Tag Archives: legal articles

Email Protocol for the Call Center

By Dr. Julie Miller


TeamHealth Medical Call Center


Information is the blessing and the curse of the digital revolution. Between email, instant messaging, text messaging, cell phones, Blackberries, and the Internet, we are drowning in data overload. Moreover, the constant interruptions cost the U.S. economy an estimated $558 billion annually. This staggering number does not add in the cost of poorly written emails that land companies and employees in hot legal trouble, destroy long-term client relationships, and ruin reputations – just review Mike Brown’s emails (former FEMA chief) as Hurricane Katrina raged and you will understand. Add to this mix a lack of civility and common sense and you have an explosive brew.

How can the problem be addressed? For starters, begin treating email writing not as casual conversation. Whether words are written in the sky, sent by carrier pigeon, or via the email, words must connect with the reader. Good writing allows this to happen; poor writing does not. Currently, writing online is still, as author Patricia O’Conner writes, “…in its Wild West stage…with everybody shooting from the hip and no sheriff in sight.”

Therefore, establish some law and order by developing an email protocol, whether you are a multi-national operation or a single station call center. Simply stated, it’s “the way we do business around here” in terms of communicating via email with co-workers and customers. It is a code of behavior, a set of standards as to how you will frame your words, manage your inbox, and even extend your brand.

Below is a short list of questions to address at your next staff meeting. Your answers could be the beginning of a company-wide document.

  • How do you greet and close messages? Companies are putting together a series of key phrases used solely for openings and closings. Remember, you would never call on the telephone without greeting someone. Why would you not greet people in your emails?
  • What does your email signature say about your company? It should be an extension of your company’s brand. It should be professional, with no cutesy sayings, but it should also contain all contact information. Establish a standard for font style and size. Also, because you have limited real estate, consider placing your signature block horizontal rather than vertical.
  • What is the company policy about blind copies? Some companies only use them for email blasts; others say they are strictly verboten. Discuss why, when, and how you use them.
  • Do you have a message for the “out of office” auto-responder, and when do you turn it on? After four hours? For one day or longer? One company requires that if an employee is immersed in an important project, it must be turned on if he or she is gone from the office for more than one hour.
  • How often do you check emails? Some companies set their programs so emails are only called up hourly, thus reducing down time and increasing productivity.
  • How soon do you return emails? Within four hours? Inside of 24 hours? Some companies’ policy state all emails need to be answered within the same business day.
  • Do you use emoticons? Buzzing bees, dancing bears, smiley faces, and the like may be cute, but they have no place in business communications. Heartily rule against it.
  • How many emails do you send before you pick up the phone? The rule of thumb seems to be three. If the issues are not resolved, pick up the phone or walk down the hall.
  • What are your company’s policies about writing business letters, accessing confidential information, and handling racial or sexual harassment? Your email policy should be compatible with these policies.
  • How will you insure employees understand your protocol? For example, who is the contact person when questions arise? How will updates be handled? Will you schedule training meetings?

Email has become the biggest productivity drain in businesses today. Getting a handle on this daily data dump by establishing procedures – email etiquette, if you will – will make you and your call center stand above the crowd. This will possibly bring law and order to the untamed world of Internet communication.

Dr. Julie Miller, founder of Business Writing That Counts, is a national consultant and trainer who helps professionals reduce their writing time while still producing powerful documents. She and her team work with executives who want to hone their writing skills and professionals who want to advance their careers. For more information, call 425-485-3221.

[From the October/November 2007 issue of AnswerStat magazine]

Is That Hold Music Legal?

By Mike Wilson, J.D.

Music so permeates our culture that we take for granted the right to play it. However, performing rights organizations like ASCAP, SESAC, and BMI do not take it for granted. They know, and so should you, that a licensing agreement is required to legally play copyrighted works.

It does not matter if you own the CD that is playing for your callers on hold. It does not matter that it is really the radio station that is broadcasting the songs you have piped in as your “on hold” music. It does not even matter if you are a non-profit organization. Licensing is required. If you think music copyrights are a non-issue, all you need to do is look at the fervor over Napster.

