Perfectionism in this kind of issue doesn't pay. What are the alternatives? Instead of trying to preventing access, you can monitor access and create reports that alert management to abusers within each organization. You can have HR put more specific data security guidelines into the personnel handbook, and make it clear that violations will be punished.
Preventing Data Leaks
As I wrote a while ago, information leak detection and data loss prevention are hot topics. Of course you want to keep your servers secured in every way, and the leading cloud vendors do a great job of protecting your data. The real data leak problem is at the end points: laptops, iPads, and smart phones that store tremendous amounts of information.
While there are solutions available to really lock down windows laptops, they almost inevitably involve special device drivers or kernel patches that can mean trouble over time. To really do the job, you'd also want to add encryption for all files to keep data from prying eyes. At least one of these solutions that explicitly works with CRM applications, but I know of nothing that works with Macs or Linux laptops.
Unfortunately, for most organizations there just isn't a solution here, other than limiting the amount of data stored on the endpoint. Security zealots will say that clumsy ILP/DLP solutions are "better than doing nothing," but the reality may be more like "the cure is worse than the disease."
Reports that Walk
Although the law may be fuzzy about whether a salesperson's address book is his property or the company's, the law couldn't be clearer about the company's leads, contacts, deal history, and account list. Yet reps walk out the door with these all the time.
In most CRM systems, report access is basically "all or nothing." Unfortunately, management often wants the reps to be able to run ad-hoc reports to do their job while simultaneously wanting to prevent wholesale data theft.
Instead of trying to enforce a complex web of policies, it's easier to do the following:
• Make sure that the reps do not have API or Web service access to the system. The smart ones will be able to pull stuff out through Excel.
• Turn off report export privileges, if your CRM system supports this.
• Turn off their access to reporting, at least for ad-hoc stuff. If your system allows you to give reps access to canned reports only, terrific.
• Give them access to reports only through an internet "jump" page that limits which reports they see and monitors who's using what. Provide alerts to managers about employees who suddenly become excessive report users: this is often a "tell" for an employee about to leave.