The role of employees in keeping customer data safe

Most of us will remember a particularly good (or bad) encounter that completely lifted (or destroyed) our consumption experience. I, for instance, have had consistently good interactions with staff at John Lewis who will, generally, go out of their way to help me find an item in store. Conversely, there is this little family restaurant that serves the most amazing seafood rice but that I often avoid because of the person who tends to the tables. And, then, of course, there are the cases of bad employee behaviour landing the company in the news, as in the case of the Domino’s Pizza employees who filmed themselves tampering with food.

In academia, too, there is a growing interest among marketing researchers in the role of employees in delivering value to customers. For instance, Earl Naumann (1995) argued that the key factor for long-term success of a firm was the ability to deliver customer value over and above that delivered by one’s competitors. Later, Payne and Holt (2001) emphasised the need to manage the relationship with employees – current and prospective – in order to maximise value to customers and the organisation. And, more recently, my former colleague Moira Clark demonstrated that there is a link between employee perceptions of organisational climate, employee behaviour and customer retention rates.

One area of employee behaviour that interests me is how staff may undermine a firm’s best efforts to protect customers’ privacy. Analysis of recent privacy failures reveals that a very large number of data breaches result either from the deliberate actions of members of staff or from their failures. For instance, in some cases privacy was compromised through the purposeful theft of personal information with the intention to defraud. In other cases, the breach was due to human error. And those data breaches continue to occur despite the abundance of legislation regulating what data may be collected and how it may be used, and despite the plethora of technology-based solutions to ensure compliance with those same privacy regulations, such as encryption technology to anonymise data, or firewalls and passwords to limit access to sensitive information.

The issue of customer privacy is particularly relevant in the current environment, where data collection is often an inherent part of the service. I write about the role of employees in privacy protection here. I conclude that an effective approach to the management and protection of customer data must specifically include staff’s role in safeguarding customer privacy. Specifically, to minimise data breaches organisations should:

  • Audit the privacy-related attitudes, norms and stereotypes in place in your firm, and consider whether they support or, indeed, undermine the effectiveness of training initiatives.
  • Investigate ways in which various job-related environmental cues situate particular cultural frames and, therefore, influence privacy-related behaviours.
  • Increase the relevance of privacy measures to all functions in the firm, be it in their daily tasks, or as a component of their job evaluation. In particular, consider to what extent and in what forms commercial goals are in conflict with privacy obligations.
  • Communicate relevant legal obligations and specific company privacy policies clearly, and using strong, unequivocal terms.
  • Where possible, anonymise, and control access to, customer-related data.

I am extending this research into privacy breaches in specific organisational environments. If you would like to participate in the study, or discuss the application of the findings to your organisation, please contact me.

3 thoughts on “The role of employees in keeping customer data safe”

  1. Interesting topic, Ana, and it has a very familiar ring to it. In the field of information security, it is a given that employees always are the weakest spot, and the hardest to secure against. Deliberate theft of data, or making it publicly available, or simply leaving passwords on sticky notes on desktop screens. The human factor needs training, awareness, and responsibility, while management needs to realise that there’s only a limit to what technology can do here.


    1. That was exactly the point – a lot of money is thrown at technical solutions, whereas staff are the weak (if not the weakest) link. Even those that should know better: I know an information systems security professor who kept the password to his desktop on a post-it note under his keyboard!!


      1. Amazing. When I was doing an information security project years ago, I was told a story of an information security manager at a bank. He would go to branch offices, and ask to speak to the manager, without clearly identifying himself. Just dressed up in a suit and an attitude. While people would look for the manager, he’d walk around the office, open some paper files and copy them. Simply to confront the manager with the information he simply gained access to. Sometimes it’s as simple as that: employees with not enough awareness cannot guarantee information security.

