Why should we focus on the privacy of recipient information in transaction document production? We do so because the people who pay to have it produced are very worried about it. Many have been put through the wringer by government agencies and standards groups for privacy weaknesses in data storage and online transactions, and these same individuals are anxious not to go through the same with their correspondence. They are not just worried about privacy breaches but also about notice and consent.
There are now numerous bodies that perform audits to ensure that consumer financial and medical information is highly secure. The rules they enforce include Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Gramm—Leach—Bliley Act (GLB), Fair Credit Reporting Act (FCRA), Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the European Union E-Privacy Directive.
The fines and civil settlement can be enormous; TJ Max has reserved $200 million to cover damages associated with the 40 million cards that were compromised. For HIPAA violations, a hospital was recently fined one million dollars and a Maryland healthcare provider fined $4.3 million.
We don't have much that's sensitive. This is not true! Customer statement runs contain enormous amounts of financially and even medically sensitive information. As one government intelligence-gathering agency once said,
"Transaction document print files are like data syrup. Someone has gone to a great deal of trouble removing all of the irrelevant or trivial information, boiling it down to what really is important. What would take millions of highly suspicious queries into a secure database has already been removed and is sitting in a few files on a minimally secured server in a print shop."
"Compared to the data security fortress in a corporate IT environment, the protection around transaction documents, and the information that creates them, can look like a chain-link fence."
The issues associated with client privacy are complex. Management and key technical specialists need to understand the guidelines and principals that surround it. Here are some of the key areas that management must understand.
We should consider anything that is produced and mailed from a company's financial system as something that will likely have sensitive client information. For example, a customer's bank statement might contain information about electronic payments or deposits; a letter from a health provider might contain information about a client's medical condition; or a telecommunications bill has a list of all the calls to and from the client. In some cases, the significance of information in the customer database is not clear until it is extracted and applied against a letter or notice (e.g., the client's mortgage is 90 days overdue), making it an easier target, or until after information from multiple databases is pulled together to drive statement creation or marketing and compliance messaging.
The documents we produce include the printed and mailed document, as well as electronically presented (e.g., PDFs in emails) and the copy-of-record that we may either transmit to the mailer or archive for them. Auditors have become increasingly interested in the latter two.
There are numerous places, within the transaction document workflow, where villains can capture sensitive customer information. To have robust security, you must first identify all of these places and then implement appropriate policies and technology to protect them against incursion. You should also remember that the theft could be from outsiders, employees or supplier personnel. It may even be by foreign government-sponsored cyber criminals or by "hacktivists."
You need policies to identify which personnel can have access to either the client information or to the technology in which it can be found. You need to choose technologies that ensure that these policies are followed.
There are two key things associated with data that you need to focus on: data in motion and data at rest. With data in motion, ask yourself, "How does the data travel from one step in the process to the next (even when moving from one sub-step to the next)?" Think of this as secure data transmission, although the transmission may only be from one part of the computer or printer to another part. When it comes to data at rest, ask, "Where does the data reside or rest as it is processed at each step in the workflow?" Think of this as secured storage, and be sensitive to what software and hardware you need in place. What artifacts have been left behind? How do you remove them? How do you know they have been removed?
That's not all
Every mechanical device emits electronic noise. I am sure some remember the old impact line printer that could, when printing the right sequence of characters, play Christmas carols or movie themes. Although laser and inkjet printers are nowhere near as talented, they still emit noise. With the right audio surveillance equipment, a villain could decipher client information as you print it; sounds wild, but it's true. How do you mitigate this exposure?
Security experts have pet technologies they like to use that could actually be quite disruptive to the efficiency and fidelity of our workflow. Tokenization is a great example of this. Highly sensitive data is substituted with placeholder "tokens." The tokens are swapped with real data at the very last step of processing (in the RIP). This solution is not very practical for the production printing workflow. How do you explain this to privacy "experts?"
When a job has to be scrapped after it has been printed, where does the printout go? How and where is it destroyed? Do you think that privacy specialists even think to ask?
Although rare, occasionally a recipient of transaction mail will receive someone else's information. There are a few key steps in the workflow where this is likely to happen, and an ounce of prevention is worth a pound of cure. Other operational issues, such as using the wrong letterhead, envelopes or inserts, do not result in a security violation. However, they certainly could cause a great deal of embarrassment, loss of business or even an article in a newspaper. There are new technologies on the market that can all but eliminate this exposure.
We listed a number of countries' privacy legislation. You probably thought that your national regulations are the only ones that apply to you. However, that isn't the case. If any of the documents you produce are addressed to a recipient in another country, you could be subject to the laws of the recipient, as well as the laws of the sender (and potentially even the laws of the producer, if the producer is in a different country than the sender or recipient). Depending on the jurisdiction (i.e., the US, CDA or EU), the laws surrounding the data exposure can vary. From a US perspective, they vary from state to state.
Gone are the days when a print file could be sent from the mailer to the producer on tape or DVD via courier. We need to be accountable for privacy at every step of the way. If we aren't, we could expose consumers to identity theft, expose the mailer to major fines and civil penalties and lose client contracts at mail producers.
WILLIAM BRODDY is president and co-founder of acadami, the preeminent transaction document education development and delivery. He has been supporting mail-owners, producers and suppliers for over 30 years. Mr. Broddy is one of the nine Master Electronic Document Professionals worldwide. For more, email firstname.lastname@example.org.
KEVIN LANTAFF is director of acadami USA. He has been heavily involved with transaction document, direct mail and POD solutions and technologies for over 30 years. Mr. Lantaff achieved his Electronic Document Professional accreditation in 2011. For more, email email@example.com.
acadami's Privacy in Transaction Document Production course trains industry professionals on the management issues associated with consumer privacy. For more information, please go to www.acadami.org.