USPS Report on NCOA’s Change of Address Procedures Finds Inadequate Protection of Customer Information

In September 2014, a report of the United States Postal Service’s (USPS) Office of Inspector General (OIG) found that the security controls used by the National Change of Address Program (the NCOA Program) do not sufficiently protect the confidentiality and integrity of customer information. In particular, inadequate data protection by the NCOA Program’s National Change of Address Linkage (NCOALink) raises significant cyber security concerns. NCOALink is a USPS service that provides change of address (COA) records for a fee to licensees that are authorized to obtain NCOA data and make it available to their business customers, including many insurers, broker-dealers and transfer agents. The OIG estimates that more than 13.5 million NCOALink customer records with a potential value of $228 million are at risk due to the following: (1) the NCOA Program is using outdated software, (2) often the NCOALink license agreements insufficiently protect customer data, and (3) USPS management inadequately monitors NCOALink licensee compliance.

First, the NCOA Program uses outdated software. While this section of the report is substantially redacted, it appears that outdated software would permit a person to crack the security system and obtain or change sensitive NCOALink customer data. In order for the Program to comply with security policies, USPS and licensee computer systems will require major upgrades.

Second, the NCOALink license agreements often fail to require licensees and business mailers to secure customer data. The OIG sampled 36 of the 515 NCOALink license agreements. All 36 license agreements sampled contain at least one of the following issues:

• The license agreement, which currently requires a licensee to self-certify regarding its internal, physical and logical security controls, is inadequate to assure third-party adherence to privacy and security requirements.
• The licensee is commingling Postal Service NCOALink data servers in third-party data centers shared with other companies, in violation of USPS policy.
• The licensee is not identifying all cooperative database business mailers that receive NCOALink data as stipulated in their monthly performance report requirements.

The report found that these security issues occurred because there is no assigned contracting authority or process to ensure that the USPS incorporates the necessary security and privacy requirements into the NCOALink license agreements.

Finally, USPS management is inadequately monitoring NCOALink licensee compliance, as evidenced by the following:

• Licensees are transmitting sensitive customer data to business mailers using File Transfer Protocol (FTP), which is insecure and violates USPS policy.
• USPS management stopped requiring licensees to complete site security review worksheets as part of the licensing and certification process, and site security reviews of licensees’ environments have never been performed.
• Some licensees are storing COA data on unsupported operating systems for which security updates are no longer available, leaving COA data at risk of data breaches.
• International mailers are participating in the NCOALink service program, which is a violation of the NCOALink agreement.
• USPS management does not always ensure that third parties are updating their acknowledgement forms.

To ameliorate these cyber security issues, the OIG recommended such reforms such as: (1) software upgrades, (2) updates to license agreements requiring that licensees include the names of cooperative database business mailers and their data activities in their monthly performance reports, (3) random site security reviews of NCOALink licensees, and (4) the implementation of a process to ensure that current legal, security, privacy, and compliance requirements are included in all NCOALink license agreements. While USPS management agreed that software upgrades and random site security reviews of licensees were necessary, they disagreed with the other two recommendations, making it unclear whether changes to NCOALink license agreement contract provisions and enhanced enforcement procedures will be implemented.