Commentary & Analysis
How Secure is Your Mail Operation? Are You Sure?
By Noel Ward
By WhatTheyThink Staff
Published: May 8, 2006
By Noel Ward, Executive Editor, On Demand Journal

May 8, 2006 -- The bad guys are out there and they want your data. Your customers' data. Everyone's data. It seems like every week--if not more often--we see or hear more news about the loss or theft of sensitive personal information belonging to customers of all types of business, financial, government, and educational institutions. For consumers and businesses alike, information security is a top business concern. Transactional and direct mail printers, or anyone producing variable data documents, have to make this priority one.

Another Day at the Breach

The Privacy Rights Clearinghouse has compiled a list of more than 150 data breaches involving over 54 million people (http://www.privacyrights.org/ar/ChronDataBreaches.htm) in just 15 months. Some 23 states have passed laws requiring the notification of affected consumers whenever a security breach occurs, and Congress is considering several bills that would mandate notifications nationwide. That's a fine move, but understand this: By expanding the requirements for proper protection of personal information, the government is holding your business accountable for the secure storage and transmission of your customers' information. It's safe to say that your SLAs might be getting a little more detailed.

The Health Insurance Portability and Accountability Act (HIPAA) is perhaps the most well known federal effort to, in part, ensure the security of individual medical records. The Act requires medical service providers and insurers to inform patients about how their health information is used and shared. In general, a person's health information cannot be disseminated unless the person specifically gives permission.
Similarly, the Gramm-Leach-Bliley Act requires clear disclosure by all financial institutions of their privacy policies regarding sharing non-public personal information with their affiliates and third parties. The Act further requires a notice to consumers and an opportunity to "opt-out" of sharing of non-public personal information. This is one of the reasons every bank, brokerage firm, mutual fund, insurance, and credit card company you deal with is sending you notices about how they handle your private information.

Why Worry About Hackers? There's Always Employees!

While computer hacking attracts attention, not all security breaches occur via the Internet. In March 2005, the secure storage firm Iron Mountain lost computer tapes containing information on 600,000 current and former Time-Warner Inc. employees. As a follow-up, the company lost tapes that contained thousands of City National Bank customers' Social Security numbers, account numbers and other information. And just last month, an Iron Mountain driver lost a container with the names, addresses, Social Security numbers and salary information for virtually everyone who has ever worked for the Long Island Rail Road, along with data tapes belonging to another company. Not to single out Iron Mountain; other "lost tape" incidents involved Ameritrade, Bank of America, Citigroup and Wilcox Memorial Hospital. Doesn't that just make you feel real secure?

The point is that personal information is falling into the hands of the wrong people as a result of "accidents" or "human error." Recently, an employee of Progressive Casualty Insurance Co. accessed information on foreclosure properties she was interested in buying. The employee reportedly took confidential information including names, Social Security numbers, birth dates and property addresses.
No hacking was involved because the employee--who has since been terminated for breaching the company's Code of Ethics--had ready, but unauthorized, access to the information.

Clearly, there are many ways your customers' information can fall into the wrong hands. While technology can tighten the security of your applications, many elements still enable or require human intervention. You have probably tightened security surrounding the applications that generate confidential information, but have you given secure document printing and mailing more than a cursory nod? What are you doing to protect your mailings from "human error?"

Closing the Loop on Print and Mail

Your company may already have secure IT document production applications in place with systems and controls to detect and prevent hacking. Your data is likely encrypted before it is presented to the customer or an authorized user via the Internet. Equally important, you hold other firms you partner with to the same high standards you set for your company. You may even audit their performance on a regular (and possibly unannounced) basis.

But the fact is, most operations enable anyone to see printed documents containing confidential information. Printing and inserting takes place out in the open where prying eyes can see information they probably shouldn't. We obviously have to trust employees and may even have them sign confidentiality or non-disclosure agreements, but, as Progressive Insurance found, those contracts won't stop an employee intent on wrongly using someone's confidential information. That's at the people level.

Now what of the machines on the shop floor? Too often manual and machine inserting processes don't ensure the contents intended for an envelope are the only documents in the envelope.
Legacy applications and older equipment typically do not employ quality assurance tools such as 2D barcodes and machine vision systems to detect errors as they occur.

For instance, do you know for a fact the data sent to your printers was the data they output? Were paper jams properly cleared and sheets reprinted without duplicates getting into the delivery tray? Conversely, are sheets missing? Were the damaged sheets shredded, or just tossed into a recycle bin?

Do you know whether the sheets run through your mail inserters match the data sent to the printers? And that each and every one of the envelopes contained only the information for that specific recipient? Can you prove the mail was inserted correctly days or weeks later? How do you know? How comprehensive is your verification process? Would you bet your business on it? You are, you know.

If you don't know the answer to any of these questions for certain, begin by incorporating machine and human readable copy that identifies each sheet and the mail piece it is associated with in the document. For instance, checks sent in 2-window envelopes should have a unique sequence number that shows through the envelope's return window. When the machine count does not match the job count, this technique enables the inserter and sorter operator crews to quickly fan through the mail to find "double stuffs."

Taking this idea one step further, add a 2D barcode or a machine-readable font to each page so an inserter equipped with cameras can track each sheet right into the envelope. A code that is readable from outside the envelope will then enable you to know exactly when the piece was mailed. Since your systems know what went into the envelope, you can easily research customer claims that they received someone else's information.

To be sure, this technology costs money. But without it, customers may move jobs to your competitors.
In many cases, companies are specifically asking for these types of security measures in RFPs. Not having them can eliminate your firm from the get-go.

The use of human readable copy is particularly critical when the job is manually inserted. Human error inevitably intervenes, resulting in potential security breaches when sheets are mixed. Minimize the possibility of a mis-mailing with thorough quality assurance checks and double checks or, ideally, intelligent inserting by machine.

Bowe Bell+Howell, Gunther International, IBM, Océ, Pitney Bowes and other suppliers provide hardware and software solutions that help ensure document integrity including:

* Individual sheet and mail piece tracking from "host to post"
* Machine vision systems for printers and inserters

Still, technology alone will not prevent security breaches. Your staff must be trained for and dedicated to accurate production. Design your document production process to minimize the opportunity for mistakes:

* Create alternative mail piece designs such as self-mailers to eliminate the need for multiple-page documents.
* Place human- and machine-readable characters or codes into the document.
* Implement thorough and uncompromising quality assurance practices.
* Provide extensive staff training and retraining on the importance of mail piece integrity and how to achieve it.
* Demonstrate senior management support for 100 percent document integrity as well as the necessary training and capital investments.

A well-designed process will minimize the chance of failure, track actual performance and demonstrate adherence to privacy laws.

As an individual, you want to know the companies that you do business with treat your personal information with the utmost confidentiality and security.
As a document professional, the integrity of your printing and mailing operation enables you to distinguish your company as a trustworthy one that treats every customer's confidential information as if it was its own.
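
The sheet-level tracking described under "Closing the Loop on Print and Mail" comes down to reconciling what the job manifest says should be mailed against what the inserter cameras actually saw go into each envelope. The Python example below is added here for illustration and is not from the article or any inserter vendor; the sheet code layout, the function name `reconcile`, the job id `J42` and all sample data are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed sheet code layout (hypothetical): <job>-<piece>-<page>of<total>
CODE = re.compile(r"^(\w+)-(\d{6})-(\d+)of(\d+)$")
KINDS = ("unreadable", "foreign", "duplicate", "missing", "mixed")

def reconcile(job, manifest, scans):
    """manifest: {piece_id: page_count}; scans: [(envelope_no, sheet_code)]."""
    seen = defaultdict(list)      # (piece, page) -> envelopes it was scanned into
    envelopes = defaultdict(set)  # envelope -> piece ids found inside
    out = {k: [] for k in KINDS}
    for env, code in scans:
        m = CODE.match(code)
        if not m:                 # camera could not decode the mark
            out["unreadable"].append((env, code))
            continue
        j, piece, page, total = m[1], m[2], int(m[3]), int(m[4])
        if j != job or manifest.get(piece) != total or not 1 <= page <= total:
            out["foreign"].append((env, code))   # sheet not part of this job
            continue
        seen[(piece, page)].append(env)
        envelopes[env].add(piece)
    for piece, pages in sorted(manifest.items()):
        for page in range(1, pages + 1):
            envs = seen.get((piece, page), [])
            if not envs:
                out["missing"].append((piece, page))
            elif len(envs) > 1:   # e.g. a jam reprint and the original both inserted
                out["duplicate"].append((piece, page, envs))
    # An envelope holding sheets of more than one piece is a "double stuff".
    out["mixed"] = sorted((e, sorted(p)) for e, p in envelopes.items() if len(p) > 1)
    out["clean"] = not any(out[k] for k in KINDS)
    return out

# Constructed sample data, not taken from any real job.
MANIFEST = {"000101": 2, "000102": 1, "000103": 2}
SCANS = [(1, "J42-000101-1of2"), (1, "J42-000101-2of2"),
         (2, "J42-000102-1of1"), (2, "J42-000103-1of2"),  # double stuff
         (3, "J42-000103-1of2"),                           # same sheet again
         (3, "J42-0001O3-2of2")]                           # misread: letter O

if __name__ == "__main__":
    for kind, items in reconcile("J42", MANIFEST, SCANS).items():
        print(kind, items)
```

Keeping the per-envelope scan records after the job closes is what lets you answer, days or weeks later, a claim that a recipient received someone else's pages.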