1.1 Portfolio 44 Customer Quotation Service
11.44 Customer Quotation Service:
   1. In this context, the term "quotation" means any form of marketing information or document. This is not legal advice and the Owner may seek a legal opinion; however, the best practice used by a large number of compliant companies can be used as a foundation.
   2. The Owner can have anything they want, with the one limitation that what they want must be legal and in compliance with UK laws.
   3. The Privacy and Electronic Communications Regulations (PECR) are the UK law that defines the way that every Customer Quotation Service (CQS) must be operated - this is not optional.
   4. Compliance with PECR is enforced by the Information Commissioner's Office (ICO), with fines and compensation to people who are impacted.
2. Consent:
   1. People have rights, but companies do not have rights - PECR applies to known people, who may be known as customer contact people.
   2. People must consent to be shown a quotation before a quotation is shown to them. Evidence of how and when consent was obtained must be recorded.
   3. Consent means that the person must positively opt in and subscribe to be shown a quotation.
   4. A person may withdraw their consent at any time, and it must be as easy to opt out and unsubscribe as it was to opt in and subscribe.
   5. In any consent dispute, the person is assumed to be innocent and the company is assumed to be guilty until evidence to the contrary can be provided.
   6. It is easy to see whether an email with a quote has had consent and has an "unsubscribe" link so the person can withdraw their consent.
   7. People understand that they may be able to claim compensation from the company if they are not given the right to unsubscribe. The company will understand that the risk of a fine and having to pay compensation to all impacted people is so great that it is cheaper to comply with UK laws and provide an unsubscribe link.
3. Life Cycle:
   1. Every customer quotation must have a published expiry date. A typical customer quotation will expire after 30 days.
   2. The company has a legal obligation under the Data Protection Act not to keep data longer than is necessary and to delete data when it has expired.
   3. It may be reasonable to mark a quotation as expired after 30 days and delete the quotation 366 days later, so that in the meantime the quotation can be used for (anonymous) historic management information purposes.
   4. When a customer is sent a quotation, it may be reasonable to include a link so the customer can view all the quotations they have been sent in the last year. The customer has the right to view their own information, and a customer is expected to be able to view their history of dealings with a supplier. A company that purposefully withholds customer information may find it has to deal with a much more expensive Subject Access Request that demands the company disclose such information.
4. Envelope and Letter:
   1. Email has been likened to a postcard that will be copied and processed by agencies in all parts of the world. It is no longer acceptable to communicate private, confidential or sensitive business information by email. In fact, a person could claim damages from a company for leaking valuable business information by using email. Informed companies will not trade with other companies that leak their business dealings by email - they cannot be trusted to have deployed adequate internal security measures.
   2. The traditional email has been replaced with an envelope email that discloses only the sender and the quotation subject as the message. If the recipient chooses to opt in and subscribe to the quotation, they click the applicable link and the quotation is shown. If the recipient chooses to opt out and unsubscribe from the quotation, they click the applicable link and the customer's record is updated to show that they have withdrawn their consent; the quotation is not shown. If the recipient chooses to ignore the envelope email invitation, the quotation will expire as scheduled, with the customer record showing that the person did not consent to view the quotation.
   3. The quotation is the safe, secure and encrypted letter content of the envelope, which is disclosed only after evidence that the person consents to see the quotation. The broker can withdraw consent for the person to view the quotation by cancelling the quotation at any time. A cancelled (or expired) quotation cannot be viewed by the person who was sent the email envelope - something that could not be done with a traditional email with an attachment.
   4. For each and every customer quotation, workflow evidence is recorded as to if, when and how the person consented to process the quotation. Evidence includes the date, time, IP address and browser the person used to process the quotation, or whether the quotation was not viewed or the envelope invitation was ignored.
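The consent, life-cycle and envelope-and-letter rules of sections 2 to 4 as one workflow, written here as an added example in Python; it is not the service's own code. It assumes an in-memory store, a clock supplied by the caller, opt-in and opt-out links carrying unguessable tokens, a placeholder byte string standing in for the encrypted letter, the 30-day expiry and 366-day deletion from section 3, and constructed reference numbers; every class, method and token name is hypothetical.

```python
# Envelope-and-letter quotation workflow: added example, not the service's own
# code. Assumptions: an in-memory store, a clock supplied by the caller, the
# 30-day expiry and 366-day deletion of section 3, and a placeholder byte string
# in place of the encrypted letter; class, method and token names are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

EXPIRY = timedelta(days=30)      # published expiry: 30 days after issue
RETENTION = timedelta(days=366)  # delete the quotation 366 days after expiry


@dataclass(frozen=True)
class Evidence:
    """One workflow event: when, what, and the address and browser used."""
    when: datetime
    action: str   # sent | consented | withdrawn | refused | cancelled
    ip: str
    browser: str


@dataclass
class Quotation:
    ref: str
    customer: str
    subject: str
    letter: bytes                  # encrypted letter content (placeholder bytes here)
    issued: datetime
    optin_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    optout_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    consent: str = "none"          # none | given | withdrawn
    cancelled: bool = False
    evidence: list = field(default_factory=list)

    @property
    def expires(self) -> datetime:
        return self.issued + EXPIRY

    def is_open(self, now: datetime) -> bool:
        return not self.cancelled and now < self.expires

    def envelope(self) -> dict:
        """What the email discloses: the subject and the two links, never the letter."""
        return {"subject": self.subject,
                "optin": f"/q/optin/{self.optin_token}",
                "optout": f"/q/optout/{self.optout_token}"}


class QuotationService:
    def __init__(self):
        self.quotations = []
        self.by_optin = {}
        self.by_optout = {}

    def send(self, q: Quotation, now: datetime) -> dict:
        self.quotations.append(q)
        self.by_optin[q.optin_token] = q
        self.by_optout[q.optout_token] = q
        q.evidence.append(Evidence(now, "sent", "-", "-"))
        return q.envelope()

    def optin(self, token, now, ip, browser):
        """Opt-in link clicked: record consent with date, time, IP and browser,
        then disclose the letter only while it is neither cancelled nor expired."""
        q = self.by_optin.get(token)
        if q is None:
            return None                      # unknown token: nothing disclosed
        if not q.is_open(now):
            q.evidence.append(Evidence(now, "refused", ip, browser))
            return None
        q.consent = "given"
        q.evidence.append(Evidence(now, "consented", ip, browser))
        return q.letter

    def optout(self, token, now, ip, browser) -> bool:
        """Opt-out link clicked: one click withdraws consent; the letter is never shown."""
        q = self.by_optout.get(token)
        if q is None:
            return False
        q.consent = "withdrawn"
        q.evidence.append(Evidence(now, "withdrawn", ip, browser))
        return True

    def cancel(self, q: Quotation, now: datetime) -> None:
        """Broker withdraws the offer; a cancelled letter can no longer be viewed."""
        q.cancelled = True
        q.evidence.append(Evidence(now, "cancelled", "-", "-"))

    def history(self, customer: str, now: datetime) -> list:
        """References of everything this customer was sent in the last year (3.4)."""
        return [q.ref for q in self.quotations
                if q.customer == customer and q.issued > now - timedelta(days=365)]

    def retention_sweep(self, now: datetime) -> dict:
        """Delete quotations 366 days after expiry, keeping only anonymous counts."""
        stats = {"consented": 0, "not_consented": 0}
        for q in [q for q in self.quotations if now >= q.expires + RETENTION]:
            stats["consented" if q.consent == "given" else "not_consented"] += 1
            self.quotations.remove(q)
            self.by_optin.pop(q.optin_token, None)
            self.by_optout.pop(q.optout_token, None)
        return stats
```

The letter is reachable only through `optin`, which records the consent evidence before returning it and records a refusal instead once the broker has cancelled or the expiry date has passed; the envelope dictionary never carries the letter, so a forwarded or intercepted email discloses only the subject. `retention_sweep` is what turns the 366-day rule into an action: it keeps nothing but anonymous counts once a quotation is out of its retention period.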
5. Data Protection Impact Assessment (DPIA):
   1. It is a legal obligation for the Data Protection Officer and Risk Manager to undertake a DPIA.
   2. The DPIA will be used by the ICO to decide whether adequate data protection methods were deployed and so to determine the scale of any fines and compensation.
   3. Fines can be avoided or minimised where it can be proven that adequate best-practice data protection measures were deployed.
   4. Fines may be increased with an "unjust enrichment" fine greater than the cost of providing adequate data protection measures where a company hopes not to be caught trading illegally without adequate security.
   5. The DPIA lists all possible threats, risks and reasonable countermeasures as:
      (1) All business data is encrypted when stored and encrypted when communicated, so data cannot be stolen.
      (2) All business data is replicated to many secure data centres, so data cannot be lost.
      (3) Internal support message services are deployed, so no protected business data is leaked by public phone or email messages.
      (4) Authentication of business associates is fit for purpose according to industry best practice and is monitored 24*7 to blacklist criminal attacks and help approved people.
      (5) Criminal attacks are expected and blacklisted, with regular penetration testing and security audits. By eliminating application programming and with more than twenty years of regular security audits, vulnerabilities do not exist.
      (6) Phishing attacks are carried out by external security auditors to identify weaknesses in how people respond to phone and email phishing attacks.
      (7) Insider threats have been eliminated with a strong "need to know" culture and the replacement of system administrators with artificial intelligence.
6. Blacklisting:
   1. All Bespoke Application Services deploy a method of white lists and black lists to help identify and stop criminal behaviour.
   2. A criminal will deploy a program to try to guess a password or access code at a rate of 100 guesses per second. This modest rate of guessing enables more than 3000 million guesses to be made in a year. Attack rates of up to 20,000 guesses per hour have been sustained for many years.
   3. To counter such a threat, blacklisting is a process that identifies abnormal behaviour and ignores all communication from the criminal's IP address. The criminal counters with a massive list of "spare" IP addresses that are used to try to foil the blacklisting process.
   4. A significant advantage the Application Service Provider has over others is that many hundreds of different web sites are operated, and they include many "honeypot" web sites to lure the criminal into revealing their attack methods. When a criminal is identified attacking one web site, the criminal is blacklisted from all web sites, so attacks are ignored with no response most of the time. Error and warning messages have been eliminated, so the criminal has no idea when they have been blacklisted.
   5. With business-to-business private Bespoke Application Services, search engines are classified as a criminal attack and are ignored, so the search engine cannot steal a copy of a web page. This is not true of all web services, but it is a strong security capability of most private Bespoke Application Services - criminals use Google to find vulnerable web sites, so Google must be prohibited from knowing about Bespoke Application Services.
   6. When designing a password, URL or access code, remember that agencies will typically try 3 billion guesses to guess the code. With the advent of powerful quantum computers, agencies may be guessing codes at a rate of billions per day.
6. How does it work:
   1. Black listing works where white listing has not identified the transaction as being from a known approved person. The vast majority of approved people will have their IP address, computer and network white listed, and such people cannot be black listed.
   2. To counter cyber crime threats, blacklisting is a process that identifies abnormal behaviour and ignores all communication from the criminal's IP address and network service. The criminal counters with a massive list of "spare" IP addresses that are used to try to foil the blacklisting process. The blacklisting process expects the criminal to change IP addresses every few seconds and is designed to blacklist each new IP address.
   3. A transaction from a new approved person will check that the IP address is not black listed and continue with caution. If any issues are identified with the transaction, such as a URL defect, that is a sure sign of criminal behaviour, and the person's IP address and network are black listed for the rest of the day. Black listed data expires at the end of each day and is automatically deleted, so the black list is kept to a modest size and cannot become the subject of a buffer overflow attack by growing too big.
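The white-list-first, black-list-second gate described in sections 6 and "How does it work", as an added example in Python that is not the provider's own code. It assumes one gate shared by every site (honeypots included), listing by /24 (IPv4) or /64 (IPv6) network as well as by address so that rotating through spare addresses in one range gains nothing, a constructed path grammar whose violation counts as a "URL defect", a per-minute request count standing in for "abnormal behaviour", and a simple user-agent test for search engines; the sample addresses are from the documentation ranges and every name is hypothetical. It goes slightly beyond the text in also expiring the per-minute counters, so neither table grows without bound.

```python
# White-list / black-list request gate: added example, not the provider's own
# code. Assumptions: one gate shared by all sites, listing by network as well as
# address, a constructed path grammar, a per-minute rate threshold and a
# user-agent test for search engines; all names are hypothetical.
from datetime import datetime, timedelta
import ipaddress
import re

VALID_PATH = re.compile(r"^/[a-z0-9/_-]*$")  # anything else is a "URL defect"
RATE_LIMIT = 60                              # requests per minute before listing
SILENT = ("", 204)   # the only answer a listed or defective request ever gets


def network_of(ip: str) -> str:
    """The network listed alongside the address, so rotating through spare
    addresses in the same range does not defeat the listing."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def end_of_day(now: datetime) -> datetime:
    return datetime(now.year, now.month, now.day) + timedelta(days=1)


class Gate:
    def __init__(self):
        self.white = set()   # approved addresses and networks: never black listed
        self.black = {}      # address or network -> expiry (end of the day listed)
        self.hits = {}       # (address, minute) -> request count

    def approve(self, ip: str) -> None:
        self.white.update((ip, network_of(ip)))

    def is_white(self, ip: str) -> bool:
        return ip in self.white or network_of(ip) in self.white

    def blacklist(self, ip: str, now: datetime) -> None:
        """Shared by all sites: a hit on one site (honeypot or real) blocks everywhere."""
        until = end_of_day(now)
        for key in (ip, network_of(ip)):
            if key not in self.white:
                self.black[key] = until

    def purge(self, now: datetime) -> None:
        """Listings expire at the end of the day and are deleted, so the list stays small."""
        self.black = {k: t for k, t in self.black.items() if t > now}
        self.hits = {k: n for k, n in self.hits.items()
                     if k[1] > now - timedelta(minutes=2)}

    def is_black(self, ip: str, now: datetime) -> bool:
        self.purge(now)
        return ip in self.black or network_of(ip) in self.black

    def handle(self, ip, path, user_agent, now, site="site-a"):
        """Decide one request: white listing first, then black listing, then
        the signs of abnormal behaviour that cause a new listing."""
        if self.is_white(ip):
            return ("ok", 200)
        if self.is_black(ip, now):
            return SILENT
        minute = (ip, now.replace(second=0, microsecond=0))
        self.hits[minute] = self.hits.get(minute, 0) + 1
        if (self.hits[minute] > RATE_LIMIT          # guessing at machine speed
                or site == "honeypot"               # nobody legitimate is sent there
                or "bot" in user_agent.lower()      # search engines are ignored
                or not VALID_PATH.match(path)):     # URL defect
            self.blacklist(ip, now)
            return SILENT
        return ("ok", 200)
```

Whatever the reason for the listing, the answer is the same empty 204, so nothing in the response tells the sender whether it was the malformed URL, the rate, or an earlier visit to a honeypot that got them listed; the listing itself lives only until `end_of_day`, after which `purge` drops it without any operator action.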
7. Business Message Service (BMS):
   1. Approved people have the right to create a support request that is monitored by the Request Fulfilment Manager and will be processed within the hour. The support team (and Eliza) have the ability to create an Owner request that is shown on the broker's dashboard.
   2. Where a customer tries to view an old quotation that has expired, the agent is shown in real time that the customer tried to view the old quotation and may welcome a message to see if they can help. The broker's message will identify the customer reference number and the quotation reference number, so this data can be reviewed in advance of communicating with the customer. For example, a more effective quotation may be prepared and offered while the customer is in a buying mode.
   3. An objective of BMS is to create a shared evidence trail that is encrypted, replicated and cannot be corrupted. Messages are not processed by one specific person (who may be on vacation); messages are processed by a role that is manned 24*7 by many people in many places. Messages are automatically escalated to an officer if they are not responded to according to the Service Level Agreement (SLA).
   4. A benefit of BMS is that a person cannot say they did not get the message - messages are shared and cannot be deleted. When a new request message is opened, the date and time are frozen and cannot be changed. When the request is closed, the date and time are frozen and cannot be changed. Many of the opportunities for confusion or dispute have been eliminated by sharing all messages with all applicable parties in real time.
   5. A broker can send a private and confidential message to a customer and the customer can reply, with everything replicated, encrypted and shared. Customer actions with a quotation can be reported to the broker so the broker knows the most appropriate time to communicate with a customer. Most important, the customer can accept a quotation online without delay at any time of the day or night from any location, just by clicking a button.
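The request trail of section 7, as an added example in Python that is not the service's own code: an append-only log whose entries (and so their opened and closed times) cannot be changed, automatic escalation to an officer once the one-hour SLA of 7.1 passes without a response, and a SHA-256 hash chain standing in for the replicated, encrypted trail so that any altered or removed entry is detected. The request references and message texts are constructed, and every class and method name is hypothetical.

```python
# Business Message Service request trail: added example, not the service's own
# code. Assumptions: an in-memory, append-only log; the one-hour SLA of 7.1;
# a SHA-256 hash chain standing in for the replicated, encrypted trail; names
# and request references are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import json

SLA = timedelta(hours=1)
GENESIS = "0" * 64


@dataclass(frozen=True)   # frozen: an entry, and so its date and time, cannot be changed
class Entry:
    seq: int
    when: datetime
    request: str     # request reference, e.g. the constructed "REQ-1"
    role: str        # customer | support | officer | system
    action: str      # open | reply | escalate | close
    text: str
    prev_hash: str   # hash of the previous entry: ties the trail together

    def hash(self) -> str:
        body = json.dumps([self.seq, self.when.isoformat(), self.request,
                           self.role, self.action, self.text, self.prev_hash])
        return hashlib.sha256(body.encode()).hexdigest()


class MessageService:
    def __init__(self):
        self.log = []   # shared by every party; entries are only ever appended

    def _append(self, when, request, role, action, text) -> Entry:
        prev = self.log[-1].hash() if self.log else GENESIS
        entry = Entry(len(self.log), when, request, role, action, text, prev)
        self.log.append(entry)
        return entry

    def open(self, when, request, role, text) -> Entry:
        return self._append(when, request, role, "open", text)

    def reply(self, when, request, role, text) -> Entry:
        return self._append(when, request, role, "reply", text)

    def close(self, when, request, role, text="") -> Entry:
        return self._append(when, request, role, "close", text)

    def entries(self, request) -> list:
        return [e for e in self.log if e.request == request]

    def opened_at(self, request) -> datetime:
        return self.entries(request)[0].when

    def closed_at(self, request):
        closes = [e.when for e in self.entries(request) if e.action == "close"]
        return closes[0] if closes else None

    def overdue(self, now) -> list:
        """Escalate, once, every request that nobody other than its opener has
        acted on within the SLA; returns the references escalated in this run."""
        escalated = []
        for ref in dict.fromkeys(e.request for e in self.log):
            es = self.entries(ref)
            opener = es[0].role
            answered = any(e.role != opener for e in es[1:])   # reply, close or escalation
            if not answered and now - es[0].when > SLA:
                self._append(now, ref, "system", "escalate",
                             "no response within SLA; referred to officer")
                escalated.append(ref)
        return escalated

    def verify(self) -> bool:
        """Recompute the hash chain; any altered or removed entry breaks it."""
        prev = GENESIS
        for seq, e in enumerate(self.log):
            if e.seq != seq or e.prev_hash != prev:
                return False
            prev = e.hash()
        return True
```

Because the escalation is itself an appended entry, `overdue` can be run from a scheduler as often as wanted and still escalates each request once; `verify` is the check a dispute would start with, since the opened and closed times it protects are the facts both parties will argue over.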
Document Control:
   1. Document Title: Customer Quotation Service.
   2. Reference: 161144.
   3. Keywords: Customer Quotation Service.
   4. Description: Customer Quotation Service.
   5. Privacy: Public education service as a benefit to humanity.
   6. Issued: 13 Oct 2017.
   7. Edition: 1.2.