The recent Target data breach has certainly heightened concerns about the safety of customer information. Data breaches, whether accidental or intentional, can be very costly in terms of damage to an organization’s reputation, lawsuits and regulatory fines, as well as customer loss. Every credit union holds a vast amount of sensitive information about its members. It is therefore good practice to regularly conduct a risk assessment of your data security environment and to implement the controls necessary to reduce that risk.
Looking beyond the computer—assessing every risk
While the term “identity theft” has become synonymous with computer hackers, it is important to recognize that vulnerabilities within your own operations frequently lead to accidental privacy violations, which can be equally damaging. These include the security risks of employees taking work home on laptops or portable USB devices, or the chance that your monthly statements are accidentally sent to the wrong account holder. Because of possibilities like these, it is important to determine how well your credit union is identifying and tackling all of the risks involved in data loss.
Beyond these internal security risks, all credit unions are held to a variety of local, federal and international regulatory mandates relating to information security. Additionally, many credit unions have chosen to outsource their electronic document processing, distribution and billing solutions to a third-party provider. If yours has, what should you look for to ensure your outside partners are certified in operational excellence and security?
Always check credentials
Any provider of electronic billing solutions that you select must hold the industry-standard certifications that security compliance requires. The top three certifications pertaining to credit unions are:
- SSAE 16 (Statement on Standards for Attestation Engagements No. 16) Certification – SSAE 16 is an accreditation awarded by the American Institute of Certified Public Accountants (AICPA) and ensures that all outsourced documents are handled in a secure, reliable and stable environment with tight process controls in place.
- PCI DSS 2.0 (Payment Card Industry Data Security Standard) Compliant – The PCI DSS is a globally instituted security standard for all merchants and service providers who accept credit card information; it is designed to keep customer payment card data secure and prevent payment cardholder data fraud.
- Sarbanes-Oxley (SOX) – Any organization fully trained in SOX regulations ensures that its clients are compliant with all corporate accounting controls required by U.S. federal law.
Internal security measures count, too
On top of the compliance accreditations, credit unions should, at a minimum, make sure the service provider they choose has stringent internal security measures in place to protect members’ data. Check whether production areas are locked and monitored at all times. Make sure their FTP servers are protected by a well-rated hardware firewall to block unwanted intrusions. Additionally, all electronic payment options need to be encrypted and performed over a secure SSL internet connection.
Lastly, it is imperative that the company you choose to handle your sensitive information has a comprehensive disaster recovery program in place to safeguard against fire and other natural and environmental hazards.
Protecting data and ensuring compliance is an ongoing process. Unfortunately, as we have seen in the news lately, there is no magic bullet to ensure that information is safe. It requires 24/7 monitoring of all data, networks and internal processes. To avoid potential fines, loss of customers, bad publicity and, worse, legal action, make sure you have covered all your security bases and that your program is well executed and is monitored by third-party auditing and testing.
Harry Stephens is President/CEO and founder of DATAMATX, one of the nation’s largest privately held full-service providers of printed and electronic billing solutions. As an advocate for business mailers across the country, Stephens is actively involved in several postal trade associations. He serves on the Executive Board of the Greater Atlanta Postal Customer Council, the Major Mailers Association (MMA), the PCC Advisory Committee (PCCAC), and the Board of the National Postal Policy Council (NPPC). He is a board member of The Imaging Network Group (INg), an association for transactional and direct mail marketing service bureaus. As an expert on high-volume print and mail, he has frequently been asked to speak to various USPS groups. You can contact Harry Stephens at email@example.com