The mystery is solved: the contact center can be one of the most vulnerable areas for data breaches in most utility companies. In Part 1 of this two-part article, we discussed some commonly found risks in the typical contact center, such as unsecured notebooks, printed reports, lack of accessible shredders, and fax machines run amok. Appropriate handling of Personal Identifying Information ("PII") is core to reducing the overall risk to your utility. Now that you have walked through your organization and taken note of your particular risks, what's the next step? The development of your data security plan.
Similar to any IT or business process project your organization implements, developing a practical-use data protection policy requires a holistic approach -- one that does not use your IT department as the catch-all. When designing a plan that works best for your utility, the approach should address some of the following elements:
- NDA: While a number of utilities do have Non-Disclosure Agreements with their employees, the NDA should be developed to ensure a joint responsibility for security breaches caused by a mismanagement of information by the individual user. Protecting your utility's assets means protecting yourself from potentially costly litigation by customers affected by security breaches and making sure that your employees put the same financial value on that information as your executive management does. This may include working with your bargaining unit to develop a suitable plan for joint responsibility.
- Vendors: Assess the level of risk posed by vendors' exposure to customer-sensitive information, and ensure that your data security and customer service information policies are clearly outlined and agreed to by your service providers as a form of contract or expected service level. If you won't let your employees keep customer reports in unsecured vehicles, then your service providers should agree to the same. Working with your vendors to implement PII security policies that can be enforced will benefit all parties.
- Mini-Audits: Perform regular mini-audits of your customer service organization to guarantee that PII protection isn't a policy-du-jour but rather an ongoing collaborative effort that protects the rights of your customers as well as your utility and employees, and is in the best interest of all stakeholders. How frequently, who participates, and what the follow-up steps are should be customized to the needs of your utility and should be evaluated on an ongoing basis.
- Legislation: Working with your legal department, HR, IT and customer service departments will keep all key individuals informed on legislation that may impact the utility's liability and new regulations that may affect existing business processes that utilize PII.
- Customer Awareness: Ensure that your customers are aware of the information that is needed to establish service and how that information will be handled and used within your organization. Disclosure of your privacy policies should be in a clear, readable format easily understood by your customer base. Customers should be given an opportunity to opt out of providing PII as an option for service. It is important to recognize that your customers may have reasonable privacy concerns that require special treatment and handling, and a long-winded message that is rife with legal terms may not be the best method of communicating with your base.
How will a comprehensive data security plan that addresses PII data handling help your utility?
Southwest Gas attorney Meridith Strand describes it well: when working with her company to develop a comprehensive plan, there were several results:
- Protecting the customer base
- Minimizing customer disputes
- Providing a mechanism for a low-cost method of tracking information
- Reducing losses
- Minimizing the financial impact of identity theft
With careful planning, thorough review, and consistent follow-through, your utility can rest easier knowing that your customer base AND your business are protected. A seamless data protection policy should be transparent to your business: an embedded thought that meets your operational needs while protecting your customer base -- so that you can return to focusing on the business of providing quality and reliable utility services to your customers.