Whose job is it to tackle fraud? Why outsourcers can’t hide from their responsibilities any longer
At the beginning of April 2015, AT&T agreed to pay a total of $25 million to settle an investigation into data breaches at its call centres in Mexico, Colombia and the Philippines. These breaches had led to the disclosure of the personal information of almost 300,000 US customers.
Unlike many recent high-profile cases, the breach was not caused by hackers but by external fraudsters who paid call centre employees to hand over customer information. In Mexico, three call centre agents admitted being paid to provide the names and at least the last four digits of Social Security numbers for more than 68,000 US customers. The information was subsequently used to unlock cell phones; 290,083 of them according to the Federal Communications Commission, which regulates the US telecommunications sector. According to the Mexican employees, the details were given to a mysterious individual known only as “El Pelon”.
For me, one of the most significant aspects of the story is that it focusses a spotlight on outsourcers. Henceforward, customers are likely to be asking far more difficult questions about exactly which security measures are in place. While organisations at home are increasingly aware of the need to protect customer details from internal fraud, outsourcers have somehow escaped media scrutiny until now. This is about to change.
It seems likely that the ability to demonstrate security accreditations is about to become a key differentiator for outsourced call centres, particularly where the handling of credit and debit card data is involved. Since the introduction of the Payment Card Industry Data Security Standard (PCI DSS) v.3.0, merchants have been under an obligation to scrutinise the security credentials of their service providers. In addition to compliance with the PCI DSS, merchants will therefore be expecting outsourcers to provide proof of certifications such as ISO 27001, PA-DSS and those issued by the major card companies.
This view is echoed by analyst group Ovum. In its 2015 CRM Outsourcing Business Trends Survey, respondents indicated that an outsourcer’s fraud prevention and security capabilities are crucial determinants in selecting a vendor partner, second only to agent language capabilities in a list of almost 20 choices.
This compelling business argument is not the only reason for outsourcers to look to their security measures. The AT&T case highlighted the question of communication with customers. Because of the differences in state law in the US, not all customers were alerted to the theft of their data.
Those based in California and Vermont were notified, but others were not. Part of the settlement involved AT&T addressing this situation and ensuring that all potentially affected customers were informed of the breach.
The requirement to communicate news of data breaches will soon be law in Europe. Revisions to European Union Data Privacy legislation will place a legal requirement on organisations to make data breaches public. The AT&T case demonstrates that nobody can hide behind loopholes that might allow for secrecy.
What is certain is that it is no longer simply the major brands themselves who need to look to their security measures. Putting in place the right technology and procedures to fight fraud is something that outsourcers are going to need to tackle head-on.
About the Author
Tim Critchley is the CEO of Semafone, which provides secure voice payment software to contact centres. Tim has over 15 years’ experience at executive board level in SME businesses and a career that includes creating, growing and turning around a range of companies. He graduated from the London School of Economics and has an MBA from Manchester Business School.