The Next Call Center Headache

Hot on the heels of the Do Not Call legislation, a California law regarding customer security has been introduced that could cost companies a bundle. The new law, dubbed the California Security Breach Notification Law, stipulates that if an unauthorized party gains access to customer data like a social security number or a credit card account number, the company must immediately notify any and all customers of the breach. The legislation is intended to combat identity theft. "So far it has been up to the individual to combat identity theft with his own resources," says Denis Pombriant, vice president and research director of the CRM division of the Aberdeen Group. "This is good for the consumer, to see a level of responsibility levied on companies to safeguard that information." The costs involved with this legislation can be substantial, arising from two areas: compliance and prevention. Complying with the law means that when a security breach occurs, every single customer whose data you have needs to be notified. "If you have one million customers in California and you have just one security breach, think of the costs involved in notifying every one of those individuals in terms of line costs, wages, postage, or other mediums you might use to communicate with your customers," says Rick Welding, vice president of sales and marketing for Positive Software, which provides call center solutions. Adds Pombriant, "In the practical sense something like this could be so cost prohibitive that it could run smaller companies out of business, in some instances." Forrester Research recently reported that a customer support call costs a company an average of $33. Even if a notification call is a fraction of that cost, the numbers still add up, especially for companies that have thousands or even millions of customers who would have to be contacted. According to Welding, the cost of preventing security breaches in an outbound call center can also skyrocket, because most centers are using next-generation predictive dialers that are loaded with individual customer information. "The problem is, all of that data that goes to the dialer is outside the firewall, and you can end up in a heap of trouble with all that information sitting out there," Welding notes. "Since many companies have multiple dialers, getting a dialing system behind a firewall can be time intensive and costly, if it can even be done." One solution that can circumvent this problem is keeping all customer data inside the firewall on a server and only allowing the data needed to make a call to be sent to a dialer, Welding says. "Then, when the call is connected the individual customer data can be pushed to a live agent, obviating the need for keeping sensitive data outside the firewall," he says. Although the law may be confined to California businesses and any business with any employees or customers in the state, Welding says this law may spread. "The Do Not Call list started with one state, and this law deals with a potentially more serious issue than unwanted phone calls--identity theft. This legislation could turn into a national trend." One segment of the CRM community that can benefit from the legislation is the hosted CRM providers, Pombriant says. "By contracting with hosted solution providers, smaller companies can get greater security of customer data than they can afford on their own," he says. "Where previously not having direct control over data was one of the cons involved with hosted models, it could turn into an asset." Who's in Charge of CRM? Harte-Hanks recently completed an inclusive report on the state of CRM in 2003. The results showed that most CRM initiatives are being controlled not by sales, marketing, or customer service departments, but rather by IT departments that may or may not be making decisions based on customers' needs.