In 2013, there were 619 known data breaches in the U.S., often happening in business, education, healthcare, and government, with nearly 58 million personal or financial records being exposed or stolen, according to the nonprofit Identity Theft Resource Center. Cyber-attacks are so rampant and sophisticated these days that some in government, law enforcement, data security and IT agree that they cannot be avoided.
While most third party hosts managing sensitive personal data for their clients focus on serving one or perhaps two business verticals, in the printing/mail industry, the major houses may service –and therefore provide massive data storage for–numerous clients in a myriad of business verticals.
One such industry leading firm is United Mail, which serves more than 1,000 clients in a host of businesses and industries through its operations in Cincinnati, OH, and Louisville, KY.
“Our challenge was to come up with a program to provide data security for the many different industries that we provide services for,” commented Connie Burns, Vice President of Research and Development and Acting Compliance Officer for United Mail. “What we developed is a security program that complies with the different regulations out there in which we treat all clients the same. We set a very high bar of data security compliance for all clients, regardless of business or industry. We don’t treat a financial client any differently than we do, say, a healthcare insured client, a non-profit or a marketing firm.”
United’s core client is in the healthcare insured vertical, so the firm must adhere to strict standards of the Health Insurance Portability and Accountability Act (HIPAA). The second largest client sector is the financial services industry.
[column span=”2″ class=”text-center margin-top-20″][icon type=”file” class=”accent” size=”5x”][/column]
“The SOC 2 report is most useful for service organizations whose clients do not necessarily rely on the reported controls for financial reporting purposes, but depend on their service organization’s ability to maintain a controlled environment”
United’s data security procedures were examined by third-party assurance/compliance firm [company_long] a national, multi-service, licensed Certified Public Accountant (CPA) and Qualified Security Assessor (QSA) firm that specializes in integrated compliance solutions for service providers related to internal controls, security, confidentiality, privacy, processing integrity, and availability and other elements critical to information surety. The results of United’s examination identified no relevant exceptions, according to Eric Ratcliffe, an executive at 360 Advanced.
One of the levels of compliance United achieved was the SOC2 Type 1 followed by a Type 2, which is a Service Organization Control report that Ratcliffe recommends for all major print/mail operations. SOC 2 is an attestation report issued by an independent CPA firm that provides expert opinion on the design or operating effectiveness of a service organization’s controls and whether one or more of the following five (5) defined criteria and/or principles have been achieved: security, availability, processing integrity, confidentiality and/or privacy.
According to Ratcliffe, the SOC 2 report is most useful for service organizations whose clients do not necessarily rely on the reported controls for financial reporting purposes, but depend on their service organization’s ability to maintain a controlled environment. The SOC 2 report demonstrates to a service organization’s clients the ability of the organization to be independently assessed against one or more of the five American Institute of Certified Public Accountants (AICPA) Trust Services Principles:
- [icon type=”angle-double-right” class=”fa fa-li accent”]Security: The system is protected against both physical and logical unauthorized access.
- [icon type=”angle-double-right” class=”fa fa-li accent”]Availability: The system is available for operation and use as committed or agreed.
- [icon type=”angle-double-right” class=”fa fa-li accent”]Processing Integrity: System processing is complete, accurate, timely, and authorized.
- [icon type=”angle-double-right” class=”fa fa-li accent”]Confidentiality: Information designated as confidential is protected as committed or agreed.
- [icon type=”angle-double-right” class=”fa fa-li accent”]Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and criteria set forth in Generally Accepted Privacy Principles issued jointly by the AICPA and the CICA.
The HIPAA Security Rule is a United States federal regulatory requirement specifying a series of administrative, physical, and technical safeguards for assuring the confidentiality, integrity, and availability of certain healthcare data. The HITECH act extends the HIPAA rules to include Business Associates (such as service providers to the healthcare industry) and to promote various other aspects of HIPAA compliance and information technology standardization.
Compliance with HIPAA standards is mandatory for any organization handling, storing, managing or utilizing private individual healthcare information. 360 Advanced provides HIPAA assessments, consulting, remediation, and sustainable compliance services, and specializes in helping service providers target the healthcare industry and utilize HIPAA compliance as a tool for expanding their client base.
Burns had the following advice for colleagues in the print/mail industry: “You need to start your program and start it soon. Get on board. This is the future,” she said. “We had some insights from our executive team some three years ago, and our program has been in place now for three years. It took that time for us to feel comfortable seeking out an outside auditing firm. I think a lot of people in this industry are really not addressing it the way they should. I find it very interesting when I find other companies offering print-mail that have gone through SOC 2 compliance.”
SOC 2 compliance is no longer going to be an option, she observed. “We went from three years ago having some clients inquire about whether we had completed and audit from an outside firm to five this year that mandated it,” she said. “In three years we’ve seen major changes.”