Security of electronic data is one thing, says Chris Haden, but documents need attention too

Much attention is given to the handling of electronic documents within a company, but when it comes to the mailroom, there seems to be an ‘e-gap’ – a potentially dangerous situation given the risk exposure relating to customer service response, regulation and operational efficiency. What is the risk exposure associated with the gap between physical and digital communications, and how are organisations who are aware of this danger mitigating the risk?

Organisations in both the public and private sector have been shamed by their apparent inattention to data security over the last two or three years. Two major recent examples are the data breach at HMRC and the fine levied by the FSA on Abbey for not being able to locate and retrieve key documents when audited over the issue of mishandling mortgage endowment complaints. In the case of HMRC, debate has mainly focused on data security, but only in a single direction – ie measures to stop data escaping from the organisation into the hands of unauthorised (possibly criminal) third parties. Little has been said about how the possible abuse of lost data can be tracked, nor how tight security around electronic data leaves physical records and unstructured data (documents) still exposed.

These organisations may regard the risk of millions of records being lost and then abused as a greater priority than the unauthorised exposure of hundreds. This is a mistake.

This is especially the case when one takes into account the suspicion that the large volume exposures are most likely the result of incompetence and poor procedure, whereas the leaking of small numbers can often indicate deliberate theft. The case at Abbey, where a fine was levied by the FSA for not having documents properly indexed and easily retrievable, shows a common thread with the point made above – namely that structured data, organised into a few data elements and put into rapid retrieval databases, seems to receive all the attention from management and IT professionals, whereas unstructured data in the form of documents, emails, forms and so on, is usually ignored from a security point of view.

The second key point of risk is that of compliance – a major headache for corporations, financial institutions and public sector bodies alike. Let us take one example that affects large corporations listed in the US – the Sarbanes-Oxley Act. The Act requires that senior management can demonstrably maintain what is called a ‘control’ on their business performance and process. This is possibly the Act’s most important fraud prevention measure. In order to satisfy its demands, corporate systems must be able to drill down through aggregated figures reported to headquarters by a firm’s operation units, in order to verify their validity, even down to the level of consulting an individual document. If data and documents are not effectively linked, this cannot be achieved, and the corporation is likely to be deemed non-compliant by the regulatory authorities.

A seamless whole

A related point – but often ignored – is that there is a fate worse than losing a known document: not knowing that you ever had it in the first place! Many organisations have come to grief because they could not prove they received a document. If all mail is digitised as it enters the organisation, this risk is reduced because there is an auditable record of all mail received.

Thirdly, all corporations face regular inspections, by bodies such as Revenue and Customs and Social Security. These inspections are time-limited, and often involve the inspection of activities going back several years. They tend to throw up questions which challenge a corporation’s interpretation of law or regulation – VAT judgements are a good example. If the authorities take a different view, the corporation needs to have all the data and documentary evidence at its fingertips in order to justify its actions. The absence of such back-up, especially if it leaves the company open to a retrospective correction, can often be very expensive.

Leading organisations that have recognised this weakness in the interface between physical and electronic documents are mostly implementing the same strategy to resolve the issue.

They are putting in place some form of digital mailroom. A digital mailroom effectively combines documents and data into a single, electronic system. Incoming and outgoing physical documents (other than bills and statements, which are stored in a different way) are scanned, indexed and held in a central repository.

Indexing can in many cases be automated, so that data capture systems intelligently read the content and describe the document in a way that makes it easily findable and retrievable. The need to incorporate physical documents is recognised and accommodated, but the interface between the organisation and the outside world becomes a single, unified, electronic whole. There is no need to rewrite whole IT systems to implement this policy. Solutions either involve a technology layer, which leaves legacy systems where they lie, or the process is performed through an outsource centre.

Throughout business and the public sector, there is growing recognition that such unitary information strategies bring the triple advantage of effective compliance, better customer management and the ability to improve data security.