Securing Your Customer Data

Every aspect of our lives today is driven by data, and whether we like it or not, the need to protect and secure that data is becoming increasingly critical. Businesses of all types are being targeted more frequently, as thieves look for vulnerable access points that will provide them with the necessary information to then steal money, identities, and more.

And printers are a prime target.

You might be tempted to dismiss that claim, since it’s difficult for someone to steal a printed page over the Internet. But the problem is that more and more print shops are becoming marketing hubs, and more and more of the campaigns they produce involve variable or personalized data – all of which means the shop is in possession of personally identifiable information (PII) that can potentially be targeted and stolen.

How ‘hardware’ goes beyond printing devices and servers

“Printers are supplied with personal and confidential information such as name and address information when doing mailings or data-quality services, so this data must be protected and stored in a secure environment physically or encrypted in digital communications,” says Kristen McKiernan, president of Accuzip.

Marc Johnson, marketing manager, Core PageWide Web Press, Americas, HP Inc., agrees: “Whether this is a bank offering credit offers to a specific consumer based on that consumer’s credit profile, or a retailer making an offer based on a consumer’s buying history, or an insurer making an offer based on demographic information, the consumer’s PII data must be safeguarded and this is normally spelled out in the contract.

“In addition,” he says, “legally mandated security measures may be required – HIPPA (Health Insurance Portability and Accountability Act of 1996) requirements for health-related information, for example.”

Healthcare is, of course, a particularly sensitive topic. Any printer who produces materials for any type of healthcare organization – even if it is just their marketing materials – could find themselves falling under HIPPA requirements.

Konica Minolta’s Chris Belillo, director, Business Solutions & Market Development, has actually come across a situation where a printer inadvertently disclosed PII: “In 2010, a multifunction printer was returned to a warehouse after the lease expired. An investigative report discovered that the device's hard drive contained patient records from a healthcare organization. Subsequently, in 2013 the healthcare organization was fined $1.2 million by the Department of Health and Human Services (HHS) for violating HIPAA.”

And while that was a specific situation, and involved an MFP rather than a full commercial printing press, the same ideas apply. “’Hardware’ actually extends beyond printing devices and servers and also includes site security – access controls, logging, identification, visitor-access procedures, vendor-access procedures – as well as the data networking layer,” notes Johnson.

The mail stream is another potential target, with not only name and address information ripe to be stolen. It often includes demographic information as well – information that could be used against those consumers if an unscrupulous party were to garner access to it.

“Printers should ensure that any software solutions they use for mailings are certified by regulated agencies such as the USPS and not processed through a secondary or third-party vendor,” stresses McKiernan. “The software vendor of choice should be the manufacturer of the solution, rather than a branded reseller to ensure that the printer knows exactly who the party is that is receiving and processing their data, and that this party is credible.

“Look for software vendors that have been in the industry for several years and have a history of handling sensitive data. Ask software vendors for customer references and security NDAs or confidentiality agreements prior to sending confidential data for processing. Vendors that process data through services such as NCOALink for move update processing should also share their data security and confidentiality policies with the printers,” says McKiernan.

Planning for, dealing with a breach

Given that even the most secure systems in the world can be hacked, the best a print shop can do is ensure it has taken all the necessary steps to try and keep the information secure, and have a plan in place for when – not if – a breach occurs.

When it comes to prevention, says Johnson, “Basic security measures like building access, network firewalls, and virus/malware-detection software are good business practices to implement for all businesses; they become even more important when handling customer data. There are well-defined security protocols ranging from SSAE 16/SOC1 (replacement for SAS 70), HIPPA (for healthcare), and implementation is usually handled with the help of consultants and trainers who specialize in these standards.”

Johnson goes on to specifically address the systems most printers are running, noting, “For the press and workflow systems driving the press, best practices are that PII data (name, address, offer information, anything identifiable) should be transient and not persistent beyond the actual print run.”

Other basic steps a shop can take to help prevent any attacks from succeeding include: create complex passwords for any system that will touch PII – even if it’s just passing through – and put a system in place to ensure those passwords are changed a minimum of every 90 days; encrypt all hard drives, whether they are attached to the digital front end of the press, live inside a multi-function printer, or are attached to the computers used for prepress or workflow processes; secure all mobile devices, including laptops and mobile phones, when not in use; and make sure all filing cabinets and desk drawers that contain PII are locked – just because cyber attacks are more likely, don’t forget to secure the hard copies as well.

To ensure the shop is prepared for any attempted security breaches, says Belillo, “Create an incidence response plan. In the event of an attack, the lack of a cohesive plan extends the duration and losses associated with an attack.”

Belillo suggests that the plan include forming a relationship with a security company that can be trusted to quickly come in and analyze the breach and mitigate the results. A few questions he suggests should be the top priorities in planning for and resolving breaches include:

• Was the company under a bona fide cyber attack?
• Did a breach actually occur? Where was it? Malware, email spoofing, brute force attack?
• Who is the designated company point person for security?
• What is the main priority after a breach is detected? Restoring service, protecting data, or is there another priority? 
• What systems and/or data should receive the highest response priority? 
• Make a list of third-party technology and Internet vendors: who are the contacts (email, mobile numbers etc.) at those organizations?

McKiernan agrees, noting that her steps for what should happen after a breach include: “Determine what data has been accessed and immediately take action to mitigate or eliminate a continued breach. Change credentials of the digital systems that have been hacked. Notify the customer of the breach and make sure your management team is aware of potential legal ramifications that may arise from the breach. Contact legal counsel for advice on how to proceed.”

And, she adds: “If the breach is large enough, contact authorities such as the Department of Homeland Security and Interpol Cybercrime Division to inform them of the breach. Once the breach has been identified and mitigated, prepare for the future to avoid future breaches.”

Minimizing the damage

Today’s data thieves are more sophisticated than ever, with the ability to take information stolen from multiple systems and matching them up, giving them a more complete picture of a consumer’s life – which can then be used to open credit in their name, steal money from bank accounts, or gain access to other sensitive accounts. Printers process name and address information, at the very least, and for shops that have moved into being marketing communication providers, or who have begun to offer more complex print options, the data can expand to include a wealth of other sensitive information.

To safeguard the consumers whose PII is potentially at risk, as well as your own business, take the necessary steps to secure your shop today. Make sure every employee knows what the action plan is, so when a breach does happen, you’re ready to respond quickly and minimize the damage.

Dealing with a Ransomware Attack

A ransomware attack is one more way that your customers’ data can be put at risk. Ransomware attacks, which began several years ago and have been on the increase since 2015, are instigated by malware that encrypts valuable digital files and then demands a ransom for their release. Small and large businesses as well as hospitals, local governments, school districts, and other institutions (and even individuals) have been subjected to these attacks.

As the FBI reports: “Organizations are generally not even aware they’ve been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins (because of the anonymity this virtual currency provides).”

Because ransomware techniques and malware are continuing to evolve – and because it’s difficult to detect a ransomware compromise before it’s too late – the FBI says that companies and organizations should focus on two main areas:

Prevention efforts, both in both in terms of awareness training for employees and robust technical prevention controls; and
The creation of a solid business continuity plan in the event of a ransomware attack.
The FBI does not support paying a ransom in response to a ransomware attack: “Paying a ransom doesn’t guarantee an organization that it will get its data back – we’ve seen cases where organizations never got a decryption key after having paid the ransom,” states the organization.

“Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”