Preventing Statement Print and Mail Data Leaks in 7 Simple Steps

July 29, 2013 Brian Watson

Keeping your customers’ sensitive information under lock-and-key isn’t getting any easier.  According to the 2012 Data Breach QuickView report, data loss security incidents reached a record high last year, more than doubling the previous high.

Media coverage of these kinds of security events tends to center on the hackers and the crackers: groups of black-hat techies that congregate in the dark corners of the web and emerge en masse to carry out large-scale password and data hacks.

A small army of Lisbeth Salanders -- subsisting on Red Bull, cigarettes, and takeout -- that would like nothing better than to grab and share your password info with black marketers the world over?  It’s pretty easy to see why that story sells.

But it’s only part of the truth.

Just as often, it’s the data security policies that you implement that leave your company vulnerable to leaks, the employees that you trust that unknowingly put you at risk, and the partners that you rely on that expose you to high costs and considerable embarrassment.

Take a hypothetical case involving a theoretical outsource statement processing vendor.  Let's say some of the files you uploaded were improperly stored on an employee’s laptop.  That mistake was compounded when the device was taken off the premises, finally escalating into a full-fledged incident when it was stolen from the backseat of the employee's car and the customer records were sold to identity thieves.

Your statement print and mail partner made the mistake, but you get to share in the embarrassment when the leak goes viral.  That’s why it’s so important that your statement vendor not only has a hands-on approach to data security, but is also completely transparent -- providing site visits, security policy manuals, audit results; whatever you need to achieve the peace-of-mind to rest easy.

What are some statement print and mail security areas you should be paying close attention to during your vendor security due diligence?

1). Production Oversight

Data breaches don’t have to be large-scale to have far-reaching consequences.  Something as seemingly benign as inserting two different statements into a single envelope could accidentally expose patient data, leading to a damaging HIPAA violation.

To protect against costly “double-stuff” errors, many processors now use automated piece-count technology that can cross reference actual statement output against the number of records contained in the source data file to ensure no statements are omitted, inserted incorrectly, or otherwise defective. 

Others add an additional layer of oversight -- printing scannable 2D barcodes on each statement that are read by digital cameras mounted on statement insertion equipment.  If a statement is not in the right order or otherwise problematic, software automatically halts the job production until the issue is corrected.
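The piece-count and barcode checks described above can be pictured as one reconciliation pass over the inserter's scan log. The following is an added illustration, not any vendor's software; the function name, record IDs, and the assumption that each sheet's barcode carries a record ID and the camera log supplies an envelope number are all hypothetical.

```python
from collections import defaultdict

# Constructed sample data: record IDs in source-file order, and camera reads
# at the inserter as (envelope number, record ID), one read per sheet.
SOURCE = ["A001", "A002", "A003", "A004", "A005"]
SCANS = [(1, "A001"), (1, "A001"),   # two-page statement, one envelope
         (2, "A002"), (2, "A003"),   # two different records in one envelope
         (3, "A004")]                # A005 never reached the inserter

def reconcile(source_ids, scans):
    """Compare inserter scans with the source file; flag anything that should stop the job."""
    position = {rid: i for i, rid in enumerate(source_ids)}
    envelopes = defaultdict(set)   # envelope -> distinct record IDs inside it
    seen_in = defaultdict(set)     # record ID -> envelopes it was found in
    out_of_order, last_pos = [], -1
    for envelope, rid in scans:
        envelopes[envelope].add(rid)
        seen_in[rid].add(envelope)
        pos = position.get(rid)
        if pos is None:
            continue               # reported under "unexpected" below
        if pos < last_pos:
            out_of_order.append(rid)
        last_pos = max(last_pos, pos)
    findings = {
        "missing": [r for r in source_ids if r not in seen_in],
        "unexpected": sorted(r for r in seen_in if r not in position),
        "duplicated": sorted(r for r, e in seen_in.items() if len(e) > 1),
        "double_stuffed": sorted(e for e, r in envelopes.items() if len(r) > 1),
        "out_of_order": out_of_order,
    }
    count_ok = len(envelopes) == len(source_ids)
    findings["expected_pieces"] = len(source_ids)
    findings["actual_pieces"] = len(envelopes)
    findings["halt"] = not count_ok or any(
        findings[k] for k in ("missing", "unexpected", "duplicated",
                              "double_stuffed", "out_of_order"))
    return findings

if __name__ == "__main__":
    for key, value in reconcile(SOURCE, SCANS).items():
        print(f"{key}: {value}")
```

A piece count alone would miss a job where the totals match but two records swapped envelopes, which is why the per-envelope and sequence checks run alongside it.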

2). Facility Security

When it comes to statement print and mail production, site security is absolutely critical.  Consider: at nearly any hour of the day, your vendor’s facility is host to a veritable treasure-trove of sensitive customer financial and medical information, including data files, printed statements, and address information.

Taken together, it’s hard to overstate the significance of physical site security.  While much of the data security focus these days is on network, application, and device protection (and rightfully so), there’s still room for ample emphasis on facility security as well.

Talk to your statement processing company about their building security standards.  They should have a written plan on file.  Check to see if it provides:

• Exterior security through a card, touchpad, or biometric access system

• Facility monitoring through external cameras or security guards

• A system to authorize and control visitor, customer, or contractor access to the building

• Production spaces built to provide ample camera and human oversight of employees

• Secure boundaries to areas where customer data is stored (e.g. servers) or processed (the production floor)

3). Pre-Employment Checks

As much as we’d like to assume that all the bad guys are lurking “out there” beyond our safe and sound perimeter, the truth is that sometimes employees represent the greatest threat to data security.  It’s a mistake to assume that every person hired has the same integrity or respect for a business and its customers. 

That’s why it’s important that your statement processing partner conduct detailed pre-employment criminal, work history, and drug screenings to help red flag potentially problematic candidates.  All prospective employees should also be advised of their data protection responsibilities and asked to sign a Confidentiality or Non-Disclosure agreement before employment.

4). Employee Training

Although internal data theft is a risk, a far more likely cause of a data breach is improper employee conduct. 

For example, Cisco’s Data Leakage Worldwide study discovered that 70% of IT professionals believe that employee use of unauthorized programs led to as many as half of their companies’ data loss incidents.  Similarly troubling, 39% have had to deal with improper employee access of parts of their network or facility.

To combat that issue, your print and mail vendor should have a clear, well-defined policy (in writing) for educating and managing employees on issues like roles, rights and responsibilities, password setup/use, network access, computer and application use, prohibited activities, and remote worker security.  It should also have plans for new employee training and continuing education -- policies that you can freely access and review when needed.

5). Statement Shredding

Dumpster-divers -- though repugnant -- are really good at what they do.  As a result, a surprising number of breaches can be traced back to thieves with the time and patience to pick through a company’s trash for sensitive information. 

You may not consider that a major issue for your statement processing partner.  After all, their job description is print and mail, not print and store.  But between last-minute statement suppressions and bad address bounce-backs (for providers that also handle return mail management), they can be tasked with disposing of a lot more financial records than you might think.

Most statement processing companies don’t take any chances.  Today, shredding best-practice (yes, there is such a thing) involves implementing a shred-all policy.  Shred-all doesn’t ask production employees to make a decision as to what should be shredded, simply because everything is -- quickly and compliantly by a professional document disposal company. 

That also goes beyond documents, covering everything else that might contain sensitive information – from CDs and DVDs to storage devices and old computer equipment.

6). File Deletion

Thieves can’t steal what doesn’t exist.  That simple logic can prevent all types of breaches.  It’s also why file deletion is at the core of any really good statement print and mail security plan.  So make sure your statement processing partner can provide you with nitty-gritty details of its record disposal policy, including: 

• How long records are stored before they are deleted

• Where data is stored

• How data is encrypted and servers are protected

• How data is purged

• Which employee roles have access to the information and why

There are valid reasons for storing customer records for a prolonged period after processing.  Providing customers with the ability to access statement history online as part of an e-payment application is one contemporary motivation.

However, as a general rule of thumb you should shoot for as much data minimization as possible.  For statement processing companies, that means reducing the number of places where data is stored, limiting the number of people who have access to the data, and immediately disposing of it in a responsible way when it’s no longer needed.

7). Network Security

Exchange of customer information plays a major role in outsource statement processing.  On one side of the equation, you routinely pass sensitive data to your print and mail vendor that will be used to prepare, print, and deliver statements to end-level customers.

In exchange, many providers pass back processed data – in the form of specialized revenue cycle reports or online access to pre-production statement files and individual customer statements.

The finer points of system and network management could probably fill another blog post (if not several).  Suffice it to say, it’s a really smart play to have your internal IT staff review your partner’s virtual security policies, paying special attention to capabilities like:

• Robust, periodically tested firewalls that are used to secure access from external sources

• A multi-tiered network security system that uses anti-virus and network access control to protect all devices and servers

• Intrusion detection software that detects any potential hacking attempts or activities

• Encryption of information and hardware/devices

• Secure, encrypted file transfer system 

What are the security must-haves that you demand from your outsource statement processing vendor?
