When asked why he robbed banks, the notorious thief Willie Sutton reportedly replied: “That’s where the money is.” Cybercriminals have a similarly simple motivation for targeting contact center operations — they have the best data.
Contact centers capture, store and process huge amounts of sensitive customer data such as Social Security numbers, payment card data, account numbers and purchase histories. That data helps contact centers deliver a more personalized customer experience and optimize overall operations, but it also makes them an enticing target. Research from Gartner indicates that 75 percent of customer-facing organizations have experienced a sustained, cross-channel fraud attack in which the contact center was the primary point of compromise.
Security and data privacy in the contact center are uniquely challenging because the threats come from all directions. While outside hackers employ waves of fraudulent schemes to get at customer data, contact centers are also unusually vulnerable to a variety of internal threats. You may recall that AT&T was fined $25 million a few years ago after contact center employees confessed to accessing customer data and reselling it to outsiders.
The risks have become more pronounced during the ongoing public health crisis. With contact centers transitioning to remote operations, organizations have had to sacrifice direct oversight of their agents’ activities. That increases the chance that agents could expose customer data, whether by accident or with malicious intent.
To mitigate these risks and improve their security posture, organizations should take steps to ensure their contact centers comply with data privacy regulations such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). Even if these regulations don’t apply to your organization directly, they provide meaningful guidance for anyone charged with protecting customer data.
The following suggestions can improve your ability to safeguard customer data:
Establish a data protection officer. Establishing a DPO is mandatory under the GDPR, but it is a good idea even if that regulation doesn’t apply to your company. With a DPO, you have a central authority who is responsible for ensuring that the organization is meeting relevant data privacy obligations. The DPO should conduct regular audits to ensure compliance and address any potential issues.
Conduct regular training. Contact center agents must understand how to handle customer data safely. They should receive training on what types of data must be protected, how to organize and protect it, how to access it securely and how to dispose of it when it is no longer needed. Agents also need training on how to identify social engineering and other types of exploits. Given the high annual turnover rates in contact centers, training programs must be delivered consistently and repeated frequently.
Implement data loss prevention. DLP solutions reduce the risk of insider threats by examining outbound communications such as email and file transfers, as well as host-based activities such as copying files to removable media. DLP scans will generate alerts if any of these activities violate company policies.
Data breaches that compromise private information have a host of negative consequences, but the worst may be the loss of customer confidence. Studies show that nearly a quarter of consumers say they will never return to a business that exposes their personal data. Contact us to learn more about boosting your security posture and improving data privacy practices in your contact center.