This is a long post, so I apologize in advance. Something else occurred to me after I made the earlier post on ‘Problem Customers’. It’s the concept that data security should be considered a customer service. If I am paying for a service, the vendor and I establish a trust relationship. I trust that you will provide me a valuable product or service, and you trust I will pay you for that product or service. To help protect the merchant, either an up-front payment or some personal information that provides a means to ensure payment is provided. But once the merchant has that information, the customer trusts that they will keep it safe and take care of their confidential information.
During my many hours on the phone with the ‘Customer Care’ organization I mentioned in the previous post, I struck up a few friendships along the way. My first was with an account representative who happened to be a former database administrator, under-employed since the technology market crash. When I asked him about the ‘social number thing’ he said ‘they got to have it’. But he added that ‘the entire database is keyed from the social security number, so all the tables require SSN for a unique identifier’. Subsequent calls to other customer service representatives confirmed that this was true, and that it was seen by the customer service representative.
Having worked with databases for the last 20 years, I know exactly what he was talking about. I used to do that too, back in the 1980s before anyone had heard of identity theft. Using the Social Security Number as a primary database reference key was a common method to make sure a customer was only in the database once. It’s somewhat akin to the Y2K issue of using two digits to represent the year, and time would show us that both were bad ideas. This practice is all but extinct now, and there is no longer a good technical reason, and probably no good security reason, to use Social Security Numbers. If you are going to collect this data, you had better have a darn good reason for it. Uniquely identifying a customer is not one of them.
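An added example, not code from the original post or from the company it describes: Python with sqlite3, moving an SSN-keyed layout like the one described above onto a meaningless surrogate key and then auditing for leftover SSN-shaped values. Table names, column names and sample rows are constructed, and it assumes the business has no other need to retain the SSN.

```python
import sqlite3
SSN_GLOB = "[0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]"

def build_legacy(conn):
    # Legacy layout: every table keyed on the SSN. Constructed rows, made-up SSN values.
    conn.executescript("""
        CREATE TABLE customer (ssn TEXT PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE invoice (invoice_no INTEGER PRIMARY KEY, amount_cents INTEGER NOT NULL,
                              ssn TEXT NOT NULL REFERENCES customer(ssn));
        INSERT INTO customer VALUES ('900-00-0001', 'Alice Example'), ('900-00-0002', 'Bob Example');
        INSERT INTO invoice VALUES (1, 4200, '900-00-0001'), (2, 1300, '900-00-0001'), (3, 999, '900-00-0002');
    """)

def columns_holding_ssn(conn):
    # Audit check: list every table.column that contains SSN-shaped text.
    hits = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall():
        for col in [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]:
            query = f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" GLOB ?'
            if conn.execute(query, (SSN_GLOB,)).fetchone()[0]:
                hits.append(f"{table}.{col}")
    return sorted(hits)

def rekey(conn):
    # Give each customer a meaningless surrogate id, repoint the child rows, drop the SSN.
    conn.executescript("""
        CREATE TABLE customer_v2 (customer_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE invoice_v2 (invoice_no INTEGER PRIMARY KEY, amount_cents INTEGER NOT NULL,
                                 customer_id INTEGER NOT NULL REFERENCES customer_v2(customer_id));
        CREATE TEMP TABLE keymap (ssn TEXT PRIMARY KEY, customer_id INTEGER NOT NULL);
    """)
    for ssn, name in conn.execute("SELECT ssn, name FROM customer ORDER BY rowid").fetchall():
        cur = conn.execute("INSERT INTO customer_v2 (name) VALUES (?)", (name,))
        conn.execute("INSERT INTO keymap VALUES (?, ?)", (ssn, cur.lastrowid))
    conn.executescript("""
        INSERT INTO invoice_v2 SELECT i.invoice_no, i.amount_cents, k.customer_id
            FROM invoice i JOIN keymap k ON k.ssn = i.ssn;
        DROP TABLE invoice; DROP TABLE customer; DROP TABLE keymap;
        ALTER TABLE customer_v2 RENAME TO customer; ALTER TABLE invoice_v2 RENAME TO invoice;
    """)

def totals(conn):
    return dict(conn.execute("""SELECT c.name, SUM(i.amount_cents) FROM customer c
                                JOIN invoice i USING (customer_id) GROUP BY c.name"""))

def demo():
    conn = sqlite3.connect(":memory:")
    build_legacy(conn)
    before = columns_holding_ssn(conn)
    rekey(conn)
    return before, columns_holding_ssn(conn), totals(conn)
```

The same per-customer totals come back after the rekey, which is the point: nothing about uniqueness or joins depended on the SSN itself.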
What I was worried about at the time was that many other data mining & telemarketing companies used SSN# as their unique key to user identity in the database. The service companies that collected information ‘required’ it as it raised the value of the data they would later resell to these other firms for marketing or sales intelligence. The idea for the company was to make customer care a profit center by giving it a way to generate revenue. But to the consumer it meant the ubiquitous dinner time sales call. As it is something I am given the option of opting out of, I choose not to give it out. My desire for privacy is the reason I am not keen on providing this information to be sold as a commodity on some secondary information market without my permission.
My viewpoint is that this focus on the bottom line without regard for the customer is a problem. You take care of your customer, and part of the way you do that is by protecting their information and not requiring them to bear the burden of poor data security. You do so by not subjecting them to marketing and sales calls. A desire to provide quality customer service should include a willingness to treat the information as you would the customer. After all, collecting this information provides little benefit to the customer; rather, it protects the business from fraud. There is an assumed custodial responsibility on the business’s part to keep that information safe.
There are several telltales in the way a company treats its customers that are warning signs: collecting & storing sensitive information that is not needed to provide service; selling or sharing customer information outside your organization and outside of their control; a ‘Customer Care’ automated phone system offering dozens of automated ways to “pay now”, but few to zero ways to get a person to help you. I am sure the readers out there could offer a few telltales of their own.
As a “Customer Care” activity, disconnecting users who request service too often is what I consider to be another telltale of lack of care. Do you think that the 2/10ths of one percent of their customer base they told to go elsewhere was the lunatic fringe, or are they simply the vocal minority who had the time and energy to point out the service provider's flaws? In my mind, it begs the question: did these customers “repeatedly asked for information about other people's accounts” as stated in the Yahoo! News article, or were they simply asking “Do you treat all your customers this way”?
If you care for your customer, take care of their information as well.