Exemptions are limited: Music during church services or in face-to-face teaching in a classroom does not require a license. There are some other narrowly defined exemptions in Section 110(5) of the Copyright Act. Playing a TV or radio in public may be okay in certain circumstances. For example, if there is no charge and the radio or TV are of the “kind commonly used in homes” and there’s no retransmission to the general public, it is permissible. In addition, there are other restrictions on the size and type of establishment, the number of speakers or TVs in each room, and so on. Unless you fall within an exemption, licensing will be required or you will be guilty of copyright infringement. Other countries, of course, have copyright laws as well and penalties for violating them.

What If You Fail To Get A License? If you fail to license the music you are playing, perhaps nothing will happen. Due to the difficulty of monitoring the millions of performances of copyrighted music that take place every day, perhaps you will not be caught. However, increasingly representatives from ASCAP, BMI, and SESAC are contacting businesses that use music to determine whether the music has been licensed. Even more worrisome is that a disgruntled employee or aggressive competitor might “report” you to these organizations.

Instead of asking whether you will be caught, ask what can be the consequences? Actual damages as well as statutory damages of up to $20,000 can be awarded for each copyrighted song performed without a license. The damages can be up to $100,000 if the infringement is willful. Those who willfully infringe on a copyright for commercial advantage or private gain can be fined up to $25,000, be sentenced to jail time of up to a year, or both.

Obtaining a License: There are many different types of licensing agreements intended to serve different needs. You may contact the performance rights organizations yourself to see what is offered. ASCAP, SESAC, and BMI license performance rights for most of the music copyright holders in the United States. Also, a music clearance and licensing company can help you determine your licensing needs and assist in the process of obtaining the kind of license you need. In addition, some professional and business associations may negotiate a group rate with one or more of the performance rights organizations. It is common for businesses to license the right to use all of the works represented by a particular performance rights organization like BMI for one flat annual fee instead of attempting to license individual songs.

The cost of licensing is not prohibitive and is certainly worth the money in light of the potential downside of steep fines and damages. An easy solution is to contact a company that provides music-on-hold or on-hold programs. Generally, they will handle the licensing for you. This will be included in the cost of their services.

Whichever method you select, be sure to obtain documentation so that you can prove your on-hold music is licensed in the event ASCAP, SESAC, or BMI ever come knocking on the door of your call center.

Mike Wilson is an attorney and author. He teaches at Sullivan University in Lexington, KY.

[ASCAP is the American Society of Composers, Authors and Publishers; SESAC is the Society of European Authors and Composers; BMI is Broadcast Music, Inc.]

[From the December 2006/January 2007 issue of AnswerStat magazine]

Phone Phishing: Are your Agents Too Helpful?

By George T. Platt

According to a study commissioned by the Federal Trade Commission, last year over 9.9 million Americans were victims of identity theft, at a total cost of nearly $50 billion – an average of almost $5,000 per victim. The first thing many people associate with identity theft is computer hacking or Internet security breaches. The reality is that online and perimeter intrusions contribute far less to the identity theft problem than disgruntled employees, friends, and relatives.

One of the most prevalent and accessible methods of gaining access to personal data is the simple process of picking up the phone and calling a call center. Customer service agents are trained to “take care” of callers and often will go to great lengths to be helpful. This is just what an identity thief is counting on. The concept of taking advantage of helpful customer service agents to steal information over the telephone is sometimes called phone phishing or pretext calling; in a broader context it can be referred to as social engineering. Phone phishing is particularly disturbing because unlike Internet phishing, the victim is not involved and is completely unaware that someone else is calling pretending to be them. With just a few calls, thieves can gain the bits and pieces of data required to assemble unquestioned access to a customer’s accounts and other information. In fact, criminals find the telephone very attractive because it is inherently faceless, hard to trace, inexpensive, and they know that companies are relying on information alone for identity verification.

