Every business today has an obligation to protect the personal identifying information of its customers and vendors. In most nations, this obligation is more than just good business sense; it is mandated by legislation.
As with anything in life and in business, there is a right way and there is a wrong way to proceed in the matter. The focus of your efforts should be upon things that matter most. In other words, do not get so sidetracked with the minutiae that you fail to competently handle the major components.
For the past 15 years, I worked for a global automotive finance corporation that went wild going through the motions of protecting personally identifying information. It bordered on obsessive and they refused to listen when I explained that they were expending energy and resources on things that didn’t matter while not paying attention to the big picture.
The managers were typically abusive about their position. They knew what was needed. I was a peon. I should comply with the policies and do my job. I tried to reach out to upper management in headquarters. That didn’t work out well and I was threatened with the loss of my job if I ever went over the heads of local management again.
My job was call centre related. If you have ever worked in a call centre, you know that you typically have a plethora of phone numbers, policy, procedure, best practices, and helpful information tacked or pinned to your cubicle walls. This is to save time, reduce call time, and make the representative sound knowledgeable and competent. In fact, we were dinged on those very things when the call was not handled according to the guidelines.
Remember to Focus Your Data Protection in the Right Way
But then, someone was elevated to high office and took the privacy issue way out of context. When I tell you that we were suddenly not even allowed to share information with our counterparts in the dealerships, know that I am not exaggerating. Valuable communication lines were subverted. Information that was required to do the job could not be transmitted to our own people.
At first we were told that all policies and procedures had to be removed from cubicle walls. If you needed to know something, you now would have to look it up as opposed to just looking up at the cubicle wall for frequently used information.
Next, we were told that all phone numbers had to be removed from the cubicles. This included our own internal number lists, local fast food places we called to order lunch, etc. When I asked what this had to do with protecting personal identifying information, I was told that a burglar might break in and steal the information. I explained that we were in a low crime area and that after some 17 years in the same facility there had never been a break-in of any kind. That didn’t matter. They were not taking any chances of someone getting Domino’s number and calling in a pizza order.
Rubbish Protection Is Important, but Get the Protection Right
I attempted to educate the local managers on how ID thieves work and that breaking in to steal info from cubicle walls was not something done by people with the ability to steal hundreds of credit card accounts or hack into government sites.
I further pointed out that we had a greater chance of losing information via loss or theft of one of the hundreds of laptop computers that field sales and managers used to work from the road or from home.
Rather than stop playing around with the idea of a break-in scenario and focus on the reality of our largely unsecured databases, they cracked down even further.
Now we could not leave any paper whatsoever on our desks unless we were sitting there. Break, lunch, and bathroom – all papers had to be removed and locked in a file drawer. This, they explained, was to prevent someone from stealing customer information while you are away. I argued that the building had armed security at the entrance and secure locks on the other doors that required a key card. As for fellow employees, we ALL had access to the customer database.
Soon, locked data bins (confidential) were deployed for the disposal of all sensitive paperwork. A third-party vendor had control over these bins and removed them to their shredder facility on a weekly basis. Not long after this, identity thieves struck and they struck hard. Over 13,000 consumers were compromised and several had been victimized. The criminals apparently were able to obtain credit bureau vendor codes and use the unauthorized credit reports to commit their crimes. Oddly, they never called in a pizza order.