Not something a lot of people consider.
Check out this excellent contributed article by Parascript’s Don Dew on some of the ways organizations can ensure that their data entry operations are as secure as their back-end data systems.
New Customer Account Applications: Ensuring privacy and security in capturing sensitive information
Paperwork is often part of the first interaction point with a new customer – whether it’s new account applications or enrollment forms for employment, a credit card, or even Medicare. Because of this, information needs to be captured and entered quickly and seamlessly to provide responsive service at an important initial relationship-building stage. And, because these forms contain critical customer information – such as date of birth, social security number, and even payment data – they also need to be processed safely.
Information on applications and forms can generally be classified into two types of data: personally identifiable information (PII), and non-identifiable information (NII).
Security, policy, and technical requirements set PII apart from NII. PII includes information such as name, address, social security number, telephone number, diagnosis, credit card accounts and email address. The loss of PII can result in identity theft or fraudulent use of information. Meanwhile, NII includes anonymous information such as gender or age, does not identify a specific person, and, therefore, can be easier to process.
A number of regulations make keeping personal information secure a requirement for businesses and organizations:
- The Freedom of Information and Privacy Act requires the disclosure of federal documents and makes it necessary for government agencies to completely remove or redact confidential information from released files.
- In the health care industry, companies and their contract providers must also comply with HIPAA in order to protect the privacy of individually identifiable health information.
- Financial institutions have to comply with The Gramm-Leach-Bliley (GLB) Act, which requires companies to ensure the security and confidentiality of information such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers.
- Many businesses also must follow PCI Standards, which provide a framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents.
With the potential for fines, penalties, lawsuits and/or embarrassment for leaking vital information, companies and government organizations are compelled to stay on top of requirements to protect sensitive information. Once this information has entered a business system, privacy is most easily managed through software encryption and permission management. However, getting information off of physical documents and into that system offers multiple opportunities for breaches, including:
- access to information as it is being keyed in by human data-entry operators, who are sometimes located overseas and/or in high-turnover jobs;
- access to information located in imaged archives; and
- access to paper originals.
Assuming that access to the original paper has been dealt with via careful retention and destruction policies, the other two scenarios can be successfully mitigated with security features built into document capture software, acting as a first point of defense. Examples include:
Restricting access to information by only providing ‘snippets’ to validators/keyers – Document capture and recognition software solutions can enforce security at the field level, such as providing only a snippet of each form to a single operator. First name fields, for instance, can be given to one validator/keyer, social security numbers to another and diagnoses to still another, so that each piece of information on its own is benign.
Decentralizing access to information by distributing the validation/keying function – To go one step further, the information can be sent to multiple sites within the same company, practically eliminating any chance of a security breach or misuse.
These processes ensure that any back-office human validation of forms restricts personally identifiable information by limiting the context in which it would be useful.
Preventing future information leaks through redaction – In cases where document images must be retained for archival, redaction removes sensitive information by digitally obscuring it to make documents secure for distribution. Redaction can often be efficiently achieved during the document capture process, just as sensitive information is entering an organization. Incoming documents are scanned and keyed, then sensitive fields, such as account, driver’s license and social security numbers, are automatically located and redacted by capture software and sent to archives through a secure digital workflow. This helps to ensure confidentiality and protect key information. Redacted information in the archive can’t be accidentally or maliciously accessed years later.
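The field-level snippet routing and the capture-time redaction described above, as an added Python example that is not Parascript's software or code: it assigns each sensitive field of a form to a different keyer, audits that no keyer ends up holding two linked fields of the same form, and blanks or pattern-scrubs identifiers before the record reaches the archive. The field names, the SSN and card patterns, the keyer pool and the two sample applications are constructed for illustration.

```python
import re
from collections import defaultdict

# Article's split: PII identifies a person, NII does not. For routing, any field
# not known to be NII is treated as sensitive, so unclassified fields fail closed.
PII_FIELDS = {"first_name", "last_name", "ssn", "dob", "account_number", "diagnosis"}
NII_FIELDS = {"gender", "age"}
# Identifier patterns (SSN, 16-digit card) the capture step locates in free text.
REDACT_PATTERNS = [re.compile(p) for p in (r"\b\d{3}-\d{2}-\d{4}\b", r"\b(?:\d{4}[ -]?){3}\d{4}\b")]

def split_into_snippets(documents, keyers):
    """{doc_id: {field: value}} -> {keyer: [(doc_id, field, value)]}, each sensitive
    field of a form going to a different keyer. Refuses to route when fewer keyers
    than sensitive fields exist, since one keyer would then see two linked fields."""
    work = defaultdict(list)
    for n, (doc_id, fields) in enumerate(sorted(documents.items())):
        sensitive = sorted(f for f in fields if f not in NII_FIELDS)
        if len(sensitive) > len(keyers):
            raise ValueError(f"{doc_id}: {len(sensitive)} sensitive fields, {len(keyers)} keyers")
        for i, field in enumerate(sensitive):  # start offset rotates per form
            work[keyers[(n + i) % len(keyers)]].append((doc_id, field, fields[field]))
        for field in sorted(f for f in fields if f in NII_FIELDS):  # benign on its own
            work[keyers[n % len(keyers)]].append((doc_id, field, fields[field]))
    return dict(work)

def linked_exposure(work):
    """Audit check: (keyer, doc_id) pairs where one keyer holds >1 sensitive field."""
    count = defaultdict(int)
    for keyer, items in work.items():
        for doc_id, field, _ in items:
            count[(keyer, doc_id)] += int(field not in NII_FIELDS)
    return sorted(k for k, c in count.items() if c > 1)

def _scrub(value):
    for pattern in REDACT_PATTERNS:
        value = pattern.sub("[REDACTED]", value)
    return value

def redact_for_archive(fields):
    """Blank known PII fields; scrub identifier patterns from every other field."""
    return {f: "[REDACTED]" if f in PII_FIELDS else _scrub(v) for f, v in fields.items()}

# Constructed sample: two new-account applications as captured from scans.
SAMPLE_DOCS = {
    "app-001": {"first_name": "Ana", "last_name": "Ruiz", "ssn": "123-45-6789",
                "dob": "1990-02-14", "gender": "F", "age": "34",
                "notes": "card 4111 1111 1111 1111 read over the phone"},
    "app-002": {"first_name": "Bo", "last_name": "Lee", "ssn": "987-65-4321",
                "account_number": "55501234", "gender": "M", "age": "41"}}
KEYERS = ["keyer-A", "keyer-B", "keyer-C", "keyer-D", "keyer-E"]
```

With five keyers the two sample forms route with no keyer holding two linked fields of one form; with three keyers the router refuses rather than silently overexposing a form.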
Customer onboarding is a document-heavy, critical moment in the account lifecycle. Companies need to be both responsive and protective of the information that customers entrust to them on new account applications. In addition to being the law, safeguarding customer information also makes good business sense. And, with greater access to information in a secure environment, companies can provide better service and help boost the bottom line.
Don Dew is Director of Marketing for Parascript, a leading recognition solutions provider, online at www.parascript.com