Contact Centre Summit | Forum Events

Posts Tagged: GDPR

EU businesses fined over 830m euros for GDPR violations in 2022

Stuart O'Brien
As of December 2022, companies based in the EU had paid a total of €2.83 billion in 1,401 cases for violating various data protection laws. Of that, GDPR fines in 2022 total €832 million, which is 36% lower than the €1.3 billion paid in 2021.
However, according to the latest data analysed by Atlas VPN, last year stands out not for the total sum fined but for the severity of the charges imposed on a single entity — Meta.
The data for the analysis was extracted from Enforcementtracker, though not all cases are made public.
While the heftiest sum charged for violations was recorded in Q3 of 2021, the third quarter of 2022 was also significant, as businesses were penalized €430 million.
The Data Protection Commission (DPC), the GDPR enforcement authority in Ireland, imposed a €405 million fine on Meta Platforms Ireland Limited (Instagram) on September 5th, 2022.
Two issues were found with the processing of personal data pertaining to child users of Instagram.

The children’s email addresses and phone numbers were publicly exposed when using the Instagram business account function, and Instagram profiles of kids were public-by-default.

The same entity was fined a further €265 million on November 25th, 2022, when the DPC declared that Meta had infringed two articles of the EU’s data protection laws after details of Facebook users from around the world were scraped from public profiles in 2018 and 2019.

Moreover, the DPC issued a “reprimand and an order” forcing Meta to “bring its processing into compliance by executing a range of specified remedial activities within a specific deadline”.
Meta complied and made the adjustments within the required timeframe. To date, Meta has paid around €1 billion for GDPR violations.

Cyber Security: Data ‘re’-assurance in the age of GDPR

Stuart O'Brien

How do organisations know their data is secure? And how can companies ensure that a network breach won’t result in a loss of sensitive data? The consequences of a data breach are potentially disastrous for any organisation, so companies need to be reassured that their data is secure at all times in line with any internal and external compliance needs – and that they have the tools and visibility to prove this, should a network breach occur.

With 78% of IT security leaders lacking confidence in their company’s cybersecurity posture, now is the time for organisations to focus on applying a ‘Zero Trust’ approach to their cybersecurity strategy. In doing so, security professionals acknowledge that they cannot trust the security of their underlying infrastructure and therefore implement controls from a data assurance perspective, placing emphasis on protecting their sensitive data, irrespective of where this data travels within the network. And those CISOs and CSOs who are solely concerned with their network security need to reconsider and focus on their data security.

Security professionals should be taking a proactive approach to their organisation’s cybersecurity and should always be considering how they can better protect their most valuable asset – their data. With this in mind, Paul German, CEO, Certes Networks, outlines how data assurance is a mindset that security professionals need to adopt in order to be confident that their sensitive data is protected at all times…

Increasing Threats

Cyber attacks are increasing dramatically, and by its very nature sensitive data is an incredibly valuable asset and one that is frequently targeted. Last year, 37 billion data records were leaked, a staggering 140% increase year on year. Surely there are measures that companies can take to stem this growing tide of data breaches.

However, on average only 5% of company files are properly protected – a surprising statistic considering the vast implications of a cyber attack. Furthermore, malicious hackers are now attacking computers, networks and applications at a rate of one attack every 39 seconds.

Clearly, cyber attacks and consequent data breaches are an epidemic and organisations need to put the appropriate measures in place in order to protect their data and their business. Ultimately, companies need to adopt a data assurance strategy aligned to business intent so they have the right tools and security posture in order to be in the best position when it comes to safeguarding their most valuable asset against cyber criminals.

The Consequences

When a cyber attack occurs and an organisation loses the sensitive data they have been trusted with, there are significant consequences. Of course, the obvious economic repercussions are enough to make any business concerned, with the average cost of a data breach being $3.86 million as of 2020.

However, it is not just a data breach, but a breach of trust. Additionally, losing a client’s sensitive data damages a company’s reputation and organisations could even be facing legal action, especially if they breach regulations such as GDPR, HIPAA or CJIS. The fact is that businesses are fined for a loss of data because they are not compliant with specific laws over the use of sensitive information – not for a network breach.

By looking at cybersecurity from a data assurance perspective, security professionals have the capacity to bypass these damages by protecting their data from the outset, rather than waiting for an inevitable breach to happen before implementing data security measures. There is no reason for businesses to put themselves in a vulnerable position when they have the ability to effectively avoid the consequences of a data breach altogether.

Data Assurance

When businesses consider their cybersecurity strategy from a data assurance perspective, they are directly focusing on their data security and ensuring that they have the necessary outputs in place in order to prove at all times that their sensitive data is protected according to their business intent.

Through understanding their business intent, organisations adhere to specific objectives that they have defined in order to protect their data and mitigate associated risks. By adopting a Zero Trust approach to their cybersecurity posture, companies can achieve the separation of duties that cannot be met when security protocols are tied into the network infrastructure. With a secure overlay that is agnostic to the underlying network infrastructure, security teams can have total control of their security posture. This means that should an incident occur, the required controls are in place and functioning and security professionals can easily prove that their main priority, which is their sensitive data, is safe.

Additionally, with regulations over how organisations can handle data continuing to evolve and change, companies need the mechanisms in place to respond promptly to any developments in regulatory compliance requirements. By implementing policies that match evolving compliance requirements and by putting data at the forefront of any cybersecurity strategy, organisations can be secure in the knowledge that they are observing these rules and regulations and won’t fall victim to their data being compromised.

Companies need to seriously consider implementing the right controls in order to make sure their data is protected and by focusing on their cyber security strategy from a data assurance perspective, they can ensure that they are emphasising the protection of their most valuable asset.

GUEST BLOG: Demystifying Data Subject Access Requests

Guest Post

One year on from the introduction of the General Data Protection Regulation (GDPR), it is becoming clear that when it comes to Data Subject Access Requests (DSARs), organisations are confused about how to balance the rights of an individual with the needs of an organisation. John Potts, Head of DPO, DSAR and Breach Support at GRCI Law, outlines the essential processes that companies must put in place to avoid falling foul of a DSAR breach.

GDPR Misunderstanding

While subject access requests were in place under the Data Protection Act 1998 (DPA), growing personal data awareness has resulted in a significant spike in DSAR activity – and there is a degree of resentment regarding the way individuals are now using these new data rights. However, whether a business feels the DSAR is justified is in the main irrelevant: it is the law. Companies have a legal requirement to comply with a DSAR within one month – or face the wrath of the Information Commissioner’s Office (ICO) and potential enforcement action, which could mean a fine and will always damage the reputation of the organisation.

This deadline applies for any DSAR, whether it is created internally or externally. Indeed, a significant proportion of the rise in DSARs is in support of employee grievance and tribunals. Many employment lawyers will now typically file a DSAR for the relevant period(s), as part of any case – whether it is an employee fighting dismissal or filing a complaint against a colleague. Companies, therefore, need to recognise that in such cases these individuals know exactly what information the DSAR should include, whether that is an email trail or meeting notes. Don’t fall into the trap of overlooking the DSAR simply because a tribunal is underway: the right process must be in place to respond to every DSAR irrespective of who makes the request or why.

As such, it is essential to put in place a process for immediately recognising a DSAR. Individuals can make requests via any medium, from Twitter to email and letter. Fail to respond within the deadline, for whatever reason, and the individual can raise a complaint with the ICO, which will then investigate. In addition to ensuring DSARs are not overlooked for any reason, a company also needs a smooth escalation process and at least one individual trained to respond to the DSAR.

Exemptions and Third Party Data

While the majority of DSARs are simple, organisations will face some that raise questions. The way third party data is handled, for example, can be a minefield. Many companies believe it is simply a case of going through all the relevant data and redacting any names other than that of the individual that has made the request. That is not the case.  

For example, if ten people were in a meeting and one of those makes a DSAR, there is no point redacting the names of those other nine individuals – everyone knows they were in the meeting. However, this approach cannot be applied to CCTV records, for example. An individual may accept the existence of CCTV in a nightclub, but that does not provide implicit agreement that their presence can be shared in a response to someone’s DSAR. Or take a police custody suite: even if faces are redacted, background conversations could infringe individual rights. When it comes to third party data, DSARs will have to be considered on a case-by-case basis; there is no blanket response.

Furthermore, there are a number of exemptions that can be applied to DSAR, including Legal Professional Privilege (LPP) for information exchanged between an individual and legal representative, as well as information relating to company finances or national security. The ICO will look at each exemption on a case by case basis and it is therefore essential to ensure each DSAR is annotated with the relevant exemption.

Conclusion

Failure to respond quickly to a DSAR is not going to automatically incur the huge fines associated with data theft. However, it is still a breach of GDPR and the ICO is not going to go easy on organisations that fail to put in place the right processes. DSARs are becoming a fact of life for every organisation; individuals know their rights and, as the rise in employee grievance inspired DSARs reveals, they are actively looking to use the new legislation to support their cause. 

For any organisation, process is key: monitor all incoming communication channels for DSARs and escalate quickly, because the clock starts when the company receives the request. Put in place good professional support for any complex cases that may require exemption or redaction. And, critically, think hard about data retention strategies. The whole aim of GDPR is to make companies consider their data resources and move away from storing data for the sake of it. Only retain data that is relevant and that you have a lawful reason to process, and put in place a retention policy with strong methods for recording, extracting and redacting if needed.

Image by fancycrave1 from Pixabay

GUEST BLOG: Whose data is it anyway? GDPR and the problem of data ownership

Guest Post

By Tony Pepper, CEO, Egress Software

“GDPR is the new Y2K” was a phrase I heard multiple times during the first 12 months since its implementation. As the ICO continued to work through historical breaches under the Data Protection Act, there was certainly a sense that GDPR was all bark and no bite.

Then its first anniversary was quickly followed by the ICO issuing intentions to fine British Airways an incredible £183.39m and Marriott nearly £100m. With this move, the ICO reminded CISOs and their boards that they are indeed operating in a new era of data protection and compliance, and GDPR moved back up the agenda once more.

Yet despite this, we don’t go a day without a new breach hitting the headlines – and the impacts are only getting more significant. The latest ‘Cost of a Data Breach’ report from Ponemon and IBM shows the average cost has increased 1.5 per cent to $3.92m. 

Stemming this tide is the problem all CISOs are working to solve – but if measures to date have had limited impact, where should they look next to achieve this? A clear understanding of why data breaches are happening is the logical place to start, however when employees are involved, this is never a straightforward issue. 

Understanding the ‘why’ around data breaches 

Much analysis has been carried out into the types and frequency of data breaches, but there has been little focus on why they are happening. When considering cyberattacks and malicious data breaches, we can quickly attribute motivations to factors such as financial gain (including ransom), political affiliations, competition and sabotage, or emotions (for example, anger). To most people, the link between these motivations and subsequent actions makes sense, much in the same way that physical theft might do.

When we consider non-malicious insider data breaches caused by staff, the problem becomes layered with complexity that’s difficult to untangle and resolve. Yet only when we understand more clearly the why behind these breaches can we reduce their likelihood and impact.

At Egress, we looked into this topic with independent research company Opinion Matters. Our survey of over 500 CIOs and IT leaders in the US and UK found that nearly all of them (95 per cent) are concerned by insider threat and most believe employees have put data at risk in the last 12 months either accidentally (79 per cent) or maliciously (61 per cent).

We also surveyed over 4,000 employees and found that they paint a very different picture: 92 per cent said they have not accidentally leaked data in the last year, while 91 per cent said they had not intentionally leaked data. 

Such a contrast clearly demonstrates that to some degree, employees are either unwilling to admit to causing data breaches or unaware that they have caused one.  

The issue of unknowingly causing data breaches is a nuanced discussion. It’s not simply a case of, say, never becoming aware that they’ve emailed sensitive data to the wrong person; it also includes whether employees feel like they have a right to the data in the first place, and therefore by removing it from a secure environment, they don’t realise that they’ve caused a breach – for example, exfiltrating customer lists when moving onto a new company. 

Our research found that almost one-in-three employees (29 per cent) believe they have ownership over the data they have worked on for a company and that 60 per cent don’t believe the organisation has exclusive ownership over the data. Interestingly, those aged 16 – 24 were actually less likely to think the organisation has exclusive ownership (33 per cent), while those aged over 65 were more likely to think so (51 per cent).

The problem of ethics and ownership

Awareness and education are a favourite starting point for tackling non-malicious insider breaches. A solid foundation of cybersecurity awareness does help to reduce negligent or inadvertent instances by championing good practices. Employees can also be challenged and re-educated on the subject of data ownership, for example explaining what needs to remain with the organisation when they leave. These educational measures should also be highly targeted to the current workforce age ranges within individual organisations. In a time where digital natives, such as millennials and Generation Z, have grown up with prevalent sharing on social media and a sense of ownership around what they produce, this problem is likely to be exacerbated in these employees. 

Yet education alone won’t turn the tide of data breaches, as it cannot prevent reckless behaviour or stop every inadvertent breach – after all, people are always going to make mistakes!

How technology can reduce breaches

When respondents who acknowledged causing a data breach were asked how this happened, our research found that accidental leaks were caused by: rushing and making mistakes (48 per cent), working in a high-pressure environment (30 per cent), and tiredness (29 per cent). Two of the top causes of intentional breaches were not having the tools required to share data securely (55 per cent) and taking data to a new job (23 per cent).

This insight helps us to understand the role technology needs to play in preventing data breaches. Advances in machine learning and graph database technologies have made it possible to identify when people are about to accidentally or intentionally leak data – warning users and administrators in real time that a breach is occurring, and even preventing the release of certain data altogether.

The use of this technology can not only reduce the likelihood of a data breach but also significantly reduce the impacts should a breach occur. The ‘Cost of a Data Breach’ study shows that use of security technologies such as encryption and DLP were associated with lower-than-average data breach costs. In particular, encryption had the greatest impact, lowering the cost by $360,000 on average. What’s more, security automation that leveraged technologies like machine learning and analytics on average reduced the cost of a data breach by an impressive $2.5m.

Not another Y2K

For those of us operating in cybersecurity on a daily basis, it’s impossible to be ignorant of GDPR and its impacts. This awareness inevitably dilutes the further we get from CISOs and their Security Teams, but GDPR doesn’t make this distinction: good data protection practices are non-negotiable.

As research has shown, there’s no one silver bullet to turning the tide of data breaches, particularly those caused by employees and the complexities they bring to this problem. But GDPR has emphatically proven it is not another Y2K – and CISOs need to keep educating and equipping employees to prevent non-compliance. To do this, CISOs need to address the motivations and problems staff have when sharing data – and when they don’t have confidence that people will make the right decisions, they need to look to the latest technologies to do this on their behalf.

12 point guide for contact centres struggling with GDPR

Stuart O'Brien

Semafone has created a guide for contact centres to help them comply with the EU General Data Protection Regulation (GDPR).

The guide was compiled with the help of four industry experts specialising in data security, GDPR, and contact centre technology and offers practical advice summarised in a 12 step path to compliance.

Semafone cites research from TrustArc that says only 21% of UK organisations believe they are GDPR compliant, despite the regulation coming into effect in May. Other EU countries are further ahead with 27% of businesses stating they are GDPR compliant, but the numbers are even lower in the US (12%), where companies may not have realised the regulation can apply to them as well.

Tim Critchley, CEO of Semafone, said: “Contact centres are under extreme scrutiny when it comes to GDPR. Not only do they handle huge amounts of personal information, but they also have to take into account factors such as call recording and payment handling, which can present serious and complex challenges when it comes to data protection. In addition, contact centres are staffed by agents who themselves need to be protected under the terms of GDPR. This guide helps contact centres to better understand and meet these challenges.”

The full guide can be downloaded here.

Contributors to the report include:

Simon Martindill, Marketing Director, 360 Solutions

Patrick Cooper, Independent Consultant specialising in data and EU GDPR

Ben Rafferty, Global Solutions Director, Semafone

Shane Lewis, Information Security Manager, Semafone

Data is not enough for better customer experiences: Use workflows to channel it where it’s needed

Stuart O'Brien

By Geoff Land, MD, Infinity CCS

A few weeks ago, we looked at how important it is to develop a ‘Single Customer View’ of your data if you are to deliver a great customer experience. We saw how the arrival of GDPR gives companies an opportunity to catalogue their data to create such a view. But once you’ve done that, exactly how do you use that data to improve customer experience? The answer is to get it into agents’ hands exactly at the moment during each interaction that they need it…

Failure to let data flow is behind most bad customer experiences

There are many ways to design great customer experiences, but most of them have one thing in common: efficiency. It is the efficient flow of information from customer to company, and company to customer, that ultimately makes for a happy customer.

Whether a customer is querying a bill, placing an order, cancelling an order, setting up a payment method, reporting a problem, or chasing a delivery, what they want is their issue dealt with quickly, ideally in a single, short interaction.

Customers find it frustrating when they get transferred between departments, need a call back, or have to wait on hold. These things nearly always happen because of complex internal processes that even well-trained agents find difficult to follow; data siloes between different departments; and agents having to log in to and use multiple IT systems to access information or data input forms.

Having a “Single Customer View” of your data streamlines the process by eliminating all your data siloes. It essentially allows an agent or system to access in one place all the information about a given customer (at least, all that is relevant to their own role and appropriate for their security level).

But even if all that data is now sitting in a single system or knowledge base, it still doesn’t streamline interactions very much if agents still have to access multiple other interfaces to actually get things done.

What’s needed is an interface that pulls everything together – data, processes, and systems – into a single view for the agent.

Agents need the right tools as well as the right data

In recent studies, such as Dimension Data’s Benchmarking Report, companies say they are struggling to deliver exceptional customer experience for a number of reasons including limited technology budgets, complex internal processes, lack of multichannel, insufficient or incomplete customer data, and overly complicated IT systems.

To deliver what customers want it is important that the appropriate technology system, business process, and customer transaction data are all immediately available to an agent (or automated system) at the right time during a customer interaction.

Most processes can be broken down into simple steps, which means that with the right software agents can be guided through these steps one at a time in a flexible manner. Instead of logging in to multiple systems all the information and input screens the agent needs are presented to them in a single user interface.

This type of robust workflow results in faster, more accurate customer interactions, less hold time, fewer call backs, and no need to transfer customers between different teams (unless your internal structure demands it – and if it does you should consider changing that where possible).

In our experience, companies deploying workflow solutions in their contact centres see on average a 20% boost in productivity. That is why we are even seeing this type of technology deployed in emergency command centres (i.e. 999 and 911 centres), where improving call response by just seconds can make the difference between life and death.

Behind the scenes is where all the magic happens

The above benefits can be applied to any channel and with little capital investment as no existing hardware or software needs to be replaced. This is because there is no need to integrate existing systems and data sources with each other. They can all continue operating just as they do now, in their own siloes.

Instead, everything gets integrated into the agent desktop via the workflow using APIs (Application Programming Interfaces). This vastly simplifies the process of integrating multiple systems because they don’t have to ‘talk’ to one another, just to the workflow.

Let’s say a customer has called in (or is using webchat, or Messenger, it doesn’t matter) to change their address and query a previous payment. Rather than having to access different software applications to perform these tasks, the agent first runs a workflow which includes an interface they can use to input the new address. It also shows the old address and other information they need to confirm the customer’s identity.

Next the agent opens another workflow they can use to search through the customer’s past transactions. While these all really sit in another database on another IT system (or several) they are brought together in a single view in the workflow. The agent can search for the appropriate transaction, pull up further information about it, and launch further workflows if they need to make a change, add a note, or escalate the query.

The workflow software acts as a central point of control, allowing data to be drawn into it from multiple siloes and systems, and for the agent to input data back into those systems. If all that existing data has been catalogued to provide the “Single Customer View” then the meta-tags that pull it all together can be used by the workflow to find and associate pieces of data more effectively.
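As an added illustration of the hub-and-spoke arrangement described above (example code written for this page, not Infinity CCS software), the Python below plays the part of the workflow. Two constructed dictionaries stand in for a CRM and a billing system that keep their own records and never talk to each other; the hub pulls from both through hypothetical API wrappers and, matching the earlier point that an agent should see only what is relevant to their role and security level, applies a per-role field allow-list before anything reaches the desktop. No role is ever handed the full card number, unknown roles are refused outright, and every read and write is recorded in an audit log. All system names, customer IDs and values are constructed.

```python
"""Workflow-hub sketch: assemble a Single Customer View from siloed systems
and release only the fields a given role is entitled to see.

Added example with constructed data; it is not Infinity CCS code, and the
"systems" below are plain dictionaries standing in for real API calls.
"""
from dataclasses import dataclass, field
from typing import Any

# --- Constructed silos: each keeps its own records; nothing is merged at rest ---
CRM_SYSTEM: dict[str, dict[str, Any]] = {
    "C-1001": {"name": "A. Example", "address": "1 Old Street", "email": "a@example.test"},
}
BILLING_SYSTEM: dict[str, list[dict[str, Any]]] = {
    "C-1001": [
        # card_pan is a constructed placeholder, not a real card number
        {"id": "T-1", "amount": 42.50, "card_last4": "4242", "card_pan": "PAN-PLACEHOLDER"},
        {"id": "T-2", "amount": 9.99, "card_last4": "4242", "card_pan": "PAN-PLACEHOLDER"},
    ],
}


# Hypothetical API wrappers: the hub talks to each silo; the silos never talk to each other.
def crm_get_profile(customer_id: str) -> dict[str, Any]:
    return dict(CRM_SYSTEM[customer_id])


def crm_set_address(customer_id: str, new_address: str) -> str:
    old = CRM_SYSTEM[customer_id]["address"]
    CRM_SYSTEM[customer_id]["address"] = new_address
    return old


def billing_list_transactions(customer_id: str) -> list[dict[str, Any]]:
    return [dict(t) for t in BILLING_SYSTEM.get(customer_id, [])]


# Field allow-lists per role. Anything not listed is dropped before it reaches the
# desktop; no role is given the full PAN, so the hub cannot leak it by accident.
ROLE_FIELDS: dict[str, dict[str, set[str]]] = {
    "agent": {
        "profile": {"name", "address"},
        "transactions": {"id", "amount", "card_last4"},
    },
    "supervisor": {
        "profile": {"name", "address", "email"},
        "transactions": {"id", "amount", "card_last4"},
    },
}


@dataclass
class WorkflowHub:
    """Central point of control: reads from and writes to the silos on the agent's behalf."""

    audit_log: list[str] = field(default_factory=list)

    def _allowed(self, role: str) -> dict[str, set[str]]:
        # Default deny: a role that is not on the list gets nothing at all.
        try:
            return ROLE_FIELDS[role]
        except KeyError:
            raise PermissionError(f"role {role!r} has no access to customer data") from None

    def single_customer_view(self, customer_id: str, role: str) -> dict[str, Any]:
        allowed = self._allowed(role)
        profile = crm_get_profile(customer_id)
        transactions = billing_list_transactions(customer_id)
        self.audit_log.append(f"view customer={customer_id} role={role}")
        return {
            "profile": {k: v for k, v in profile.items() if k in allowed["profile"]},
            "transactions": [
                {k: v for k, v in t.items() if k in allowed["transactions"]}
                for t in transactions
            ],
        }

    def change_address(self, customer_id: str, role: str, new_address: str) -> str:
        # Writes are gated on the same allow-list as reads.
        if "address" not in self._allowed(role)["profile"]:
            raise PermissionError(f"role {role!r} may not change addresses")
        old = crm_set_address(customer_id, new_address)
        self.audit_log.append(
            f"address customer={customer_id} role={role} old={old!r} new={new_address!r}"
        )
        return old


if __name__ == "__main__":
    hub = WorkflowHub()
    print(hub.single_customer_view("C-1001", "agent"))
    hub.change_address("C-1001", "agent", "2 New Road")
    print(hub.single_customer_view("C-1001", "supervisor"))
    print("\n".join(hub.audit_log))
```

The design point is that the allow-list lives in the hub, not in the silos: the billing system can keep storing whatever it stores today, and the decision about what a given role may see is made once, in the one component every interaction passes through, where it can also be logged.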

For more information on how to create a Single Customer View download Infinity CCS’s e-Guide here: http://www.infinityccs.com/gdpr-and-single-customer-view-guide/

Infinity CCS partners with Connexica for GDPR compliance solutions

Stuart O'Brien

Infinity CCS has partnered with Connexica to offer an analytics suite that includes a Data Discovery and Management (DDAM) module specifically designed to help companies become GDPR compliant.

Delivered on its own, as part of the analytics suite, or alongside the full Infinity Platform, Infinity CCS says DDAM can be installed and configured quickly and is already helping a number of businesses to achieve and maintain GDPR compliance.

An added benefit is that while indexing customer data, DDAM also creates a Single Customer View that provides agents and other staff with the tools to access intelligence from a single user interface so that it can be used to improve customer interactions.

Geoff Land, MD of Infinity CCS, said: “If your organisation is carrying out call centre activities on behalf of a client, you’ll need to ensure that everything you do in relation to that client’s customer data is detailed in your service agreement, contract or whatever legal framework you have in place. Our solution and partnership with Connexica is enabling us to quickly and cost effectively help businesses to do this”.

Jenny Jones, Marketing Co-ordinator at Connexica, added: “We are delighted to partner with Infinity CCS and to work on a number of exciting projects including GDPR and the Single Customer View. The Infinity Platform combined with our own CXAIR Platform has the ability to create market leading solutions designed to help organisations to achieve the unimaginable in relation to data insight and analytics”.

For Infinity CCS’s free guide on GDPR and how to boost omni-channel customer experience capabilities, click here.


GUEST BLOG: Compliance3 details contact centre data breach consumer research

Stuart O'Brien

By Glenn Hurley, Chairman, Compliance3

Hardly a day seems to pass when we are not made aware of yet another organisation struggling to cope with a breach of its clients or customers’ personal data.

Whilst this will have a diverse detrimental effect on the finances of the organisations involved, it can have a dramatic personal financial and emotional impact on the people, be they customers or citizens, it touches.

Knowing that an organisation they deal with has had a breach of their information will be an anxious moment for everyone.

Given this, how companies and public bodies handle these pre- and immediate post-breach situations can be vital to their chances of maintaining client satisfaction and in preventing a significant loss of customers.

This is a report based on research completed by Compliance3 over the past 18 months and is a detailed analysis of the views of ordinary people on how the organisations they interact with should behave in the pre- and post-breach environments.

It will also cover their feelings as they themselves reveal what they are thinking as they transact the customer journey. It is intended that the principal audience for the paper will be organisations, be they an international brand, a small to medium enterprise, a public body, or a charity.

The heightened awareness of the likely impacts, prompted in no small part by increased media coverage, has undoubtedly fed its way into people’s consciousness in both the pre- and post-breach environments.

Their own perceptions and emotions about how they really feel are as significant as those they have about the companies they entrust their valuable personal and payment card data with.

One recently reported illustration of this is mentioned in the BT research reported by Dr Nicola Millard, and included below, which shows people are increasingly worried about security over the telephone. Conversely, 28% of the market would buy more over the telephone if they knew it was secure:

I worry about security over the phone: UK 2015 72% | UK 2011 51%

Buy more over the phone if payment is secure: UK 28%

Source: BT Research, Autonomous Customer

Evidently, how companies treat their customers’ data can significantly influence their customers’ perception of how well they do – it is both a threat to the success of organisations and, interestingly, a massive commercial opportunity if handled correctly.

In this White Paper, we show how in the pre- and post-breach environments people are considering their situation with a mixture of head and heart.

Emotion and logic are mixed to give a situation where, unless you understand the elements in the mix, outcomes can be difficult to predict and even harder to understand.

For our purposes, we have equated these to a mixture of trust and confidence being expressed by our respondents in the ability of organisations and their management to protect their information.

Trust and confidence are two complex issues, the complexity of which we cannot begin to delve into here, but the following description may help and we have paraphrased the final sentence to suit our current situation:

Both concepts refer to expectations which may lapse into disappointments. However, trust is the means by which someone achieves confidence in something. Trust establishes confidence. The other way to achieve confidence is through control. So, you will feel confident in your friend (organisation) that he won’t betray you if you trust him (them) and/or if you control him (them).

Michalis Pavlidis · Senior Lecturer in Information Systems Security at University of Brighton (2)

We will continue to explore this interesting relationship, between trust and confidence in our respondents’ attitudes towards organisations, throughout the rest of the White Paper. How do our respondents balance the trust and confidence equation and are there ways organisations can increase their confidence by giving people more control?

Accordingly, any organisation, when considering its incident response plan, needs to consider this mix. Doing so gives it the ability to defuse a highly charged situation and, in some cases, convert a disaster into a success – well, a partial one maybe.

The US company Target Group, despite potentially losing the card details of up to 40 million customers, was only forecasting a 2.5% drop in sales, and just for one quarter (The Target Breach, By the Numbers, Krebs on Security, May 2014). (7)

Whilst making several mistakes in the initial communication to customers, Target seems to have prevented high levels of customer loss by a series of offers including discounts, free security software, etc.

The Research

The research, designed to probe consumer views on card payment and personal data security and fraud in contact centres, was conducted in eight phases between January 2015 and July 2016.

To get a robust, representative spread of respondents, we used a specialist consumer engagement platform, OnePulse, that enables quick market research by sending bite-size surveys known as ‘pulses’ to its panel via a mobile app.

We sent the ‘pulses’ to a cross section of individuals from the entire UK-based panel to secure a statistically robust and representative sample of the wider population.

Our approach to reporting the research has been to divide it into two main sections, pre- and post-breach, and by doing so to follow a stylised customer journey.

Within those sections, we have considered how respondents viewed organisations and then, separately, their own reactions and perceptions about both the pre- and post-breach environments.

By arranging our reporting of the results in this way, we illustrate what people perceive the organisations’ responsibilities to be and their ability to secure their data in the pre-breach environment, and show how people are likely to react in a post-breach situation and their views on the organisation that may have let them down.

Understanding how people view an organisation and its management responsibilities in both scenarios can be a great help in planning what to do in an incident response situation, and in getting right something that all too often goes badly wrong: open and honest communication with those directly affected, be they customers, members or residents.

Research Conclusions

Having gathered feedback from 8,000 respondents and collecting views across more than 20 topics in relation to pre- and post-incident response, what are the main conclusions we can draw?

Breaches, if not well handled, are arguably the biggest threat to an organisation’s reputation and brand profile. They may well have direct financial consequences for the organisation, but the collateral damage they do, if they are handled incorrectly, can and will cost organisations far more.

  • 80% feel that organisations who don’t do enough to protect payment card data should be named and shamed
  • 40% of people wouldn’t buy from a breached brand, whilst a further 25% wouldn’t buy for a while

In managing their incident response communications, organisations must be strong and factual, avoid emotion and give people the confidence to come back through strong, reasoned logic. People who feel their trust and confidence have been abused will be thinking twice about continuing their relationship with the guilty organisation.

  • If an organisation experiences a breach more than 3 in 4 of their customers/clients think they should tell all of them

The difference between emotional response and confidence levels may well explain why companies don’t lose as many customers, or organisations don’t get the predicted levels of adverse reaction.

Our results show the high degree of trust people have that their personal data is being well looked after by the companies they choose to do business with. This seems to persist even when they are not 100% confident that the company is always doing the right thing with their data. Other research suggests that if they are made to feel more confident and in control then the regular users could increase to closer to 30%.

  • Over 1 in 5 of respondents are regular (>2-3 times pcm) payment card users via the telephone
  • 86% have felt uncomfortable during a call, due to the amount of information they were asked to share

Whilst they have a concern about why they are being asked to share some personal data, 65% feel comfortable when asked to do so.

It appears that people have a high level of trust in organisations’ ability to keep their information safe in a pre-breach environment. However, we were curious about, and able to discover, how they might react when they are let down following a breach.

  • Over 60% were confident their data was being stored safely and securely
  • 70% are aware of what they should do to keep their personal data safe

In the immediate post-breach environment, organisations can and do prevent serious levels of defection by having, and delivering against, a well thought through incident response plan. People are not overly demanding, wanting an honest and objective apology and the offer of compensation at not too extortionate levels.

  • 70% wanted an apology plus an offer of compensation

In a post-breach scenario, and following the inevitable inquest, the market is going to be very unforgiving of any company that cannot demonstrate that it has done everything possible to protect its clients or customers’ personal data prior to the breach.

In fact, it wouldn’t be unreasonable to predict that organisations who don’t handle their incident response well run the risk of those broken promises and trust unleashing an emotional volcano from which they may struggle to recover!

  • After a data breach, 50% of males’ and 60% of females’ first response would be to call the customer helpline
  • 30% would think twice about continuing to do business with a breached organisation

Earlier, we highlighted how organisations can, by giving their clients and customers more control, increase their level of confidence and trust in the organisations they deal with. Furthermore, if organisations can do this, there are direct commercial benefits in doing so.

Additionally, given the inevitability of organisations being breached, how they handle their incident response plans can make all the difference in preventing a bad situation from getting much worse.

  • 55% felt more confident sharing card details if the call centre agent couldn’t hear or see their card details
  • 55% would be more confident if they knew industry security standards were being met by the call centre

Having been held in a position of value and trust, companies must demonstrate that this expression of confidence is reflected in their breach protection, compliant collection of information and post-breach incident handling plans.

Companies need to be aware of, and take action to prevent, the increasing levels of fraud that involve the telephone in all or, more likely, part of the process.

  • In ranking terms, whilst financial loss (at 42%) is still the highest-ranked concern, identity theft and fraud are close behind

People are prepared to share payment card and personal information with companies because generally they trust that it will be handled securely. Furthermore, they have confidence in organisations’ ability to keep that data safe and secure.

If organisations want to improve the level of trust, they can do so by making the channels they are using more secure and giving more control over them to their clients/customers. Not forgetting that a good incident response plan, backed with accurate and timely communication, can control the emotional volcano that otherwise might have been unleashed.

Conclusion Data

  • 20% of respondents are regular (>2-3 times pcm) payment card users via the telephone
  • 70% are aware of what they should do to keep their personal data safe
  • In ranking terms, whilst financial loss is still the highest-ranked concern, identity theft and fraud are close behind
  • More than 50% would be more confident if they knew industry security standards were being met by the call centre
  • If an organisation experiences a breach more than 75% of their customers/clients think they should tell all of them
  • 75% wanted an apology plus an offer of compensation
  • 35% often or always feel that they have been asked to share information that made them feel uncomfortable.
  • 60%+ wouldn’t do business with or would be cautious about doing business with an organisation that had had a breach.
  • 60% would contact the customer helpline if the company they dealt with had a breach
  • 80% feel that organisations who don’t do enough to protect payment card data should be named and shamed
  • 65%+ are better than somewhat confident their data is kept safe and secure.

About Compliance3

Compliance3 helps contact centres cost-effectively achieve and maintain customer contact compliance – including GDPR and PCI DSS. In doing so, we help protect our clients’ revenues and margins and significantly reduce the risk of reputational damage and consequential revenue loss – as well as the costs associated with compliance.

www.compliance3.com


Data

Are you ready for GDPR in the contact centre?

Stuart O'Brien

General Data Protection Regulation (GDPR) is getting closer. The rules will be pretty stringent, with some hefty fines – and have the potential to have a big impact on a lot of global businesses. Vigilance around the use and protection of customer data now rises to the top of the agenda.

For this reason Aeriandi, in conjunction with Pindrop, commissioned Martin Hill-Wilson to research and produce a whitepaper on the impact that GDPR will have on Contact Centres.

Martin is an independent consultant with a long-standing track record in customer engagement strategy and implementation.

Following on from this, Aeriandi and Pindrop will be holding an event on GDPR in the contact centre.

Here, they will discuss the whitepaper findings and explore what contact centre leaders need to do in preparation for becoming GDPR ready.

For more information and to register please visit: www.aeriandi.com/events/gdpr-workshop/

Aeriandi have spent over 14 years investing in cloud-based design and architecture and are proud to work with some of the biggest names in banking, telecommunications, utilities, retail and travel.

Their PCI-DSS Level 1 secure phone payment system is the first and only cloud-based solution to process over 1 billion pounds in payments in a year. It’s fast to implement, user-friendly, secure, and 100% flexible, scaling up or down to match your business.

www.aeriandi.com