Cybersecurity and Compliance for the Print Mail Industry

Faith Kubicki April 20, 2020

In a digital world, the print mail industry is changing rapidly, and many printers are making necessary adjustments to keep pace. By introducing new services, entering new markets, and responding to changing expectations, print mail organizations are finding ways to increase revenues while complementing the shift to electronic communications.

Privacy and Security Have Become More Important

Companies have long sent confidential communications by mail. Even with the introduction of electronic statements, online billing, and other email-based communications, many organizations still deliver printed documents to their customers – and this is unlikely to change. What has changed are the expectations surrounding the privacy and security of these sensitive communications.

As consumers become more aware of their privacy rights, they have come to expect increased protections from organizations, such as healthcare providers and banks, that have access to their personally identifiable information. In turn, these organizations are requiring stronger security controls from their own service providers. It’s no longer enough for a print mail vendor to say that their operations are secure. To earn new business (and retain business), they are often required to prove it.

A Real-World Application

The Health Insurance Portability and Accountability Act (HIPAA) holds healthcare providers responsible for the secure handling of their patients’ data. If a healthcare provider outsources work to a print and letter mailing service and the printer is breached, the healthcare provider could be held partially responsible for the exposure of the data. As a result, printers are being asked to provide higher levels of assurance that they have implemented appropriate privacy and security controls.

Managing Demand for Multiple Compliance Initiatives

Most print mailers serve multiple industries, and each of these industries may have different requirements when it comes to cybersecurity and compliance. To earn a hospital’s business, a printer may need to demonstrate compliance with HIPAA or the HITRUST CSF®. A financial services organization may ask to see a printer’s SOC report, while government agencies may request proof of compliance with the NIST CSF. Other standards that apply to the print mail industry include PCI-DSS, ISO 27001, and GDPR.

Managing these requests – especially with limited resources – is one of the major compliance challenges facing the print mail industry. While many companies are willing to invest in security to strategically position themselves in a new market, it can be costly to complete every single assessment that a client requests. Additionally, the process of collecting documentation, completing on-site interviews, and going through the formal audit process can be time-consuming – especially when done separately for each assessment.

To reduce the cost of compliance, print mail organizations can complete several initiatives at the same time. Many security frameworks cover similar areas, which means that well-designed policies and practices can cover most requirements across the board. When the same evidence is used to satisfy multiple audit requirements, the process becomes faster and more efficient.

Prioritizing Compliance Initiatives by Their Impact

Any compliance assessment – whether integrated or stand-alone – requires a solid business case and stakeholder buy-in. In the print mail industry, demand is often driven by clients. A vendor may be asked to complete an audit to secure a high-dollar contract, or they may proactively choose to do so to position themselves as a leader in a heavily regulated, competitive industry. Printers that are looking to gain market share in the healthcare, finance, credit, or legal industries, for instance, may be able to leverage their compliance to earn a new source of revenue.

Making Sense of Cybersecurity and Compliance Without a CISO

Another challenge is expertise. A Chief Information Security Officer, Data Protection Officer, or Audit Manager can make compliance initiatives much easier, but many small and mid-size printers (and even some full-service mail houses) do not have an internal compliance team.

To gain essential insights, direct mail organizations can leverage the expertise of an independent third party. An external assessor can work with a company’s internal teams, including IT, HR, and Operations, and provide tailored guidance on everything from surveillance and intrusion detection systems to data encryption methodologies. Printers can learn how their security posture measures up to that of their competitors, while finding new ways to use best practices to their advantage.

Need Help Navigating Compliance Frameworks for the Print Mail Industry? 360 Advanced Can Help.

With more than 10 years of experience in the print mail industry, 360 Advanced can help you adapt to changing requirements and consumer expectations. Our team of friendly, non-traditional auditors can help you determine which cybersecurity and compliance initiatives can have the greatest impact on your business, then guide you through the process.

To learn more about our cybersecurity and compliance services for the print mail industry, contact us today.