Data Security Measures: An Increasing Concern For Contact Centers

Protecting and maintaining the integrity of consumers' personal and financial information is becoming increasingly important to businesses of all types and to their in-house and outsourced contact centers. Over the past several years, concerns regarding identity theft and security breaches of consumers' personal information have led to a number of legislative and regulatory enforcement initiatives, which have raised the bar with respect to the security measures that contact centers and others must have in place to ensure the integrity of consumers' personal information. Indeed, the focus on data security has increased in proportion to the growth in Internet- and telephone-based customer contacts and information transfers.

In the Internet context, the FTC has brought actions against companies that breached the promises contained in their privacy policies regarding the use, disclosure and protection of consumers' personal information. For example, the Commission filed a complaint against a bankrupt online retailer to prevent the sale of consumers' personal information in violation of the retailer's own privacy policy, which vowed never to share customer information with third parties. In another enforcement action, Guess entered into a settlement order with the FTC for allegedly representing falsely that customers' personal information was maintained in an unreadable, encrypted format at all times. The FTC alleged that the representation was false because a hacker could (and did) gain access to the clear, readable text of that personal information. In addition, Guess represented in its policy that it implemented reasonable and suitable measures to protect consumers' personal information against loss, unauthorized use or modification. The FTC's complaint alleged that this representation was also false because Guess did not in fact employ suitable security measures to detect unauthorized access.

More recently, identity theft concerns in the offline context have led to an increased FTC focus on data security breaches regardless of the representations made in a company's privacy policy (or even whether the company communicates with consumers via the Internet at all). The FTC has demonstrated a willingness to bring an action against any company that fails to employ reasonable security measures to protect consumers' personal information. Earlier this month, the FTC announced a settlement with DSW, a traditional brick-and-mortar discount shoe retailer, with respect to its alleged failure to reasonably protect customer data. DSW had engaged in the following practices, which, in the aggregate, the FTC considered an unfair trade practice:

  • Customer data was maintained in numerous files even though the business no longer required the information;
  • Reasonable security measures were not implemented to limit access to the company's computer networks via wireless capabilities;
  • Information was stored in unencrypted files with an ordinary user ID and password;
  • Computers of one in-store network were easily connected to computers of another in-store network; and
  • Sufficient measures were not taken to identify unauthorized access.

As a result of these lax data protection measures, hackers allegedly gained access to the credit card, debit card, and checking account information of over 1.4 million DSW customers. Consequently, many of these customers were the victims of fraudulent charges on their accounts. The FTC settlement requires DSW to implement a comprehensive security program designed to safeguard customers' information. In addition, the settlement requires DSW to obtain a third-party audit every other year for 20 years to make certain that its security program complies with the settlement. DSW was the seventh company subject to FTC investigation in connection with data security. Other companies targeted by the FTC include BJ's Wholesale Club and Microsoft.

In addition to FTC enforcement, approximately 20 states have enacted data security laws applicable to companies in possession of consumers' personal information. For instance, California requires the following with respect to its residents' information:

  • Companies must take all "reasonable steps" to destroy consumers' personal information once the company no longer has a business need for such information. Destruction may occur by shredding, erasing, or making the information unreadable, or undecipherable.
  • Companies must establish "reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure."
  • A company that discloses personal information about a consumer pursuant to a contract with an unaffiliated third party, must require by contract that the third-party establish the aforementioned reasonable security practices.
  • Companies that own consumers' personal information must, upon discovery, disclose any breach of the security of the system to any consumer whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. A company that merely maintains consumers' personal information on behalf of the owner must notify the owner of the personal information of any breach of security if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The California statute also provides consumers with a private right of action whereby they can recover civil penalties of up to $500 per violation, or up to $3,000 per intentional or reckless violation. In addition, Congress has proposed various bills that would impose federal data security requirements; however, none had been passed as of the writing of this article. As such, companies are currently subject to a patchwork of state laws, as well as the threat of FTC or other regulatory inquiry or action.

Contact centers have access to and maintain a variety of consumers' personal information. In light of the foregoing, contact centers must ensure that adequate security measures are in place to protect such information from unauthorized access, use, destruction, disclosure, or modification. Third-party contact centers acting on behalf of various clients must also be sure to comply with their clients' contractual data security requirements, since, as the California statute illustrates, a client that shares personal information with a contact center may be legally obligated to impose those requirements by contract.

William Heberer, Esq., concentrates his practice in intellectual property, advertising, marketing and Internet law. He holds a BBA from Hofstra University, an MBA from Vanderbilt University, and a JD from Hofstra University School of Law.

Jennifer Deitch, Esq., focuses her practice on advertising, marketing, promotion and Internet law. She holds a BA from George Washington University and a JD from Benjamin N. Cardozo School of Law.
