Privacy Ref Blog

Does your call center share too much personal information?

If you have done business with a company and reach out to their call center, how do they authenticate who you are? Do they ask you for personal information or ask you to verify personal information?

So I called my bank…

When I telephone my bank’s call center they need to verify who I was before they will share any information with me. The bank generally asks information that presumably I would know but would not share with anyone else such as:

I rarely share the last of these items unless for a good business purpose and it would be very unusual for me to share all three pieces of information with any one person.

There are other questions that might be asked such as “how much was a recent deposit”, but in no case does the bank give me personal information and ask for it to be verified. This is a very good practice.

Verifying personal information

Unfortunately, it is not unusual that a call center to ask you to verify personal information. While it may not be an accepted practice at a company, the practice can be the result of an individual contributor or even a manager trying to do “the right thing” to make it easier for a customer. Unfortunately this is one of those things that has just not been thought through.

For example, I called a retailer to get my frequent shopper card number. After explaining what I wanted, I was asked for my name and my zip code. “Do you still live at…” I was asked. What an easy way for someone to get my home address. How easy it would be for someone to have access to coupons or rebates I have earned.

…and then I called Disney World

Earlier this week my wife and I discussed going to Disney World for the weekend so I called the reservations number. When the automated system asked me what I wanted, I responded with “a new resort reservation”.

To make the process easier I was asked how many times I had visited Disney World. After replying I was asked if any of the visits were during the last 5 years. I responded “yes”. I was then asked for my phone number.

Much to my surprise, I was asked to verify my last name (the system spelled it for me) and my address. I was shocked. By simply providing a phone number and saying I had visited the resort in the last five years I obtained personal information from the automated system; a practice that management must have approved.

You can argue that last name, telephone number, and address are public information. I suggest it does not matter. As custodians for personal information provided by their guests, Disney (or any organization for that matter) has a responsibility to verify who the caller is before sharing any information. Besides, I suggest that mobile phone numbers are not generally public information.

Obtaining a telephone number is just not enough to provide personal information to a caller. What if I changed my phone number and didn’t report it to Disney? What if someone acquired my phone number and wanted to track me down? What of they were following my children?

I mentioned my concern to the call center representative I spoke with. She didn’t really seem concerned and was told I may want to send an email to report this.

How can this information be better protected?

Disney could ask one more question based on the information they collect during each guest’s visit. Without knowing all of the information Disney collects about their guests, here are a few suggestions:

A best practice for call center’s protection of personal information

Every organization has a responsibility to protect the personal information their customers give them. Ensuring that a call center requests information to authenticate that a caller may access personal information before providing the information is a fundamental best practice that all organizations should adopt.

Providing personal information prior to properly authenticating the caller should be considered a data breach.

  • author's avatar

    By: Bob Siegel

    Bob Siegel, the founder and President of Privacy Ref, Inc., has extensive professional experience in the development and improvement of privacy policies and procedures, the definition of performance metrics to evaluate privacy maturity, and the evaluation of compliance. He utilizes a combination of alignment, adaptability, and accountability strategies to guide organizations in achieving their privacy goals.

    He is a Fellow of Information Privacy (FIP) and a Certified Information Privacy Professional, awarded from the International Association of Privacy Professionals, with concentrations in U.S. private-sector law (CIPP/US), US public sector law (CIPP/G), European law (CIPP/E), and Canadian law (CIPP/C). He is also a Certified Information Privacy Manager (CIPM) and Privacy Technologist (CIPT).

    Siegel is a member of the IAPP faculty, has served on the Certification Advisory Board for the CIPM program the Publications Advisory Board.

    Siegel also writes the blog “Operational Privacy” on CSOonline.com

  • author's avatar

  • author's avatar

    What you don’t know may (pleasantly) surprise you
    CNIL’s Google Fine of 50 million Euros
    In praise of a privacy compliance program
    Looking to 2019 Privacy Plans
    Preparing your customer-facing staff

    See all this author’s posts

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on July 17, 2014 by Bob Siegel
Tags: , , ,

« »

No Responses

Comments are closed.


« »

Subscribe to our mailing list

Please fill out the form below.

Required

Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to info@privacyref.com or call (888) 470-1528.

News

April 5, 2019

See you at the Summit
Visit us at Booth 500 at the IAPP Global Privacy Summit. Bob Siegel will be facilitating the CIPM course. April 30th-May 1st, 9 am - 5 pm. Meeting time available to discuss your privacy needs is available for signup here.

Latest Blog Posts

May 17, 2019

1 Minute Quick Privacy Ref-ernces

If you have a moment take a look at our 1 minute videos to get caught up on the latest things going on in the privacy community. California Consumer Protection Act - Ben Siegel discusses the California Consumer Protection Act and how some of the advancing Amendments can drastically change the CCPA.

Continue reading this post...

May 16, 2019

Fallout from a Fallout

It is often that a data breach reveals other issues that a business is experiencing, but it isn’t every day I see the opposite. When I heard about what was happening at Bethesda Softworks and their online game, I was interested immediately.

The background on this is simple enough. Bethesda is a well-known video game maker with a number of well-known titles. Fallout 76 was the newest title in one of their series, but unlike previous titles, was an online game. Many were excited for this title and there special editions of this game offered to those willing to spend extra. Upon the launch of a game with a large amount of bugs and glitches, a number of issues took place.

Continue reading this post...

Other Recent Posts

PRIVACY REF