Security, privacy keys to CRM

High profile breaches of customer data at Bank of America and ChoicePoint should have firms thinking about how privacy affects the customer experience.

A wave of high-profile cases of companies losing customer data has many thinking about security, but it's a reason to think about CRM as well, according to one consultant.

In the last month, Bank of America, ChoicePoint and even Paris Hilton have seen personal information released to the wrong hands. Charlotte, N.C.-based Bank of America recently lost several computer data tapes with personal information on up to 1.2 million federal employees, including members of the U.S. Senate. Early last month, data broker ChoicePoint, based in Alpharetta, Ga., lost tens of thousands of personal records to scammers posing as legitimate businesses. And Hilton, the hotel heiress and erstwhile celebrity, had phone numbers of actors, athletes and musicians taken from her cell phone and posted online.

"It's important to realize that these data security breaches can happen to even the best of companies," said Larry Ponemon, chairman and founder of the Ponemon Institute in Tucson, Ariz. "Companies can spend tens of millions of dollars on this and it's still not a guarantee that they can provide a failsafe environment."

However, a strong and visible customer privacy program can lead to customer loyalty.

For more information

See what your CRM vendor can teach you about privacy


Take a look at Procter & Gamble's privacy protection crusade

"Those organizations that can do privacy better, that actually spend the time to resolve minor issues before they become big issues are the organizations people will flock to out of fear," Ponemon said.

Federal regulations such as the Gramm-Leach-Bliley Act or Health Insurance Portability and Accountability Act have forced many companies to undertake privacy initiatives, but a few are beginning to see it from a CRM perspective, Ponemon said. For example, some of the chief privacy officers Ponemon is most impressed with, like Janet Chapman at Charles Schwab in San Francisco and Charles Giordano at Bell Canada, come from a marketing background.

"You need people with security expertise and people with legal and regulatory expertise, but the person who leads the charge should see it not as a cost or compliance issue but as a customer experience issue," Ponemon said.

Information security initiatives, such as firewalls and other anti-hacking measures, are one way of assuring customers that their private information is safe, but companies also need to offer assurances that their data is being used correctly.

For example, a credit card company asks several detailed questions before accessing a customer's records, providing a sense of trust. Once a company has that trust it can gather more information that can be used to identify preferences for more targeted marketing materials. Ask too much at first and a customer will get turned off and go somewhere else, Ponemon warns.

Marketing itself can become a privacy issue for customers.

"Any time customers receive marketing that's irrelevant or annoying, it's a privacy issue to them," Ponemon said.

The marketplace is beginning to capitalize on this intersection of CRM and security as well. BearingPoint Inc., the McLean, Va.-based consulting and systems integration firm, announced this week its plans to offer what it calls Customer Identity Management (CIM) services. CIM is a convergence of CRM, identity management and risk management, according to BearingPoint.

"Respecting customer privacy preferences and providing customer confidentiality are vital to establishing and maintaining a trusting relationship," Christopher Formant, executive vice president, global financial services, said in a statement. "Customer identity management can help companies to transform their business models from an account-centric to a customer-centric focus."

In the case of Bank of America, the institution dealt with its breach in the right way, according to Ponemon. It informed the affected customers quickly and gave its customers the opportunity to address the issue.

"Compare that to others, where the communication wasn't fast, it was actually piecemeal," Ponemon said. "I think Bank of America gets a gold star in the redress and communication process. It's nice to know the bank told you when something happened."

But just good communication is not enough. The marketing and the security side of privacy go hand in glove, according to Ponemon. Companies should gather all the information they can from customers, but they need to safeguard that customer data from outsiders.

"If you have no faith in the security side, the whole issue of trust crumbles," he said.

Read more on Business applications