Protecting data from disaster
In marketing, a database of potential customers’ details is akin to gold dust. Unfortunately, it could also be valuable to less scrupulous individuals. Personal details need to be kept safe, and when financial information such as bank details and credit card numbers are involved, the stakes climb higher.
Transactional mailings are increasingly viewed as a way of ensuring customers actually see adverts. However much people may not want to, they all have to open credit card and other bills. If a company is considering putting adverts on transactional mail, it is essential that it is aware of the potential security issues.
Many printers in the transactional and security sectors offer consultancy services to new clients to ensure they are up to speed on the latest safety measures.
The File Transfer Protocol (FTP) can be used to move data to the printer over the internet. However, when data is sent by FTP, or by email, it travels in clear text and can therefore be intercepted. Instead, a Secure FTP (SFTP) transfer is necessary: it encrypts the data, so a third party is unable to read it, and it allows the sender and recipient to be authenticated.
Access for all
Andy Ruddle, managing director of transactional specialist Real Digital International, says he is “staggered by how many people email over data. We have all the secure FTPs and yet people still use email: ‘it was only a little file’ they say”.
With the growing use of advertising techniques on transactional mail, marketers are increasingly getting involved in what was traditionally the secret domain of the financial operations department. This can cause problems, says Ruddle. “Companies are not always aware of security issues and can try to use existing suppliers for marketing material.”
DST International Output (DSTi) is a transactional printer specialising in the financial and utility billing sectors. It has developed an online system to help combat this problem. Called the Campaign Definition System (CDD), it is a workflow tool to enable a client’s marketing department to see the necessary transactional information, without being able to alter it. Marketers use online templates that enable them to view a customer’s spending habits to determine which products to advertise to that person, while an overlay system preserves the integrity of the sensitive financial details.
Chief executive Tim Delahay says that CDD makes it safer for the data to be combined at DSTi, than if the client tried to combine the information within their own company. “If the client was to combine the advertising and transactional information at their end and then send it all to us, there would be the danger that marketing could accidentally alter the information or that data could become corrupted. CDD protects against that.”
Once you have got everything to the printer, you must ensure the data is handled in an appropriate manner. The Data Protection Act 1998 governs the handling of personal details such as names and addresses, and even a simple direct mailing must adhere to it.
BPIF head of legal Anne Copley explains that when a customer’s details are given to a bank or credit card company, that organisation is deemed the data controller. If that company passes the records to a printer, the printer becomes the data processor. “The emphasis in data protection is on the credit card firm as the data controller. They are most responsible for making sure that the data is kept secure. Even once the information has gone to the printer,” she adds.
The Data Protection Act states that personal details must be processed fairly and for a specified purpose. The information must be accurate and not excessive, and not kept for longer than is necessary. Finally, it must be kept secure and not transferred to countries outside the European Union, unless the information is adequately protected. (This may rule out offshoring print requirements.) If you hold and process information about individuals, you may need to notify the Information Commissioner. You can check whether a company is registered at www.informationcommmissioner.gov.uk.
Security standards
Once the information is with the printer, there are standards for how it is processed. In October 2005, ISO 27001 for information security management was published. It provides a complete set of guidelines for ensuring that data is handled in a way that protects its confidentiality, integrity and availability. The procedures are designed to protect information from a wide range of threats, both physical and electronic.
Real Digital’s Ruddle believes ISO 27001 accreditation is essential for transactional printers. “Basic standards, such as QMP (the Quality Standard for Mail Protection), might be enough for direct mail, but not transactional.” Delahay agrees: “The legislations are a good break indicator between the high-end quality operators and the DM printers that think they can do transactional.” Ruddle explains that although direct mail and transactional printers may seem to be doing pretty much the same things – laser printing, folding and enclosing – in terms of the workflow and 100% production security, they are totally separate.
Both DSTi and Real Digital are working towards full ISO 27001 accreditation, but Delahay says that it’s not something that his clients have been asking for. As a relatively new standard, many print buyers may not know about ISO 27001, or what it entails. The standard covers all elements of the printing process from database and site security to checks on the staff and machinery. The physical security of the site is crucial. There’s no point having a million passwords to get into your database, if someone could break into the factory and steal a pile of printed statements.
Instant action
Yet suppose, despite all of these security checks, something still goes wrong. You need to be sure the company you’re dealing with carries out proper risk assessments and has strategies in place for when things do go wrong. At DSTi, if there is a breach of quality, or anything that is assessed to be a risk, all senior members of staff are notified immediately by text message, so that procedures can be implemented straight away.
Once your documents have been printed, they must be put into envelopes. This may seem simple enough, but in February of this year the personal information and bank details of as many as 26,000 pensioners were sent to the wrong addresses. Using a firm that can handle enclosing and mailing, as well as printing, eliminates the risk of items going missing during transit; it also enables the company to verify that what went in at one end tallies with what comes out at the other.
If disaster strikes and people’s details do make it into the wrong hands, you must act fast to try to limit the number of people affected and stop it happening again. Check the contract that was drawn up. Under what circumstances does it indemnify the printer to make good any damages incurred to a third party?
The BPIF’s Copley goes on to say: “If it was deemed the information hadn’t been looked after correctly, then the printer could be fined for breach of the Data Protection Act. If it was the result of negligence, then the printer would be charged under common laws of negligence.” None of this, however, is likely to restore customers’ faith in their bank’s ability to keep their data safe, or the bank’s faith in the printer.
ISO 27001
ISO 27001 is the international standard for the secure management of information. Entitled ‘Information Security Management – specification with guidance for use’, it was published in October 2005 as the replacement for BS7799-2.
The basic objective of the standard is to help establish and maintain an effective information management system, using a continual improvement approach. It implements OECD (Organisation for Economic Cooperation and Development) principles, governing the security of information and network systems.
Its three underlying principles are to ensure that data is handled in a way that protects its confidentiality, integrity and availability. The procedures protect information from a wide range of threats, both physical and electronic, and concern the backup and recovery of information. There are 11 main areas within the standard, covering various aspects:
• The organisation of a security policy
• The company’s management of its security policy
• Asset management
• HR security
• Physical security
• Environmental security
• Communications
• Operational management
• Control of access to the building
• Systems access management
• Incident management