What is more painful than stuffing thousands of envelopes by hand? Why, stuffing them by machine before finding a month-old error in the programming, of course. Between April 6 and May 21 of this year, the Indiana Family and Social Services Administration (FSSA) experienced an error in a document management system maintained by contractor RCR Technology Corporation (RCR), potentially compromising the personal information of roughly 157,800 Hoosiers. The cause of this mailing mix-up seems to be a computer programming error that made it possible for duplicate copies of client information to be printed and inserted into envelopes addressed to other clients. Duplicated mailings may have divulged such personal information as name, birth date, address, gender, race, contact information, employment and financial information, bank balances, medical conditions, and types and amounts of benefit received. Of the 187,533 potentially-affected clients, 3,962 may have had their social security numbers compromised as well. “Potentially” here is the keyword. The nature of the document management system does not allow for the tracing of every single document printed, so any number of clients could have had their information mailed to other clients. As of July 1, 14 people have reported receiving someone else’s information, according to Jim Gavin, Director of Communications for FSSA. When one considers the magnitude of the collection of personal information that FSSA regularly handles, the tiniest programming hiccup could very reasonably be expected to trigger tidal waves of consequences. The FSSA evidently understood this, and does deserve credit for how it handled the situation. Employees notified all clients who were mailed anything within the window of time when the error was in effect, and provided information and advice to clients about ways to protect themselves from identity theft. RCR is also taking steps to improve their computer programming and testing processes. In short, FSSA and RCR took level-headed action to protect their clients from any consequences of the security breach.
Clients entrust their information to us and we take the security of that information very seriously. We are ultimately responsible for the safekeeping of that information and regret that in this rare instance some information may have been accidently shared inappropriately. We do not believe this was a widespread disclosure of information and have only been made aware of a handful of instances where information was received by the wrong person. Still, we are taking the most complete and prudent approach to notifying all potentially impacted clients.” ~ Debra Minott, Secretary of the FSSAAs members of a company dealing in both security- and mailroom solutions, we here at Whitaker Brothers immediately saw a connection between the FSSA security breach and our own collection of folder-inserters. Several of our folder-inserters include duplicate document sensors and diverters, so that unauthorized duplicates, as well as documents otherwise requiring inspection or special handling, can be diverted automatically into the divert station without halting operation. Additionally, an optional Optical Mark Reading (OMR) feature will automatically collate and insert multi-page documents into envelopes by detecting markings on the edges of the papers themselves. These document security measures are probably similar to the technologies that RCR used in their handling of FSSA correspondence. While these machines can be used to great effect, it is evident that the smallest mistake can result in drastic consequences. So what are the "lessons learned” here?
- Be sure that you are thoroughly familiar with the protocols and philosophies of any contractor you outsource to.
- Amid the hype surrounding cyber security and computer encryption, do not lose sight of the physical materials you are charged with handling.
- Have a comprehensive, borderline-paranoid course of action for all major worst-case scenarios. Be sure that these plans rely minimally on the outsource contractor, and are well-communicated to all of your employees.