They’ve Got Your Number: Whether we like it or not, we have become a number. Our personal information essentially becomes our identity as we interact with entities such as banks, insurance providers, and the government. In many cases, access to our accounts can be had with little more than these six core pieces of information:

  • Social Security Number/Insurance Number
  • Mother’s Maiden Name
  • Date of Birth
  • Name
  • Address
  • Phone Number

The nature of each business relationships determines how much or how little information is available. However, many lenders and providers share information with each other in the normal course of doing business. Furthermore, five out of six pieces of our core identity are publicly available. If it seems it could not get any worse, our identity information resides in thousands of places, online and offline.

The Evolution of Self-Service: The evolution of our reliance on customer self-service is adding to the risk of exposure. In the past, most self-service applications were used to automate simple tasks involving information retrieval. Now self-service systems allow the user to actually execute transactions such as bill payment, account status, or insurance claim processing to name a few. The ability to actually execute transactions with no human interaction after identities have been stolen can increase the risk of loss associated with identity theft.

Solving the Problem: The obvious answer for call centers to stopping identity theft and fraud is simply to verify identities better, with something more than information alone. Verifying that the information provided matches the information on file is no longer sufficient to allow access to account information or transactions to be executed.

Protecting callers’ personal data, while keeping interactions fast and easy, is the foundation of strong customer loyalty and a key to increasing customer retention. In order to attain this goal, it is important to reduce the likelihood of human error from the identity verification process. Unfortunately, criminals prey on the good intentions of customer service agents. Improving agent training is an important part of a comprehensive fraud prevention program. However, high turnover rates and a desire to help callers will always make live agents a point of risk.

So, with the human element remaining a threat, what can be done to prevent this growing problem? Individual action is a start. We should be protecting our identity with the same passion that we protect our personal safety. Just as we install a home security system for protection, individuals should also install firewalls on home computers, encrypt their wireless network, and decide to use better passwords. The community as a whole can also be a strong deterrent of identity theft. Institutions can compare personal information provided against information in a database before granting access to an account over the phone.

As with most other crimes, crime prevention can also be a strong deterrent to the problem. For years, financial institutions have been using automated pattern recognition systems to detect credit card buying patterns that do not match the normal behavior of the credit card holder. These solutions are becoming increasingly sophisticated, looking not only for patterns within an individual account, but also for patterns across multiple accounts.

All of these solutions could certainly play a large role in stopping identity theft through the telephone. However, just as with the problem itself, these solutions largely involve a human factor.

The Technology Solution: As with identity theft and fraud through the computer, the most reliable way to prevent identity theft and fraud through the telephone is through the use of technologies that take away the human factor. Automated systems remove live agents from the identity verification process, allowing an identity to be confirmed before a caller can reach an agent who is willing to give out sensitive information.

Automated voice systems can empower users to protect themselves by offering a simple voiceprint enrollment process that takes approximately one minute to complete. On subsequent calls, the voiceprint becomes one of the key factors used to verify a customer’s identity. At the same time, behind the scenes, an application performs behavior pattern tracking an analysis as customers interact with the automated system. For example, the system can monitor for too many calls from the same phone number inquiring on different accounts within a period of time.

The reliable authentication of customers using something as unique as a voice print can save agent time, while reducing the caller’s responsibility for remembering the myriad of PINs, passwords, and security questions. Furthermore, automating this process plugs a vulnerable security leak, our thoughtful agent, while freeing these same agents to address issues for callers who have already been authenticated.

In addition to providing authentication and reducing the number of common requests received by live agents, the return on investment for voice-based applications is considerable. Datamonitor reports call centers currently deal with 26 billion call minutes per month; by 2007 this will increase by 35 percent to 35 billion. On average, providing customer service in the traditional agent-assisted manner within a call center costs $9.50 a call, therefore the return on encouraging callers to use self-service channels companies can be a financial windfall.

With the emergence of standards like VoiceXML and SALT, and support from major software and hardware vendors, speech automation is rapidly moving into the mainstream. Call centers can now extend their investments in Web-based infrastructures to include voice-based applications. The ability to manage one code base for both Web- and voice-enabled applications makes it possible to extend new self-service Web capabilities to customers/employees.

