Updated: Do Printers/Printing Companies Require a SOC (System and Organization Control) Report?

The answer to this question depends on the level of risk that the printing company represents to its clients. To answer it, one must first understand the services provided by printing vendors, the sensitivity of the data shared with the printing company, the risk to the user organization should the printer experience a data loss, and the level of security required to minimize the identified risk.

Services

The primary service provided by printing companies is commercial printing (e.g., financial statements, event tickets, direct mailers, coupons, posters, labels, schedules, tourist guides, maps, rack literature, postcards) and digital printing of electronic marketing materials. Printing companies also provide sophisticated data management to personalize content and develop target demographics to better focus marketing campaigns on the right audiences. Many printing companies also provide order fulfillment services.

Data and Risk

Depending on the type of service provided by the printing vendor, the data being handled can range from names and addresses in mailing lists to social security numbers, bank account numbers, financial data, health information or payroll information. Some of this data is highly sensitive and could be used to commit identity theft, resulting in material impact to individuals. Such a loss could be considered a reportable event under most state information breach laws and result in substantial cost to the user organization. Printing vendors are almost always provided mailing lists by user organizations. At first glance, a mailing list may not seem sensitive, but it is a record of an organization's customers, and most organizations would view this information as a valuable asset that needs to be protected against leakage or unauthorized disclosure to competitors. In addition, a mailing list could be built around a specific characteristic of a group, such as high-net-worth individuals, and its disclosure would result in a high level of dissatisfaction among the user organization's clients. Clearly, substantial risk could exist for the user organization should the printing vendor experience a data breach or mishandle its customer data. In addition to the data risk, printing companies that provide fulfillment services also face risk from shrinkage due to theft of merchandise or duplication of event tickets.

Industry Requirements

Third-party management and regulatory requirements have increased significantly in a number of industries. In particular, regulators are placing increased pressure on financial institutions to assess the security and controls of third-party vendors, evaluate data protection practices and understand the risk of their business partners. Healthcare organizations have adopted policies that require all third parties to demonstrate HITRUST compliance. Organizations migrating to a cloud environment have also raised awareness of the need to evaluate the data-protection capabilities of all business partners with which they share information.

Should a printing company have a SOC report? Clearly, there is considerable risk associated with many of the data-fueled services provided by printing companies that would warrant a SOC report. While a SOC report is not a requirement of the industry, the report would demonstrate to user organizations that protecting data and merchandise is a major objective and is taken seriously by the senior management of the organization. A SOC report would also provide a distinct competitive and marketing advantage to the printing company, offering an authoritative and respected way to communicate and demonstrate to the marketplace that protection of client information is as valuable as the quality of the service that it provides.

Do you think your organization could benefit from a SOC Report?  Visit our Service Organization Control page or contact one of our professionals to discuss your need.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
