Compliance vs Security: What's the difference?


24 Jul 2023

Contact center security and compliance are two important considerations for financial organizations operating call centers or other customer service centers.

While these terms are often used interchangeably, they actually refer to two distinct concepts that are important for insurance companies to understand.


Compliance refers to adherence to laws, regulations, and industry standards. For insurance sector contact centers, this includes (but is not limited to):

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): These state privacy laws are leading a growing trend in US privacy laws aimed at safeguarding consumers' privacy rights and personal information. CCPA, effective in 2020, grants consumers control over their personal data, allowing them to access, delete or opt out of the sale of their data. CPRA, enforceable from 2023, builds on CCPA by expanding data protection rights, creating the California Privacy Protection Agency and introducing stricter regulations. Both laws obligate businesses to disclose data practices, offer opt-out processes and implement security measures to protect consumer data.
  • General Data Protection Regulation (GDPR): This EU regulation governs data protection and privacy for all individuals within the EU and EEA. It requires companies to have appropriate measures in place to protect personal data and to obtain valid consent for data processing.
  • Payment Card Industry Data Security Standard (PCI DSS): This set of security standards applies to any company that accepts, processes, stores, or transmits credit card information. It requires companies to implement security measures to protect against credit card fraud.
  • Gramm-Leach-Bliley Act (GLBA): This UK regulation applies to companies that provide publicly available electronic communications services. It requires companies to protect personal data and obtain valid consent for data processing.
  • NAIC's Model Security Law: The National Association of Insurance Commissioners (NAIC) currently has two model laws that deal with consumer data privacy: the Insurance Information and Privacy Protection Model Act (#670) and the Privacy of Consumer Financial and Health Information Regulation (#672). These provide cybersecurity guidelines for insurance companies to protect consumer data. The model laws outline data security standards, breach notification requirements and procedures for safeguarding information. They aim to enhance resilience against cyber threats and ensure the confidentiality and integrity of customer data.
  • Health Insurance Portability and Accountability Act: HIPAA is a set of regulations that safeguard protected health information (PHI). It applies to healthcare providers and any organization that handles PHI, ensuring confidentiality, integrity and availability. HIPAA mandates privacy practices, security measures and breach notification protocols to protect patients' sensitive health information.
  • State laws like New York SHIELD: SHIELD stands for Stop Hacks and Improve Electronic Data Security. It requires businesses to implement safeguards for sensitive personal information, with the aim of enhancing data security and protecting consumers from data breaches. Companies are required to develop and maintain data security programs to ensure the confidentiality and integrity of sensitive information.
  • The Federal Trade Commission Act of 1914: This US federal law promotes fair competition and protects consumers from deceptive and unfair business practices. It also established the FTC as the authority that investigates and takes legal action against companies engaging in anticompetitive behavior or deceptive advertising and sales tactics.
  • Sarbanes-Oxley Act (SOX): A set of federal regulations established to enhance corporate transparency by mandating practices that corporations must maintain for financial record keeping and reporting.

These are some of the main compliance regulations a financial services contact center would need to adhere to. It is important for the company to have a clear understanding of the regulations and to ensure that they have the necessary policies, procedures, and controls in place to comply with them.


Contact center security refers to the measures put in place to protect against unauthorized access to sensitive information and systems. This includes things like:

  1. Humanized procedures
    • If staff don’t understand the “why”, they’ll never stick to the procedures.
    • People should really understand how and why your security policies and procedures protect them, their job, the organization and their customers.
  2. Strong Authentication
    • All access within your organization must be strongly authenticated and fully auditable, enabling you to know who or what is accessing your systems.
  3. Creating a culture of security
    • Make sure that your agents aren’t worried they will lose their jobs if they make a simple mistake such as clicking a link they shouldn’t click on.
    • Make people feel comfortable raising a red flag if they’ve seen behavior that could compromise the security of your contact center.
  4. Minimizing sensitive data
    • You can’t lose the data that was never collected in the first place. If you want your contact center agents to be able to take payments, there’s no reason they have to access, see or store payment data, whatever their working environment.
    • Technologies such as Eckoh’s CallGuard enable agents to take a payment while preventing sensitive payment and card data from ever being seen or stored in the contact center and call recordings, without any disruption to the customer’s experience.
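The data minimization point above (card data never reaching agents, recordings or logs) is normally backed by a detective control: scanning call transcripts and application logs for anything that looks like a card number, so that a gap in the payment flow is caught before it becomes a PCI DSS scope problem. The following is an added example, not the article's or Eckoh's code: it flags only Luhn-valid 13 to 19 digit sequences (so policy or reference numbers are not misreported) and masks all but the last four digits. The transcript lines are constructed test data.

```python
import re

# Constructed sample transcript lines (not real customer data). The second
# line is a 16-digit policy number that fails the Luhn check and must not be
# flagged; the card numbers are standard industry test numbers.
SAMPLE_TRANSCRIPT = [
    "Agent: Thanks, can I take the card number? Customer: 4111 1111 1111 1111",
    "Customer: my policy number is 1234-5678-9012-3456",
    "Agent: expiry 09/27, thank you, that's all I need",
    "Agent: your reference is 5555555555554444, sorry, I mean the card",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the form PCI DSS allows for display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line: str):
    """Return (redacted_line, number_of_PANs_found) for one transcript line."""
    found = 0

    def repl(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found += 1
            return mask_pan(digits)
        return match.group(0)    # not a card number: leave untouched

    return CANDIDATE.sub(repl, line), found


def scan_transcript(lines):
    """Redact every line; the count tells you whether card data leaked at all."""
    redacted, total = [], 0
    for line in lines:
        clean, n = redact_line(line)
        redacted.append(clean)
        total += n
    return redacted, total
```

A non-zero count on a recording or log store is the signal that the payment capture control is not keeping card data out of the environment, regardless of how many lines are redacted after the fact.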

It is critical for insurance companies to have strong security measures in place to secure the personal and financial information of their customers and to protect against cyber threats.

Getting the best from contact center compliance and security

It is important for insurance companies to understand the difference between contact center security and compliance, as they are two separate but interconnected considerations. Strong security measures are essential for protecting customer information and maintaining trust, while compliance is necessary to avoid legal and regulatory consequences. By understanding and prioritizing both security and compliance, insurance companies can ensure the safety and integrity of their contact centers.