Storm, Hurricane, Data Center Disaster, Contact Center: Which of these is the Riskiest to Your Utility?

Maria DeChellis
Vice President, Customer Engagement, Utilligent

As a nearly 20-year industry veteran, Maria DeChellis has focused her efforts in working with utilities to improve the customer experience through technology and building new revenue streams. ...

  • Sep 9, 2010 12:00 pm GMT
We've all seen the Personal Identifying Information (PII) breaches in the headlines, from Bank of America's lost back-up tape releasing sensitive information on 1.2 million of its customers to the Wisconsin Department of Revenue mailing tax forms with taxpayer social security numbers visibly printed on the front. The most taboo security-related topic, however, is the one that presents a utility company with possibly one of its greatest risks -- the internal breach.

Of the various pieces of legislation across the country meant to force utilities to open their eyes to the potential risk that internal breaches may create, the Federal Trade Commission's Red Flag Act has gone the furthest as it relates to the end customer. It does so by pushing all "creditors," a category that includes utility companies, to identify their "red flags" -- relevant warning signs of identity theft such as suspicious activity. As a result, utilities were pushed to look at their most critical transactions, including service establishment, collection processing and payment processing.

So how does your utility go about finding the greatest weaknesses and mitigating the susceptibility? A bottom-up approach is the strongest method of enforcement when looking at exposure level. The contact center is both the primary face of the utility and its greatest risk for PII breach. It doesn't take long to walk through a utility's contact center and clearly see where some of the major risks are. The following are common issues and recommended solutions, simple in principle but often not put into practice, which could help your organization avoid being put in a highly vulnerable position for a security breach.

  • The "Printed Report": The need for reports is as ubiquitous as calls for utility service. However, are you sure the reports are always safely secured or destroyed when no longer needed? The need for regular report audits, where any report containing sensitive information is tracked against the user requesting that data, is essential. Treating the reports as sensitive information and thereby locking them up when not in use, shredding when completed, and not leaving them in unsecured areas is paramount to protecting the utility end-use customer. Finally, a strategy to web-deploy reports and restrict access in lieu of printing is critical to reducing risk of unauthorized access.
  • The "Offending Notebook": This is by far the most common exposure of utility contact centers. Most of today's Off-the-Shelf Tier 1 and 2 Customer Information Systems (CIS) have addressed encryption, workflow, and visibility of PII; however, legacy applications were not necessarily designed with the true needs of the CSR in mind, meaning customers often have to repeat their information. To help improve customer service, CSRs have self-implemented notepad-based information capture as a method of reducing that repetition of data. Critical pieces of customer data are often scribbled down on paper that is tossed in the trash, left on an unsecured desk, or is not tracked at all. The true liability of the utility when considering the amount of untracked data that could be easily accessible far outweighs the average risk presented through network hacking.

    What sophisticated outsourcers have secretly known is that to reduce the risk it is necessary to reduce the opportunity. The use of dry-erase boards to capture information for use during a call and immediately erase afterward is one of the quickest and cheapest options. Lockers, a contact center policy that eliminates the practice of writing down any sensitive information in hard-copy fashion, and a training program that addresses personal responsibility for the data that is accessed are fundamental in reducing your exposure level.

  • The "Don't Make Me Walk": As data breaches have grown over the past 10 years, one of the first major trends within contact centers was the addition of shredders for the destruction of sensitive information. Paper shredders certainly made life easier, but the placement of shredders within the contact center is just as important as the purchase of them. The lower the shredder to CSR ratio and the shorter the distance to access one, the more ubiquitous the act of shredding will become.
  • The "Fax Machine Run Amok": The news today addresses several privacy concerns individuals have regarding their smart meter and the data transferred to the utility, yet there are customers who feel comfortable faxing that same utility company papers containing their social security number, bank account information or credit card data. When walking through utility contact centers, one can often see fax machines that have requests for service, menus from nearby restaurants, and screen prints from other areas of the organization sitting in their trays. What does all of this information have in common? In short, nothing. Sensitive information should be isolated from any public fax machine in an open office. The use of a digital fax service that will generate a secure notification to an office-designated email is important for not only transmitting information in a less public forum, but also for the purposes of workflow management -- the tracking of information from the time of inception until completion.

The truth still remains: there is no magic bullet, no hard and fast rule that protects the end-use utility customer and shields the utility from the exposure that exists. It is the utility's responsibility to create as much buffer as possible between PII and the risk of its exposure. Addressing the aforementioned vulnerabilities and defining a clear strategy that touches all of your utility's major areas -- and not just the contact center or IT -- will do wonders for reducing your liability. This will make your utility AND your customers feel better about conducting business together.

This is part one of a two-part article. In her next piece, Maria DeChellis will address a recommended approach and elements for a utility's data security plan.
