I've been thinking about the compromise of President-Elect Barack Obama's mobile phone records at Verizon Wireless. Verizon Wireless recently fired the guilty parties, as they should. However, this is not the end of the problem. In fact, it's only the beginning.
As I work in a customer service organization, I understand the business need for customer service agents to have access to customer records. In order to provide quality service to a customer, access to their relevant data is vital.
How much access to that data is needed? Does every rep need access to all that data 24x7, anytime? The CISSP in me says absolutely not. Do companies properly control access to this data? Not in my opinion.
There are always going to be people who need access to all customer data, e.g. management or management designates. However, the number of people who have that level of access should be relatively small. All access to that data should be heavily audited.
For the lowly customer service rep--the people who typically answer the phone when a customer calls in--they should have access to the customer's records unless the customer provides a PIN of some sort. Without a valid phone number and the appropriate PIN, the customer service reps should not be able to pull up the records at all.
Of course, there are going to be exceptions to this rule, for example if a specific rep is working with a specific customer on a specific issue, but as a rule, only people with a valid business reason to have access to the customer data right now should have that access. This needs to be enforced by business process as well as the tools themselves.
Really, though, it's a simple matter. If you don't have a legitimate business reason for looking at customer data, don't do it. This has always been my policy back from when I was a systems administrator. Reputable customer service agents follow this rule, the good ones don't even have to be told.
Back to Verizon Wireless for a moment. While I know it is a matter of a few rogue employees and I feel they responded to the situation appropriately, it shouldn't have happened in the first place. A large telecom like Verizon Wireless should have systems in place to prevent this kind of "data leakage" already. Clearly, whatever measures they employ either weren't followed or were ineffective.
I hope that all telecommunications carriers learn from this experience.