We all know that the U.S. has a number of different data privacy regulations, like HIPAA and the Social Security Number Protection Act. But did you know that there is no standardization for how non-public information (NPI) is secured, state by state? With data breaches in the U.S. at an all-time high, it makes one think: why shouldn’t there be a regulation to standardize the protection of this sensitive data? In 2016 alone, there were 1,093 data breaches – up 40 percent from the previous year. Of those breaches, more than half (52 percent) exposed SSNs and 13 percent exposed credit card numbers. This is especially unnerving for insurance companies, which routinely hold and process these types of NPI. You certainly don’t want to risk jeopardizing your customers’ trust and damaging your brand’s reputation as the victim of the next big cybersecurity attack, right?
Meet New York’s New Cybersecurity Regulation
Bearing in mind these alarming statistics, it’s understandable that the New York State Department of Financial Services (DFS) launched a new regulation on March 1, 2017, that requires banks, insurance companies and other financial services institutions to establish and maintain a cybersecurity program. The first of its kind in the United States, the regulation aims to protect New York State consumers and financial institutions from the growing threat of cyberattacks. Although this regulation is enacted in New York, its implications are much wider – any financial services company licensed by or operating in New York State must comply. That’s more than 4,400 entities.
But, like any other industry-wide regulation, this mandate will bring its fair share of challenges. A key provision in the New York DFS’ proposal is the requirement for encrypting NPI both in motion and at rest, including payment card data, SSNs, bank details, date of birth, driver’s license or any biometric records. And, one of the places in your organization that handles this type of information on a regular basis is your call center.
The Call Center – The Weakest Link in Your Security Chain
While a seemingly small part of your business in the grand scheme of things, the call center is often deemed the “weakest link” in your security chain. In fact, call center fraud has reportedly grown 45 percent since 2013. Despite the numerous controls in play, fraud from both external and internal threats remains a factor due to the many outdated and insecure processes call centers still use. For instance, you may think that the practice of “stop/start” is an effective way to keep payment card numbers and other NPI out of call recordings. Although this practice keeps the information out of recordings that might later be breached, it creates another set of security and governance concerns. First, if you are recording the call to demonstrate compliance and are using stop/start, you’re no longer recording the entire call; and therefore, you’re no longer compliant. Second, you are opening up opportunities for illicit activity to occur while the recording is stopped. In the wake of Wells Fargo’s mis-selling practices, it is vital to ensure that the whole call is recorded – including the parts of the call that include NPI.
Consider the following scenario: a customer calls to pay a bill and reads his or her payment card number out loud over the phone. Who’s to say that the agent on the line isn’t copying that number down – while the recording is stopped – with the intent to maliciously use the information? It’s certainly a very real possibility. Just recently, a former call center employee (in New York, no less) admitted to stealing more than $15,000 from the bank accounts of nine customers by illicitly using personal information obtained on the job.
Even if you are using interactive voice response (IVR) technology to bypass the agent when collecting sensitive information, the data still moves through and is stored in a number of different systems (e.g. your CRM, agent desktop or your corporate network). Under the New York DFS regulation, every information system that touches the data must also be protected, further complicating the situation.
They Can’t Hack What You Don’t Hold
With current and pending regulations only creating more challenges, shouldn’t there be a way to secure sensitive data in your call center and maintain compliance? The answer is actually fairly simple: keep NPI out of the call center altogether. The most effective method of protecting sensitive information, eliminating insecure practices and fixing broken processes (and therefore, avoiding potentially costly penalties and a tarnished brand reputation) is to follow the saying, “They can’t hack what you don’t hold.” All that is needed is a solution that encrypts information as it is collected and in motion, while reducing the sheer amount of data at rest.
One large, global insurance company based in the U.K. is successfully doing so with Semafone’s secure payment solution. Semafone’s solution allows callers to input payment card numbers directly into their telephone keypad. The numbers are obscured using dual tone multi-frequency (DTMF) masking, so the call center agent cannot see or hear the numbers. The agent also stays in communication with the customer to help if issues arise, which improves the quality of customer service. Semafone’s solution takes the customers’ payment information and transfers it directly to the payment service provider (PSP), bypassing the call center environment entirely and thereby removing the call center from the scope of Payment Card Industry Data Security Standard (PCI DSS) compliance. This insurer is now secured against both internal and external fraud, and it has reduced the risk of the reputational and monetary costs of a data breach.
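The data flow described above (keypad digits captured before they reach the agent, flat tones on the agent-facing leg, the full card number seen only by the payment service provider) can be modelled in a few dozen lines. The following is an added illustration written for this article, not Semafone’s product code: the event stream, the `MockPSP` tokenisation stub, the `tok_...` token format and the Luhn pre-check are all constructed assumptions, and the sample call uses a well-known test card number rather than real data.

```python
"""Simulated DTMF-masking call path (added example, not Semafone's code).

Models the architecture the article describes: keypad digits are captured
before they reach the agent desktop, the agent-facing audio gets flat tones
instead of DTMF, and only the payment service provider (PSP) path ever sees
the full card number. Names, token format and sample events are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

MASK_TONE = "<flat-tone>"   # what the agent hears in place of a DTMF digit
PAN_TERMINATOR = "#"         # caller presses # when the number is complete


@dataclass
class CallEvent:
    """One event on the inbound leg: spoken audio or a keypad press."""
    kind: str    # "speech" or "dtmf"
    value: str


@dataclass
class MockPSP:
    """Stand-in for the payment service provider's tokenisation endpoint (hypothetical)."""
    vault: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        # Constructed token format: an opaque id the agent/CRM can store safely.
        token = f"tok_{len(self.vault) + 1:06d}"
        self.vault[token] = pan
        return token


def luhn_valid(pan: str) -> bool:
    """Mod-10 check so obviously mistyped numbers are rejected before the PSP call."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """What the agent desktop is allowed to display: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def route_call(events: List[CallEvent], psp: MockPSP) -> Tuple[List[str], dict]:
    """Split the inbound leg into an agent-facing stream and a PSP-only capture.

    Returns (agent_stream, agent_record). The agent stream never carries a
    digit; the agent record holds only the token and the masked PAN.
    """
    agent_stream: List[str] = []
    captured: List[str] = []
    agent_record: dict = {"status": "no_card"}
    for ev in events:
        if ev.kind == "speech":
            agent_stream.append(ev.value)      # speech passes through untouched
        elif ev.kind == "dtmf":
            agent_stream.append(MASK_TONE)     # agent hears a flat tone, not the digit
            if ev.value == PAN_TERMINATOR:
                pan = "".join(captured)
                captured.clear()               # nothing lingers in the call-center path
                if luhn_valid(pan):
                    token = psp.tokenize(pan)
                    agent_record = {"status": "ok", "token": token,
                                    "masked_pan": mask_pan(pan)}
                else:
                    agent_record = {"status": "invalid_pan"}
            elif ev.value.isdigit():
                captured.append(ev.value)      # digits go to the PSP path only
    return agent_stream, agent_record


def sample_call() -> List[CallEvent]:
    """Constructed call: agent asks for the card, caller keys it in, agent confirms."""
    events = [CallEvent("speech", "Please enter your card number on the keypad.")]
    events += [CallEvent("dtmf", d) for d in "4111111111111111"]   # public test PAN
    events.append(CallEvent("dtmf", PAN_TERMINATOR))
    events.append(CallEvent("speech", "Thanks, that has gone through."))
    return events


def agent_stream_is_clean(agent_stream: List[str]) -> bool:
    """Control check: no digit ever reached the agent-facing leg."""
    return all(s == MASK_TONE or not any(c.isdigit() for c in s) for s in agent_stream)


if __name__ == "__main__":
    psp = MockPSP()
    stream, record = route_call(sample_call(), psp)
    print("agent hears:", stream)
    print("agent record:", record)
    print("agent leg clean:", agent_stream_is_clean(stream))
```

The point of the model is where the boundary sits: `route_call` is the component that would be placed in front of the agent desktop and recording platform, so the recording captures the whole call (flat tones included) while the PAN itself exists only in `captured` for the duration of the key-in and then in the PSP’s vault. `agent_stream_is_clean` is the kind of control check an assessor would want to see, since PCI DSS scope reduction depends on the agent-side systems never receiving the digits.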
Are more cybersecurity regulations on the way?
The New York DFS regulation is the first of its kind, but it won’t be the last. Even if this particular regulation does not affect your business, you can safely bet that you’ll soon run into one that does. Take for example the pending European Union General Data Protection Regulation (EU GDPR). In May of 2018, the EU GDPR will impact all businesses that hold or process data pertaining to EU citizens, wherever they reside. In short, compliance is only going to get harder and more frustrating – and the threat of cyberattacks shows no sign of slowing down.
No matter where you operate, one thing is for sure: now is the time to consider how new technologies can help you simplify your compliance efforts, secure sensitive customer information, and prevent potentially brand-damaging data breaches. The call center is a good place to start.