Data Security: How Pitney Bowes Protects Employees from Themselves

By Deborah Gage

The postage meter manufacturer discovered its workers properly handled customer information—but not their own personal data.

Pitney Bowes might be known as a marketer of business machines, but it has another business as well—as a repository of other people's data.

Founded in 1920 as a manufacturer of postage meters, the Stamford, Conn.-based company now manages other organizations' messages and mail. Government agencies, universities and companies like T-Mobile hire Pitney Bowes to print and track direct mail, calculate taxes on bills and handle other document-related chores. One service—the "automated document factory"—relies on a database of addresses to automatically match printed statements with printed envelopes for mailing. Getting the right statement into the right envelope so it's mailed to the right person is critical.

Trevor Odell, the manager of data security, is in charge of protecting Pitney Bowes' data and must truthfully answer "yes" when board members ask him if the company is compliant with the alphabet soup of regulations that govern its business. Because it handles health-care data, it's subject to the Health Insurance Portability and Accountability Act; because of financial data, the Payment Card Industry Data Security Standard and the Gramm-Leach-Bliley Act; and so on.

And Odell has another worry: Pitney Bowes doesn't want employees e-mailing, instant-messaging or transferring its intellectual property outside the company, even accidentally.

But when, a couple of years ago, the company set out to safeguard its critical business data, it found that employees were sending out personal information through the corporate network—a fact Pitney Bowes has learned to use to its advantage.

In 2005, Pitney Bowes bought software from Vontu to protect its data and monitor employees' electronic communications. Vontu, a San Francisco-based company, makes data loss prevention software that watches communications on all network exit points.

One product, Vontu Monitor, comes with about 60 templates to help companies figure out which information to protect. It monitors both structured and unstructured data in a variety of ways—by exact matches, pattern matches, sender-receiver, network protocol and several others. A second product, Vontu Prevent, flags and can automatically block violations.

Pitney Bowes distributed and replicated the software in its U.S. offices. Odell won't say how much the company paid for the deployment.

The company's employees in Europe, however, are not monitored by Vontu, at least not yet. The software may violate the European Union's privacy laws, so Pitney Bowes is negotiating with the E.U. for permission to use it. Until they reach agreement, Odell says, Pitney Bowes will take "a conservative approach" and keep the software in the U.S.

Most of Vontu's customers, like Pitney Bowes, are Fortune 1000 companies in industries that deal in sensitive information—financial services, health care, insurance. And like Pitney Bowes, many of these companies are surprised to discover what's happening to the information they're monitoring, says Maureen Kelly, a product marketing director at Vontu.

Pitney Bowes employees were careful with corporate information, Odell discovered after Vontu's software started running, but they were cavalier in how they handled information about themselves. The software showed that employees were e-mailing sensitive personal documents—applications for mortgages, personal tax returns during tax season—that could have exposed them to identity theft or worse.

"I don't think people understand how valuable private data is," Odell says.

So, Pitney Bowes is preparing online training for its employees on how to handle and protect their personal information, focusing on practices they can use at home.

Odell believes the training will benefit not just employees, but his employer as well. "Anytime you train somebody for whatever reason about personal information, it translates to their activities as an employee," he says. "It's in their mind to protect information."

He figures hackers are not picky—whether data comes from companies or individuals, it's still salable. And the software helps him feel more confident that information leaks aren't damaging Pitney Bowes or its brand.

This article was originally published on 2006-11-21
Senior Writer
Based in Silicon Valley, Debbie was a founding member of Ziff Davis Media's Sm@rt Partner, where she developed investigative projects and wrote a column on start-ups. She has covered the high-tech industry since 1994 and has also worked for Minnesota Public Radio, covering state politics. She has written freelance op-ed pieces on public education for the San Jose Mercury News, and has also won several national awards for her work co-producing a documentary. She has a B.A. from Minnesota State University.
