by: Harry Stephens, President and CEO, DATAMATX
Every credit union holds a vast amount of sensitive information regarding all of its members, so it is critical to have effective controls in place to protect member data and company information. In today’s world, as everyone is aware, data breaches (whether accidental or intentional) can be very costly in terms of damage to an institution’s or company’s reputation, lawsuits, and regulatory fines, as well as customer loss.
For a variety of reasons, it is easy for a credit union to fail to identify the myriad data security risks it may face. For example, some institutions are not aware of the severity of the risk at hand, some do not have the expertise to effectively assess the key risk factors and develop ways to mitigate them, and in other cases it can be difficult to coordinate adequate resources to address these risks. Therefore, it is good practice for every credit union to conduct a risk assessment of its data security environment and implement the controls necessary to reduce its risk.
Taking a global view
While the term “identity theft” has become synonymous with computer hackers, it is important to recognize that vulnerabilities within your own operations frequently lead to accidental privacy violations, which can be equally damaging. The risk of data loss through the internet is obvious, but the security risks involved when people take work home with them via laptops, portable USB devices, etc., are often overlooked. Are you sure your employees are shredding sensitive documents? Did a paper jam cause printing to get out of sync? Or how about those monthly statements that accidentally got sent to the wrong account holder? Let’s face it: Things happen.
As a result of these developing trends, it is important to determine how well your credit union is identifying and tackling the risks of data loss. Here are some questions to ask:
- How is your customer data stored in electronic databases?
- Do you have the proper controls in place to restrict access to customer data and prevent it from being lost or stolen?
- Is redundant customer data disposed of securely?
- Do you have the appropriate resources on hand to do an effective assessment of your risk and, in turn, install more-effective controls if necessary?
In addition to the list of inherent security risks is the fact that all credit unions are held to a variety of local, federal and international regulatory mandates relative to information security. Because of all these reasons and more, many credit unions have chosen to outsource their electronic document processing and distribution and billing solutions to a reputable third-party provider certified in operational excellence and security.
First and foremost, any provider of electronic billing solutions should be independently certified against the industry standards required for security compliance. The top three certifications pertaining to credit unions are:
- SSAE 16, Type II, SOC 2 & 3 (Statement on Standards for Attestation Engagements No. 16) Certification – SSAE 16 is an accreditation awarded by the American Institute of Certified Public Accountants (AICPA) and ensures that all outsourced documents are handled in a secure, reliable and stable environment with tight process controls in place.
- PCI DSS 2.0 (Payment Card Industry Data Security Standard) Compliant – The PCI DSS is a globally instituted security standard for all merchants and service providers who accept credit card information; it is designed to keep customer payment card data secure and prevent payment cardholder data fraud.
- Sarbanes-Oxley (SOX) – Any organization fully trained in SOX regulations ensures that its clients are compliant with all corporate accounting controls required by U.S. federal law.
On top of the compliance accreditation that must be in place for you to feel comfortable with the outsource provider of printed statements and e-solutions you choose, credit unions at a minimum should make sure the company they are working with has stringent internal security measures in place to protect their members’ data. Production areas should be locked and monitored at all times. FTP servers must be protected by a well-rated hardware firewall to eliminate unwanted intrusions. Online payments need to be encrypted and performed over a secure SSL internet connection. Lastly, it is imperative that anyone you choose to partner with has a comprehensive disaster recovery program in place to safeguard against fire and other natural and environmental hazards.
At the end of the day, no matter what type of electronic communication is being disseminated from your credit union (whether it’s email, internet-based forms or file transfers), there is a good chance much of it goes largely uncontrolled and unmonitored. This leaves open the chance of confidential information falling into the wrong hands.
Protecting and ensuring compliance for credit unions is more than a full-time job: It requires 24/7 monitoring of all data, networks and internal processes. Avoid potential fines, loss of customers, bad publicity and, worse, legal action by making sure your credit union is prepared.
Harry Stephens is President/CEO and founder of DATAMATX, one of the nation’s largest, privately held full-service providers of printed and electronic billing solutions. As an advocate for business mailers across the country, Stephens is actively involved in several postal trade associations. He serves on the Executive Board of the Greater Atlanta Postal Customer Council, Major Mailers Association (MMA), PCC Advisory Committee (PCCAC), and the Board of the National Postal Policy Council (NPPC). He is a board member of The Imaging Network Group (INg), an association for Transactional and Direct Mail Marketing service bureaus. As an expert on high-volume print and mail, he has frequently been asked to speak to various USPS groups. You can contact Harry Stephens at email@example.com www.datamatx.com