The Case for Call Recording

It’s something that has become so mundane when dealing with businesses over the phone that most consumers don’t even give it a second thought, but it’s also a lawsuit just waiting to happen.

Just about every interaction with an automated interactive voice response (IVR) system or a live agent today begins with the same prerecorded consumer warning: This call may be monitored or recorded for quality assurance purposes.

That would be fine if all the companies did was listen to the calls to make sure that agents were offering the best possible customer service, but as speech analytics technologies have expanded, "companies are using the recordings for much more than quality assurance," warns Donna Fluss, president of DMG Consulting.

And rightly so. All companies, she says, "should be doing 100 percent call recording to capture the most information. You can really find the trends. The information shared by customers is powerful. The insights are invaluable."

But recording calls for quality assurance is different than using them to glean customer information, Fluss says. "Lawyers could argue that the statement doesn’t apply and is deceiving."

And though there haven’t been any reported court cases filed by consumers around the issue, it’s not beyond the realm of possibility. "The U.S. is a very litigious society," Fluss says.

Expanded Prompts

The simple answer to avoiding a potential trip to the courthouse would be for companies to change the verbiage in their initial IVR prompts to better reflect what is being done with the call recordings. But to do so could require an IVR prompt that would take a few minutes to recite. The new prompt may sound something like this: This call may be monitored or recorded for quality assurance purposes or to glean customer data, compile customer profiles, tailor upsell and cross-sell opportunities, identify market trends, streamline operations, improve the customer experience, boost agent productivity, evaluate agent performance, resolve disputes...

Less than halfway through the prompt, the customer is sure to hang up. Most consumers have neither the time nor the patience to listen to a two-minute diatribe about why their calls are being recorded.

And even if they did, would they really care? Jean Bave-Kerwin, the head of JBK Consulting in Slingerlands, N.Y., and a certified associate at the Incoming Calls Management Institute, doesn’t think so. "What you tell them is up to you," she says, "but do customers really care why they’re being recorded? Not really. Most have become used to it."

Fluss agrees. She maintains that such in-depth notifications "provide no benefit to the customer."

The fact is that most consumers really don’t care about the technology being used in a call center at all, as long as they can complete their desired task. "Really, if you had a bunch of mice running your technology, your callers would not know," Moshe Yudkowsky, president of Disaggregate Consulting, said in a session during the SpeechTEK 2008 conference in New York. "Your callers do not care about your technology. Technology is not what your customers want—what they want is service."

The practice of telling customers that their calls could be recorded started more than 20 years ago—back when companies really did use the recordings only for quality assurance—and companies issued those notifications more to reassure a mistrustful public that there wasn’t a larger government conspiracy at work.

Bave-Kerwin and others say that those days are far behind us. "Just to be safe, I always recommend that if you are recording calls, you notify people that they may be recorded," Bave-Kerwin says, "but I do not see a reason why you need to tell them what you are doing with those recordings." Simply saying This call may be recorded will suffice, she adds.

And legally, depending on where the company is based, even that might not be necessary. Federal laws in the United States, Canada, and the United Kingdom, for example, require only one-party notification, meaning that only one of the two parties on a telephone call has to know that the call is being recorded. Laws in many other countries vary greatly, so it is recommended that companies check with the local telecommunications authority in a country before recording calls that involve its citizens.

Consenting Adults

Beyond the federal level, laws in all but 12 U.S. states also require only one-party notification when recording calls. The 12 states that require the consent of both parties to a phone conversation are California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington.

In the states where two-party notification is required, the U.S. Federal Communications Commission (FCC) has outlined the means by which such notification be given:

• Verbal or written consent must be given prior to the start of the conversation. A recorded message will suffice here, and it can be assumed that a caller consents if he stays on the line. If he does not wish to be recorded, he has the option of asking that the recorder be turned off, or he can hang up and contact the company through other means, such as a letter, fax, or email.
• An automatic tone, called a beep tone, that is repeated at regular intervals during the course of the conversation must be heard. The accepted norms for this tone are that it falls within the 1,260- to 1,540-hertz range, lasts between 170 and 250 milliseconds, is broadcast for both sides to hear, and occurs every 12 to 15 seconds, according to VLR Communications, a provider of the technology.

In two-party notification states, failure to abide by the laws could result in criminal and civil penalties. Depending on the state or states involved, fines for failing to properly notify callers that they may be recorded can range from a few hundred dollars to $10,000 or more per offense, according to Zachary Rice, director of government affairs at the American Teleservices Association in Indianapolis.

But government enforcement of such laws, particularly as they relate to businesses, is rare, he adds, because most call recording statutes were written more as a means of protecting the public from unauthorized government and police wiretapping. "The legislation indirectly affects call centers," Rice says. "Because the law says ‘any kind of phone call,’ call centers became an unintended consequence of that legislation."