Conclusion: In the 1970s, when the call center was first introduced to provide centralized customer service, verifying customers using information alone may have seemed like a reasonable security measure. Today, this weakness is exposed with the convergence of identity theft and fraud, the digitization of information, and the affordability and ubiquitous nature of the Internet. Telephone security had not changed in 30 years, but the introduction of voice-based authentication and automated voice applications can now remove customer service agents from the identity verification process, reduce call times and customer frustration, improve call center profitability, and create customers for life.

George Platt is currently Senior Vice President and General Manager of Intervoice’s Enterprise Business Unit where he is responsible for product marketing, product management, services marketing, software product development, and professional services within the enterprise sector.

[From the June/July 2005 issue of AnswerStat magazine]

Developing an E-Security Policy

By Patricia S. Eyres, Attorney at Law

Dangers lurk in cyberspace. Every call center should have an easily understood, consistently enforceable policy to protect trade secrets, maintain the integrity and security of all networks and servers, protect sensitive patient information, protect the organization from lawsuits by third parties, protect the integrity and reputation of the organization and its business, and ensure achievement and productivity. Security is everybody’s business.

Spam and viruses are the most visible, but not the most significant security challenge. Fearing loss of confidential records from intrusion by criminal hackers, call centers are installing firewalls to protect their networks. These firewalls will stop many, but not all, of today’s hacker attacks. Hackers can take advantage of holes in a network’s perimeter defenses created by employees who bypass protections by attaching modems to their PC’s, setting up wireless access points without permission, or downloading risky software, such as chat or file-sharing programs, all of which offer entry points for the creative criminal. That’s why security is everybody’s business and all managers and employees must understand the importance of following established security procedures. This is especially important when using laptops or working from remote locations.

Keeping your networks secure from hackers is just as critical to protect callers’ information. Hackers target electronic databases of call centers because they often have a mountain of information from which identities can be stolen: names, addresses, financial information, and other personal data. Theft of customer data gets the attention of the media; one company was hit with a class action lawsuit charging that it failed to secure credit card information online. The visibility of insecure networks has prompted tough laws in several states, most notably California, that require any business that collects data from California consumers to immediately notify every person if there is a breach of security – from any source.

What about mischief and malice by employees and coworkers?  In many ways, email is ideally suited to smuggle trade secrets and valuable company data out of an organization. Leaks of business plans can be embarrassing and costly; the intentional disclosure of secrets can cost a lot more. A comprehensive e-security plan should address internal threats that are as dangerous as attacks from outside. Identifying internal threats is the first step. The combination of email overload and careless attachments is one risk; intentional stealing from internal electronic files by email attachment is quite another. Whether accidental or deliberate, breaches of confidentiality can erode customer and employee confidence, cost jobs, and devastate your organization.

Information security requires effective policies and consistent enforcement. It is imperative that every employee know and understand their role in security, even when it seems like a hassle.

What is the Purpose of Information Security? Information security is designed to prevent unauthorized access or damage to hardware, software, and data. This encompasses misuse, malicious or accidental damage, vandalism, intentional intrusion, fraud, theft, and sabotage to information resources. The purpose of information security is to safeguard your call center’s information resources, including all hardware, software, and data in both electronic and hardcopy formats.

Define Responsibilities for Information Security: The job of protecting hardware, software, and data (hard-copy and soft-copy) from abuse is shared by all users – employees, contractors, management, and administrative staff. Make it the responsibility of every system and information user to read, understand, and comply with your security policy and all associated information security policies and procedures. Post the essential provisions on your intranet as well as publishing it in hard copy in your Employee Handbook.

Your organization should manage information security standards, procedures, and controls intended to minimize the risk of loss, damage, or misuse of your organization’s data, by developing policies:

  • Establishing and maintaining policies, procedures, and standards for access.
  • Securing information and implementing access to authorized persons.
  • Assisting data custodians in identifying and evaluating information security risks.
  • Selecting, implementing, and administering controls and procedures to manage information security risks.
  • Distributing security report information in a timely manner to management, data custodians, and appropriate system administrators.
  • Reviewing data security issues that have company-wide impact.
  • Promoting security awareness to all managers, supervisors, and other end-users through timely information and training.

