first principal activity of the day for many representatives working in call centers includes starting the computer to download work instructions, replying to emails, skip tracing, or accessing computer applications. In 2008, a collective action brought by employees of IBM’s Atlanta facility alleged that call center representatives were not paid for time spent booting up their computers at the start of their shifts. Employers should be aware that many courts consider these types of activities to be compensable work time.

Another area of concern involves employee rest and meal periods. Most call center employers permit short rest periods (usually under twenty minutes) to promote good workplace morale and efficiency. Such rest periods should typically be counted as hours worked. However, bona fide meal periods generally should not be compensated as work time as long as the employee is released from duty so that he or she can eat a regular meal.

Conclusion: Whether you know it or not, the FLSA likely applies to your workplace. For example, you may have salaried employees who are actually entitled to the federal minimum wage and to time-and-a-half for overtime work. The Department of Labor is increasingly interested in FLSA cases, and defending such cases has become expensive for all employers, including call centers. Being aware of the issues specific to your industry is an important step in protecting yourself from future lawsuits.

Abena Sanders Horton is an attorney with Fisher & Phillips, LLP, one of the nation’s leading labor and employment law firms representing employers. You may reach Abena at 404-231-1400 or asanders@laborlawyers.com.

[From Connection Magazine September 2013]

Call Recording: What You Need to Know to Meet Regulatory Compliance

By Bill Johnson

It’s a fact of business life: Every company and organization must meet regulatory compliance with governmental and other trade organizations. And they better do it right. After all, regulatory agencies aren’t sitting around waiting for offenders to fall in their laps. They are aggressively looking for companies that do not comply and slapping them with hefty fines.

Capital One was hit with a $210 million fine in July 2012 by the Consumer Financial Protection Bureau to settle charges of deceptive marketing of credit card “add-on” products such as payment processing and credit monitoring, reported Bloomberg. Of the fine, $140 million was returned to Capital One customers who were pressured or misled into buying credit card products they did not understand or couldn’t even use. The bureau, founded in July 2011 to increase oversight of consumer financial products as a result of the Dodd-Frank Act, was bringing its first case.

Beyond the Dodd-Frank Act, financial organizations must also comply with a variety of other regulations, including the Payment Card Industry Data Security Standard (PCI-DSS), the Sarbanes-Oxley Act, Financial Services Authority regulations, the Gramm-Leach-Bliley Financial Services Modernization Act, Fair Debt Collection Practices, and the Social Security Act.

Healthcare is likewise challenged with complying with a variety of regulations, and it’s not always easy. For example, SC Magazine noted that Blue Cross was fined $1.5 million by the US Department of Health and Human Services’ Office for Civil Rights (OCR) for a 2009 security breach that affected more than a million members. In the fall of 2009, 576 unencrypted computer hard drives were stolen from a data storage closet in Chattanooga, Tennessee, during a move to a new facility. The data included audio recordings of customer support calls and screenshots of what the call center staff saw when handling the calls.

Healthcare’s Health Insurance Portability and Accountability Act (HIPAA), enacted in 2003, tightened regulations on healthcare organizations, and those that do not comply pay big time. For example, Cignet Health was fined $4.3 million in February 2011 for not complying with HIPAA’s privacy regulations. Even though fewer than sixty records were breached, the fact that it did not cooperate with the Office for Civil Rights resulted in this hefty fine, according to Health Data Management.

Financial and healthcare organizations are not the only ones challenged with meeting regulatory guidelines. In fact, regardless of industry, regulations affect every organization with a contact center. For example, the Do-Not-Call Implementation Act and the Telemarketing Sales Rule affect every contact center, whether inbound or outbound. Violators pay fines up to $16,000 per incident.

Contact centers that accept payment cards must comply with regulations set forth by the Payment Card Industry Data Security Standard (PCI-DSS), which was developed and is regulated by American Express, Visa, MasterCard, Discover, and JCB International. These financial institutions have enacted their own fines for violators. For example, PCI Security Standards Council and PCI Standard note that MasterCard and Visa fine merchants as much as $25,000 for the first violation.

Because most contact centers record their calls and screenshots associated with the calls, they are also required to adhere to the various regulations. And if they are accepting payment cards, there’s even more compliance. Simply put, to comply, contact centers must ensure that all their data is securely stored, and they must strictly control usage of the recorded conversations and interactions. With PCI-DSS, they must also adhere to regulations regarding the storage of payment card data so that it is not easily accessible to agents or others.

For compliance of both written and recorded data, there are five key areas to consider:

1) Storage security: How secure is your data storage? Is your security up to date?

2) Access: Who has access to the information? How is access controlled?

3) Type of data: What type of data will be stored? Is it only call recordings or also screenshots associated with the calls? Are written documents or other documentation stored?

4) Length of data storage: How long will the data need to be stored? What is required to meet compliance? What is needed for the health of the organization?

5) Compliance in an investigation: What is the procedure to quickly and accurately access and produce data in the case of an investigation?

For call recordings, there are ten key ways to help ensure regulatory compliance.

1) Have call recordings stored, organized, and preserved in a secure central repository, whether it is on-site, remote, in the cloud, or a hybrid of these.

2) Provide the ability for authorized users to easily access, search, and save call recordings using a familiar file management system, similar to email organization in Microsoft Outlook.

3) Provide access via encrypted streaming for the highest level of security.

4) Share only through link distribution, which is more secure than file sharing.

5) Restrict information access by using a combination of call data, account code, and other criteria.

6) Utilize digital watermarking, which provides the ability to verify and prove that files have not been altered. This is essential in legal situations.

7) Take advantage of variable data lifecycle management, which allows the user to tailor how call recordings are stored, staged, and purged based on a variety of criteria, such as account code, extension, and caller ID.

8) Implement automatic storage and purging based on unique individual criteria to ensure uniform practices, rather than requiring tedious and inefficient manual review.

9) Utilize an archival database to enable authorized users to instantly search and access recordings.

10) Create custom archiving rules based on call data, and implement media management functionality that lets users further restrict and control the information in individual call recordings on an as-needed basis (call slicing, merging and redacting, and call-segment exporting) to ensure instance-by-instance regulatory compliance.

Although not required by regulations, additional search and mobility features can help support compliance and improve the ease of proving compliance in the case of an investigation. For example, speech search provides the ability to quickly search for specified key words and phrases within call recordings. Additionally, mobile access via a secure Web-based application makes it fast, easy, and secure for authorized users to access documents when they are away from their desks.

In addition to meeting important regulatory compliance requirements, call recordings can help organizations monitor the quality of agent calls, provide agent training and agent self-evaluations, and help resolve disputes by providing part or all of a call recording to the other party.

While stiff fines and bad publicity are strong motivators to stay compliant, the best motivation for regulatory compliance is the peace of mind knowing that you are protecting your organization, customers, partners, and vendors.

Bill Johnson is the director of client services and channel programs at Oaisys Inc.

[From Connection Magazine Jul/Aug 2013]

PCI DSS Compliance: The Promise and The Peril of Data-Rich Call Centers

By Kristyn Emenecker

Today’s call centers hold great promise. This data-intensive environment has the potential to yield insights for differentiated service, customer loyalty, and customer acquisition. But this information-rich environment must be carefully guarded to avoid potentially serious breaches.

Call centers must comply with a myriad of data security regulations and requirements. One such set of requirements is the Payment Card Industry Data Security Standards, known as PCI DSS.

PCI DSS Overview: Although introduced in 2006, some organizations may just be learning of PCI DSS requirements. PCI DSS is a mandatory data security compliance program that applies to all entities that process, store, or transmit credit, debit, or other payment cards, at any volume. It affects merchants and third-party providers alike and applies to card business transacted over any payment channel.

Compliance with current PCI DSS requirements (now version 2.0) can be a challenge. Fairly straightforward standards are issued every three years, but the guidance for those requirements is updated often and can be lengthy as well as subjective, and PCI DSS-certified entities are held accountable to the latest guidance.

Compliance is not a “one-and-done” endeavor, either. Merchants and third-party providers must file a compliance certificate annually, and certification must be on file at the merchant bank.

Call Center Issues with PCI DSS Compliance: A call center’s data-intensive environment – including digital call recording, combined with employee turnover, open physical environments, and potential off-site staff – means that data security requires constant vigilance. There are three issues that call center managers need to be aware of.

First, digital call recording can present challenges when it comes to complying with PCI DSS’s data storage requirements. Call recording is a valuable tool for quality control and fraud prevention, but presents a double-edged compliance sword when, by nature of containing sensitive data, it could itself be used as a data source for fraud, as was the case in a well-cited UK investigative report.

PCI DSS: Data Storage Requirements

  • PCI DSS allows the following data to be stored, but it must be protected: primary account number (PAN), cardholder name, expiration date on card, and service code.
  • PCI does not allow other data to be stored, even if encrypted: full magnetic stripe, PIN/PIN block, and CAV2/CID/CVC2/CVV2 (3-digit code on back of card); CID code (4-digit code on front of AMEX card).

Suggested Protection Mechanisms for Call Recordings

  • Use end-to-end encryption: encrypt audio and screens at acquisition and decrypt only at playback.
  • If CVV2/CID is taken, then pause and mute or tone-over audio recording while caller speaks the code.
  • Alternatively, have the consumer provide credit card data via self-service/IVR to avoid agent handling and recording.
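As an added example (not the article’s own code), a Python filter that applies the two storage rules above to a payment record captured alongside a call recording: fields PCI DSS forbids are dropped even when they arrive encrypted, the PAN is validated and kept only as a keyed token plus a masked form, and the remaining allowed fields are kept. The field names, the sample record, and the HMAC-based tokenization standing in for the encryption mentioned above are assumptions.

```python
import hashlib
import hmac
import re

# Constructed field names (assumption: the article names the data elements,
# not the field names a payment form would use).
# Data PCI DSS allows to be stored, provided it is protected.
PROTECTED_FIELDS = {"pan", "cardholder_name", "expiration_date", "service_code"}
# Data PCI DSS never allows to be stored, even if encrypted.
FORBIDDEN_FIELDS = {"magnetic_stripe", "pin", "pin_block", "cvv2", "cid"}


def luhn_ok(digits: str) -> bool:
    """Luhn check: confirms a digit string is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed token (HMAC-SHA256) standing in for encryption: recordings can
    still be matched to a card without the number itself being stored. The
    key belongs to the tokenization service, not to the recording archive."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Masked form for agent screens: only the last four digits are visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


def filter_for_storage(record: dict, key: bytes) -> tuple[dict, list[str]]:
    """Return (storable record, names of dropped fields).

    Forbidden fields are dropped no matter how the caller proposed to protect
    them; the PAN is validated, tokenized and masked; other protected fields
    are kept; anything unclassified is dropped too (default deny)."""
    stored: dict = {}
    dropped: list[str] = []
    for name, value in record.items():
        if name in FORBIDDEN_FIELDS:
            dropped.append(name)
        elif name == "pan":
            digits = re.sub(r"\D", "", str(value))
            if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                raise ValueError("pan does not look like a card number")
            stored["pan_token"] = tokenize_pan(digits, key)
            stored["pan_masked"] = mask_pan(digits)
        elif name in PROTECTED_FIELDS:
            stored[name] = value
        else:
            dropped.append(name)
    return stored, dropped


# Constructed sample: what an agent's payment form captured on one call.
# 4111 1111 1111 1111 is a well-known test number, not a real card.
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Example",
    "expiration_date": "12/25",
    "service_code": "201",
    "cvv2": "123",
    "pin_block": "ENCRYPTED:abcd",  # encrypted or not, it must not be stored
    "agent_notes": "customer asked for a receipt",
}

if __name__ == "__main__":
    kept, gone = filter_for_storage(SAMPLE_RECORD, b"constructed-demo-key")
    print("stored:", kept)
    print("dropped:", gone)
```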

Second, a call center’s open physical layout may put data security at risk. The traditional open floor plan and low dividing walls that facilitate easy supervisor intervention on a call center floor can also allow for “shoulder surfing,” the act of viewing sensitive data on a co-worker’s computer screen without authorization to do so. Some call centers locate approved workers who process sensitive data in separate areas.

Third, regarding at-home agents, PCI DSS requires two-factor authentication for those workers who have access to the cardholder data environment. In addition, remote agents should work on a separate segment of the company data network, protected by an internal firewall.

Cost of Non-Compliance: While cost of compliance can be high, the cost of non-compliance and a potential security breach can be even higher from both a monetary and reputation perspective. Non-compliant merchants and third-party providers face stiff penalties from the card issuer including a fine per incident, increased fees and restrictions, and removal of processing privileges, should there be a breach.

Security breach costs also extend beyond PCI penalties. Costs may include irate customers, lawsuits, heavy regulatory oversight, lost goodwill, and lost business. According to the Ponemon Institute’s 2011 Cost of Data Breach Study: United States, the average security breach cost in 2011 was $5.5 million, and the average cost per record was $194.

Five Tips for PCI DSS Compliance

1) Know How PCI DSS Requirements Affect Your Business: The PCI DSS Quick Reference Guide outlines the twelve requirements of PCI DSS v2.0.

2) Take Key Steps Toward PCI DSS Compliance

  • Contact your acquirer or card issuer
  • Conduct a scoping exercise
  • Engage a QSA (qualified security assessor)
  • Engage an ASV (approved scanning vendor)
  • Continuously engage in proactive maintenance and re-evaluation

3) Develop a Prioritized Approach: The PCI Security Standards Council has provided a prioritized approach for pursuing PCI DSS compliance (version 2.0), aligning the twelve PCI DSS requirements with six key milestones.

4) Keep Current: Because guidance for PCI Compliance is regularly updated, make sure to stay informed, particularly on guidance related to your business type. For contact centers, the supplemental guide for protecting telephone-based data will be especially relevant.

5) Work with the Right Partners: Consider a cloud solution for your contact center infrastructure, and let someone else handle the headaches. Cloud solutions are often run by sophisticated IT experts. Bob Kendall of Hitachi reports, “We moved to the cloud because we found that cloud solutions adhere to the highest security standards.”

If you choose a hosted or cloud-based solution:

  • Choose a partner that is PCI DSS-certified. This is an absolute must if they will come in contact with your customers’ payment card data. No exceptions.
  • Choose a member of the Cloud Security Alliance (CSA). The CSA is a group of elite companies that have demonstrated their knowledge of the cloud and how to secure it.

Work with security experts who are familiar with technologies that offer PCI DSS scope reduction, such as point-to-point encryption and tokenization. And finally, ensure your payment application is PA-DSS-certified. The list of approved vendors can be found online.

Create Tomorrow’s Contact Center Today: It is possible to create tomorrow’s contact center today by harnessing the power and promise of data to meet strategic business objectives while ensuring data security and compliance. Organizations can and should strive to provide security and quality at every touch point in the contact center, while staying focused on their main goal: creating great customer experiences.

Kristyn Emenecker, vice president of product marketing for inContact, has eighteen years of experience in the contact center industry, serving in a variety of operational, consultant, and senior leadership roles. She is active in a number of industry groups, published in multiple trade journals, and a regular on the industry speaking circuit. Follow Kristyn on Twitter: @LIVinEden.

[From Connection Magazine May 2013]

Ten Years of Do Not Call

An Interview with Dean Garfinkel

It’s hard to believe that it’s already been a decade since the National Do Not Call (DNC) Registry was established. In fact, on June 27, 2013, it will be ten years exactly. The FTC has been busy fulfilling all those online and IVR requests. In the first year alone, 62 million phone numbers were added to the National DNC Registry. Today the list includes more than 200 million phone numbers.

Coinciding with this, the USA DNC Regulatory Guide also celebrates its tenth anniversary. Created in March of 2003, it is touted as the “industry bible” for compliance officers and operations management alike. The online guide was developed by Dean Garfinkel. As the tenth anniversary of the FTC’s Telemarketing Sales Rule’s Federal DNC list implementation approaches, Dean shares his thoughts on call center regulatory compliance and best practices.

Connections Magazine: You’ve become a highly recognized leader in Do Not Call compliance. Take our readers back in time. How did it begin?

Dean: Florida started everything. The Florida Department of Agriculture created the first Do Not Call list in the country. It amassed 24,000 registrants. Three other states had the same idea.

In late 2001, a company I founded, Call Compliance Inc., got one of twenty-one coveted invitations to a seat at the table with the FTC as they explored options around the creation of a National DNC Registry. I was there on day one. I was asked to participate in the discussion because, as the inventor of a telephone carrier-based Do Not Call solution called TeleBlock, we were one of the few companies to enter this new cottage industry, which is now known as DNC compliance.

I had many customers who relied on our DNC solution to ensure compliance with the then twenty-seven states that had their own Do Not Call lists. We hired an in-house counsel just to keep us up-to-date with all the new regulations. Technological solutions are great, but we knew we had to stay on top of these new regulations in order for our technology to keep our clients 100 percent compliant. New rules were hitting our industry from every direction. Politicians were being elected on the sole promise to stop telemarketing calls at the dinner table. Both the FTC and FCC agreed that they each needed their own aligned set of rules to ensure coverage of all businesses nationally, as the FTC and FCC have different jurisdiction over different businesses. In concept there would be one registry, one set of regulations.

The FTC and FCC got their way, and we ended up with a National DNC Registry. Of course, neither could agree on the rules they promulgated, so we ended up with two new sets of rules. To make matters worse, it became clear that the federal government was not declaring jurisdiction over the myriad of state regulations on DNC. To this day the FCC remains silent on this issue.

Connections Magazine: Yes, it certainly made compliance much more complicated for anyone conducting telemarketing – both sellers and telemarketing service bureaus. What was your solution for simplifying the maze of DNC and telemarketing regulations?

Dean: With thirty-four states with different telemarketing laws and two federal agencies regulating telemarketing, complexity took on a whole new meaning. Companies quickly responded by creating a new position: compliance officer. Not only did they have to keep up with these new laws in real time, but they also had to create and integrate new processes to keep their companies compliant. To make matters even more difficult, the newly minted compliance officers were besieged with Civil Investigative Demands, subpoenas, and the like.

We realized we had what everyone needed. We had been tracking and summarizing the FTC, FCC, and all of the State DNC laws. We built an internal system so we could provide guidance to our customers. I decided an online tool that could be updated in near real time by expert legal counsel and provide time-sensitive alerts to its subscribers would be a much better resource. We developed a simple and intuitive way to present an extremely complex set of regulations. In March 2003 the DNC Regulatory Guide was launched. Only after Canada launched a DNC registry of its own did we update the name to USA DNC Regulatory Guide to make room for our Canadian DNC Regulatory Guide (which has been reviewed by the Canadian regulatory agency).

Ten years of updates and the adjusting of summary definitions based on actual consent decrees make the USA DNC Regulatory Guide the best of its kind. Some of the biggest brands, law firms, and Attorneys General offices use the USA DNC Regulatory Guide as their go-to resource, and they count on receiving time-sensitive alerts to subscribers whenever a regulatory body changes a law or regulation. I am proud to be a part of this product and this ten-year milestone.

Connection Magazine: Thinking back, what is the biggest change you’ve seen in the ten years since the FTC implemented the national Do Not Call list?

Dean: Calling has become strategic. Companies can no longer load large files and dial for dollars. The costs and the risks are too high.

Connections Magazine: The National DNC Registry now contains more than 200 million phone numbers. What is your biggest concern today as it relates to the size of the DNC list?

Dean: My biggest concern is the migration of landlines to wireless. When the DNC list was created, this rapid migration wasn’t accounted for. No one expected their twelve-year-olds to have PDAs with faster Internet speeds than DSL. State after state is modifying its laws to define TXT as a call under their existing DNC rules. As landlines become a thing of the past, we will end up with no options to communicate via phone.

Connections Magazine: In your opinion, what’s the next big thing on the horizon?

Dean: The biggest challenge is that we all face rapid changes in technology. Technology is changing more rapidly than regulators can keep up with. Also, consumer preference management needs to be a priority. But again, here we need the regulators to buy in to this, not just those in the industry. The reality is that businesses have to be able to talk to their customers.

I’ll give you an example. This weekend I needed to purchase a new refrigerator. I contacted a local appliance store, and we called back and forth six times on my wireless phone number to confirm the purchase and delivery. Not once did the store clerk ask for express written permission to call me. In the future, with the set of rules we’re dealing with, that transaction would have been very difficult.

Connections Magazine: What are the top ten compliance problems you see in the industry?

Dean: Here is my top ten list:

1) Lack of a clear customer contact strategy: different parts of an organization contacting customers without a coordinated plan, causing customer frustration and leading to more DNC requests and complaints

2) Lack of preference management

3) Do Not Call failures

4) Lack of understanding regarding proper consent for calling wireless numbers

5) Caller ID failures: failure to properly answer consumer callbacks, creating extreme frustration and complaints

6) Abandoned call rates exceeding 3 percent

7) Abandoned call messages that are not compliant with the Amended Telephone Consumer Protection Act (FCC)

8) Inadequate employee training

9) Lack of compliance monitoring and testing: Processes get broken and companies don’t realize a problem exists until many complaints have been filed against the company.

10) Lack of time: Compliance management is burdensome and time-consuming, and because of this, is often pushed to the back burner behind urgent operational issues.

Dean Garfinkel is chief operating officer of Quality Contact Solutions and can be reached at dean@qualitycontactsolutions.com.

[From Connection Magazine May 2013]

Protecting Patient Information in the Cloud

By Rich Sadowski

Companies across the healthcare industry have started collaborating with virtual contact centers in an attempt to operate more efficiently while still offering the highest quality customer care. Known as “homeshoring,” using home-based customer care professionals has already helped many healthcare organizations remain competitive in the current economic climate. These virtual companies have shown they can deliver better service than traditional brick-and-mortar centers, resulting in higher customer satisfaction, faster issue resolution, and greater patient empathy. Yet information privacy concerns and strict security regulations are still preventing some executives from exploring the use of home-based employees.

Preventing Unauthorized Access: Misuse of patient information is one of the most dreaded threats for any healthcare organization. For this reason, any virtual contact center that works with healthcare clients must be extra diligent when implementing security systems and processes to help prevent unauthorized access to sensitive data. The following are a few recommendations for network security within a virtual environment:

  • Firewalls: A firewall configuration, known as the firewall sandwich, is used by many virtual contact centers to protect both Web application servers and back-end systems. This configuration is particularly important when back-to-back firewalls exist at the boundaries of the service provider and enterprise network infrastructures.
  • Authentication: Multi-factor authentication processes are used to ensure that users are who they say they are. It is advisable for any log-on process to require the user to input something he or she knows, like a password, along with inserting something unique that the user has, such as a onetime token code from a security device. Additionally, contextual information can also be used to help confirm a user’s identity (for example, if the employee is scheduled to work during the period of the log-on attempt).
  • Authorization: Once users are authenticated, they should then be authorized to access only certain resources. Handling the authorization controls is the job of a triple-A (authentication, authorization, and accounting) server using policy-based management rules.
  • Virtual Private Networks: To reduce the risk of hackers attempting to “tap” into sessions or pretending to be legitimate users, cloud-based contact centers should utilize a virtual private network (VPN). VPNs establish encrypted “tunnels” through the public network by encapsulating traffic in special packets. The use of strong encryption, such as that afforded by the 256-bit Advanced Encryption Standard (AES), makes it practically impossible for hackers to snoop or hijack virtual private network traffic.

Preventing Information Misuse: The other security factor that must be considered when outsourcing to a virtual call center is the procedures in place to help prevent the misuse of information. After employees are approved, securing their home-office environment requires applying comparable layers of security found in a physical call center—but in different ways. Below are some best practices for making the work at-home arrangement as secure as possible:

  • Virtual Agents: Efforts to prevent the misuse of confidential information should begin with hiring the right people. Before an employee attempts to access an organization’s network, he or she should be thoroughly vetted prior to hire. At a minimum, this process should include background and criminal checks.
  • Computer Controls: It is strongly recommended that an at-home agent’s home computer be “locked” when in use for work. This can be accomplished using a special security application and typically prevents any information from being copied, logged, transmitted, or otherwise retained.
  • Software Updates: A best practice is to have a patch cycle that regularly installs system and security software patches and updates. This helps ensure the security software used is up-to-date with the latest version.
  • Host Integrity Checks: When working in a cloud-based environment, it is important to make sure all operating systems, applications, and security software are installed correctly and operating properly. This is done through an endpoint HIC (host integrity check) performed every time an employee logs on. The HIC also validates the registry settings, confirms that no unauthorized application is currently installed, and verifies that the agent is attempting access at a scheduled time and via an authorized network.
  • Telephone Keypad Entry: Another best practice is to protect personally identifiable data by having customers enter sensitive information directly via the telephone keypad. “At the tone, please enter your credit card number.” The identifying information is then associated with the caller’s entire session, but it is masked on every screen so as not to be visible to the agent.

By following these security provisions, a cloud-based contact center can be made just as secure as a physical brick-and-mortar facility. To help select the right at-home contact center partners, it is strongly recommended that companies work with an organization that has achieved third-party validated compliance with HIPAA, the HITECH Act, and Payment Card Industry Data Security Standard (PCI-DSS) Level 1 certification.

Rich Sadowski is vice president of Solutions Engineering for Alpine Access, Inc., a provider of employee-based virtual contact center solutions and services.

[From Connection Magazine April 2013]