Do Printers/Printing Companies Require a SOC (Service Organization Control) Report?


By Frank Dezort

To answer this question one must first gain an understanding of the services provided by printing vendors, the data being utilized, the risk to the user organization and the expected level of security that is required to minimize the identified risk.


The primary service provided by printing companies is commercial printing (i.e. financial statements, event tickets, direct mailers, coupons, posters, labels, schedules, tourist guides, maps, rack literature, post cards) and digital printing (electronic marketing materials using sophisticated data management to personalize content and collection of market research data).  Addition services provide by printers is mailing and order fulfillment.

Data and Risk

Depending on the type of service provided by the printing vendor, the data being handled can span from name and address in mailing lists to social security numbers, bank account numbers, financial data or payroll information.  Some of this data is highly sensitive and could be used to commit identity theft resulting in material impact to individuals which could be considered a required reportable event under most state information breach laws and result in substantial cost to the user organization.  Printing vendors are almost always provided mailing lists from user organization.  At first glance this may not seem to be sensitive, but if you consider that a mailing list is a record of an organization’s customers, most organizations would view this information as a valuable asset that needs to be protected against leakage or unauthorized disclosure to competitors.  In addition, the mailing lists be focused on a groups specific characteristics, such as  high net-worth individuals that if disclosed would result in a high level of dissatisfaction of the user organization’s clients.  Clearly substantial risk could exist on behalf of the user organization should the printing vendor experience a data breach or mis-handle their customer data.   In additional to the data risk that exists, printing companies that provide fulfillment services also have risk from shrinkage due to theft of merchandise or duplication of event tickets.

Should a printing company have a SOC report?  Clearly there is considerable risk associated with many of the services provided by printing companies that would warrant a SOC report.  While A SOC report is not a requirement of the industry the report would demonstrate to the user organizations that the level of security providing protection of data and merchandise is a major objective and is taken serious by the senior management of the organization.  A SOC report would also provide a distinct competitive and marketing advantage to the printing company providing an authoritative and respected method to communicate and demonstrate to the market place that protection of client information is as valuable as the quality of the service that they provide.

Do you think your organization could benefit from a SOC Report?  Visit our Service Organization Control page or contact one of our professionals to discuss your need.

© 2014 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

This advice is not intended or written to be used for, and it cannot be used for, the purpose of avoiding any federal tax penalties that may be imposed, or for promoting, marketing or recommending to another person, any tax related matter.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2018 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.