Establish Accountability Standards and then Enforce Them Consistently: Security is everybody’s business. End-users, including subcontrators and vendors, accessing your data should be personally responsible for proper use of the resulting available information. Employees who access data must be responsible for:

  • Complying with all security policies and procedures in the use, storage, dissemination, and disposal of data.
  • Safeguarding passwords
  • Protecting data (softcopy and hardcopy) from unauthorized access.
  • Respect the privacy of other users’ software and data.
  • Reporting information security violations.

Specifically Address Data Confidentiality: Due to the value and sensitive nature of your call center’s data and client information, employees must exercise caution and care in their jobs and adhere to all information security policies and procedures. In order to effectively communicate this policy and emphasize the importance placed on the confidentiality of data and software, all employees should sign a data confidentiality statement on an annual basis; new employees should sign the statement prior to being hired. Additionally, the call center should reserve the right to monitor and review all system activities performed by system users and notify users that they do not have a reasonable expectation of privacy in their computer files, including email.

Patricia S. Eyres is an attorney with 18 years defending businesses in the courtroom. She can be reached at 800-548-6468.

[From the June/July 2005 issue of AnswerStat magazine, updated August/September 2006]

Legal Considerations of Voice Logging

Compiled by Peter DeHaan, Ph.D.

Peter DeHaan, Publisher and Editor of AnswerStat

Legal issues regarding the recording of phone calls must be considered before embarking on voice logging. This varies on a state-by-state basis. Some states and countries require “one-party notification” in which only one of the two individuals needs to be made aware that the call is being recorded. This, of course, is most easily done by notifying the call center agents and staff.

This notice should be included in the employee handbook they receive when hired. By signing off on the handbook, it has been documented that employees have been duly notified that the recording will take place.

Check with a local attorney familiar with state employment law, as it may be advisable to have a separate sheet signed by each employee, which explicitly notifies him or her that calls will be recorded. (At least thirty-seven US States, the District of Columbia, the US Federal law, Canada, and England only require one-party notification. Note that there is some disagreement over the determination of the requirements for a few states.)

The other scenario requires that both parties be made aware that the call is being recorded; these are called “two-party notification” states. (Depending on the source, ten to thirteen US states fit this category.) This can be accomplished by playing a preamble recording on every call or inserting a periodic beep tone.

The preamble recording is common, but may prove to be a technical challenge to accomplish in a call center where multiple types of calls are taken and for various departments or clients. There is also the concern of how to respond to clients who object to an automated announcement before every one of their calls. Typical verbiage for the announcement or preamble recording is, “Thank you for calling ABC Clinic, your call may be monitored for training or quality assurance purposes.”

Alternately, many voice logging systems provide an optional beep tone. There are specific parameters to which this beep must adhere. According to VLR Communications, the beep tone needs to be a 1260 to 1540 Hertz tone, lasting 170 to 250 milliseconds, and broadcast for both sides to hear every twelve to fifteen seconds when recording is taking place.

The interesting part of this requirement is that both parties must be able to “hear” the beep tone; there is no measurable audio level specified. Therefore, it makes sense to set the beep level at a low volume, while still being audible to both parties. Still, many people find this beep tone to be disconcerting and distracting. Although call center agents typically grow accustomed to the beep tone, eventually tuning it out, this is not the case with callers, who generally find the ongoing beeping to be an annoying vexation. Callers may even discuss the beep tone or voice recording with the agents, thereby lengthening call time and decreasing the quality of service.

Several websites contain information about notification; unfortunately, they are not in complete agreement. This is shown in the chart below. Regardless of this information, be sure to consult a local attorney before recording any telephone calls.

