Part of my consulting work is as an expert witness, working with lawyers as a forensic CRM analyst. These cases usually involve mergers, reseller agreements, and breaches of contract. But they may also involve wrongful termination, customer privacy issues, trademarks, and compliance issues. For an analyst who knows what they are doing, your CRM system holds a wealth of discoverable clues that can be turning points for lawsuits.
For any modern marketing and selling organisation, CRM is as essential as an accounting system. But most organisations don't realise the value and the scope of the data their CRM represents. You need to understand the policies and the best practices to keep your compliance and legal discovery issues to the absolute minimum. Get this on your agenda pronto.
Financial and Personal Data
At the top of everyone's list should be the customers' financial information. The best way to avoid PCI audits and headlines about credit card lists leaking to the internet is to not store that data in the CRM system in the first place. Although your customer service reps (CSR) may need to access that data, the CRM system should hold only pointers (external keys) to the system of record for credit card numbers, bank account numbers, payment history, etc. A good integration broker can bring that information over for real-time display purposes only -- this is where a browser UI and Web 2.0 mashups really shine. If you must cache some customer-sensitive information in the CRM system, truncating the fields ("last four digits of your social") is the least you can do: multiple obfuscation techniques should be used in tandem.
It's more than just those obvious financial data. In insurance and medical records, add HIPAA. For education and government markets, there's FERPA. Add your favourite acronym here - it all adds up to the need to protect your customers' (and in some cases employees') personal information.
And then there's Europe. US-based readers may not realise the European Community's personal information protection rules are much tighter than those out of Washington, and some member countries have even tighter privacy regulations than the EC. Even though these privacy laws are intended to protect the information of "natural persons" (consumers), if you sell B2B you have to be aware of the requirements with respect to your customer's European employees...and your own. EC Directive (95/46/EC Chapter IV) indicates that the personal information cannot be transported or processed outside of the EC unless the country it's being processed in has privacy laws at least as stringent as the EC. Lovely. The good news is, there are several ways to resolve this. But you'll definitely need to consult your attorney regarding compliance strategies.
Spammity-Spam, wonderful Spam!
As I mentioned recently, a CRM system practically runs on email addresses. You need to protect this valuable asset with DLP/ILP policies and products. You also need to make sure that unsubscribe requests are honoured -- and just having an "email opt out" flag on your CSR screen isn't enough. We invariably recommend that the email opt-out system (1) be fully integrated across your Web sites, email blaster, and marketing automation system and (2) corrupt email addresses so that they will bounce.
Now let's look at the other side of CRM email: the threads that the system receives for people, bugs, and transactions. You don't have to be Scooter Libby or Frank Quattrone to know that emails can be a discoverability nightmare. In product defect lawsuits, a key issue is "what did the vendor know, and when did they know it?" Your CRM's Solutions and Knowledge base areas are usually pretty safe territory. But if the system's Cases contains lots of inbound and outbound emails - which are a big plus for your customer support function - you need to have an iron-clad policy about email deletion (classically, within 6 months to a year after the closure of the Cases). However, don't play games: the policy needs to apply to all the emails, not just select ones you feel nervous about. Consult your attorneys.
Which brings us to the more general area of documents. Most CRM systems allow you to attach documents to contacts, cases, transactions, and nearly any other object in the system. This makes life a lot easier for your marketing, sales, support, finance, and operational areas. But it is uncontrolled (a user can put nearly any kind of file in the system) and typically unmonitored (other than for overall storage quotas). Because the CRM system presents the documents as attachments to its object model, rather than as a file system, you will need to develop specific reports and search methods just to discover what legally discoverable documents you have in the system.
For obvious governance reasons, you need to have a policy about this storage area. Start out with what kinds of content are allowed for each class of attachment, the document retention policy, and a specified purging schedule. Consult your attorneys. One idea we widely recommend is storing certain classes of document (eg, negotiation notes, draft proposals, bug fixes) in one of your own secured servers. There are several ways of presenting the needed information within the relevant customer/case/transaction record without actually storing it in the CRM system. This can be quite seamless in SaaS CRM systems, and there are some free and low-cost plug-ins that do this for Salesforce.com.
One Last Item
Most CRM systems keep a series of logs (including audit trails) which automatically purge after a year or so. The exact policy of what you want to archive on your own servers is up to you - but take my advice, have a written policy about this and have somebody responsible for enforcing it even-handedly. And make sure that the records of user log-ins is absolutely on your list. You'll thank me, come next law suit.
David Taber is the author of the new Prentice Hall book, "Salesforce.com Secrets of Success" and is the CEO of SalesLogistix, a certified Salesforce.com consultancy focused on business process improvement through use of CRM systems. SalesLogistix clients are in North America, Europe, Israel, and India, and David has over 25 years experience in high tech, including 10 years at the VP level or above.