For those of you with partially or fully manual vendor setup and maintenance processes, you may receive a vendor packet complete with your vendor setup form, a W-9 or W-8, a banking form or banking on the vendors’ or vendors’ bank letterhead. Other information such as insurance certificates or a contract or a statement of work to support payment terms can also be received. Sometimes this documentation is received via email (and still printed) or received in hard copy.
Are you protecting the vendor sensitive personal information contained on those forms? Let’s first define what you should be protecting.
What is Vendor Sensitive Personal Information (SPI)?
- Banking Details – Many vendors include banking details on their invoices (especially International vendors) because the accounts that AP uses is a “deposit only” account. That is not always the case. Many Individuals, Single Member LLCs do not have “deposit only” accounts, so banking details are considered sensitive personal information. Banking details can be on the vendor setup form, a banking form, vendors’ or vendors’ bank letterhead or email.
- Birth Date – In specific scenarios, the IRS requires the collection of a birthdate for Foreign Individuals. Birthdates are considered sensitive personal data that should only be collected for regulatory requirements. Birthdates can be included on W-8s or within emails.
- Tax ID – For US Vendors, it can either be the Employer Identification Number (EIN) or the Social Security Number (SSN). Since the SSN can be assigned to an individual and the fact that some accounting systems have one field for either tax identification number, the Tax ID should be considered sensitive personal information. The tax id can be on vendor set up forms, W-9 or W-8, in contracts or email.
What’s Wrong with Desks, We Have to Review it Right?
Yes, but you don’t want anyone else viewing it when it is not necessary. Leaving Vendor SPI on your desk gives access to other employees that may not have the companies best interest at heart (occupational fraud).
- If the documentation came to you via email, most companies now have two monitors. Request a privacy monitor screen for both monitors and review. Only one monitor – shrink the electronic documents so that you can look at them side by side on the same screen.
- If you received hardcopies, scan them in. Take them to the printer (more on this later) and scan them in, verify the sheets were successfully sent, then place the hard copies in the shred bin (not the blue recycle container under your desk).
- Implement a Random Desk Audit process. This can be monthly or any interval you choose. If you have a large team, identify a rotating set of “desk auditors” to check desks for any obvious Vendor SPI left in plain view. Don’t rifle through drawers, binders, etc. The point is to put employees in a mindset of secure behavior and making sure their desk is clear of vendor sensitive personal information before they leave for the day. Perform the random audit before employees come in or after employees leave for the day Tip: Include passwords, etc as well, which will stop those passwords being on sticky notes at the bottom of monitors or on their desk walls.
Open Access is What’s Wrong with Printers
You remember how exciting and satisfying it is when that big vendor packet you received hardcopy or via email has all the information you require to process that new vendor add or existing vendor change? It is very rewarding, so do not blow it by printing (if received by email) or storing in a file cabinet.
For printing, we have all been there. You send something to a shared printer (they are all shared these days), and then you get distracted. By the time you get to the printer, other people who have done the same thing are rifling through the printer tray and have intentions of being most helpful when they lay your vendors documentation on top of the printer face up with the W-9 form on top for all to see.
- If you received via email, don’t print (see above)
- If you must print, use the secure print function. Secure print will allow you time to get to the printer, then key in your code and only then print the documents.
- Include printers in the Random Desk Audit process recommended above.
Open Access is also What’s Wrong with File Cabinets
You have your hard copies, either because you printed them or because you were given hardcopies. Once you process them, they must go somewhere right? So, they are put into a file cabinet. Problem is who has access to the file cabinet. Is the file cabinet locked? Yes? Who has access to the key? Just like system security, file cabinets where sensitive information is kept must apply least-privileged access – only those that access should have access.
- If you received via email, don’t print (see above)
- Scan and attach the documentation directly on the vendor record. If you are offsite for any reason (disaster recovery drill, working remote), you will still have access to this documentation.
- If you cannot attach to the vendor record, save the scanned copies on a secure drive – again only allow access to those that need access.
- If you must store these hard copies in a file cabinet, commandeer a separate file cabinet that only contains vendor supporting documentation, lock it. Allow access only to those staff members that work with vendor requests.
It can be scary to think about open access to your vendors’ sensitive personal information. Get training, train your staff and even other internal employees that submit vendor documentation to you. Everyone in the company has to take responsibility for protecting your vendors’ data.