
The Area With The Most Customer Contact Usually Has The Least Information Security and Privacy Training

Think for a few moments about the area in your company that has the most, or close to the most, direct contact with your customers and consumers...

Yes, your call center folks.

And how much information security and privacy training do you provide to those folks? Is it targeted training, based upon the access that call centers have to personally identifiable information (PII)? Is it targeted training letting your call center folks know how to communicate your organization's privacy practices to callers? How to communicate to customers the procedures that are in place to allow them access to view the PII your organization has about them? How to communicate to callers the procedures to request corrections to their PII? How to verify the identities of callers before giving them confidential customer information?

And there are so many more important information security and privacy topics that call centers must know about.

Here is the first part of the third article, "Providing Call Centers with Information Security and Privacy Education," in my July issue of IT Compliance in Realtime...

-----------------------------------

A typical call center staff member has direct contact with many types of individuals: customers, potential customers, business partners, vendors, regulators, personnel, and so on. Think about all the types of information the call center staff provide to the folks calling them. They often answer:

  • Requests for account information and details
  • Questions about the organization's policies and procedures
  • Questions regarding the accounts of family members and even friends
  • Complaints regarding services and products
  • Employment inquiries
  • And more

Call Center Staff Are Often Involved in Privacy Breaches

Many privacy breaches and other bad things have already happened through the mistakes, lack of knowledge, or malicious intent of call center personnel. This is not a new phenomenon. Just a few examples of incidents throughout recent years:

  • January 22, 2008--The Target company notified the New Hampshire Department of Justice that its fraud detection unit discovered that three employees of the company that provided call center support services to Target National Bank (which issues Target Visa credit cards) had accessed customer Visa account information including names, addresses, account numbers, Social Security numbers, and telephone numbers to make fraudulent purchases.
  • June 27, 2006--An employee of a customer service center operated by the Hong Kong and Shanghai Banking Corporation (HSBC) was charged with illegally accessing information that reportedly led to the theft of more than £200,000 (US $362,091) from the accounts of the bank's customers in Britain.
  • June 30, 2005--It was widely reported that a call center employee at Infinity eSearch sold personally identifiable information (PII), including phone numbers, names, addresses and pass codes, about 1000 British customers for $5.40 per customer record.

The majority of call center staff are responsible and want to do the best job possible, but they cannot if they do not know how to effectively safeguard information. Organizations must provide call center personnel with the knowledge necessary to do their work in the most secure way possible and to maintain the privacy of customer and employee information. In addition, there will always be a very small percentage of personnel who will perform malicious actions if they see an opportunity. Educating all call center personnel significantly helps to reduce the risks of mistakes, actions taken because of lack of knowledge, and actions taken with malicious intent.


-----------------------------------


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.