Where notification laws really get sticky is when a company is based in a one-party notification state, but its agents make calls to or receive calls from residents of two-party notification states. In these cases, the two-party notification statutes apply.

Since most U.S. states and the District of Columbia require only one-party notification, most companies can meet the lion’s share of their legal obligations by letting their call center agents know that phone activity could be monitored and recorded at any time. Most firms require new agent hires to sign a consent form, and make signing such a document a de facto condition of employment.

What about when agents make and receive personal calls during business hours? Should there be an expectation of privacy? The laws are unclear on this, so to address such issues, consultants recommend that companies set up recording equipment only on phones within the operational areas of the call center, not in break rooms or common areas. Companies should also have an enforced policy against placing or receiving personal phone calls while in the operations room.

But privacy takes on a whole other set of challenges when it comes to the customer; every precaution must be taken to safeguard the information given to the IVR or live agent during a recorded transaction. The growing concern is that call center operators and independent third-party monitors and auditors can steal customer account information, passwords, and other sensitive information—a possibility made even easier by call recordings that allow them to go back and review any information they may have missed the first time around.

This comes at a time when identity theft is on the rise and consumers’ confidence in companies’ abilities to protect their private information is slipping. In fact, a recent study conducted by Harris Interactive for Nuance Communications found that 52 percent of consumers were somewhat to not at all secure about the safety of their personal data given to an IVR or live agent.

Though it has not yet become law, the credit card industry has drafted a set of standards that mandate greater data protection. The Payment Card Industry (PCI) Data Security Standard outlines 12 steps that any company or organization that stores or processes credit card information must follow:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security passwords.
3. Protect stored cardholder data. This includes not storing cardholder information, or eliminating or masking that information in recordings, unless it is absolutely necessary.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access so that any action taken on critical data can be traced to a specific user.
9. Restrict physical access to cardholder data. This includes storing recordings and other media backup in a secure location, preferably in an off-site facility, and destroying such files when they are no longer necessary.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security. This includes thorough screening and background checks for all potential employees to minimize the risk of data loss from internal sources.

First created in 2004 by PCI member companies like Visa, MasterCard, and American Express, and then amended in 2006, the PCI standards apply as much to call centers as they do to retailers, online merchants, and financial institutions. On its Web site, the PCI Security Standards Council clearly states that the recommendations apply to call centers that store, process, or transmit cardholder data in audio recordings. The standards apply equally to audio files stored electronically or on magnetic audiotapes, CDs, or DVDs.

The standards also note that "it is a violation…to store any sensitive authentication data, including card validation codes and values, after transaction authorization." "If commercially reasonable technology exists to delete these data elements, then these elements should be deleted," the PCI Security Standards Council states on its Web site.

Technological Solutions

That technology does exist, and it’s called data redaction. This technology automatically blacks out all but the last four digits of a credit card number, for example, and limits access to the other data. "The idea is to limit access to people who need to know," Fluss says. "If you’re using the recordings for analytics, that person does not need to know, so black them out of the recordings."

One company, Coordinated Systems, has taken the data redaction process to new levels. In August, it launched Virtual Observer Data Defender, a solution that automatically removes credit card transactions from recorded audio and screen captures. "Lights Out" functionality contained within the application detects the beginning and end of a credit card transaction, mutes the audio, and wipes out the screen images during the process. The application also provides 256-bit encryption for all recordings and screen captures; an audit trail that details every action users take and every piece of data they review, add, edit, or delete; and an application and data security level that allows call center managers to control every menu, program, and button, to pick and choose which users have access to specific features of the application, and to build secure filters that reduce the data a particular user is allowed to access and see.

"It’s important for organizations to maintain a level of trust. We have to be able to ensure the security of private and confidential data, including credit card numbers, Social Security numbers, passwords, PINs, and other information," Dan McGrail, vice president of product development at Coordinated Systems, said in a statement.

So then the next question becomes how long to hold onto the recordings, and when they should be deleted entirely. Though the PCI standards do not set forth a prescribed timetable beyond "what is required for business, legal, and/or regulatory compliance, as documented in a company’s data retention policy," the traditional approach was to keep recordings indefinitely. This practice is starting to change, though, mainly because of the growing need to manage ever-increasing data storage volumes.

With the recording of a typical one-minute call requiring up to 100 kilobytes of storage, it’s easy to see how storing all calls forever can be impossible, especially given the number of calls many contact centers receive in a given day.

