True or False? You are responsible for high-volume print-to-mail production. Someone on your team makes an unintentional error and non-public personal customer information is compromised. If your organization is governed by the Gramm-Leach-Bliley Act (GLB), or if your organization provides services to an institution governed by one of the federal banking agencies, then you could be in breach of the GLB Act and subject to fines.
Unfair, you protest, it was an accident. Fair or unfair, the regulation is clear. Under the rules, an error is no excuse: you need more than a strategy, you need an effectively deployed program based on that strategy, one that can be (and has been) audited and tested. Mistake or no mistake, if you can't produce documentation showing that you have data protection policies and procedures in place, you could be in violation. And these regulations apply not only to banking institutions, but also to the organizations that support them. If you outsource your print-to-mail services, whether routinely, at the time of a disaster, or when a production overflow leaves you needing assistance, the company to which you outsource those services must also comply with the GLB rules. And you are responsible for ensuring that it does.
True or False?
Unless you are a depository bank, you are not governed by the Gramm-Leach-Bliley Act.
The GLB rules must be followed by financial institutions, defined as banks, thrifts and credit unions as well as numerous non-depository institutions. In a press release distributed by the Federal Trade Commission (FTC) in November, the "financial institutions" covered by the Safeguards Rule in the GLB Act "include not only lenders and other traditional financial institutions, but also companies providing many other types of financial products and services to consumers. These institutions include, for example, payday lenders, check-cashing businesses, professional tax preparers, auto dealers engaged in financing or leasing, electronic funds transfer networks, mortgage brokers, credit counselors, real estate settlement companies and retailers that issue credit cards to consumers."
If your eyes are beginning to glaze over, read the next few sentences and see if you don't perk up. Although the deadline for compliance with the GLB Safeguards Rule was May 23, 2003, it was only recently that the federal government started cracking down. In November, as part of a nationwide compliance sweep, the FTC charged Nationwide Mortgage Group, Inc., headquartered in Fairfax, Virginia, and Sunbelt Lending Services Inc., a subsidiary of Cendant Mortgage Company headquartered in Clearwater, Florida, with violating the GLB Safeguards Rule "by not having reasonable protections for customers' sensitive personal and financial information." In fact, the FTC also charged Nationwide's president, John D. Eubank, personally with the violation.
The FTC noted specifically that the mortgage companies had failed to protect their customers' names, Social Security numbers, credit histories, bank account numbers, income tax returns and other sensitive financial information. These are the FTC's first cases enforcing the Safeguards Rule. They are not likely to be the last. And did I mention that Sunbelt's settlement requires biennial (every-other-year) audits of Sunbelt's information security program by a qualified, independent professional for 10 years? How much do you think that will cost the company?
Why Should We Care?
What does any of this have to do with those of us in the mailing systems business? The GLB Safeguards Rule applies to any and all third-party vendors and service providers that maintain, transact in, or process customer data. Do you print statements for a bank? Insert and mail statements for an insurance company? Do you handle direct mail, either First Class or Standard, using confidential customer information for any organization governed by banking regulators? If you are a third-party provider and you answered yes to any one of these questions, you should care. If you work for an institution governed by banking regulators and outsource any of these processes to a third-party provider, you should care.
Specifically, GLB requires that institutions not only achieve their own compliance, but also review and monitor the strategies and plans of their business partners to ensure that a partner's compliance (or, more to the point, lack of compliance) does not compromise their own. With enforcement of the regulations no longer a risk but a reality, you have no time to lose. Achieving compliance and passing a regulatory audit are two separate steps. Confirming that your service provider partners can pass the same muster is yet another step. If you are the third-party provider, be ready to present your audit results; if you cannot, your company may face an additional, potentially rigorous audit from each of your clients. In the process, one area that is often overlooked is print-to-mail business continuity. Does your business continuity plan have a section covering high-volume print-to-mail, and is your third-party print-to-mail provider compliant with GLB?
A little more than a year ago, a Madison Advisors study specifically examined how prepared organizations were for print-to-mail continuity issues. Over 30% of the respondents to a mail survey indicated that their companies had integrated business continuity with their mainframe disaster recovery plans. On the other hand, only 15% of those responding to a phone survey indicated that it was part of the mainframe recovery plan. A business continuity plan is an integral part of any auditable compliance plan; do you know for certain what your company's plan includes?
What’s Your Guess?
Madison Advisors also discovered that while high-volume printers were sometimes included in continuity plans, inserting and mailing equipment and processes were more often not. Why not? “The fact that some companies have backup strategies for their print volumes but not their mailing processes is baffling. What they propose to do with a million pages of invoices without an insertion and mailing plan is anyone’s guess,” the report states. What’s your guess?
I'm guessing it's a matter of "it's not my job." If printing is the purview of one department and inserting and mailing is the purview of another, whose job is it to make sure the entire process is completed? If your responsibility ends when the printing is done, should you care whether the invoices get mailed? What is the impact on your company's bottom line? Do you care about that?
What is the risk to your company if you don't have a plan for business continuity? In fact, that should be two questions: What is the financial risk? And what is the regulatory risk? Remember, both you and your third-party providers must protect non-public personal data. Protecting that personal data during any printing, inserting or mailing done outside your organization is still your full responsibility.
According to OCC Bulletin 2001-47, properly overseeing and managing third-party relationships means adopting a risk management process that includes:
• A risk assessment to identify needs and requirements.
• Proper due diligence to identify and select a third-party provider.
• Written contracts that outline the duties, obligations and responsibilities of the parties involved.
• Ongoing oversight of the third party and its activities.
It's time for all of us to step up and take responsibility: for compliance, for risk management, and for business continuity. In these uncertain times, it's better to be prepared than surprised. Know who in your organization is responsible for business continuity and how (or whether) your responsibilities and processes are included in that plan. Ask to see the documentation, if you haven't seen it already, and if your area of responsibility is not included:
• Offer to help evaluate the risk should printing and/or mailing systems become unavailable.
• Document the steps you can take to keep them running, or to recover them if they go down.
You may be surprised by the new friends (in high places) you make by raising your hand and saying, “We need to protect our company!” That’s your job.
Gerald A. (Jerry) Montella serves as vice president of Warminster, Pennsylvania-based Mail-Gard. He is responsible for overseeing all of Mail-Gard’s operations as well as developing and managing the company’s sales and marketing activities. Additional information on the GLB Data Protection Act can be found at www.mailgard.com.