Protecting Personal Information of Customers

“The practice of trying to trick or manipulate people into breaking normal security procedures is called ‘Social Engineering’. The principle behind social engineering and scams in general is that people are the weak link in security – that it can be easier to trick people than to hack into computing systems by force. Social engineers exploit people’s natural tendency to want to trust and be helpful. They also take advantage of our tendency to act quickly when faced with a crisis.” – University of California Santa Cruz Information Technology Services

If you have a business, you need customers. When you have customers, you also have access to huge amounts of their sensitive and personal information. This information includes their name, credit card information, bank account details, social security number, home address, family information and other such highly classified data. This information is necessary and mandatory for companies to serve their customers (and employees) well, but it is the prime duty of companies to protect the personal information of customers. If this personal information of customers or employees were to fall into the hands of unscrupulous individuals and malefactors, it could spell disaster. These people could commit fraud, steal identities and money and create all kinds of nuisance and difficulties. Protecting the personal information of customers is possibly the most critical and toughest job of any company.

When customers provide their personal information, they do so expecting and trusting that the company will protect it. In business, customer trust is an invaluable ‘commodity’ – very hard to earn and lost within a matter of seconds – and a breach of the personal information of customers is an unforgivable offence. Safeguarding the personal information of customers takes a lot of effort, sound technological infrastructure and relentless commitment, but all this is worth the trouble. Any breach of the personal information of customers would inevitably lead to litigious situations, loss of reputation and possibly the complete shutdown of the business. Irrespective of the size or nature of a business and the size of the customer database, it is essential to keep the personal information of customers safe and protected. As mentioned, taking care of customers is the responsibility of everyone in the organization, and a large number of people would have access to the personal information of customers, making it even more essential to have safeguards and checks in place to protect this vital data.

A company must ensure that it emphasizes the importance of protecting the personal information of customers by creating a culture that supports security and safety. Regular training must be provided to employees to keep them aware of the consequences of losing personal data – both for the company and for them. The training should provide details of the latest risks, ‘phishing’ methods, weaknesses and threats, to ensure that every employee has the most up-to-date information on how to protect the personal information of customers. Ensure that all employees, even temporary staff, undergo this training. Make it mandatory and link it to the performance appraisal to ensure that people understand the seriousness of protecting this valuable data.

It should be every employee’s responsibility to familiarise themselves with the privacy policies and procedures of the company. Everyone must strictly adhere to these policies and always report anything they believe to be amiss. This would help to mitigate the risks – even those that could happen due to human error – and help to safeguard the personal information of customers. Every employee must read and sign the company’s privacy policy – this would place individual responsibility on each person to handle the personal information of customers with care and utmost safety. Customers too must receive a copy of the privacy policy – this will reflect your company’s commitment to handle their information carefully, leading them to trust your company. Many people refuse to do business with a company that is unable to assure them that the personal information they share would be safe and secure. In such a competitive environment, ill repute for any reason could lead to high customer churn and an inability to attract new customers.

While each person in the company should be equally responsible, there must be a senior person with overall responsibility to ensure that everyone adheres to the privacy policy. This person would be responsible for the team with access to the personal information of customers and have ‘rights’ to correct, update and make other changes to the database. This is essential since the information of customers would require regular updating given that the situation, location and other details of a customer could change. Employees must immediately report any breaches, irregularities or suspicious activity to the senior person with overall responsibility. It is the company’s responsibility to ensure that any changes, in the policy and/or in the person in charge, are conveyed immediately to everyone in the organization. Sharing such information is the duty of the company and not doing so could potentially put the personal information of customers at risk of being exposed.

Given that protecting the personal information of customers is a huge responsibility, companies must limit the amount of data they collect from customers. The rule to follow is to collect only as much information as would be essential in the current time, to serve the customer well. With one-time or off-and-on customers, there is usually no need to collect personal information, and doing so should be avoided. Before using the personal information of customers or disclosing it to anyone, complete verification and due permission must be sought from the customer to do so. This would usually be the primary reason for which the personal information was collected to start with. As far as possible, conduct your business without using, or with minimal use of, the personal information of customers. Such discretion and care would keep the company safe too – litigations related to breach of personal information have been known to cause serious damage to a company by way of huge monetary compensation and an erosion of the respect and trust they may have earned over years.

With companies now going global, they would have customers from around the world. Maintaining and protecting their personal information would require a different set of policies and a thorough understanding of the laws pertaining to information breach. When entering into overseas business ‘relationships’, it is the company’s responsibility to inform the customers of its privacy policy and ensure that they execute a written agreement with the customer providing all the details, the extent of responsibility and the duty of the customer. Whatever the kind of customer base, handling and protecting the personal information of customers is a duty that must be held ‘sacred’. There can be no acceptable reason for misusing or allowing a breach of such information since other customers and prospective customers would always remain wary of your company, drastically reducing the number of customers your business would have.

Despite emphasizing the importance of protecting personal information of customers, there could be an unfortunate breach for any number of reasons. A company must have a plan of action in the event of a breach, which would involve a specialized IT team to fix the ‘hole’, inform the customer and block access to the database till the problem gets resolved. Swift action is absolutely essential to minimize any repercussions and would help to mitigate some of the legal implications and the damage to the company’s reputation. No company can afford to ignore the protection of the personal information of customers – there is too much at stake, especially the customer’s trust.