Many companies, at least in the financial services sector, retain recordings primarily to resolve disputes. This way, when a customer calls and says he did not tell the agent to sell a particular stock, the company can produce a recording to prove that he did, in fact, authorize the sale. But there are instances when those policies can change, as in the case of a loan that is repaid ahead of schedule or when a client closes out an account, making the associated call recordings eligible for deletion sooner than expected.

The PCI standards have not yet been adopted into law by the U.S. government, but to encourage companies to comply, card issuer Visa, for example, implemented a strategy of financial incentives, education, and monthly noncompliance fines—ranging from $5,000 for midsize firms to $25,000 for large firms. According to information obtained from Visa, by the end of 2007 more than three-quarters (77 percent) of the largest U.S. firms and nearly two-thirds (62 percent) of midsize firms in the U.S. were PCI-compliant.

But that doesn’t mean companies can let up. In fact, just the opposite is the case. "Security is an issue and will always be an issue," Fluss states. "Companies invest a fortune on identifying and closing down schemes to get information, but there will always be a new [scheme] coming out."

Fighting such activity is a never-ending battle, and there is no surefire way to protect against it, she adds. "There is absolutely no way to ensure that a thief will never enter your organization."

The object is to make it as difficult as possible for information to be compromised. Fluss and other industry experts recommend that call centers adopt fully paperless operations so their agents cannot write down customer credit card information and go shopping. "Today most call centers are paperless environments," she says. "Agents are not allowed to bring any paper in or out."

But in today’s digital age, precautions like that need to go a step further. It is important to restrict the devices, including digital recorders, MP3 players, CDs, USB thumb drives, and floppy disks, that agents are allowed to bring into the call centers. The ban should also include cameras and mobile devices that contain cameras that can be used to capture screen images. Software should be installed that prohibits the downloading of information to portable storage devices of any kind.

Also tied into that is the need to hire the right employees, and to constantly keep on top of them to make sure they are not motivated to steal information.

Not only should this include looking for instances of criminal activity, but also for drug and alcohol abuse, financial stress, and domestic issues. And when an employee retires, leaves the organization, or is fired, it is crucial that his network and building access be terminated immediately, the experts advise.

"Do background checks. Put in a code of ethics and make sure all employees adhere to them," Fluss says. "Then organizations should be paranoid and work with all the resources available to them."

---

TELEMARKETING LAWS AMENDED, AGAIN

The U.S. Federal Trade Commission in late August amended the Telemarketing Sales Rule (TSR) to expressly bar telemarketing calls that deliver prerecorded messages unless a consumer has agreed to accept such calls from the seller. The amendment, which officially goes into effect in September 2009, alters the current requirement that companies only had to have a prior business relationship with the intended recipient of such calls.

The amendment also requires that, by December 1, telemarketers provide call recipients with an automated opt-out mechanism, either by voice command or keypad entry, at the start of the prerecorded message.

The amendment does not distinguish between calls answered in person or by an answering machine or voicemail service.

The changes do not affect current exceptions for healthcare-related prerecorded messages, such as appointment reminders, and other informational prerecorded messages, such as flight cancellation notices, because they do not attempt to sell any goods or services. One change, however, allows charitable solicitation calls placed by for-profit telemarketers that deliver prerecorded messages on behalf of nonprofits to members of, or previous donors to, the nonprofit; those calls must also include the same opt-out mechanism.

Other stipulations contained in the prerecorded call amendments require all prerecorded telemarketing calls to do the following:

• Allow the telephone to ring for at least four times before an unanswered call is disconnected;
• Begin the prerecorded message within two seconds of a completed greeting by the consumer who answers;
• Disclose at the outset of the call that the recipient may ask to be placed on the company’s do-not-call list at any time during the message;
• If the call is answered by a person, make an automated voice and/or keypress-activated opt-out mechanism available that adds the phone number to the company’s do-not-call list and ends the call; and
• If the call is answered by an answering machine or voicemail, provide a toll-free number that allows the person to connect to a voice and/or keypress-activated opt-out mechanism.

Another related technical amendment modifies the TSR’s method of calculating the maximum permissible level of call abandonment, a side effect of predictive dialers that place calls in anticipation that a salesperson will become available by the time a call is answered. Inevitably, a call will sometimes connect when no sales representative is available. The TSR sets a limit on how often this can occur. It requires that at least 97 percent of a telemarketer’s calls that are answered in person and not by an answering machine or voicemail service be connected to a salesperson within two seconds after a consumer answers. The amendment will retain the current 3 percent permissible abandonment rate, but will permit it to be calculated over a 30-day period, rather than on a daily basis, as is now the case.

"Just like the provisions of the Do Not Call Registry, these changes will protect consumers’ privacy," FTC Chairman William Kovacic said in a statement. "The amendments now directly enable consumers to choose whether they want to receive prerecorded telemarketing calls."