By Tim Critchley, CEO, Semafone
Recent research by law firm RPC found that the number of data breaches reported by the insurance sector has doubled in the space of a year. Just a few days after the numbers were released, the reality of the situation was aptly demonstrated by health insurer Bupa when the company found itself the victim of an insider data breach affecting almost 550,000 international health insurance plan customers. In the face of this serious lapse in data security, it’s unsurprising that consumers are questioning companies’ ability to keep their data safe. In fact, according to a new report, just 30 per cent of British insurance policy holders trust their insurance provider to manage their data securely.
Yet, in the face of rising threats and customer doubts, many insurers are still relying on a seriously inadequate data security solution that is putting customers’ sensitive information at risk. Our own research in 2017 of the top insurance firms in the UK and US found that 19 out of 20 use a process known as “Pause and Resume”. While this technology prevents contact centres from recording customers’ payment card details on calls, it fails to provide the rigorous data security that is needed, beyond the call recording itself, to protect customers’ sensitive information from internal and external threats.
Don’t press pause on data security
Pause and Resume does what it says on the label; when a customer calls a contact centre and is asked to provide payment card information over the phone, the contact centre agent will use the system to pause the call recording, resuming it once payment details have been captured. At its inception, the solution was relied upon to help organisations adhere to industry regulations and standards for call recordings. Many businesses continue to use Pause and Resume to fulfil the role of a data security solution, ensuring that in the event the contact centre IT system suffers a cyber-attack, there is no valuable information sitting within the call recordings that can be stolen by the hackers.
However, in reality, the technology presents more data security problems than it solves. And looking one step further, when it comes to navigating a complex regulatory landscape, Pause and Resume is severely lacking the rigour to satisfy the compliance demands placed on insurers by regulators or governing bodies.
The three pressure points
- Insiders can be enemies too
Over seven billion data records have been exposed as a result of a data breach since 2013. And figures indicate that malicious insiders, looking to steal data for financial gain or revenge, account for 9% of all breaches. In fact, a 2017 survey of 4,000 office workers in the UK, Italy, France and Germany shows just how dangerous an inside employee can be; 29% of respondents said they had intentionally provided third parties with sensitive information without authorisation. Pause and Resume solutions give contact centre agents far too much control over access to this sensitive data. While the technology may keep data from being recorded, agents can still hear the customer reading out the details – whether that be payment card numbers, dates of birth, bank details or social security numbers. This means they have ample opportunity to note down sensitive data to either use for personal gain, or to pass on to others in exchange for money.
- Accidents can happen
On top of those malicious insiders looking to make a quick buck, there is also the damage that can be done as a result of human error. Accidental data breaches by employees were the number one cause of breaches in 2015, according to a PwC report. In much the same way as an unintentional data breach, when using Pause and Resume, an agent can put customers’ sensitive data at risk by mistakenly stopping the recording at the wrong time. This means that payment card data is captured on the call and stored on the recording or IT system, where a hacker or an opportunistic insider could gain access to it.
- Regulations add complexity
Most financial services organisations – including insurers – are required to record customers’ calls from start to finish. The main reason for this is to ensure compliance with the Financial Conduct Authority (FCA) regulations, which require full call recordings in the case of legal disputes between customers and financial firms. Pause and Resume solutions directly contradict this requirement: the moment the contact centre agent presses pause on the call recording, the recording becomes incomplete and inadmissible as evidence in legal cases.
You can’t afford to compromise your data security
It’s true that your contact centre agents are one of your company’s biggest assets. They are the friendly, human voice of your organisation; answering questions, soothing stressed customers and often selling them things in the process. But if your company is relying on Pause and Resume to keep sensitive details safe in your contact centre, you are putting your valued customers at risk of fraud and theft; and your company at risk of significant financial and reputational damage.