Also, there are privacy concerns and issues. In general, one should take every possible precaution to avoid recording personal phone calls. A practical way of doing so is to only record conversations in the call center (and explicitly not in the breakroom or on any common area telephone) and to have an enforced policy against placing or receiving personal phone calls while in the call center.

These steps will help to ensure that personal phone calls are not inadvertently recorded and that privacy rights are not encroached. Again, obtain legal counsel before recording any phone calls. Voice logging is best used for quality assurance, training, self-evaluation, verification, and dispute resolution.

[For more information, see our Voice Logging feature article and Voice Logging Vendors.]

Peter DeHaan is the publisher and editor-in-chief of AnswerStat magazine and a passionate wordsmith. Connect with him on his personal blogs, social media sites, and newsletter, all accessible from www.peterdehaan.com.

[From the Fall 2003 issue of AnswerStat magazine]

Hospital Answering Services Could Be Risky

By Mike Wilson, JD

Hospitals that provide answering services to physicians at below fair market value (FMV) may risk violating federal or state law – with serious consequences. “Stark II” is a federal law to discourage doctors from referring Medicare and Medicaid patients to entities with which they have a financial relationship, which can include indirect compensation in the form of benefits. For example, hospitals that rent office space to physicians below FMV may violate Stark. Possible penalties include denial of Medicare and Medicaid payments, reimbursement of past payments, and exclusion from Medicare or Medicaid in the future, as well as civil penalties of up to $100,000.

The federal Anti-Kickback Statute prohibits physicians from receiving compensation for referral of patients covered under Medicare, Medicaid, and other federal health programs. Again, compensation could include indirect benefits such as below FMV office leases. Unlike Stark, Anti-Kickback also requires proof of intent to induce referrals. The Anti-Kickback Statute has potential criminal penalties, civil penalties of up to $50,000, treble damages, and exclusion from federal health programs. Some states also have laws similar to Stark or Anti-Kickback.

Language in the Stark regulations suggests that free meals for doctors in the hospital cafeteria, for example, are subject to Stark. Concerns then may be, are free or heavily discounted answering services for doctors a kind of “compensation” subject to Stark? If so, the arrangement would fall under one of the exceptions in the regulation or it would be a violation. For example, if the “compensation” does not exceed $300 per year (and meets other requirements) or is provided at fair market value (and meets other requirements), there is no Stark violation. However, the exception most likely to apply to answering services is the “medical staff incidental benefits” exception.

Medical Staff Incidental Benefits: This exception has eight requirements, all of which must be met (when reading the quotes from the regulation below, substitute “answering service” for “compensation”):

  1. “The compensation is offered to all members of the medical staff without regard to the volume or value of referrals or other business generated between the parties.”
  2. “The compensation is offered only (emphasis added) during periods when the medical staff members are making rounds or performing other duties that benefit the hospital or its patients.”
  3. “The compensation is provided by the hospital and used by the medical staff members only on the hospital’s campus (emphasis added).”
  4. “The compensation is reasonably related to the provision of, or designed to facilitate directly or indirectly the delivery of, medical services at the hospital (emphasis added).”
  5. “The compensation is consistent with the types of benefits offered to medical staff members by other hospitals.”
  6. “The compensation is worth less than $25 per occurrence of the benefit.”
  7. “The compensation doesn’t take into account the value or volume of referrals or business generated.”
  8. “The compensation arrangement does not violate the Federal anti-kickback statute.”

Third Party Enforcement: Many courts have held that third parties can bring an action against violators of Stark or the Anti-Kickback Statute under the False Claims Act. This act allows “whistleblowers” to sue violators and be compensated with a percentage of the recovery. The False Claims Act has its own set of penalties, including treble damages and attorney fees.

This article is not intended to give legal advice. This is a highly specialized area of law and litigation over Stark has yet to generate much case law for guidance. In addition, further regulations are to be issued in the near future. Given the potential exposure, prudent hospitals will seek sound legal advice before offering professional answering services to physicians.

Mike Wilson is an attorney and author. He teaches at Sullivan University in Lexington, Kentucky.

[From the Summer 2003 issue of AnswerStat magazine]