Sunday, November 15, 2009

Whose customers are they?

Those nice folks who give money to your company, you know, the customers: whose customers are they? Are they the company's customers, or the salesman's? Or a bit of both? Maybe it is more complicated than that, if your company sells through partners, agents, or resellers; now whose customers are they?

And the tricky bit: you aren't trying to secure customer data without everyone involved understanding, and agreeing on, whose customers they are, and who is responsible for the data, are you? That would be a waste of time, wouldn't it?

If you are new at this, especially if you only see it from an information security perspective, this may seem fairly simple. It isn't. Salesmen (real salesmen, as opposed to people who just sell stuff) always have their "Rolodex" with their customers in it. That's part of what you get when you hire a salesman, access to their customer base, and the salesman takes it with them when they go. The salesman's right to take their customer list with them was supposedly codified in law in some states, but regardless of law, the practice has been universal. And now we have breach disclosure and data protection regulations preventing customer information from "leaking", so that magically stops, salesmen readily surrender their livelihoods without a battle (to a salesman, their customer list is their livelihood, make no mistake about that), and we're covered. And those jurisdictions which codified the salesmen's rights to their customers, I'm sure they updated their laws to reconcile the conflicts between the various laws and regulations protecting the salesmen's rights and the customers' data. No state would leave businesses stuck between contradictory laws, twisting in the wind. Things like that just don't happen.

I would like to offer a simple answer, but this is another one where lawyers most likely need to be consulted, the problems discussed, policies drafted, etc. The critical part will be making sure everyone involved knows and understands what the policies are, what legal implications drove the policies, and how the policies will be enforced. And then the policies must be enforced.

I do have a few ideas about this:

  • Social Security, credit card, or other account numbers need to be expressly prohibited from entering or leaving via "the Rolodex"
    • No brainer, but needs to be clear to all involved
  • If any information is allowed to enter the company via "the Rolodex", it is only fair to allow it to leave that way
    • If it can't leave, don't let it come in.
      • If it comes in, it came from somewhere else where they are fighting the same battle
  • The data is going to leave anyway. Deal with it.
    • Really, deal with it.
      • Everyone has to know what is and is not allowed
      • Steps need to be taken to control and monitor data
    • This doesn't excuse the company from doing the right thing whenever possible, but the nature of people, especially salespeople, must be taken into account.

So, whose customers are they? And who is responsible for their data?